Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix/address addl rules fps #1372

Merged
merged 13 commits into from
Sep 3, 2020
+102 −17
Merged

Fix/address addl rules fps #1372

Changes from 1 commit
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
8fb3dcb
rule(Change thread namespace): Require proc name
mstemm Aug 27, 2020
7452d52
rule(Read sensitive file untrusted): linux-bench
mstemm Aug 28, 2020
89a26a5
rule(Update Package Repository): restrict files
mstemm Aug 28, 2020
95f06a5
rule(Write below etc): add calco exceptions
mstemm Aug 28, 2020
00fab2b
rule(Write below root): add mysqlsh
mstemm Aug 28, 2020
e0954c4
rule(Read sensitive file untrusted):google_oslogin
mstemm Aug 28, 2020
c906a0f
rule(Launch Privileged Container): sort/reorg list
mstemm Aug 28, 2020
b13dbef
rule(Launch Privileged Container) add images
mstemm Aug 28, 2020
d5c21e7
rule(Create HostNetwork Pod): add images
mstemm Aug 28, 2020
1f5f298
rule(Disallowed K8s User): add known users
mstemm Aug 28, 2020
0990ea4
Rule(Pod Created in Kube Namespace): add images
mstemm Aug 28, 2020
f38c8f4
rule(System ClusterRole Modified/Deleted): + role
mstemm Aug 28, 2020
36bb3b1
Start versioning trace files
mstemm Aug 31, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
rule(Write below etc): add calco exceptions 
Add several calico images and command line programs that end up writing
below /etc/calico.

Signed-off-by: Mark Stemm <[email protected]>
@mstemm
mstemm committed Sep 2, 2020
commit 95f06a56c24b10d120c8328468988dd10b3b4ebf
5 changes: 4 additions & 1 deletion rules/falco_rules.yaml
View file
Original file line number Diff line number Diff line change
@@ -1183,7 +1183,10 @@

- macro: calico_writing_conf
condition: >
(proc.name = calico-node and fd.name startswith /etc/calico)
(((proc.name = calico-node) or
(container.image.repository=gcr.io/projectcalico-org/node and proc.name in (start_runit, cp)) or
(container.image.repository=gcr.io/projectcalico-org/cni and proc.name=sed))
and fd.name startswith /etc/calico)

- macro: prometheus_conf_writing_conf
condition: (proc.name=prometheus-conf and fd.name startswith /etc/prometheus/config_out)