
Commit

rule update: modify rule to detect connection to K8S API Server from a container

Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
rung authored and fntlnz committed Dec 5, 2019
1 parent e893e04 commit fc58ac7
Showing 1 changed file with 6 additions and 9 deletions.
15 changes: 6 additions & 9 deletions rules/falco_rules.yaml
@@ -2240,25 +2240,22 @@
tags: [network, container, mitre_discovery]


# In a local/user rules file, you should override this macro with the
# IP address of your k8s api server. The IP 1.2.3.4 is a placeholder
# IP that is not likely to be seen in practice.
- macro: k8s_api_server
condition: (fd.sip="1.2.3.4" and fd.sport=8080)

# In a local/user rules file, list the container images that are
# In a local/user rules file, list the namespace or container images that are
# allowed to contact the K8s API Server from within a container. This
# might cover cases where the K8s infrastructure itself is running
# within a container.
- macro: k8s_containers
condition: >
(container.image.repository in (gcr.io/google_containers/hyperkube-amd64,
gcr.io/google_containers/kube2sky, sysdig/agent, sysdig/falco,
sysdig/sysdig))
sysdig/sysdig, falcosecurity/falco) or (k8s.ns.name = "kube-system"))
- macro: k8s_api_server
condition: (fd.sip.name="kubernetes.default.svc.cluster.local")

- rule: Contact K8S API Server From Container
desc: Detect attempts to contact the K8S API Server from a container
condition: outbound and k8s_api_server and container and not k8s_containers
condition: evt.type=connect and evt.dir=< and (fd.typechar=4 or fd.typechar=6) and container and not k8s_containers and k8s_api_server
output: Unexpected connection to K8s API Server from container (command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag connection=%fd.name)
priority: NOTICE
tags: [network, k8s, container, mitre_discovery]
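Review bot: the new k8s_api_server macro (condition fd.sip.name="kubernetes.default.svc.cluster.local") replaces the old IP/port placeholder but drops its explanatory comment, so the macro now sits after the k8s_containers allowlist with no documentation at all; add a short comment stating that it matches on the resolved server name and that users whose API server is reached under a different address still need to override it in a local rules file, as the removed comment told them to. Two further points in this hunk: extending k8s_containers with (k8s.ns.name = "kube-system") exempts every workload in that namespace rather than a named set of images, which widens the rule's blind spot and should at least be called out in the comment above the macro; and the condition inlines evt.type=connect and evt.dir=< and (fd.typechar=4 or fd.typechar=6) where the old condition used the outbound macro. If outbound was dropped deliberately, say why in the commit message; otherwise reuse the macro so the condition stays readable and consistent with the other network rules.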
