Address rules fps may #1230
Conversation
Openshift specific variant, example alert: --- Log files were tampered (user=root command=fluentd /usr/bin/fluentd --no-supervisor file=/var/log/journal.pos CID1 image=registry.redhat.io/openshift3/ose-logging-fluentd) --- Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
…/log "The Azure's NPM is a daemonset that supports network policies as defined by the Kubernetes policy specification." Example event: --- Log files were tampered (user=root command=azure-npm file=/var/log/iptables.conf CID1 image=mcr.microsoft.com/containernetworking/azure-npm) --- Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Example event. I'm pretty sure the full file in this case is /etc/lvm/cache: --- File below /etc opened for writing (user=root command=lvs --noheadings --readonly --separator=";" -a -o lv_tags,lv_path,lv_name,vg_name,lv_uuid,lv_size parent=ceph-volume pcmdline=ceph-volume /usr/sbin/ceph-volume inventory --format json file=/etc/lvm/c... --- Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
rules/falco_rules.yaml
Outdated
condition: > | ||
(k8s.ns.name="kube-system" and container.image.repository=k8s.gcr.io/fluentd-gcp-scaler) or | ||
container.image=mcr.microsoft.com/aks/hcp/hcp-tunnel-front |
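Review bot: the two arms of this condition compare different fields: the first arm matches on container.image.repository, while the second matches on container.image, which carries the tag as the runtime reports it, so an hcp-tunnel-front container running any tagged image would fail the exact match and the exception would never apply. Suggest `container.image.repository=mcr.microsoft.com/aks/hcp/hcp-tunnel-front` for the second arm so both arms use the same field.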
container.image -> container.image.repository
Thanks, fixed.
(k8s.ns.name="kube-system" and container.image.repository=k8s.gcr.io/fluentd-gcp-scaler) or | ||
container.image=mcr.microsoft.com/aks/hcp/hcp-tunnel-front | ||
- macro: user_known_k8s_client_container_parens |
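Review bot: the macro user_known_k8s_client_container_parens is defined here, but nothing in the visible hunk references it, so as pushed it is dead configuration. If it is meant to replace user_known_k8s_client_container in the "Docker or kubernetes client executed in container" rule, that rule's condition needs to be updated in the same change, otherwise the new fluentd-gcp-scaler and hcp-tunnel-front exceptions never take effect.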
is this macro used by any rule?
Oh sorry, I was editing things and missed this. I wanted to replace the use of user_known_k8s_client_container in the rule's condition. Fixed.
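The review thread above turns on one detail: in Falco, `container.image` is the image name as the runtime reports it (tag included), while `container.image.repository` is the name with the tag stripped, so an exception written against `container.image` silently fails for any tagged image. The following is an added example, not code from this PR or from Falco, that models that difference over constructed events. It assumes a simplified image-reference grammar (`registry/name[:tag][@digest]`), a trimmed stand-in for Falco's `k8s_client_binaries` list, and made-up image tags; the kubectl command line mirrors the alert quoted in the commit message later in the thread.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


def split_image_ref(image: str) -> Tuple[str, Optional[str]]:
    """Split an image reference into (repository, tag).

    Simplified model of Falco's container.image.repository / container.image.tag
    (assumption: it follows the common registry/name[:tag][@digest] grammar).
    A '@digest' suffix is dropped, and ':' only counts as a tag separator after
    the last '/', so 'registry:5000/app' keeps its port in the repository.
    """
    name = image.split("@", 1)[0]
    head, sep, last = name.rpartition("/")
    if ":" in last:
        last, tag = last.split(":", 1)
        return head + sep + last, tag
    return name, None


@dataclass
class Event:
    """The fields of a Falco process event that the condition reads (constructed)."""
    ns: str       # k8s.ns.name
    image: str    # container.image, as the runtime reports it (tag included)
    cmdline: str  # proc.cmdline

    @property
    def repository(self) -> str:  # container.image.repository
        return split_image_ref(self.image)[0]


# Stand-in for Falco's k8s_client_binaries list (assumption: trimmed to two names).
K8S_CLIENT_BINARIES = ("kubectl", "docker")


def known_client_container(ev: Event) -> bool:
    """Exception macro as merged: both arms compare container.image.repository."""
    return (
        (ev.ns == "kube-system" and ev.repository == "k8s.gcr.io/fluentd-gcp-scaler")
        or ev.repository == "mcr.microsoft.com/aks/hcp/hcp-tunnel-front"
    )


def known_client_container_pre_review(ev: Event) -> bool:
    """Exception macro as first pushed: the second arm compares container.image."""
    return (
        (ev.ns == "kube-system" and ev.repository == "k8s.gcr.io/fluentd-gcp-scaler")
        or ev.image == "mcr.microsoft.com/aks/hcp/hcp-tunnel-front"
    )


def alerts(events: List[Event], known: Callable[[Event], bool]) -> List[Event]:
    """Events that would fire 'Docker or kubernetes client executed in container'
    once the given exception macro has been applied."""
    return [
        ev for ev in events
        if ev.cmdline.split()[0] in K8S_CLIENT_BINARIES and not known(ev)
    ]


# Constructed events; tags are made up, the tunnel-front cmdline mirrors the PR's alert.
SAMPLE_EVENTS = [
    Event("kube-system", "mcr.microsoft.com/aks/hcp/hcp-tunnel-front:v1.9.2",
          "kubectl --kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig get secret "
          "tunnelfront --namespace=kube-system --output json --ignore-not-found"),
    Event("kube-system", "k8s.gcr.io/fluentd-gcp-scaler:0.5",
          "kubectl scale deployment fluentd-gcp --replicas=2"),
    Event("default", "k8s.gcr.io/fluentd-gcp-scaler:0.5",
          "kubectl scale deployment fluentd-gcp --replicas=2"),
    Event("default", "alpine:3.12", "kubectl get secrets -A"),
    Event("default", "nginx:1.19", "nginx -g daemon off;"),
]

if __name__ == "__main__":
    for label, macro in (("repository match", known_client_container),
                         ("full-image match", known_client_container_pre_review)):
        print(label)
        for ev in alerts(SAMPLE_EVENTS, macro):
            print("  ALERT ns=%s image=%s cmd=%s" % (ev.ns, ev.image, ev.cmdline.split()[0]))
```

With the repository comparison, only the scaler running outside kube-system and the ad-hoc alpine container alert; with the pre-review full-image comparison, the tagged tunnel-front container alerts as well, which is the false positive the PR set out to remove.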
a9305c1 to 79dcf01
…run kubectl in containers https://stackoverflow.com/questions/50349586/what-is-hcp-tunnelfront Example alert: --- Docker or kubernetes client executed in container (user=root parent=run-tunnel-fron cmdline=kubectl --kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig get secret tunnelfront --namespace=kube-system --output json --ignore-not-found image=mcr.microsoft.com/aks/hcp/hcp-tunnel-front) --- Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
…s users https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler Example alert: --- K8s Operation performed by user not in allowed list of users (user=vpa-recommender target=vpa-recommender/endpoints verb=update uri=core/v1/namespaces/kube-system/endpoints/vpa-recommender resp=200) K8s Operation performed by user not in allowed list of users (user=vpa-updater target=vpa-updater/endpoints verb=update uri=core/v1/namespaces/kube-system/endpoints/vpa-updater resp=200) --- Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
79dcf01 to 048b33a
LGTM label has been added. Git tree hash: 1673498b65fd0390f1e810c33b3683543507c84b
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fntlnz, Kaizhe, leodido The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
What type of PR is this?
/kind rule-update
Any specific area of the project related to this PR?
/area rules
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: