Falco alerts mapping #35

Closed
bzurkowski opened this issue Apr 2, 2020 · 4 comments · Fixed by #59
Assignees
Labels
enhancement New feature or request good first issue Good for newcomers
Milestone

Comments

@bzurkowski
Member

Falco provides a comprehensive set of alerting rules for Kubernetes such as:

  • Create Sensitive Mount Pod
  • Create HostNetwork Pod

Open RCA enables connecting some of these alerts to elements present in the infra graph by using a mapping file. The entries in the file are of the form:

    - name: "Create Sensitive Mount Pod"
      source_mapping:
        origin: kubernetes
        kind: pod
        properties:
          name: ka.resp.name
          namespace: ka.target.namespace

The example above describes that whenever a Create Sensitive Mount Pod alert is detected, it should be mapped to a graph element of kubernetes origin and pod kind, and connected to an element with the properties name and namespace, whose values are fetched from the labels in the alert payload named correspondingly ka.resp.name and ka.target.namespace.

The mapping file is not complete. There is still a significant number of alerts that Open RCA cannot recognize. The remaining alerting rules should be reviewed and integrated into the mapping.
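The resolution step the entry above describes, as an added example that is not Open RCA's own code: a mapping entry is looked up by rule name, the property values are pulled out of the alert's labels, and the resulting query is matched against the infra graph. The mapping is embedded as the Python structure a YAML loader would produce for the entry shown, the graph nodes and the alert are constructed, and the alert shape (rule name under "rule", labels under "output_fields") is an assumption about the Falco JSON payload; the function names are hypothetical. The example also shows the two failure modes a practitioner cares about: an alert whose rule has no mapping entry, and an alert whose payload lacks one of the labels the entry needs, both of which are reported as "no match" rather than guessed.

```python
"""Resolve Falco alerts to infra-graph elements through a mapping file.

Added example, not Open RCA's code. Assumes a Falco JSON alert carries the
rule name under "rule" and the audit labels under "output_fields".
"""

# Mapping entries as a YAML loader would produce them from the mapping file
# (constructed; the first entry mirrors the one shown in the issue).
MAPPING = [
    {
        "name": "Create Sensitive Mount Pod",
        "source_mapping": {
            "origin": "kubernetes",
            "kind": "pod",
            "properties": {
                "name": "ka.resp.name",
                "namespace": "ka.target.namespace",
            },
        },
    },
    {
        "name": "Create HostNetwork Pod",
        "source_mapping": {
            "origin": "kubernetes",
            "kind": "pod",
            "properties": {
                "name": "ka.resp.name",
                "namespace": "ka.target.namespace",
            },
        },
    },
]

# Constructed graph nodes standing in for the infra graph. Two pods share a
# name across namespaces, so name alone would not identify the element.
GRAPH = [
    {"origin": "kubernetes", "kind": "pod",
     "properties": {"name": "web-7d9f", "namespace": "default"}},
    {"origin": "kubernetes", "kind": "pod",
     "properties": {"name": "web-7d9f", "namespace": "staging"}},
    {"origin": "kubernetes", "kind": "namespace",
     "properties": {"name": "default"}},
]

# Constructed alert in the assumed Falco JSON output shape.
SAMPLE_ALERT = {
    "rule": "Create Sensitive Mount Pod",
    "priority": "Warning",
    "output_fields": {
        "ka.resp.name": "web-7d9f",
        "ka.target.namespace": "default",
        "ka.user.name": "alice",
    },
}


def build_query(alert, mapping):
    """Return (origin, kind, properties) for an alert, or None.

    None means the rule has no mapping entry or the payload is missing a
    label the entry requires; in both cases nothing is matched rather
    than guessing a partial query.
    """
    entry = next((m for m in mapping if m["name"] == alert.get("rule")), None)
    if entry is None:
        return None
    source = entry["source_mapping"]
    fields = alert.get("output_fields", {})
    props = {}
    for prop, label in source["properties"].items():
        if label not in fields:
            return None  # incomplete payload: refuse to match
        props[prop] = fields[label]
    return source["origin"], source["kind"], props


def find_nodes(query, graph):
    """Return every graph node whose origin, kind and properties match."""
    origin, kind, props = query
    return [
        node for node in graph
        if node["origin"] == origin
        and node["kind"] == kind
        and all(node["properties"].get(k) == v for k, v in props.items())
    ]


def resolve(alert, mapping=MAPPING, graph=GRAPH):
    """Map one alert to the list of graph nodes it should be attached to."""
    query = build_query(alert, mapping)
    if query is None:
        return []
    return find_nodes(query, graph)


if __name__ == "__main__":
    print(resolve(SAMPLE_ALERT))
```

Because both name and namespace are part of the query, the alert attaches only to the pod in the default namespace, not to its namesake in staging; dropping the namespace property from the entry would attach it to both.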

@bzurkowski bzurkowski added the enhancement New feature or request label Apr 2, 2020
@bzurkowski
Member Author

This enhancement might be partially blocked by #13.

@bzurkowski bzurkowski added the good first issue Good for newcomers label Apr 2, 2020
@bzurkowski bzurkowski changed the title Falco alerts support Falco alerts mapping Apr 2, 2020
@aleksandra-galara
Member

Hi, I'd like to work on this issue, so if you can... assign it to me! ;)

@aleksandra-galara
Member

Hi, I've created the list of Falco alerts:

  • Disallowed K8s User
  • Create Disallowed Pod
  • Create Privileged Pod
  • Create Sensitive Mount Pod
  • Create HostNetwork Pod
  • Create NodePort Service
  • Create/Modify Configmap With Private Credentials
  • Anonymous Request Allowed
  • Attach/Exec Pod
  • Create Disallowed Namespace
  • Pod Created in Kube Namespace
  • Service Account Created in Kube Namespace
  • System ClusterRole Modified/Deleted
  • Attach to cluster-admin Role
  • ClusterRole With Wildcard Created
  • ClusterRole With Write Privileges Created
  • ClusterRole With Pod Exec Created
  • K8s Deployment Created
  • K8s Deployment Deleted
  • K8s Service Created
  • K8s Service Deleted
  • K8s ConfigMap Created
  • K8s ConfigMap Deleted
  • K8s Namespace Created
  • K8s Namespace Deleted
  • K8s Serviceaccount Created
  • K8s Serviceaccount Deleted
  • K8s Role/Clusterrole Created
  • K8s Role/Clusterrole Deleted
  • K8s Role/Clusterrolebinding Created
  • K8s Role/Clusterrolebinding Deleted
  • All K8s Audit Events
  • Full K8s Administrative Access
  • Ingress Object without TLS Certificate Created
  • Untrusted Node Successfully Joined the Cluster
  • Untrusted Node Unsuccessfully Tried to Join the Cluster

Are there any alerts, which shouldn't be mapped? ;)

@bzurkowski
Member Author

It's actually easier to point out the ones that could be mapped 😄

  • Create Disallowed Pod
  • Create Privileged Pod
  • Create Sensitive Mount Pod
  • Create HostNetwork Pod
  • Create/Modify Configmap With Private Credentials
  • Attach/Exec Pod
  • Create Disallowed Namespace
  • Ingress Object without TLS Certificate Created
  • Untrusted Node Successfully Joined the Cluster
  • Untrusted Node Unsuccessfully Tried to Join the Cluster

Others, as you suggested offline, warn about creation/deletion of K8S entities. Since OpenRCA records all cluster events, we can skip them.

aleksandra-galara added a commit to aleksandra-galara/orca that referenced this issue Apr 20, 2020
It refers to openrca#35 and completes the mapping of
alerts according to the list created in the issue

Signed-off-by: Aleksandra Galara <a.galara@samsung.com>
aleksandra-galara added a commit to aleksandra-galara/orca that referenced this issue Apr 20, 2020
It refers to openrca#35 and completes the mapping of
alerts according to the list created in the issue.

Signed-off-by: Aleksandra Galara <a.galara@samsung.com>
aleksandra-galara added a commit to aleksandra-galara/orca that referenced this issue Apr 20, 2020
It refers to openrca#35 and completes the mapping of
alerts according to the list created in the issue.

Signed-off-by: Aleksandra Galara <a.galara@samsung.com>
@bzurkowski bzurkowski added this to the 0.2 milestone Apr 21, 2020
aleksandra-galara added a commit to aleksandra-galara/orca that referenced this issue Apr 21, 2020
It refers to openrca#35 and completes the mapping of
alerts according to the list created in the issue.

Signed-off-by: Aleksandra Galara <a.galara@samsung.com>
@bzurkowski bzurkowski linked a pull request Apr 22, 2020 that will close this issue
2 participants