From 786c773b51ca19274b5560ffc1bad453766c7a41 Mon Sep 17 00:00:00 2001
From: wtripp180901
Date: Mon, 17 Mar 2025 17:26:12 +0000
Subject: [PATCH 1/4] falco config with privileged container warnings
---
 apps/falco/configmap.yaml | 50 ++++++++++++++++++++++++++++++++++
 apps/falco/helmrelease.yaml | 18 ++++++++++++
 apps/falco/helmrepository.yaml | 9 ++++++
 apps/falco/kustomization.yaml | 5 ++++
 apps/falco/namespace.yaml | 5 ++++
 5 files changed, 87 insertions(+)
 create mode 100644 apps/falco/configmap.yaml
 create mode 100644 apps/falco/helmrelease.yaml
 create mode 100644 apps/falco/helmrepository.yaml
 create mode 100644 apps/falco/kustomization.yaml
 create mode 100644 apps/falco/namespace.yaml
diff --git a/apps/falco/configmap.yaml b/apps/falco/configmap.yaml
new file mode 100644
index 0000000..b940dd7
--- /dev/null
+++ b/apps/falco/configmap.yaml
@@ -0,0 +1,50 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: falco-config
+ namespace: falco
+data:
+ values.yaml: |
+ tty: true
+ falco:
+ rules_files:
+ - /etc/falco/rules.d
+ - /etc/falco/falco_rules.yaml
+ - /etc/falco/falco_rules.local.yaml
+ # - /etc/falco/falco-incubating_rules.yaml
+ falcoctl:
+ config:
+ artifact:
+ install:
+ rulesfilesDir: /etc/falco
+ refs:
+ - falco-rules:3
+ # - falco-incubating-rules:4
+ follow:
+ rulesfilesDir: /etc/falco
+ refs:
+ - falco-rules:3
+ # - falco-incubating-rules:4
+
+ customRules:
+ custom-rules.yaml: |-
+ - macro: spawned_process
+ condition: (evt.type in (execve, execveat) and evt.dir=<)
+ - macro: container
+ condition: (container.id != host)
+ - macro: container_started
+ condition: >
+ ((evt.type = container or
+ (spawned_process and proc.vpid=1)) and
+ container.image.repository != incomplete)
+
+ - rule: Privileged Container Custom # version in incubating rules seems to trust arbitrary images
+ desc: >
+ Detect the initial process initiation within a privileged container.
+ condition: >
+ container_started
+ and container
+ and container.privileged=true
+ output: Privileged container started (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
+ priority: WARNING
diff --git a/apps/falco/helmrelease.yaml b/apps/falco/helmrelease.yaml
new file mode 100644
index 0000000..03ad333
--- /dev/null
+++ b/apps/falco/helmrelease.yaml
@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: falco
+ namespace: falco
+spec:
+ interval: 1m
+ chart:
+ spec:
+ chart: falco
+ version: "v4.21.1"
+ interval: 5m
+ sourceRef:
+ kind: HelmRepository
+ name: falco
+ valuesFrom:
+ - kind: ConfigMap
+ name: falco-config
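Review bot: Both `install.refs` and `follow.refs` in the falcoctl section pin `falco-rules:3`, a floating major tag, so falcoctl will fetch whatever 3.x rules version the OCI registry serves at runtime and the detection logic running on the cluster can change without a commit to this repository. If rule updates are meant to go through review like everything else here, pin a full version under both `refs` entries (`- falco-rules:3.<minor>.<patch>`, placeholder) and bump it deliberately; if the auto-follow is intended, say so next to `follow:` with a comment such as `# follow: falcoctl tracks the 3.x tag and updates rules outside GitOps review`. The `customRules` block also redefines `spawned_process` and `container`, which the default rule set already provides; depending on the Falco version this replaces the upstream definition or triggers a load warning, and patch 4 of this series drops the two macros again.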
diff --git a/apps/falco/helmrepository.yaml b/apps/falco/helmrepository.yaml
new file mode 100644
index 0000000..fbc8dc3
--- /dev/null
+++ b/apps/falco/helmrepository.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: falco
+ namespace: falco
+spec:
+ url: https://falcosecurity.github.io/charts
+ interval: 1h
diff --git a/apps/falco/kustomization.yaml b/apps/falco/kustomization.yaml
new file mode 100644
index 0000000..349ec64
--- /dev/null
+++ b/apps/falco/kustomization.yaml
@@ -0,0 +1,5 @@
+resources:
+ - namespace.yaml
+ - helmrepository.yaml
+ - helmrelease.yaml
+ - configmap.yaml
diff --git a/apps/falco/namespace.yaml b/apps/falco/namespace.yaml
new file mode 100644
index 0000000..8b7440f
--- /dev/null
+++ b/apps/falco/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: falco
From 2dd4938715c4c6ed6cccb6d35b8bbf5a7af9f415 Mon Sep 17 00:00:00 2001
From: wtripp180901
Date: Mon, 17 Mar 2025 18:01:29 +0000
Subject: [PATCH 2/4] enabled ui and disabled api server rule
---
 apps/falco/configmap.yaml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/apps/falco/configmap.yaml b/apps/falco/configmap.yaml
index b940dd7..175791b 100644
--- a/apps/falco/configmap.yaml
+++ b/apps/falco/configmap.yaml
@@ -9,10 +9,10 @@ data:
 tty: true
 falco:
 rules_files:
- - /etc/falco/rules.d
 - /etc/falco/falco_rules.yaml
 - /etc/falco/falco_rules.local.yaml
 # - /etc/falco/falco-incubating_rules.yaml
+ - /etc/falco/rules.d
 falcoctl:
 config:
 artifact:
@@ -26,6 +26,10 @@ data:
 refs:
 - falco-rules:3
 # - falco-incubating-rules:4
+ falcosidekick:
+ enabled: true
+ webui:
+ enabled: true
 customRules:
 custom-rules.yaml: |-
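Review bot: The new `kustomization.yaml` has no `apiVersion`/`kind` header; kustomize still reads a bare `resources:` list but treats it as the legacy form and newer releases warn about it. Add `apiVersion: kustomize.config.k8s.io/v1beta1` and `kind: Kustomization` above `resources:` so the file is unambiguous to kustomize and to schema validators.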
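Review bot: The reorder that moves `/etc/falco/rules.d` after `falco_rules.local.yaml` in `rules_files` is what lets the `override: enabled: replace` entry in `customRules` find the upstream rule (Falco loads the files in list order, and an override needs the base definition loaded first), but nothing in the file records that, so the next tidy-up can silently undo it. Suggest a comment on the moved line: `# keep rules.d last: customRules overrides need the upstream rule loaded first`.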
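Review bot: `falcosidekick.webui.enabled: true` deploys the Sidekick UI with the chart's defaults, and this hunk sets neither a login nor a Secret reference for it; unless I misread the falcosidekick chart, its defaults include a fixed basic-auth `webui.user` value, so the UI would come up with a well-known credential. Before this reaches a cluster, source the UI login from a Secret (the trusted-namespace list in patch 4 shows `sealed-secrets-system`, so that mechanism is available) and confirm the UI service stays ClusterIP or sits behind the cluster's existing ingress auth. Sidekick itself is enabled with no outputs configured, so alerts only reach the UI for now; a comment stating that this is the intended first step would save the next reader a search, e.g. `# sidekick outputs deliberately unset: alerts visible in the UI only`.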
@@ -38,6 +42,11 @@ data:
 ((evt.type = container or
 (spawned_process and proc.vpid=1)) and
 container.image.repository != incomplete)
+
+ - rule: Contact K8S API Server From Container # generates a lot of noise, but is it worth having this for some namespaces?
+ enabled: false
+ override:
+ enabled: replace
 - rule: Privileged Container Custom # version in incubating rules seems to trust arbitrary images
 desc: >
From 80c08353bc8ba8d5f388f9f0b201bbf073f1abdf Mon Sep 17 00:00:00 2001
From: wtripp180901
Date: Mon, 17 Mar 2025 18:04:13 +0000
Subject: [PATCH 3/4] moved rules to seperate configmap
---
 apps/falco/custom-rules.yaml | 34 ++++++++++++++++++++++++++++++++++
 apps/falco/helmrelease.yaml | 2 ++
 apps/falco/kustomization.yaml | 1 +
 3 files changed, 37 insertions(+)
 create mode 100644 apps/falco/custom-rules.yaml
diff --git a/apps/falco/custom-rules.yaml b/apps/falco/custom-rules.yaml
new file mode 100644
index 0000000..9f4a614
--- /dev/null
+++ b/apps/falco/custom-rules.yaml
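Review bot: `enabled: false` on `Contact K8S API Server From Container` switches the detection off for the entire cluster, while the inline comment on the same line says the noise comes from particular namespaces; an attacker-controlled pod talking to the API server from any namespace would then go unreported. Falco lets you narrow a stock rule instead of disabling it by appending to its condition, which keeps the rule live everywhere else: replace `enabled: false` with `condition: and not k8s.ns.name in (<noisy namespaces, placeholder>)` and change `enabled: replace` to `condition: append` under `override:`. The `custom-rules.yaml` block scalar this rule lives in starts before the hunk.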
@@ -0,0 +1,34 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: rules-config
+ namespace: falco
+data:
+ custom-rules.yaml: |
+ customRules:
+ custom-rules.yaml: |-
+ - macro: spawned_process
+ condition: (evt.type in (execve, execveat) and evt.dir=<)
+ - macro: container
+ condition: (container.id != host)
+ - macro: container_started
+ condition: >
+ ((evt.type = container or
+ (spawned_process and proc.vpid=1)) and
+ container.image.repository != incomplete)
+
+ - rule: Contact K8S API Server From Container # generates a lot of noise, but is it worth having this for some namespaces?
+ enabled: false
+ override:
+ enabled: replace
+
+ - rule: Privileged Container Custom # version in incubating rules seems to trust arbitrary images
+ desc: >
+ Detect the initial process initiation within a privileged container.
+ condition: >
+ container_started
+ and container
+ and container.privileged=true
+ output: Privileged container started (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
+ priority: WARNING
diff --git a/apps/falco/helmrelease.yaml b/apps/falco/helmrelease.yaml
index 03ad333..db645e7 100644
--- a/apps/falco/helmrelease.yaml
+++ b/apps/falco/helmrelease.yaml
@@ -16,3 +16,5 @@ spec:
 valuesFrom:
 - kind: ConfigMap
 name: falco-config
+ - kind: ConfigMap
+ name: rules-config
diff --git a/apps/falco/kustomization.yaml b/apps/falco/kustomization.yaml
index 349ec64..8168efc 100644
--- a/apps/falco/kustomization.yaml
+++ b/apps/falco/kustomization.yaml
@@ -3,3 +3,4 @@ resources:
 - helmrepository.yaml
 - helmrelease.yaml
 - configmap.yaml
+ - custom-rules.yaml
From 8fa738ce280e8f7c32dfd07cae721d55a1fe967d Mon Sep 17 00:00:00 2001
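Review bot: The new `rules-config` ConfigMap stores its values under the key `custom-rules.yaml`, but the `valuesFrom` entry added to the HelmRelease in this same patch gives only `kind` and `name`, and Flux reads the `values.yaml` key unless `valuesKey` says otherwise, so the release would fail with a missing-key error (or, with `optional: true`, silently drop the rules). If this layout is kept, the entry needs `valuesKey: custom-rules.yaml`; note also that `configmap.yaml` still carries an identical `customRules` block, so the two sources would override each other's `customRules.custom-rules.yaml` rather than combine. Patch 4 of the series deletes this file again, so this is mainly for the record.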
From: wtripp180901
Date: Wed, 19 Mar 2025 12:06:38 +0000
Subject: [PATCH 4/4] Added root uid detection
---
 apps/falco/configmap.yaml | 31 ++++++++++++++++++++++++-------
 apps/falco/custom-rules.yaml | 34 ----------------------------------
 apps/falco/helmrelease.yaml | 2 --
 apps/falco/kustomization.yaml | 1 -
 4 files changed, 24 insertions(+), 44 deletions(-)
 delete mode 100644 apps/falco/custom-rules.yaml
diff --git a/apps/falco/configmap.yaml b/apps/falco/configmap.yaml
index 175791b..03385aa 100644
--- a/apps/falco/configmap.yaml
+++ b/apps/falco/configmap.yaml
@@ -33,27 +33,44 @@ data:
 customRules:
 custom-rules.yaml: |-
- - macro: spawned_process
- condition: (evt.type in (execve, execveat) and evt.dir=<)
- - macro: container
- condition: (container.id != host)
 - macro: container_started
 condition: >
 ((evt.type = container or
 (spawned_process and proc.vpid=1)) and
 container.image.repository != incomplete)
+ - list: trusted_namespaces
+ items: [capi-addon-system,capi-janitor-system,capi-kubeadm-bootstrap-system,capi-kubeadm-control-plane-system,capi-operator-system,capi-self,capi-system,capo-system,cert-manager,flux-system,kube-node-lease,kube-public,kube-system,node-problem-detector,openstack-system,sealed-secrets-system,intel]
+ - macro: in_trusted_namespace
+ condition: (k8s.ns.name in (trusted_namespaces))
 - rule: Contact K8S API Server From Container # generates a lot of noise, but is it worth having this for some namespaces?
 enabled: false
 override:
 enabled: replace
-
- - rule: Privileged Container Custom # version in incubating rules seems to trust arbitrary images
+
+ - rule: Container Run as Root User # taken from sandbox rules minus exclusions (can add back in later) + higher priority
+ desc: >
+ Container detected running as the root user. This should be taken into account especially when policies disallow containers from running with
+ root user privileges. Note that a root user in containers doesn't inherently possess extensive power, as modern container environments define
+ privileges through Linux capabilities. To learn more, check out the rule "Launch Privileged Container".
+ condition: >
+ spawned_process
+ and container
+ and proc.vpid=1
+ and user.uid=0
+ and not in_trusted_namespace
+ output: Container launched with root user privilege (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
+ priority: CRITICAL
+ tags: [maturity_sandbox, container, process, users, mitre_execution, T1610]
+
+ - rule: Privileged Container Started # version in incubating rules seems to trust arbitrary images
 desc: >
 Detect the initial process initiation within a privileged container.
 condition: >
 container_started
 and container
 and container.privileged=true
+ and not in_trusted_namespace
 output: Privileged container started (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
- priority: WARNING
+ priority: CRITICAL
+
diff --git a/apps/falco/custom-rules.yaml b/apps/falco/custom-rules.yaml
deleted file mode 100644
index 9f4a614..0000000
--- a/apps/falco/custom-rules.yaml
+++ /dev/null
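Review bot: The `trusted_namespaces` list exempts 17 namespaces from both new CRITICAL rules on the strength of `k8s.ns.name` alone, so a root or privileged container started by anything able to create pods in, say, `intel`, `kube-public` or `kube-node-lease` is never reported; the exemption is only as strong as the RBAC on pod creation in those namespaces, and namespaces that normally run no pods at all (`kube-public`, `kube-node-lease`) add exposure without reducing noise. Consider trimming the list to namespaces that actually need root or privileged workloads and recording the assumption next to it, e.g. `# namespaces expected to run root/privileged pods; pod create here must stay RBAC-restricted`. The single-line flow sequence under `items:` will also be painful to diff as the list evolves; one item per line in block style would help. Now that `in_trusted_namespace` exists, the still-disabled `Contact K8S API Server From Container` rule two entries above could be scoped the same way instead of switched off: `condition: and not in_trusted_namespace` with `override: condition: append`, replacing `enabled: false` and `enabled: replace`. The `customRules` block scalar this hunk edits opens in the preceding chunk line.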
@@ -1,34 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: rules-config
- namespace: falco
-data:
- custom-rules.yaml: |
- customRules:
- custom-rules.yaml: |-
- - macro: spawned_process
- condition: (evt.type in (execve, execveat) and evt.dir=<)
- - macro: container
- condition: (container.id != host)
- - macro: container_started
- condition: >
- ((evt.type = container or
- (spawned_process and proc.vpid=1)) and
- container.image.repository != incomplete)
-
- - rule: Contact K8S API Server From Container # generates a lot of noise, but is it worth having this for some namespaces?
- enabled: false
- override:
- enabled: replace
-
- - rule: Privileged Container Custom # version in incubating rules seems to trust arbitrary images
- desc: >
- Detect the initial process initiation within a privileged container.
- condition: >
- container_started
- and container
- and container.privileged=true
- output: Privileged container started (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
- priority: WARNING
diff --git a/apps/falco/helmrelease.yaml b/apps/falco/helmrelease.yaml
index db645e7..03ad333 100644
--- a/apps/falco/helmrelease.yaml
+++ b/apps/falco/helmrelease.yaml
@@ -16,5 +16,3 @@ spec:
 valuesFrom:
 - kind: ConfigMap
 name: falco-config
- - kind: ConfigMap
- name: rules-config
diff --git a/apps/falco/kustomization.yaml b/apps/falco/kustomization.yaml
index 8168efc..349ec64 100644
--- a/apps/falco/kustomization.yaml
+++ b/apps/falco/kustomization.yaml
@@ -3,4 +3,3 @@ resources:
 - helmrepository.yaml
 - helmrelease.yaml
 - configmap.yaml
- - custom-rules.yaml