mirror of
https://github.com/nold360/hive-apps
synced 2024-11-17 02:59:31 +00:00
220 lines
10 KiB
YAML
220 lines
10 KiB
YAML
|
docker:
|
||
|
enabled: false
|
||
|
|
||
|
podSecurityPolicy:
|
||
|
create: false
|
||
|
|
||
|
containerd:
|
||
|
enabled: true
|
||
|
|
||
|
#extraArgs:
|
||
|
# - --disable-cri-async
|
||
|
|
||
|
falco:
|
||
|
timeFormatISO8601: true
|
||
|
grpc:
|
||
|
enabled: true
|
||
|
grpcOutput:
|
||
|
enabled: false
|
||
|
|
||
|
falcosidekick:
|
||
|
enabled: true
|
||
|
replicaCount: 1
|
||
|
podSecurityPolicy:
|
||
|
create: true
|
||
|
|
||
|
webui:
|
||
|
enabled: true
|
||
|
retention: 200
|
||
|
darkmode: true
|
||
|
podSecurityPolicy:
|
||
|
create: true
|
||
|
ingress:
|
||
|
enabled: true
|
||
|
annotations:
|
||
|
cert-manager.io/cluster-issuer: vault-issuer
|
||
|
hosts:
|
||
|
- host: falco.dc
|
||
|
paths: ["/ui", "/events", "/healthz", "/ws"]
|
||
|
tls:
|
||
|
- secretName: falcosidekick-tls
|
||
|
hosts:
|
||
|
- falco.dc
|
||
|
|
||
|
customRules:
|
||
|
rule_exceptions.yaml: |-
|
||
|
- rule: Contact K8S API Server From Container
|
||
|
exceptions:
|
||
|
- name: proc_filenames
|
||
|
value:
|
||
|
- argocd-applicat
|
||
|
append: true
|
||
|
- rule: Write below root
|
||
|
exceptions:
|
||
|
- name: container
|
||
|
value: [ host ]
|
||
|
append: true
|
||
|
- rule: Read sensitive file untrusted
|
||
|
exceptions:
|
||
|
- name: container
|
||
|
value: [ host ]
|
||
|
append: true
|
||
|
- rule: Non sudo setuid
|
||
|
exceptions:
|
||
|
- name: container
|
||
|
value: [ host ]
|
||
|
append: true
|
||
|
nginx_rules.yaml: |-
|
||
|
- macro: nginx_consider_syscalls
|
||
|
condition: (evt.num < 0)
|
||
|
- macro: app_nginx
|
||
|
condition: container and container.image contains "nginx"
|
||
|
# Any outbound traffic raises a WARNING
|
||
|
- rule: Unauthorized process opened an outbound connection (nginx)
|
||
|
desc: A nginx process tried to open an outbound connection and is not whitelisted
|
||
|
condition: outbound and evt.rawres >= 0 and app_nginx
|
||
|
output: Non-whitelisted process opened an outbound connection (command=%proc.cmdline connection=%fd.name)
|
||
|
priority: WARNING
|
||
|
# Restricting listening ports to selected set
|
||
|
- list: nginx_allowed_inbound_ports_tcp
|
||
|
items: [80, 443, 8080, 8443]
|
||
|
- rule: Unexpected inbound tcp connection nginx
|
||
|
desc: Detect inbound traffic to nginx using tcp on a port outside of expected set
|
||
|
condition: inbound and evt.rawres >= 0 and not fd.sport in (nginx_allowed_inbound_ports_tcp) and app_nginx
|
||
|
output: Inbound network connection to nginx on unexpected port (command=%proc.cmdline pid=%proc.pid connection=%fd.name sport=%fd.sport user=%user.name %container.info image=%container.image)
|
||
|
priority: NOTICE
|
||
|
# Restricting spawned processes to selected set
|
||
|
- list: nginx_allowed_processes
|
||
|
items: ["nginx", "app-entrypoint.", "basename", "dirname", "grep", "nami", "node", "tini"]
|
||
|
- rule: Unexpected spawned process nginx
|
||
|
desc: Detect a process started in a nginx container outside of an expected set
|
||
|
condition: spawned_process and not proc.name in (nginx_allowed_processes) and app_nginx
|
||
|
output: Unexpected process spawned in nginx container (command=%proc.cmdline pid=%proc.pid user=%user.name %container.info image=%container.image)
|
||
|
priority: NOTICE
|
||
|
# Restricting files read or written to specific set
|
||
|
- list: nginx_allowed_file_prefixes_readwrite
|
||
|
items: ["/var/log/nginx", "/var/run"]
|
||
|
# Remember to add your nginx cache path
|
||
|
|
||
|
- rule: Unexpected file access readwrite for nginx
|
||
|
desc: Detect an attempt to access a file readwrite other than below an expected list of directories
|
||
|
condition: (open_write) and not fd.name pmatch (nginx_allowed_file_prefixes_readwrite) and app_nginx
|
||
|
output: Unexpected file accessed readwrite for nginx (command=%proc.cmdline pid=%proc.pid file=%fd.name %container.info image=%container.image)
|
||
|
priority: NOTICE
|
||
|
# Restricting syscalls to selected set
|
||
|
- list: nginx_allowed_syscalls
|
||
|
items: [accept, bind, clone, connect, dup, listen, mkdir, open, recvfrom, recvmsg, sendto, setgid, setuid, socket, socketpair]
|
||
|
- rule: Unexpected syscall nginx
|
||
|
desc: Detect a syscall in a nginx container outside of an expected set
|
||
|
condition: nginx_consider_syscalls and not evt.type in ("<unknown>", nginx_allowed_syscalls) and app_nginx
|
||
|
output: Unexpected syscall in nginx container (command=%proc.cmdline pid=%proc.pid user=%user.name syscall=%evt.type args=%evt.args %container.info image=%container.image)
|
||
|
priority: NOTICE
|
||
|
warn_evttypes: False
|
||
|
|
||
|
php_fpm.yaml: |-
|
||
|
- macro: php_fpm_consider_syscalls
|
||
|
condition: (evt.num < 0)
|
||
|
|
||
|
- macro: app_php_fpm
|
||
|
condition: container and container.image contains "fpm"
|
||
|
|
||
|
# Considering any inbound network connection suspect
|
||
|
- rule: Unexpected inbound connection php_fpm
|
||
|
desc: Detect any inbound connection arriving at php_fpm
|
||
|
condition: inbound and evt.rawres >= 0 and app_php_fpm
|
||
|
output: Unexpected inbound connection arriving at php_fpm (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name %container.info image=%container.image)
|
||
|
priority: NOTICE
|
||
|
|
||
|
# Restricting listening ports to selected set
|
||
|
|
||
|
- list: php_fpm_allowed_inbound_ports_tcp
|
||
|
items: [80, 443]
|
||
|
|
||
|
- rule: Unexpected inbound tcp connection php_fpm
|
||
|
desc: Detect inbound traffic to php_fpm using tcp on a port outside of expected set
|
||
|
condition: inbound and evt.rawres >= 0 and not fd.sport in (php_fpm_allowed_inbound_ports_tcp) and app_php_fpm
|
||
|
output: Inbound network connection to php_fpm on unexpected port (command=%proc.cmdline pid=%proc.pid connection=%fd.name sport=%fd.sport user=%user.name %container.info image=%container.image)
|
||
|
priority: NOTICE
|
||
|
|
||
|
# Restricting spawned processes to selected set
|
||
|
|
||
|
- list: php_fpm_allowed_processes
|
||
|
items: ["/usr/bin/python2", "nginx", "nginx: master process /usr/sbin/nginx -g daemon off; error_log /dev/stderr info;", "nginx: worker process", "php-fpm", "php-fpm: pool www"]
|
||
|
|
||
|
- rule: Unexpected spawned process php_fpm
|
||
|
desc: Detect a process started in a php_fpm container outside of an expected set
|
||
|
condition: spawned_process and not proc.name in (php_fpm_allowed_processes) and app_php_fpm
|
||
|
output: Unexpected process spawned in php_fpm container (command=%proc.cmdline pid=%proc.pid user=%user.name %container.info image=%container.image)
|
||
|
priority: NOTICE
|
||
|
|
||
|
# Restricting files read or written to specific set
|
||
|
|
||
|
- list: php_fpm_allowed_file_prefixes_readonly
|
||
|
items: ["/dev", "/var/www/errors"]
|
||
|
|
||
|
- rule: Unexpected file access readonly for php_fpm
|
||
|
desc: Detect an attempt to access a file readonly other than below an expected list of directories
|
||
|
condition: (open_read and evt.is_open_write=false) and not fd.name pmatch (php_fpm_allowed_file_prefixes_readonly) and app_php_fpm
|
||
|
output: Unexpected file accessed readonly for php_fpm (command=%proc.cmdline pid=%proc.pid file=%fd.name %container.info image=%container.image)
|
||
|
priority: NOTICE
|
||
|
|
||
|
- list: php_fpm_allowed_file_prefixes_readwrite
|
||
|
items: ["/dev", "/tmp", "/usr/local/var/log"]
|
||
|
|
||
|
- rule: Unexpected file access readwrite for php_fpm
|
||
|
desc: Detect an attempt to access a file readwrite other than below an expected list of directories
|
||
|
condition: (open_write) and not fd.name pmatch (php_fpm_allowed_file_prefixes_readwrite) and app_php_fpm
|
||
|
output: Unexpected file accessed readwrite for php_fpm (command=%proc.cmdline pid=%proc.pid file=%fd.name %container.info image=%container.image)
|
||
|
priority: NOTICE
|
||
|
|
||
|
postgres.yaml: |-
|
||
|
- macro: postgres_consider_syscalls
|
||
|
condition: (evt.num < 0)
|
||
|
|
||
|
- macro: app_postgres
|
||
|
condition: container and container.image contains "postgres"
|
||
|
|
||
|
- list: postgres_allowed_inbound_ports_tcp
|
||
|
items: [5432]
|
||
|
|
||
|
- rule: Unexpected inbound tcp connection postgres
|
||
|
desc: Detect inbound traffic to postgres using tcp on a port outside of expected set
|
||
|
condition: inbound and evt.rawres >= 0 and not fd.sport in (postgres_allowed_inbound_ports_tcp) and app_postgres
|
||
|
output: Inbound network connection to postgres on unexpected port (command=%proc.cmdline pid=%proc.pid connection=%fd.name sport=%fd.sport user=%user.name %container.info image=%container.image)
|
||
|
priority: NOTICE
|
||
|
|
||
|
# Restricting spawned processes to selected set
|
||
|
|
||
|
- list: postgres_allowed_processes
|
||
|
items: ["/proc/self/exe", "pg_isready", "postgres", "psql", "postgres: autovacuum launcher process", "pg_ctl" , "postgres: checkpointer process ", "postgres: stats collector process ", "postgres: wal writer process ", "postgres: writer process ", "sh"]
|
||
|
|
||
|
- rule: Unexpected spawned process postgres
|
||
|
desc: Detect a process started in a postgres container outside of an expected set
|
||
|
condition: spawned_process and not proc.name in (postgres_allowed_processes) and app_postgres
|
||
|
output: Unexpected process spawned in postgres container (command=%proc.cmdline pid=%proc.pid user=%user.name %container.info image=%container.image)
|
||
|
priority: NOTICE
|
||
|
|
||
|
# Restricting files read or written to specific set
|
||
|
|
||
|
- list: postgres_allowed_file_prefixes_readonly
|
||
|
items: ["/dev", "/etc", "/lib/x86_64-linux-gnu", "/usr/lib/locale", "/usr/lib/x86_64-linux-gnu", "/usr/share/locale", "/var/lib/postgresql/data", "/usr/share/zoneinfo", "/var/lib/postgresql", "/usr/lib/postgresql", "/usr/share/postgresql", "/var/run/postgresql"]
|
||
|
|
||
|
- rule: Unexpected file access readonly for postgres
|
||
|
desc: Detect an attempt to access a file readonly other than below an expected list of directories
|
||
|
condition: (open_read and evt.is_open_write=false) and not fd.name pmatch (postgres_allowed_file_prefixes_readonly) and app_postgres
|
||
|
output: Unexpected file accessed readonly for postgres (command=%proc.cmdline pid=%proc.pid file=%fd.name %container.info image=%container.image)
|
||
|
priority: NOTICE
|
||
|
|
||
|
- list: postgres_allowed_file_prefixes_readwrite
|
||
|
items: ["/var/lib/postgresql/data", "/var/run/postgresql"]
|
||
|
|
||
|
- rule: Unexpected file access readwrite for postgres
|
||
|
desc: Detect an attempt to access a file readwrite other than below an expected list of directories
|
||
|
condition: (open_write) and not fd.name pmatch (postgres_allowed_file_prefixes_readwrite) and app_postgres
|
||
|
output: Unexpected file accessed readwrite for postgres (command=%proc.cmdline pid=%proc.pid file=%fd.name %container.info image=%container.image)
|
||
|
priority: NOTICE
|
||
|
|
||
|
# For OpenShit
|
||
|
scc:
|
||
|
create: false
|