From e25826794ef413cd85b4693899ebd4d11f5dc635 Mon Sep 17 00:00:00 2001
From: nold
Date: Sun, 28 Nov 2021 22:01:28 +0100
Subject: [PATCH] Delete: Falco

---
projects/falco/project.yml | 8 --
projects/falco/values/falco.yaml | 219 -------------------------------
2 files changed, 227 deletions(-)
delete mode 100644 projects/falco/project.yml
delete mode 100644 projects/falco/values/falco.yaml

diff --git a/projects/falco/project.yml b/projects/falco/project.yml
deleted file mode 100644
index ab0689d4..00000000
--- a/projects/falco/project.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-config:
- description: Falco Security
-apps:
-- name: falco
- disabled: true
- repoURL: https://falcosecurity.github.io/charts
- chart: falco
- targetRevision: 1.16.0
diff --git a/projects/falco/values/falco.yaml b/projects/falco/values/falco.yaml
deleted file mode 100644
index 19ded07d..00000000
--- a/projects/falco/values/falco.yaml
+++ /dev/null
@@ -1,219 +0,0 @@
-docker:
- enabled: false
-
-podSecurityPolicy:
- create: false
-
-containerd:
- enabled: true
-
-#extraArgs:
-# - --disable-cri-async
-
-falco:
- timeFormatISO8601: true
- grpc:
- enabled: true
- grpcOutput:
- enabled: false
-
-falcosidekick:
- enabled: true
- replicaCount: 1
- podSecurityPolicy:
- create: true
-
- webui:
- enabled: true
- retention: 200
- darkmode: true
- podSecurityPolicy:
- create: true
- ingress:
- enabled: true
- annotations:
- cert-manager.io/cluster-issuer: vault-issuer
- hosts:
- - host: falco.dc
- paths: ["/ui", "/events", "/healthz", "/ws"]
- tls:
- - secretName: falcosidekick-tls
- hosts:
- - falco.dc
-
-customRules:
- rule_exceptions.yaml: |-
- - rule: Contact K8S API Server From Container
- exceptions:
- - name: proc_filenames
- value:
- - argocd-applicat
- append: true
- - rule: Write below root
- exceptions:
- - name: container
- value: [ host ]
- append: true
- - rule: Read sensitive file untrusted
- exceptions:
- - name: container
- value: [ host ]
- append: true
- - rule: Non sudo setuid
- exceptions:
- - name: container
- value: [ host ]
- append: true
- nginx_rules.yaml: |-
- - macro: nginx_consider_syscalls
- condition: (evt.num < 0)
- - macro: app_nginx
- condition: container and container.image contains "nginx"
- # Any outbound traffic raises a WARNING
- - rule: Unauthorized process opened an outbound connection (nginx)
- desc: A nginx process tried to open an outbound connection and is not whitelisted
- condition: outbound and evt.rawres >= 0 and app_nginx
- output: Non-whitelisted process opened an outbound connection (command=%proc.cmdline connection=%fd.name)
- priority: WARNING
- # Restricting listening ports to selected set
- - list: nginx_allowed_inbound_ports_tcp
- items: [80, 443, 8080, 8443]
- - rule: Unexpected inbound tcp connection nginx
- desc: Detect inbound traffic to nginx using tcp on a port outside of expected set
- condition: inbound and evt.rawres >= 0 and not fd.sport in (nginx_allowed_inbound_ports_tcp) and app_nginx
- output: Inbound network connection to nginx on unexpected port (command=%proc.cmdline pid=%proc.pid connection=%fd.name sport=%fd.sport user=%user.name %container.info image=%container.image)
- priority: NOTICE
- # Restricting spawned processes to selected set
- - list: nginx_allowed_processes
- items: ["nginx", "app-entrypoint.", "basename", "dirname", "grep", "nami", "node", "tini"]
- - rule: Unexpected spawned process nginx
- desc: Detect a process started in a nginx container outside of an expected set
- condition: spawned_process and not proc.name in (nginx_allowed_processes) and app_nginx
- output: Unexpected process spawned in nginx container (command=%proc.cmdline pid=%proc.pid user=%user.name %container.info image=%container.image)
- priority: NOTICE
- # Restricting files read or written to specific set
- - list: nginx_allowed_file_prefixes_readwrite
- items: ["/var/log/nginx", "/var/run"]
- # Remember to add your nginx cache path
-
- - rule: Unexpected file access readwrite for nginx
- desc: Detect an attempt to access a file readwrite other than below an expected list of directories
- condition: (open_write) and not fd.name pmatch (nginx_allowed_file_prefixes_readwrite) and app_nginx
- output: Unexpected file accessed readwrite for nginx (command=%proc.cmdline pid=%proc.pid file=%fd.name %container.info image=%container.image)
- priority: NOTICE
- # Restricting syscalls to selected set
- - list: nginx_allowed_syscalls
- items: [accept, bind, clone, connect, dup, listen, mkdir, open, recvfrom, recvmsg, sendto, setgid, setuid, socket, socketpair]
- - rule: Unexpected syscall nginx
- desc: Detect a syscall in a nginx container outside of an expected set
- condition: nginx_consider_syscalls and not evt.type in ("", nginx_allowed_syscalls) and app_nginx
- output: Unexpected syscall in nginx container (command=%proc.cmdline pid=%proc.pid user=%user.name syscall=%evt.type args=%evt.args %container.info image=%container.image)
- priority: NOTICE
- warn_evttypes: False
-
- php_fpm.yaml: |-
- - macro: php_fpm_consider_syscalls
- condition: (evt.num < 0)
-
- - macro: app_php_fpm
- condition: container and container.image contains "fpm"
-
- # Considering any inbound network connection suspect
- - rule: Unexpected inbound connection php_fpm
- desc: Detect any inbound connection arriving at php_fpm
- condition: inbound and evt.rawres >= 0 and app_php_fpm
- output: Unexpected inbound connection arriving at php_fpm (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name %container.info image=%container.image)
- priority: NOTICE
-
- # Restricting listening ports to selected set
-
- - list: php_fpm_allowed_inbound_ports_tcp
- items: [80, 443]
-
- - rule: Unexpected inbound tcp connection php_fpm
- desc: Detect inbound traffic to php_fpm using tcp on a port outside of expected set
- condition: inbound and evt.rawres >= 0 and not fd.sport in (php_fpm_allowed_inbound_ports_tcp) and app_php_fpm
- output: Inbound network connection to php_fpm on unexpected port (command=%proc.cmdline pid=%proc.pid connection=%fd.name sport=%fd.sport user=%user.name %container.info image=%container.image)
- priority: NOTICE
-
- # Restricting spawned processes to selected set
-
- - list: php_fpm_allowed_processes
- items: ["/usr/bin/python2", "nginx", "nginx: master process /usr/sbin/nginx -g daemon off; error_log /dev/stderr info;", "nginx: worker process", "php-fpm", "php-fpm: pool www"]
-
- - rule: Unexpected spawned process php_fpm
- desc: Detect a process started in a php_fpm container outside of an expected set
- condition: spawned_process and not proc.name in (php_fpm_allowed_processes) and app_php_fpm
- output: Unexpected process spawned in php_fpm container (command=%proc.cmdline pid=%proc.pid user=%user.name %container.info image=%container.image)
- priority: NOTICE
-
- # Restricting files read or written to specific set
-
- - list: php_fpm_allowed_file_prefixes_readonly
- items: ["/dev", "/var/www/errors"]
-
- - rule: Unexpected file access readonly for php_fpm
- desc: Detect an attempt to access a file readonly other than below an expected list of directories
- condition: (open_read and evt.is_open_write=false) and not fd.name pmatch (php_fpm_allowed_file_prefixes_readonly) and app_php_fpm
- output: Unexpected file accessed readonly for php_fpm (command=%proc.cmdline pid=%proc.pid file=%fd.name %container.info image=%container.image)
- priority: NOTICE
-
- - list: php_fpm_allowed_file_prefixes_readwrite
- items: ["/dev", "/tmp", "/usr/local/var/log"]
-
- - rule: Unexpected file access readwrite for php_fpm
- desc: Detect an attempt to access a file readwrite other than below an expected list of directories
- condition: (open_write) and not fd.name pmatch (php_fpm_allowed_file_prefixes_readwrite) and app_php_fpm
- output: Unexpected file accessed readwrite for php_fpm (command=%proc.cmdline pid=%proc.pid file=%fd.name %container.info image=%container.image)
- priority: NOTICE
-
- postgres.yaml: |-
- - macro: postgres_consider_syscalls
- condition: (evt.num < 0)
-
- - macro: app_postgres
- condition: container and container.image contains "postgres"
-
- - list: postgres_allowed_inbound_ports_tcp
- items: [5432]
-
- - rule: Unexpected inbound tcp connection postgres
- desc: Detect inbound traffic to postgres using tcp on a port outside of expected set
- condition: inbound and evt.rawres >= 0 and not fd.sport in (postgres_allowed_inbound_ports_tcp) and app_postgres
- output: Inbound network connection to postgres on unexpected port (command=%proc.cmdline pid=%proc.pid connection=%fd.name sport=%fd.sport user=%user.name %container.info image=%container.image)
- priority: NOTICE
-
- # Restricting spawned processes to selected set
-
- - list: postgres_allowed_processes
- items: ["/proc/self/exe", "pg_isready", "postgres", "psql", "postgres: autovacuum launcher process", "pg_ctl" , "postgres: checkpointer process ", "postgres: stats collector process ", "postgres: wal writer process ", "postgres: writer process ", "sh"]
-
- - rule: Unexpected spawned process postgres
- desc: Detect a process started in a postgres container outside of an expected set
- condition: spawned_process and not proc.name in (postgres_allowed_processes) and app_postgres
- output: Unexpected process spawned in postgres container (command=%proc.cmdline pid=%proc.pid user=%user.name %container.info image=%container.image)
- priority: NOTICE
-
- # Restricting files read or written to specific set
-
- - list: postgres_allowed_file_prefixes_readonly
- items: ["/dev", "/etc", "/lib/x86_64-linux-gnu", "/usr/lib/locale", "/usr/lib/x86_64-linux-gnu", "/usr/share/locale", "/var/lib/postgresql/data", "/usr/share/zoneinfo", "/var/lib/postgresql", "/usr/lib/postgresql", "/usr/share/postgresql", "/var/run/postgresql"]
-
- - rule: Unexpected file access readonly for postgres
- desc: Detect an attempt to access a file readonly other than below an expected list of directories
- condition: (open_read and evt.is_open_write=false) and not fd.name pmatch (postgres_allowed_file_prefixes_readonly) and app_postgres
- output: Unexpected file accessed readonly for postgres (command=%proc.cmdline pid=%proc.pid file=%fd.name %container.info image=%container.image)
- priority: NOTICE
-
- - list: postgres_allowed_file_prefixes_readwrite
- items: ["/var/lib/postgresql/data", "/var/run/postgresql"]
-
- - rule: Unexpected file access readwrite for postgres
- desc: Detect an attempt to access a file readwrite other than below an expected list of directories
- condition: (open_write) and not fd.name pmatch (postgres_allowed_file_prefixes_readwrite) and app_postgres
- output: Unexpected file accessed readwrite for postgres (command=%proc.cmdline pid=%proc.pid file=%fd.name %container.info image=%container.image)
- priority: NOTICE
-
-# For OpenShit
-scc:
- create: false