Delete: Falco

This commit is contained in:
nold 2021-11-28 22:01:28 +01:00
parent bcf7b46d1c
commit e25826794e
2 changed files with 0 additions and 227 deletions

View file

@ -1,8 +0,0 @@
config:
description: Falco Security
apps:
- name: falco
disabled: true
repoURL: https://falcosecurity.github.io/charts
chart: falco
targetRevision: 1.16.0

View file

@ -1,219 +0,0 @@
docker:
enabled: false
podSecurityPolicy:
create: false
containerd:
enabled: true
#extraArgs:
# - --disable-cri-async
falco:
timeFormatISO8601: true
grpc:
enabled: true
grpcOutput:
enabled: false
falcosidekick:
enabled: true
replicaCount: 1
podSecurityPolicy:
create: true
webui:
enabled: true
retention: 200
darkmode: true
podSecurityPolicy:
create: true
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: vault-issuer
hosts:
- host: falco.dc
paths: ["/ui", "/events", "/healthz", "/ws"]
tls:
- secretName: falcosidekick-tls
hosts:
- falco.dc
customRules:
rule_exceptions.yaml: |-
- rule: Contact K8S API Server From Container
exceptions:
- name: proc_filenames
value:
- argocd-applicat
append: true
- rule: Write below root
exceptions:
- name: container
value: [ host ]
append: true
- rule: Read sensitive file untrusted
exceptions:
- name: container
value: [ host ]
append: true
- rule: Non sudo setuid
exceptions:
- name: container
value: [ host ]
append: true
nginx_rules.yaml: |-
- macro: nginx_consider_syscalls
condition: (evt.num < 0)
- macro: app_nginx
condition: container and container.image contains "nginx"
# Any outbound traffic raises a WARNING
- rule: Unauthorized process opened an outbound connection (nginx)
desc: A nginx process tried to open an outbound connection and is not whitelisted
condition: outbound and evt.rawres >= 0 and app_nginx
output: Non-whitelisted process opened an outbound connection (command=%proc.cmdline connection=%fd.name)
priority: WARNING
# Restricting listening ports to selected set
- list: nginx_allowed_inbound_ports_tcp
items: [80, 443, 8080, 8443]
- rule: Unexpected inbound tcp connection nginx
desc: Detect inbound traffic to nginx using tcp on a port outside of expected set
condition: inbound and evt.rawres >= 0 and not fd.sport in (nginx_allowed_inbound_ports_tcp) and app_nginx
output: Inbound network connection to nginx on unexpected port (command=%proc.cmdline pid=%proc.pid connection=%fd.name sport=%fd.sport user=%user.name %container.info image=%container.image)
priority: NOTICE
# Restricting spawned processes to selected set
- list: nginx_allowed_processes
items: ["nginx", "app-entrypoint.", "basename", "dirname", "grep", "nami", "node", "tini"]
- rule: Unexpected spawned process nginx
desc: Detect a process started in a nginx container outside of an expected set
condition: spawned_process and not proc.name in (nginx_allowed_processes) and app_nginx
output: Unexpected process spawned in nginx container (command=%proc.cmdline pid=%proc.pid user=%user.name %container.info image=%container.image)
priority: NOTICE
# Restricting files read or written to specific set
- list: nginx_allowed_file_prefixes_readwrite
items: ["/var/log/nginx", "/var/run"]
# Remember to add your nginx cache path
- rule: Unexpected file access readwrite for nginx
desc: Detect an attempt to access a file readwrite other than below an expected list of directories
condition: (open_write) and not fd.name pmatch (nginx_allowed_file_prefixes_readwrite) and app_nginx
output: Unexpected file accessed readwrite for nginx (command=%proc.cmdline pid=%proc.pid file=%fd.name %container.info image=%container.image)
priority: NOTICE
# Restricting syscalls to selected set
- list: nginx_allowed_syscalls
items: [accept, bind, clone, connect, dup, listen, mkdir, open, recvfrom, recvmsg, sendto, setgid, setuid, socket, socketpair]
- rule: Unexpected syscall nginx
desc: Detect a syscall in a nginx container outside of an expected set
condition: nginx_consider_syscalls and not evt.type in ("<unknown>", nginx_allowed_syscalls) and app_nginx
output: Unexpected syscall in nginx container (command=%proc.cmdline pid=%proc.pid user=%user.name syscall=%evt.type args=%evt.args %container.info image=%container.image)
priority: NOTICE
warn_evttypes: False
php_fpm.yaml: |-
- macro: php_fpm_consider_syscalls
condition: (evt.num < 0)
- macro: app_php_fpm
condition: container and container.image contains "fpm"
# Considering any inbound network connection suspect
- rule: Unexpected inbound connection php_fpm
desc: Detect any inbound connection arriving at php_fpm
condition: inbound and evt.rawres >= 0 and app_php_fpm
output: Unexpected inbound connection arriving at php_fpm (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name %container.info image=%container.image)
priority: NOTICE
# Restricting listening ports to selected set
- list: php_fpm_allowed_inbound_ports_tcp
items: [80, 443]
- rule: Unexpected inbound tcp connection php_fpm
desc: Detect inbound traffic to php_fpm using tcp on a port outside of expected set
condition: inbound and evt.rawres >= 0 and not fd.sport in (php_fpm_allowed_inbound_ports_tcp) and app_php_fpm
output: Inbound network connection to php_fpm on unexpected port (command=%proc.cmdline pid=%proc.pid connection=%fd.name sport=%fd.sport user=%user.name %container.info image=%container.image)
priority: NOTICE
# Restricting spawned processes to selected set
- list: php_fpm_allowed_processes
items: ["/usr/bin/python2", "nginx", "nginx: master process /usr/sbin/nginx -g daemon off; error_log /dev/stderr info;", "nginx: worker process", "php-fpm", "php-fpm: pool www"]
- rule: Unexpected spawned process php_fpm
desc: Detect a process started in a php_fpm container outside of an expected set
condition: spawned_process and not proc.name in (php_fpm_allowed_processes) and app_php_fpm
output: Unexpected process spawned in php_fpm container (command=%proc.cmdline pid=%proc.pid user=%user.name %container.info image=%container.image)
priority: NOTICE
# Restricting files read or written to specific set
- list: php_fpm_allowed_file_prefixes_readonly
items: ["/dev", "/var/www/errors"]
- rule: Unexpected file access readonly for php_fpm
desc: Detect an attempt to access a file readonly other than below an expected list of directories
condition: (open_read and evt.is_open_write=false) and not fd.name pmatch (php_fpm_allowed_file_prefixes_readonly) and app_php_fpm
output: Unexpected file accessed readonly for php_fpm (command=%proc.cmdline pid=%proc.pid file=%fd.name %container.info image=%container.image)
priority: NOTICE
- list: php_fpm_allowed_file_prefixes_readwrite
items: ["/dev", "/tmp", "/usr/local/var/log"]
- rule: Unexpected file access readwrite for php_fpm
desc: Detect an attempt to access a file readwrite other than below an expected list of directories
condition: (open_write) and not fd.name pmatch (php_fpm_allowed_file_prefixes_readwrite) and app_php_fpm
output: Unexpected file accessed readwrite for php_fpm (command=%proc.cmdline pid=%proc.pid file=%fd.name %container.info image=%container.image)
priority: NOTICE
postgres.yaml: |-
- macro: postgres_consider_syscalls
condition: (evt.num < 0)
- macro: app_postgres
condition: container and container.image contains "postgres"
- list: postgres_allowed_inbound_ports_tcp
items: [5432]
- rule: Unexpected inbound tcp connection postgres
desc: Detect inbound traffic to postgres using tcp on a port outside of expected set
condition: inbound and evt.rawres >= 0 and not fd.sport in (postgres_allowed_inbound_ports_tcp) and app_postgres
output: Inbound network connection to postgres on unexpected port (command=%proc.cmdline pid=%proc.pid connection=%fd.name sport=%fd.sport user=%user.name %container.info image=%container.image)
priority: NOTICE
# Restricting spawned processes to selected set
- list: postgres_allowed_processes
items: ["/proc/self/exe", "pg_isready", "postgres", "psql", "postgres: autovacuum launcher process", "pg_ctl" , "postgres: checkpointer process ", "postgres: stats collector process ", "postgres: wal writer process ", "postgres: writer process ", "sh"]
- rule: Unexpected spawned process postgres
desc: Detect a process started in a postgres container outside of an expected set
condition: spawned_process and not proc.name in (postgres_allowed_processes) and app_postgres
output: Unexpected process spawned in postgres container (command=%proc.cmdline pid=%proc.pid user=%user.name %container.info image=%container.image)
priority: NOTICE
# Restricting files read or written to specific set
- list: postgres_allowed_file_prefixes_readonly
items: ["/dev", "/etc", "/lib/x86_64-linux-gnu", "/usr/lib/locale", "/usr/lib/x86_64-linux-gnu", "/usr/share/locale", "/var/lib/postgresql/data", "/usr/share/zoneinfo", "/var/lib/postgresql", "/usr/lib/postgresql", "/usr/share/postgresql", "/var/run/postgresql"]
- rule: Unexpected file access readonly for postgres
desc: Detect an attempt to access a file readonly other than below an expected list of directories
condition: (open_read and evt.is_open_write=false) and not fd.name pmatch (postgres_allowed_file_prefixes_readonly) and app_postgres
output: Unexpected file accessed readonly for postgres (command=%proc.cmdline pid=%proc.pid file=%fd.name %container.info image=%container.image)
priority: NOTICE
- list: postgres_allowed_file_prefixes_readwrite
items: ["/var/lib/postgresql/data", "/var/run/postgresql"]
- rule: Unexpected file access readwrite for postgres
desc: Detect an attempt to access a file readwrite other than below an expected list of directories
condition: (open_write) and not fd.name pmatch (postgres_allowed_file_prefixes_readwrite) and app_postgres
output: Unexpected file accessed readwrite for postgres (command=%proc.cmdline pid=%proc.pid file=%fd.name %container.info image=%container.image)
priority: NOTICE
# For OpenShit
scc:
create: false