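# Values for a Falco Helm deployment: runtime socket / driver settings, gRPC,
# the falcosidekick subchart (web UI behind a TLS ingress) and custom rule
# files that are appended to the upstream ruleset.

# Container runtime sockets Falco is pointed at: docker off, containerd on.
docker:
  enabled: false

# No PodSecurityPolicy is created for the Falco pods themselves; the
# falcosidekick pods below do create theirs.
podSecurityPolicy:
  create: false

containerd:
  enabled: true
  #extraArgs:
  # - --disable-cri-async

falco:
  # ISO 8601 timestamps in emitted events.
  timeFormatISO8601: true
  # gRPC server is on, but the gRPC *output* is off — presumably the chart
  # wires falcosidekick through another output; confirm before relying on
  # gRPC consumers.
  grpc:
    enabled: true
  grpcOutput:
    enabled: false

falcosidekick:
  enabled: true
  replicaCount: 1
  podSecurityPolicy:
    create: true
  webui:
    enabled: true
    retention: 200  # presumably the number of events the UI keeps — check the subchart
    darkmode: true
    podSecurityPolicy:
      create: true
    ingress:
      enabled: true
      # Certificate is requested from cert-manager's "vault-issuer"
      # ClusterIssuer and stored in the secret named under tls below.
      annotations:
        cert-manager.io/cluster-issuer: vault-issuer
      hosts:
        - host: falco.dc
          paths: ["/ui", "/events", "/healthz", "/ws"]
      tls:
        - secretName: falcosidekick-tls
          hosts:
            - falco.dc

# Each key is a rules file handed to Falco; the block scalar is its body,
# so everything below the `|-` is Falco rules YAML, not chart values.
customRules:
  # Appends exceptions to four upstream rules. The `container` exceptions
  # with value `host` presumably exempt events happening outside any
  # container (host namespace) — confirm against the upstream exception
  # definitions, because they silence those rules for host processes.
  # `argocd-applicat` looks like a comm-truncated (15 char) proc.name for
  # argocd-application-controller rather than a typo.
  rule_exceptions.yaml: |-
    - rule: Contact K8S API Server From Container
      exceptions:
        - name: proc_filenames
          value:
            - argocd-applicat
      append: true
    - rule: Write below root
      exceptions:
        - name: container
          value: [ host ]
      append: true
    - rule: Read sensitive file untrusted
      exceptions:
        - name: container
          value: [ host ]
      append: true
    - rule: Non sudo setuid
      exceptions:
        - name: container
          value: [ host ]
      append: true
  # nginx profile: any outbound connection is a WARNING; inbound ports,
  # spawned processes, read-write file prefixes and syscalls are allow-listed.
  # app_nginx is a substring match on the image name, so every image whose
  # name merely contains "nginx" is covered by these rules.
  nginx_rules.yaml: |-
    - macro: nginx_consider_syscalls
      condition: (evt.num < 0)
    - macro: app_nginx
      condition: container and container.image contains "nginx"
    # Any outbound traffic raises a WARNING
    - rule: Unauthorized process opened an outbound connection (nginx)
      desc: A nginx process tried to open an outbound connection and is not whitelisted
      condition: outbound and evt.rawres >= 0 and app_nginx
      output: Non-whitelisted process opened an outbound connection (command=%proc.cmdline connection=%fd.name)
      priority: WARNING
    # Restricting listening ports to selected set
    - list: nginx_allowed_inbound_ports_tcp
      items: [80, 443, 8080, 8443]
    - rule: Unexpected inbound tcp connection nginx
      desc: Detect inbound traffic to nginx using tcp on a port outside of expected set
      condition: inbound and evt.rawres >= 0 and not fd.sport in (nginx_allowed_inbound_ports_tcp) and app_nginx
      output: Inbound network connection to nginx on unexpected port (command=%proc.cmdline pid=%proc.pid connection=%fd.name sport=%fd.sport user=%user.name %container.info image=%container.image)
      priority: NOTICE
    # Restricting spawned processes to selected set
    - list: nginx_allowed_processes
      items: ["nginx", "app-entrypoint.", "basename", "dirname", "grep", "nami", "node", "tini"]
    - rule: Unexpected spawned process nginx
      desc: Detect a process started in a nginx container outside of an expected set
      condition: spawned_process and not proc.name in (nginx_allowed_processes) and app_nginx
      output: Unexpected process spawned in nginx container (command=%proc.cmdline pid=%proc.pid user=%user.name %container.info image=%container.image)
      priority: NOTICE
    # Restricting files read or written to specific set
    - list: nginx_allowed_file_prefixes_readwrite
      items: ["/var/log/nginx", "/var/run"]
    # Remember to add your nginx cache path
    - rule: Unexpected file access readwrite for nginx
      desc: Detect an attempt to access a file readwrite other than below an expected list of directories
      condition: (open_write) and not fd.name pmatch (nginx_allowed_file_prefixes_readwrite) and app_nginx
      output: Unexpected file accessed readwrite for nginx (command=%proc.cmdline pid=%proc.pid file=%fd.name %container.info image=%container.image)
      priority: NOTICE
    # Restricting syscalls to selected set
    - list: nginx_allowed_syscalls
      items: [accept, bind, clone, connect, dup, listen, mkdir, open, recvfrom, recvmsg, sendto, setgid, setuid, socket, socketpair]
    - rule: Unexpected syscall nginx
      desc: Detect a syscall in a nginx container outside of an expected set
      condition: nginx_consider_syscalls and not evt.type in ("", nginx_allowed_syscalls) and app_nginx
      output: Unexpected syscall in nginx container (command=%proc.cmdline pid=%proc.pid user=%user.name syscall=%evt.type args=%evt.args %container.info image=%container.image)
      priority: NOTICE
      warn_evttypes: False
  # php-fpm profile: every inbound connection is reported, plus allow-lists
  # for inbound ports, spawned processes and read-only / read-write file
  # prefixes. app_php_fpm is again a substring match on the image name.
  php_fpm.yaml: |-
    - macro: php_fpm_consider_syscalls
      condition: (evt.num < 0)
    - macro: app_php_fpm
      condition: container and container.image contains "fpm"
    # Considering any inbound network connection suspect
    - rule: Unexpected inbound connection php_fpm
      desc: Detect any inbound connection arriving at php_fpm
      condition: inbound and evt.rawres >= 0 and app_php_fpm
      output: Unexpected inbound connection arriving at php_fpm (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name %container.info image=%container.image)
      priority: NOTICE
    # Restricting listening ports to selected set
    - list: php_fpm_allowed_inbound_ports_tcp
      items: [80, 443]
    - rule: Unexpected inbound tcp connection php_fpm
      desc: Detect inbound traffic to php_fpm using tcp on a port outside of expected set
      condition: inbound and evt.rawres >= 0 and not fd.sport in (php_fpm_allowed_inbound_ports_tcp) and app_php_fpm
      output: Inbound network connection to php_fpm on unexpected port (command=%proc.cmdline pid=%proc.pid connection=%fd.name sport=%fd.sport user=%user.name %container.info image=%container.image)
      priority: NOTICE
    # Restricting spawned processes to selected set
    - list: php_fpm_allowed_processes
      items: ["/usr/bin/python2", "nginx", "nginx: master process /usr/sbin/nginx -g daemon off; error_log /dev/stderr info;", "nginx: worker process", "php-fpm", "php-fpm: pool www"]
    - rule: Unexpected spawned process php_fpm
      desc: Detect a process started in a php_fpm container outside of an expected set
      condition: spawned_process and not proc.name in (php_fpm_allowed_processes) and app_php_fpm
      output: Unexpected process spawned in php_fpm container (command=%proc.cmdline pid=%proc.pid user=%user.name %container.info image=%container.image)
      priority: NOTICE
    # Restricting files read or written to specific set
    - list: php_fpm_allowed_file_prefixes_readonly
      items: ["/dev", "/var/www/errors"]
    - rule: Unexpected file access readonly for php_fpm
      desc: Detect an attempt to access a file readonly other than below an expected list of directories
      condition: (open_read and evt.is_open_write=false) and not fd.name pmatch (php_fpm_allowed_file_prefixes_readonly) and app_php_fpm
      output: Unexpected file accessed readonly for php_fpm (command=%proc.cmdline pid=%proc.pid file=%fd.name %container.info image=%container.image)
      priority: NOTICE
    - list: php_fpm_allowed_file_prefixes_readwrite
      items: ["/dev", "/tmp", "/usr/local/var/log"]
    - rule: Unexpected file access readwrite for php_fpm
      desc: Detect an attempt to access a file readwrite other than below an expected list of directories
      condition: (open_write) and not fd.name pmatch (php_fpm_allowed_file_prefixes_readwrite) and app_php_fpm
      output: Unexpected file accessed readwrite for php_fpm (command=%proc.cmdline pid=%proc.pid file=%fd.name %container.info image=%container.image)
      priority: NOTICE
  # postgres profile: allow-lists for inbound port 5432, spawned processes
  # and read-only / read-write file prefixes. Several process names carry a
  # trailing space on purpose — they match how postgres rewrites its argv.
  postgres.yaml: |-
    - macro: postgres_consider_syscalls
      condition: (evt.num < 0)
    - macro: app_postgres
      condition: container and container.image contains "postgres"
    - list: postgres_allowed_inbound_ports_tcp
      items: [5432]
    - rule: Unexpected inbound tcp connection postgres
      desc: Detect inbound traffic to postgres using tcp on a port outside of expected set
      condition: inbound and evt.rawres >= 0 and not fd.sport in (postgres_allowed_inbound_ports_tcp) and app_postgres
      output: Inbound network connection to postgres on unexpected port (command=%proc.cmdline pid=%proc.pid connection=%fd.name sport=%fd.sport user=%user.name %container.info image=%container.image)
      priority: NOTICE
    # Restricting spawned processes to selected set
    - list: postgres_allowed_processes
      items: ["/proc/self/exe", "pg_isready", "postgres", "psql", "postgres: autovacuum launcher process", "pg_ctl" , "postgres: checkpointer process ", "postgres: stats collector process ", "postgres: wal writer process ", "postgres: writer process ", "sh"]
    - rule: Unexpected spawned process postgres
      desc: Detect a process started in a postgres container outside of an expected set
      condition: spawned_process and not proc.name in (postgres_allowed_processes) and app_postgres
      output: Unexpected process spawned in postgres container (command=%proc.cmdline pid=%proc.pid user=%user.name %container.info image=%container.image)
      priority: NOTICE
    # Restricting files read or written to specific set
    - list: postgres_allowed_file_prefixes_readonly
      items: ["/dev", "/etc", "/lib/x86_64-linux-gnu", "/usr/lib/locale", "/usr/lib/x86_64-linux-gnu", "/usr/share/locale", "/var/lib/postgresql/data", "/usr/share/zoneinfo", "/var/lib/postgresql", "/usr/lib/postgresql", "/usr/share/postgresql", "/var/run/postgresql"]
    - rule: Unexpected file access readonly for postgres
      desc: Detect an attempt to access a file readonly other than below an expected list of directories
      condition: (open_read and evt.is_open_write=false) and not fd.name pmatch (postgres_allowed_file_prefixes_readonly) and app_postgres
      output: Unexpected file accessed readonly for postgres (command=%proc.cmdline pid=%proc.pid file=%fd.name %container.info image=%container.image)
      priority: NOTICE
    - list: postgres_allowed_file_prefixes_readwrite
      items: ["/var/lib/postgresql/data", "/var/run/postgresql"]
    - rule: Unexpected file access readwrite for postgres
      desc: Detect an attempt to access a file readwrite other than below an expected list of directories
      condition: (open_write) and not fd.name pmatch (postgres_allowed_file_prefixes_readwrite) and app_postgres
      output: Unexpected file accessed readwrite for postgres (command=%proc.cmdline pid=%proc.pid file=%fd.name %container.info image=%container.image)
      priority: NOTICE

# For OpenShift: no SecurityContextConstraints object is created.
scc:
  create: false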