Falco - kamialie/knowledge_corner GitHub Wiki

Falco

Runtime security tool for hosts, containers, Kubernetes and cloud environments. It consumes kernel syscalls (via a kernel module or eBPF probe) and, through plugins, other event sources such as Kubernetes audit logs, and raises an alert whenever an event matches one of its rules, e.g. privilege escalation, namespace changes, or reads/writes in well-known locations such as /etc or /usr/bin.

Rules

Rule examples (the list is defined before the rule that references it, which keeps the file loadable regardless of whether the Falco version in use resolves forward references):

- list: trusted_images
  items: [busybox]
- rule: write_below_etc
  desc: Detect attempts to write to any file within /etc or subdirectories
  condition: >
    (evt.type in (open, openat, openat2) and evt.is_open_write=true and fd.typechar="f" and fd.num>=0) and
    fd.name startswith /etc and
    not container.image.repository in (trusted_images)
  output: >
    File below /etc opened for writing (user=%user.name user_id=%user.uid
    process=%proc.name parent=%proc.pname command=%proc.cmdline file=%fd.name
    container=%container.id image=%container.image.repository)
  priority: ERROR
  tags: [filesystem, mitre_persistence, T1517.001]
- rule: curl_with_a_bearer_token
  desc: Detect curl being launched with a bearer token in an Authorization header
  condition: >
    evt.type in (execve, execveat) and evt.dir = < and
    proc.name = "curl" and
    proc.cmdline contains "Authorization: Bearer"
  output: >
    Detected curl using bearer token (user=%user.name parent=%proc.pname command=%proc.cmdline container=%container.id)
  priority: WARNING
  tags: [network, bearer, curl, token]
- rule: unauthorized_configmap_access
  desc: Detect unauthorized access to sensitive ConfigMaps
  condition: >
    kevt and
    ka.verb in (get, list) and
    ka.target.resource=configmaps and
    ka.target.labels.sensitive=true and
    not ka.user.name in (admin, kube-system, trusted-user) and
    not ka.user.groups contains "system:masters"
  output: >
    Unauthorized access to sensitive ConfigMaps detected. (user=%ka.user.name verb=%ka.verb namespace=%ka.target.namespace name=%ka.target.name)
  priority: CRITICAL
  source: k8s_audit

In write_below_etc, the first parenthesised group is Falco's standard open_write macro written out: evt.is_open_write=true checks that the open flags request write access, fd.typechar="f" restricts the match to regular files, and fd.num>=0 drops failed opens (the exit event of a failed open carries a negative return value, so no file was actually opened). tags are free-form labels; besides documenting what a rule relates to, they can select groups of rules at start-up (falco -t <tag> runs only rules with that tag, -T <tag> disables them). ka fields refer to the Kubernetes API audit event.

In curl_with_a_bearer_token, the condition is anchored on the exec exit event (evt.type in (execve, execveat) and evt.dir = <, the same test as the default rules' spawned_process macro) so it fires once per curl invocation instead of on every syscall whose arguments happen to contain the string. Two caveats: %proc.cmdline copies the full command line, token included, into the alert, so the secret ends up wherever alerts are shipped (drop it from output or mask it downstream if that matters), and the rule only sees headers written literally on the command line; curl --oauth2-bearer, -H @file or a -K config file pass the same header without that string appearing in the arguments.

kevt is a macro from Falco's bundled k8s_audit_rules.yaml, (jevt.value[/stage] in ("ResponseComplete")), so the rule fires once per request, on its completion stage, rather than on every stage the API server logs; it must be defined, e.g. by loading that rule file alongside this one, or the rule will not load. source: k8s_audit tells Falco that the rule applies to Kubernetes audit events (the k8saudit plugin in current Falco) rather than to syscalls; the source does not need repeating in the condition. ConfigMaps are filtered by a sensitive=true label; verify that every ka.* field used exists in the version in use with falco --list=k8s_audit, and bear in mind that a get/list audit entry only contains the object's labels when the audit policy records the response body (level RequestResponse), where the generic jevt.value[/responseObject/metadata/labels/sensitive] field reaches them.
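As an added example (not part of this wiki page nor Falco's own code), the unauthorized_configmap_access condition evaluated in Python over a few constructed Kubernetes audit log lines, to show which fields of the audit-event JSON the ka.* names and the kevt macro actually read, and why an event logged at audit level Metadata never satisfies a label test. The page's ka.target.labels.sensitive term is rendered as the generic jevt.value[/responseObject/metadata/labels/sensitive] lookup, which is an assumption about how that check would be expressed; the sample events, user names and ConfigMap names are constructed.

```python
import json

# Constructed Kubernetes audit log lines (kube-apiserver JSON log backend),
# trimmed to the fields the rule needs. Not real cluster data.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e, separators=(",", ":")) for e in [
    {   # unprivileged user reads a labelled ConfigMap: should alert
        "stage": "ResponseComplete", "verb": "get",
        "user": {"username": "dev-bob", "groups": ["developers", "system:authenticated"]},
        "objectRef": {"resource": "configmaps", "namespace": "prod", "name": "db-creds"},
        "responseObject": {"metadata": {"labels": {"sensitive": "true"}}},
    },
    {   # cluster admin via system:masters: excluded by the rule
        "stage": "ResponseComplete", "verb": "get",
        "user": {"username": "kubernetes-admin", "groups": ["system:masters"]},
        "objectRef": {"resource": "configmaps", "namespace": "prod", "name": "db-creds"},
        "responseObject": {"metadata": {"labels": {"sensitive": "true"}}},
    },
    {   # RequestReceived stage of the same call: kevt only matches ResponseComplete
        "stage": "RequestReceived", "verb": "get",
        "user": {"username": "dev-bob", "groups": ["developers"]},
        "objectRef": {"resource": "configmaps", "namespace": "prod", "name": "db-creds"},
    },
    {   # logged at audit level Metadata: no responseObject, so the label is invisible
        "stage": "ResponseComplete", "verb": "list",
        "user": {"username": "dev-bob", "groups": ["developers"]},
        "objectRef": {"resource": "configmaps", "namespace": "prod"},
    },
    {   # a Secret, not a ConfigMap: out of scope for this rule
        "stage": "ResponseComplete", "verb": "get",
        "user": {"username": "dev-bob", "groups": ["developers"]},
        "objectRef": {"resource": "secrets", "namespace": "prod", "name": "tls"},
        "responseObject": {"metadata": {"labels": {"sensitive": "true"}}},
    },
])

TRUSTED_USERS = {"admin", "kube-system", "trusted-user"}   # the rule's literal list


def ka_fields(event: dict) -> dict:
    """Map one audit event to the Falco fields the rule uses.

    ka.* names follow Falco's k8s audit field list. The label lookup uses the
    generic jevt.value[<json pointer>] form because labels only appear in the
    entry when the audit policy level is RequestResponse (assumption: the
    page's ka.target.labels.sensitive is expressed this way here).
    """
    user = event.get("user", {})
    ref = event.get("objectRef", {})
    labels = event.get("responseObject", {}).get("metadata", {}).get("labels", {})
    return {
        "jevt.value[/stage]": event.get("stage"),
        "ka.verb": event.get("verb"),
        "ka.target.resource": ref.get("resource"),
        "ka.target.namespace": ref.get("namespace"),
        "ka.target.name": ref.get("name"),
        "ka.user.name": user.get("username"),
        "ka.user.groups": user.get("groups", []),
        "jevt.value[/responseObject/metadata/labels/sensitive]": labels.get("sensitive"),
    }


def kevt(f: dict) -> bool:
    """Falco's kevt macro: only the ResponseComplete stage of a request."""
    return f["jevt.value[/stage]"] == "ResponseComplete"


def unauthorized_configmap_access(f: dict) -> bool:
    """The rule's condition, term for term."""
    return (
        kevt(f)
        and f["ka.verb"] in ("get", "list")
        and f["ka.target.resource"] == "configmaps"
        and f["jevt.value[/responseObject/metadata/labels/sensitive]"] == "true"
        and f["ka.user.name"] not in TRUSTED_USERS
        and "system:masters" not in f["ka.user.groups"]
    )


def render_output(f: dict) -> str:
    """Expand the rule's %field placeholders the way Falco's output line does."""
    return ("Unauthorized access to sensitive ConfigMaps detected. "
            f"(user={f['ka.user.name']} verb={f['ka.verb']} "
            f"namespace={f['ka.target.namespace']})")


def run_rule(audit_log: str) -> list:
    """Apply the rule to every line of an audit log; return the rendered alerts."""
    alerts = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        f = ka_fields(json.loads(line))
        if unauthorized_configmap_access(f):
            alerts.append(render_output(f))
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_AUDIT_LOG):
        print("CRITICAL", alert)
```

Only the first sample line produces an alert; the admin is excluded by the group test, the RequestReceived entry is dropped by kevt, and the Metadata-level list, although it is the same user touching the same kind of object, cannot match because the entry carries no labels at all. That last case is the one to check before relying on a label-based rule: the audit policy, not the rule, decides whether the field is ever present.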

Resources