From d6a5e3d0c617c3aeeebc58ffbe04ebd644ca1482 Mon Sep 17 00:00:00 2001 From: Federico Di Pierro Date: Thu, 26 May 2022 11:48:08 +0200 Subject: [PATCH 1/2] update(cmake): updated plugins. Moreover, add support for aarch64 plugins, even if Falco 0.32 won't be distributed with official arm64 support. Signed-off-by: Federico Di Pierro --- cmake/modules/plugins.cmake | 47 ++++++++++++++++++++++++------------- 1 file changed, 31 insertions(+), 16 deletions(-) diff --git a/cmake/modules/plugins.cmake b/cmake/modules/plugins.cmake index e2e23d5b8e4..5df3d49642a 100644 --- a/cmake/modules/plugins.cmake +++ b/cmake/modules/plugins.cmake @@ -19,12 +19,17 @@ if(NOT DEFINED PLUGINS_COMPONENT_NAME) set(PLUGINS_COMPONENT_NAME "${CMAKE_PROJECT_NAME}-plugins") endif() -# todo(jasondellaluce): switch this to a stable version once this plugin gets -# released with a 1.0.0 required plugin api version +set(PLUGIN_K8S_AUDIT_VERSION "0.1.0") +if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64") + set(PLUGIN_K8S_AUDIT_HASH "57863925a1e5817cb95970f532ffe3d8dfbbb5d60dd58514729b8598e4d30d96") +else() # aarch64 + set(PLUGIN_K8S_AUDIT_HASH "0142670fa0413c057fcd8c138bd9f7211858921037f99295ada22dca8c4208eb") +endif() + ExternalProject_Add( k8saudit-plugin - URL "https://download.falco.org/plugins/dev/k8saudit-0.1.0-0.0.0-0%2B680536f-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz" - URL_HASH "SHA256=d2d4080a67445b9c5db6162e18e09c4eb9a32b0324877da584f8fa936595cd43" + URL "https://download.falco.org/plugins/stable/k8saudit-${PLUGIN_K8S_AUDIT_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz" + URL_HASH "SHA256=${PLUGIN_K8S_AUDIT_HASH}" CONFIGURE_COMMAND "" BUILD_COMMAND "" INSTALL_COMMAND "") 
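Review bot: The `else() # aarch64` branch in the new `PLUGIN_K8S_AUDIT_HASH` selection applies the aarch64 digest to every host processor that is not `x86_64`, while the URL still interpolates the real `${CMAKE_HOST_SYSTEM_PROCESSOR}`. On any other architecture the build would presumably stop later on a missing artifact or a SHA256 mismatch, which reads like a tampered download rather than an unsupported platform. Make the second branch explicit with `elseif("${CMAKE_HOST_SYSTEM_PROCESSOR}" STREQUAL "aarch64")` and end with `else()` / `message(FATAL_ERROR "no pinned plugin hash for ${CMAKE_HOST_SYSTEM_PROCESSOR}")`. The expansion in the first `if()` should be quoted as well, so that an empty value or one that names another variable is not dereferenced again. The same pattern repeats for `PLUGIN_CLOUDTRAIL_HASH` and `PLUGIN_JSON_HASH` in the next two hunks.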
@@ -33,20 +38,25 @@ install(FILES "${PROJECT_BINARY_DIR}/k8saudit-plugin-prefix/src/k8saudit-plugin/ ExternalProject_Add( k8saudit-rules - URL "https://download.falco.org/plugins/dev/k8saudit-rules-0.1.0-0.0.0-0%2B680536f.tar.gz" - URL_HASH "SHA256=7e283031150b650b0387c6d644a8dbbe992d3f39e35ef3e63eca955889211510" + URL "https://download.falco.org/plugins/stable/k8saudit-rules-${PLUGIN_K8S_AUDIT_VERSION}.tar.gz" + URL_HASH "SHA256=0400918b63e61c61ced9a4196d03f795df1b257c44c68717380415a4806f08d7" CONFIGURE_COMMAND "" BUILD_COMMAND "" INSTALL_COMMAND "") install(FILES "${PROJECT_BINARY_DIR}/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}") -# todo(jasondellaluce): switch this to a stable version once this plugin gets -# released with a 1.0.0 required plugin api version +set(PLUGIN_CLOUDTRAIL_VERSION "0.3.0") +if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64") + set(PLUGIN_CLOUDTRAIL_HASH "45a192b10e9bbfc82f4216b071afefd7fba56e02e856e37186430d40160e5d64") +else() # aarch64 + set(PLUGIN_CLOUDTRAIL_HASH "bae3a7f0d6149dc87fd9c96d197ccfb5fae9416d01ff49cfac382e7efcaf737f") +endif() + ExternalProject_Add( cloudtrail-plugin - URL "https://download.falco.org/plugins/dev/cloudtrail-0.2.5-0.2.5-125%2B680536f-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz" - URL_HASH "SHA256=5e949b2ebebb500325d2ec5bbb1ffdf4f7461a144a8f46ab500a1733af006bc2" + URL "https://download.falco.org/plugins/stable/cloudtrail-${PLUGIN_CLOUDTRAIL_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz" + URL_HASH "SHA256=${PLUGIN_CLOUDTRAIL_HASH}" CONFIGURE_COMMAND "" BUILD_COMMAND "" INSTALL_COMMAND "") 
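Review bot: The `k8saudit-rules` archive keeps its digest as a literal inside `URL_HASH`, although its URL is now derived from `PLUGIN_K8S_AUDIT_VERSION`, so a version bump has to touch a pin that sits well away from the variable being edited. `cloudtrail-rules` in the following hunk has the same shape. A stale pin fails closed, but these archives supply the rule files installed into `${FALCO_ETC_DIR}`, so their pins should be as easy to audit as the plugin ones. Put `set(PLUGIN_K8S_AUDIT_RULES_HASH "<sha256 of the rules archive>")` beside the version and use `URL_HASH "SHA256=${PLUGIN_K8S_AUDIT_RULES_HASH}"` here. A short comment above each version/hash group, for example `# SHA256 of the stable release archives; update together with the version`, would also tell the next maintainer that the values move as a set.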
@@ -55,20 +65,25 @@ install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-plugin-prefix/src/cloudtrail-plu ExternalProject_Add( cloudtrail-rules - URL "https://download.falco.org/plugins/dev/cloudtrail-rules-0.2.5-0.2.5-125%2B680536f.tar.gz" - URL_HASH "SHA256=1b48708f2e948e8765c25222d3de4ebfd49ed784de72d1177382beb60c7fb343" + URL "https://download.falco.org/plugins/stable/cloudtrail-rules-${PLUGIN_CLOUDTRAIL_VERSION}.tar.gz" + URL_HASH "SHA256=8ed676f9801d987a26854827beb176eb9164dec3b09a714406348fe1096f7c6c" CONFIGURE_COMMAND "" BUILD_COMMAND "" INSTALL_COMMAND "") install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-rules-prefix/src/cloudtrail-rules/aws_cloudtrail_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}") -# todo(jasondellaluce): switch this to a stable version once this plugin gets -# released with a 1.0.0 required plugin api version +set(PLUGIN_JSON_VERSION "0.3.0") +if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64") + set(PLUGIN_JSON_HASH "e57cc4d2850370a16caeca35ceff96c9c906970d86f2009b70805b8622964178") +else() # aarch64 + set(PLUGIN_JSON_HASH "a41326fcd570e5439735a04141a460a4e9b5d999cf0e4091d69087363284c45c") +endif() + ExternalProject_Add( json-plugin - URL "https://download.falco.org/plugins/dev/json-0.2.2-0.2.2-141%2B680536f-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz" - URL_HASH "SHA256=0d947f3ace8732767fffb02bcb62cc6ee685c51afadc91db7ff3a8576c13e6d6" + URL "https://download.falco.org/plugins/stable/json-${PLUGIN_JSON_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz" + URL_HASH "SHA256=${PLUGIN_JSON_HASH}" CONFIGURE_COMMAND "" BUILD_COMMAND "" INSTALL_COMMAND "") From 2f2eefea0d36ea1711cbd7638f04027fa3d12b16 Mon Sep 17 00:00:00 2001 From: Federico Di Pierro Date: Thu, 26 May 2022 11:52:01 +0200 Subject: [PATCH 2/2] fix(test): dropped `file://` from k8s audit log tests. 
Signed-off-by: Federico Di Pierro --- test/falco_k8s_audit_tests.yaml | 132 ++++++++++++++++---------------- 1 file changed, 66 insertions(+), 66 deletions(-) diff --git a/test/falco_k8s_audit_tests.yaml b/test/falco_k8s_audit_tests.yaml index 0ff16608b9b..68cb673445f 100644 --- a/test/falco_k8s_audit_tests.yaml +++ b/test/falco_k8s_audit_tests.yaml @@ -26,7 +26,7 @@ trace_files: !mux detect_counts: - Create Disallowed Pod: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json compat_engine_v4_create_allowed_pod: detect: False @@ -35,7 +35,7 @@ trace_files: !mux - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml - ./rules/k8s_audit/engine_v4/allow_nginx_container.yaml conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json compat_engine_v4_create_privileged_pod: detect: True @@ -46,7 +46,7 @@ trace_files: !mux detect_counts: - Create Privileged Pod: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_privileged.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json compat_engine_v4_create_privileged_trusted_pod: detect: False 
@@ -56,7 +56,7 @@ trace_files: !mux - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml - ./rules/k8s_audit/trust_nginx_container.yaml conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_privileged.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json compat_engine_v4_create_unprivileged_pod: detect: False @@ -64,7 +64,7 @@ trace_files: !mux - ../rules/falco_rules.yaml - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json compat_engine_v4_create_hostnetwork_pod: detect: True @@ -75,7 +75,7 @@ trace_files: !mux detect_counts: - Create HostNetwork Pod: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_hostnetwork.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json compat_engine_v4_create_hostnetwork_trusted_pod: detect: False @@ -85,7 +85,7 @@ trace_files: !mux - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml - ./rules/k8s_audit/trust_nginx_container.yaml conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_hostnetwork.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json user_outside_allowed_set: detect: True 
@@ -97,7 +97,7 @@ trace_files: !mux detect_counts: - Disallowed K8s User: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/some-user_creates_namespace_foo.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json user_in_allowed_set: detect: False @@ -108,7 +108,7 @@ trace_files: !mux - ./rules/k8s_audit/allow_user_some-user.yaml - ./rules/k8s_audit/disallow_kactivity.yaml conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/some-user_creates_namespace_foo.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json create_disallowed_pod: detect: True @@ -120,7 +120,7 @@ trace_files: !mux detect_counts: - Create Disallowed Pod: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json create_allowed_pod: detect: False @@ -129,7 +129,7 @@ trace_files: !mux - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml - ./rules/k8s_audit/allow_nginx_container.yaml conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json create_privileged_pod: detect: True 
@@ -140,7 +140,7 @@ trace_files: !mux detect_counts: - Create Privileged Pod: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_privileged.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json create_privileged_no_secctx_1st_container_2nd_container_pod: detect: True @@ -151,7 +151,7 @@ trace_files: !mux detect_counts: - Create Privileged Pod: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json create_privileged_2nd_container_pod: detect: True @@ -162,7 +162,7 @@ trace_files: !mux detect_counts: - Create Privileged Pod: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_privileged_2nd_container.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged_2nd_container.json create_privileged_trusted_pod: detect: False @@ -171,7 +171,7 @@ trace_files: !mux - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml - ./rules/k8s_audit/trust_nginx_container.yaml conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_privileged.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json create_unprivileged_pod: detect: False 
@@ -179,7 +179,7 @@ trace_files: !mux - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json create_unprivileged_trusted_pod: detect: False @@ -188,7 +188,7 @@ trace_files: !mux - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml - ./rules/k8s_audit/trust_nginx_container.yaml conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json create_sensitive_mount_pod: detect: True @@ -199,7 +199,7 @@ trace_files: !mux detect_counts: - Create Sensitive Mount Pod: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json create_sensitive_mount_2nd_container_pod: detect: True @@ -210,7 +210,7 @@ trace_files: !mux detect_counts: - Create Sensitive Mount Pod: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_sensitive_mount_2nd_container.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_sensitive_mount_2nd_container.json create_sensitive_mount_trusted_pod: detect: False 
@@ -219,7 +219,7 @@ trace_files: !mux - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml - ./rules/k8s_audit/trust_nginx_container.yaml conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json create_unsensitive_mount_pod: detect: False @@ -227,7 +227,7 @@ trace_files: !mux - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json create_unsensitive_mount_trusted_pod: detect: False @@ -236,7 +236,7 @@ trace_files: !mux - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml - ./rules/k8s_audit/trust_nginx_container.yaml conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json create_hostnetwork_pod: detect: True @@ -247,7 +247,7 @@ trace_files: !mux detect_counts: - Create HostNetwork Pod: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_hostnetwork.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json create_hostnetwork_trusted_pod: detect: False 
@@ -256,7 +256,7 @@ trace_files: !mux - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml - ./rules/k8s_audit/trust_nginx_container.yaml conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_hostnetwork.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json create_nohostnetwork_pod: detect: False @@ -264,7 +264,7 @@ trace_files: !mux - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json create_nohostnetwork_trusted_pod: detect: False @@ -273,7 +273,7 @@ trace_files: !mux - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml - ./rules/k8s_audit/trust_nginx_container.yaml conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json create_nodeport_service: detect: True @@ -285,7 +285,7 @@ trace_files: !mux detect_counts: - Create NodePort Service: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_service_nodeport.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_service_nodeport.json create_nonodeport_service: detect: False 
@@ -294,7 +294,7 @@ trace_files: !mux - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml - ./rules/k8s_audit/disallow_kactivity.yaml conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_service_nonodeport.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_service_nonodeport.json create_configmap_private_creds: detect: True @@ -306,7 +306,7 @@ trace_files: !mux detect_counts: - Create/Modify Configmap With Private Credentials: 6 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_configmap_sensitive_values.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_configmap_sensitive_values.json create_configmap_no_private_creds: detect: False @@ -315,7 +315,7 @@ trace_files: !mux - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml - ./rules/k8s_audit/disallow_kactivity.yaml conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_configmap_no_sensitive_values.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_configmap_no_sensitive_values.json anonymous_user: detect: True @@ -326,7 +326,7 @@ trace_files: !mux detect_counts: - Anonymous Request Allowed: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/anonymous_creates_namespace_foo.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/anonymous_creates_namespace_foo.json pod_exec: detect: True 
@@ -337,7 +337,7 @@ trace_files: !mux detect_counts: - Attach/Exec Pod: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/exec_pod.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/exec_pod.json pod_attach: detect: True @@ -348,7 +348,7 @@ trace_files: !mux detect_counts: - Attach/Exec Pod: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/attach_pod.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/attach_pod.json namespace_outside_allowed_set: detect: True @@ -360,7 +360,7 @@ trace_files: !mux detect_counts: - Create Disallowed Namespace: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/some-user_creates_namespace_foo.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json namespace_in_allowed_set: detect: False @@ -370,7 +370,7 @@ trace_files: !mux - ./rules/k8s_audit/allow_namespace_foo.yaml - ./rules/k8s_audit/disallow_kactivity.yaml conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/minikube_creates_namespace_foo.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/minikube_creates_namespace_foo.json create_pod_in_kube_system_namespace: detect: True @@ -381,7 +381,7 @@ trace_files: !mux detect_counts: - Pod Created in Kube Namespace: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_pod_kube_system_namespace.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_pod_kube_system_namespace.json create_pod_in_kube_public_namespace: detect: True 
@@ -392,7 +392,7 @@ trace_files: !mux detect_counts: - Pod Created in Kube Namespace: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_pod_kube_public_namespace.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_pod_kube_public_namespace.json create_serviceaccount_in_kube_system_namespace: detect: True @@ -403,7 +403,7 @@ trace_files: !mux detect_counts: - Service Account Created in Kube Namespace: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_serviceaccount_kube_system_namespace.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_serviceaccount_kube_system_namespace.json create_serviceaccount_in_kube_public_namespace: detect: True @@ -414,7 +414,7 @@ trace_files: !mux detect_counts: - Service Account Created in Kube Namespace: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_serviceaccount_kube_public_namespace.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_serviceaccount_kube_public_namespace.json system_clusterrole_deleted: detect: True @@ -425,7 +425,7 @@ trace_files: !mux detect_counts: - System ClusterRole Modified/Deleted: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_cluster_role_kube_aggregator.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_cluster_role_kube_aggregator.json system_clusterrole_modified: detect: True 
@@ -436,7 +436,7 @@ trace_files: !mux detect_counts: - System ClusterRole Modified/Deleted: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/modify_cluster_role_node_problem_detector.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/modify_cluster_role_node_problem_detector.json attach_cluster_admin_role: detect: True @@ -447,7 +447,7 @@ trace_files: !mux detect_counts: - Attach to cluster-admin Role: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/attach_cluster_admin_role.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/attach_cluster_admin_role.json create_cluster_role_wildcard_resources: detect: True @@ -458,7 +458,7 @@ trace_files: !mux detect_counts: - ClusterRole With Wildcard Created: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_cluster_role_wildcard_resources.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_wildcard_resources.json create_cluster_role_wildcard_verbs: detect: True @@ -469,7 +469,7 @@ trace_files: !mux detect_counts: - ClusterRole With Wildcard Created: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_cluster_role_wildcard_verbs.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_wildcard_verbs.json create_writable_cluster_role: detect: True 
@@ -480,7 +480,7 @@ trace_files: !mux detect_counts: - ClusterRole With Write Privileges Created: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_cluster_role_write_privileges.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_write_privileges.json create_pod_exec_cluster_role: detect: True @@ -491,7 +491,7 @@ trace_files: !mux detect_counts: - ClusterRole With Pod Exec Created: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_cluster_role_pod_exec.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_pod_exec.json create_deployment: detect: True @@ -502,7 +502,7 @@ trace_files: !mux detect_counts: - K8s Deployment Created: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_deployment.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_deployment.json delete_deployment: detect: True @@ -513,7 +513,7 @@ trace_files: !mux detect_counts: - K8s Deployment Deleted: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_deployment.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_deployment.json create_service: detect: True @@ -524,7 +524,7 @@ trace_files: !mux detect_counts: - K8s Service Created: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_service.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_service.json delete_service: detect: True 
@@ -535,7 +535,7 @@ trace_files: !mux detect_counts: - K8s Service Deleted: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_service.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_service.json create_configmap: detect: True @@ -546,7 +546,7 @@ trace_files: !mux detect_counts: - K8s ConfigMap Created: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_configmap.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_configmap.json delete_configmap: detect: True @@ -557,7 +557,7 @@ trace_files: !mux detect_counts: - K8s ConfigMap Deleted: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_configmap.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_configmap.json create_namespace: detect: True @@ -570,7 +570,7 @@ trace_files: !mux detect_counts: - K8s Namespace Created: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/some-user_creates_namespace_foo.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json delete_namespace: detect: True @@ -581,7 +581,7 @@ trace_files: !mux detect_counts: - K8s Namespace Deleted: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_namespace_foo.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_namespace_foo.json create_serviceaccount: detect: True 
@@ -592,7 +592,7 @@ trace_files: !mux detect_counts: - K8s Serviceaccount Created: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_serviceaccount.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_serviceaccount.json delete_serviceaccount: detect: True @@ -603,7 +603,7 @@ trace_files: !mux detect_counts: - K8s Serviceaccount Deleted: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_serviceaccount.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_serviceaccount.json create_clusterrole: detect: True @@ -614,7 +614,7 @@ trace_files: !mux detect_counts: - K8s Role/Clusterrole Created: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_clusterrole.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_clusterrole.json delete_clusterrole: detect: True @@ -625,7 +625,7 @@ trace_files: !mux detect_counts: - K8s Role/Clusterrole Deleted: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_clusterrole.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_clusterrole.json create_clusterrolebinding: detect: True @@ -636,7 +636,7 @@ trace_files: !mux detect_counts: - K8s Role/Clusterrolebinding Created: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_clusterrolebinding.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_clusterrolebinding.json delete_clusterrolebinding: detect: True 
@@ -647,7 +647,7 @@ trace_files: !mux detect_counts: - K8s Role/Clusterrolebinding Deleted: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_clusterrolebinding.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_clusterrolebinding.json create_secret: detect: True @@ -658,7 +658,7 @@ trace_files: !mux detect_counts: - K8s Secret Created: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_secret.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_secret.json # Should *not* result in any event as the secret rules skip service account token secrets create_service_account_token_secret: @@ -668,7 +668,7 @@ trace_files: !mux - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_service_account_token_secret.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_service_account_token_secret.json create_kube_system_secret: detect: False @@ -677,7 +677,7 @@ trace_files: !mux - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_kube_system_secret.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_kube_system_secret.json delete_secret: detect: True 
@@ -688,7 +688,7 @@ trace_files: !mux detect_counts: - K8s Secret Deleted: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_secret.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_secret.json fal_01_003: detect: False @@ -697,7 +697,7 @@ trace_files: !mux - ../rules/falco_rules.yaml - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/fal_01_003.json + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/fal_01_003.json stderr_contains: 'data not recognized as a k8s audit event' json_pointer_correct_parse: @@ -708,4 +708,4 @@ trace_files: !mux detect_counts: - json_pointer_example: 1 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml - addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json \ No newline at end of file + addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json \ No newline at end of file