diff --git a/assets/sumologic/sumologic-2.17.0.tgz b/assets/sumologic/sumologic-2.17.0.tgz new file mode 100644 index 000000000..17972fa07 Binary files /dev/null and b/assets/sumologic/sumologic-2.17.0.tgz differ diff --git a/charts/sumologic/sumologic/2.17.0/.helmignore b/charts/sumologic/sumologic/2.17.0/.helmignore new file mode 100644 index 000000000..50af03172 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/sumologic/sumologic/2.17.0/Chart.lock b/charts/sumologic/sumologic/2.17.0/Chart.lock new file mode 100644 index 000000000..6cf631163 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/Chart.lock @@ -0,0 +1,24 @@ +dependencies: +- name: fluent-bit + repository: https://fluent.github.io/helm-charts + version: 0.20.2 +- name: kube-prometheus-stack + repository: https://prometheus-community.github.io/helm-charts + version: 12.10.0 +- name: falco + repository: https://falcosecurity.github.io/charts + version: 1.18.6 +- name: metrics-server + repository: https://charts.bitnami.com/bitnami + version: 5.11.9 +- name: telegraf-operator + repository: https://helm.influxdata.com/ + version: 1.3.5 +- name: tailing-sidecar-operator + repository: https://sumologic.github.io/tailing-sidecar + version: 0.3.4 +- name: opentelemetry-operator + repository: https://open-telemetry.github.io/opentelemetry-helm-charts + version: 0.7.0 +digest: sha256:da79b29a1e6b366c6947f3b9b0d5948badc60c51d55fb1dac5e76fc0ffcd4a44 +generated: "2022-09-15T08:31:35.45416754Z" 
diff --git a/charts/sumologic/sumologic/2.17.0/Chart.yaml b/charts/sumologic/sumologic/2.17.0/Chart.yaml new file mode 100644 index 000000000..54d30ec5b --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/Chart.yaml @@ -0,0 +1,48 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Sumo Logic + catalog.cattle.io/kube-version: '>=1.18-0' + catalog.cattle.io/release-name: sumologic +apiVersion: v2 +appVersion: 2.17.0 +dependencies: +- condition: fluent-bit.enabled,sumologic.logs.enabled + name: fluent-bit + repository: file://./charts/fluent-bit + version: 0.20.2 +- condition: kube-prometheus-stack.enabled,sumologic.metrics.enabled + name: kube-prometheus-stack + repository: file://./charts/kube-prometheus-stack + version: 12.10.0 +- condition: falco.enabled + name: falco + repository: file://./charts/falco + version: 1.18.6 +- condition: metrics-server.enabled + name: metrics-server + repository: file://./charts/metrics-server + version: 5.11.9 +- condition: telegraf-operator.enabled + name: telegraf-operator + repository: file://./charts/telegraf-operator + version: 1.3.5 +- condition: tailing-sidecar-operator.enabled + name: tailing-sidecar-operator + repository: file://./charts/tailing-sidecar-operator + version: 0.3.4 +- condition: opentelemetry-operator.enabled + name: opentelemetry-operator + repository: file://./charts/opentelemetry-operator + version: 0.7.0 +description: A Helm chart for collecting Kubernetes logs, metrics, traces and events + into Sumo Logic. +home: https://github.com/SumoLogic/sumologic-kubernetes-collection +icon: https://raw.githubusercontent.com/SumoLogic/sumologic-kubernetes-collection/main/images/sumo_logic_logo.png +keywords: +- monitoring +- logging +name: sumologic +sources: +- https://github.com/SumoLogic/sumologic-kubernetes-collection +type: application +version: 2.17.0 
diff --git a/charts/sumologic/sumologic/2.17.0/README.md b/charts/sumologic/sumologic/2.17.0/README.md new file mode 100644 index 000000000..e5a460d89 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/README.md 
@@ -0,0 +1,404 @@ +# Configuration + +To see all available configuration for our sub-charts, please refer to their documentation. + +- [Falco](https://github.com/falcosecurity/charts/tree/master/falco#configuration) - All Falco properties should be prefixed with `falco.` in our values.yaml to override a property not listed below. +- [Kube-Prometheus-Stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#configuration) - All Kube Prometheus Stack properties should be prefixed with `kube-prometheus-stack.` in our values.yaml to override a property not listed below. +- [Fluent Bit](https://github.com/fluent/helm-charts/blob/main/charts/fluent-bit/values.yaml) - All Fluent Bit properties should be prefixed with `fluent-bit.` in our values.yaml to override a property not listed below. +- [Metrics Server](https://github.com/bitnami/charts/tree/master/bitnami/metrics-server/#parameters) - All Metrics Server properties should be prefixed with `metrics-server.` in our values.yaml to override a property not listed below. +- [Tailing Sidecar Operator](https://github.com/SumoLogic/tailing-sidecar/tree/main/helm/tailing-sidecar-operator#configuration) - + All Tailing Sidecar Operator properties should be prefixed with `tailing-sidecar-operator` in our values.yaml to + override a property not listed below. +- [OpenTelemetry Operator](https://github.com/open-telemetry/opentelemetry-helm-charts/tree/main/charts/opentelemetry-operator#opentelemetry-operator-helm-chart) - + All OpenTelemetry Operator properties should be prefixed with `opentelemetry-operator` in our values.yaml to + override a property listed below. + +The following table lists the configurable parameters of the Sumo Logic chart and their default values. 
+ +| Parameter | Description | Default | +|---------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------| +| `nameOverride` | Used to override the Chart name. | `Nil` | +| `fullnameOverride` | Used to override the chart's full name. | `Nil` | +| `sumologic.setupEnabled` | If enabled, a pre-install hook will create Collector and Sources in Sumo Logic. | `true` | +| `sumologic.cleanupEnabled` | If enabled, a pre-delete hook will destroy Kubernetes secret and Sumo Logic Collector. | `false` | +| `sumologic.events.enabled` | Defines whether collection of Kubernetes events is enabled. | `true` | +| `sumologic.events.provider` | Defines which provider is used for Kubernetes events collection. This can be either `fluentd` or `otelcol`. | `fluentd` | +| `sumologic.logs.enabled` | Set the enabled flag to false for disabling logs ingestion altogether. | `true` | +| `sumologic.metrics.enabled` | Set the enabled flag to false for disabling metrics ingestion altogether. | `true` | +| `sumologic.logs.fields` | Fields to be created at Sumo Logic to ensure logs are tagged with relevant metadata. [Sumo Logic help](https://help.sumologic.com/Manage/Fields#Manage_fields) | `{}` | +| `sumologic.logs.metadata.provider` | Set provider to use for logs forwarding and metadata enrichment. Can be either otelcol or fluentd. | `fluentd` | +| `sumologic.metrics.metadata.provider` | Set provider to use for metrics forwarding and metadata enrichment. Can be either otelcol or fluentd. 
| `fluentd` | +| `sumologic.metrics.remoteWriteProxy.enabled` | Enable a load balancing proxy for Prometheus remote writes. [See docs/Best_Practices.md for more information.](../../docs/Best_Practices.md) | `fluentd` | +| `sumologic.metrics.remoteWriteProxy.config.clientBodyBufferSize` | See the [nginx documentation](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size). Increase if you've also increased samples per send in Prometheus remote write. | `fluentd` | +| `sumologic.metrics.remoteWriteProxy.config.workerCountAutotune` | This feature autodetects how much CPU is assigned to the nginx instance and setsthe right amount of workers based on that. Disable to use the default of 8 workers. | `false` | +| `sumologic.metrics.remoteWriteProxy.replicaCount` | Number of replicas in the remote write proxy deployment. | `fluentd` | +| `sumologic.metrics.remoteWriteProxy.image` | Nginx docker image for the remote write proxy. | `fluentd` | +| `sumologic.metrics.remoteWriteProxy.resources` | Resource requests and limits for the remote write proxy container. | `fluentd` | +| `sumologic.metrics.remoteWriteProxy.livenessProbe` | Liveness probe settings for the remote write proxy container. | `fluentd` | +| `sumologic.metrics.remoteWriteProxy.readinessProbe` | Readiness probe settings for the remote write proxy container. | `fluentd` | +| `sumologic.metrics.remoteWriteProxy.securityContext` | The securityContext configuration for the remote write proxy. | `{}` | +| `sumologic.metrics.remoteWriteProxy.nodeSelector` | Node selector for the remote write proxy deployment. [See docs/Best_Practices.md for more information.](../../docs/Best_Practices.md) | `{}` | +| `sumologic.metrics.remoteWriteProxy.tolerations` | Tolerations for the remote write proxy deployment. | `[]` | +| `sumologic.metrics.remoteWriteProxy.affinity` | Affinity for the remote write proxy deployment. 
| `{}` | +| `sumologic.metrics.remoteWriteProxy.priorityClassName` | Priority class name for the remote write proxy deployment. | `Nil` | +| `sumologic.metrics.remoteWriteProxy.podLabels` | Additional labels for the remote write proxy container. | `{}` | +| `sumologic.metrics.remoteWriteProxy.podAnnotations` | Additional annotations for for the remote write proxy container. | `{}` | +| `sumologic.traces.enabled` | Set the enabled flag to true to enable tracing ingestion. _Tracing must be enabled for the account first. Please contact your Sumo representative for activation details_ | `false` | +| `sumologic.envFromSecret` | If enabled, accessId and accessKey will be sourced from Secret Name given. Be sure to include at least the following env variables in your secret (1) SUMOLOGIC_ACCESSID, (2) SUMOLOGIC_ACCESSKEY | `sumo-api-secret` | +| `sumologic.accessId` | Sumo access ID. | `Nil` | +| `sumologic.accessKey` | Sumo access key. | `Nil` | +| `sumologic.endpoint` | Sumo API endpoint; Leave blank for automatic endpoint discovery and redirection. | `Nil` | +| `sumologic.collectionMonitoring` | | `false` | +| `sumologic.collectorName` | The name of the Sumo Logic collector that will be created in the SetUp job. Defaults to `clusterName` if not specified. | `Nil` | +| `sumologic.clusterName` | An identifier for the Kubernetes cluster. Whitespaces in the cluster name will be replaced with dashes. | `kubernetes` | +| `sumologic.collector.sources` | Configuration of HTTP sources. [See docs/Terraform.md for more information](../../docs/Terraform.md).. | See [values.yaml] | +| `sumologic.httpProxy` | HTTP proxy URL | `Nil` | +| `sumologic.httpsProxy` | HTTPS proxy URL | `Nil` | +| `sumologic.noProxy` | List of comma separated hostnames which should be excluded from the proxy | `kubernetes.default.svc` | +| `sumologic.pullSecrets` | Optional list of secrets that will be used for pulling images for Sumo Logic's deployments and statefulsets. 
| `Nil` | +| `sumologic.podLabels` | Additional labels for the pods. | `{}` | +| `sumologic.podAnnotations` | Additional annotations for the pods. | `{}` | +| `sumologic.scc.create` | Create OpenShift's Security Context Constraint | `false` | +| `sumologic.serviceAccount.annotations` | Add custom annotations to sumologic serviceAccounts | `{}` | +| `sumologic.setup.job.pullSecrets` | Optional list of secrets that will be used for pulling images for Sumo Logic's setup job. | `Nil` | +| `sumologic.setup.job.podLabels` | Additional labels for the setup Job pod. | `{}` | +| `sumologic.setup.job.podAnnotations` | Additional annotations for the setup Job pod. | `{}` | +| `sumologic.setup.job.image.repository` | Image repository for Sumo Logic setup job docker container. | `sumologic/kubernetes-fluentd` | +| `sumologic.setup.job.image.tag` | Image tag for Sumo Logic setup job docker container. | `1.3.0` | +| `sumologic.setup.job.image.pullPolicy` | Image pullPolicy for Sumo Logic docker container. | `IfNotPresent` | +| `sumologic.setup.job.nodeSelector` | Node selector for sumologic setup job. [See docs/Best_Practices.md for more information.](../../docs/Best_Practices.md) | `IfNotPresent` | +| `sumologic.setup.job.tolerations` | Add tolerations for the setup Job. | `[]` | +| `sumologic.setup.job.affinity` | Add affinity and anti-affinity for the setup Job. | `{}` | +| `sumologic.setup.monitors.enabled` | If enabled, a pre-install hook will create k8s monitors in Sumo Logic. | `true` | +| `sumologic.setup.monitors.monitorStatus` | The installed monitors default status: enabled/disabled. | `enabled` | +| `sumologic.setup.monitors.notificationEmails` | A list of emails to send notifications from monitors. | `[]` | +| `sumologic.setup.dashboards.enabled` | If enabled, a pre-install hook will install k8s dashboards in Sumo Logic. | `true` | +| `fluentd.image.repository` | Image repository for Sumo Logic docker container. 
| `sumologic/kubernetes-fluentd` | +| `fluentd.image.tag` | Image tag for Sumo Logic docker container. | `1.3.0` | +| `fluentd.image.pullPolicy` | Image pullPolicy for Sumo Logic docker container. | `IfNotPresent` | +| `fluentd.logLevelFilter` | Do not send fluentd logs if set to `true`. | `true` | +| `fluentd.additionalPlugins` | Additional Fluentd plugins to install from RubyGems. Please see our [documentation](../../docs/Additional_Fluentd_Plugins.md) for more information. | `[]` | +| `fluentd.compression.enabled` | Flag to control if data is sent to Sumo Logic compressed or not | `true` | +| `fluentd.compression.encoding` | Specifies which encoding should be used to compress data (either `gzip` or `deflate`) | `gzip` | +| `fluentd.logLevel` | Sets the fluentd log level. The default log level, if not specified, is info. Sumo will only ingest the error log level and some specific warnings, the info logs can be seen in kubectl logs. | `info` | +| `fluentd.verifySsl` | Verify SumoLogic HTTPS certificates. | `true` | +| `fluentd.proxyUri` | Proxy URI for sumologic output plugin. | `Nil` | +| `fluentd.securityContext` | The securityContext configuration for Fluentd | `{"fsGroup":999}` | +| `fluentd.podLabels` | Additional labels for all fluentd pods | `{}` | +| `fluentd.pvcLabels` | Additional labels for all fluentd PVCs | `{}` | +| `fluentd.podAnnotations` | Additional annotations for all fluentd pods | `{}` | +| `fluentd.podSecurityPolicy.create` | If true, create & use `podSecurityPolicy` for fluentd resources | `false` | +| `fluentd.persistence.enabled` | Persist data to a persistent volume; When enabled, fluentd uses the file buffer instead of memory buffer. After changing this value follow steps described in [Fluentd Persistence](../../docs/FluentdPersistence.md). | `true` | +| `fluentd.persistence.storageClass` | If defined, storageClassName: . If set to "-", storageClassName: "", which disables dynamic provisioning. 
If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner. (gp2 on AWS, standard on GKE, Azure & OpenStack) | `Nil` | +| `fluentd.persistence.accessMode` | The accessMode for persistence. | `ReadWriteOnce` | +| `fluentd.persistence.size` | The size needed for persistence. | `10Gi` | +| `fluentd.buffer.type` | Option to specify the Fluentd buffer as file/memory. If `fluentd.persistence.enabled` is `true`, this will be ignored. | `memory` | +| `fluentd.buffer.flushInterval` | How frequently to push logs to Sumo Logic. | `5s` | +| `fluentd.buffer.numThreads` | Increase number of http threads to Sumo. May be required in heavy logging/high DPM clusters. | `8` | +| `fluentd.buffer.chunkLimitSize` | The max size of each chunks: events will be written into chunks until the size of chunks become this size. | `1m` | +| `fluentd.buffer.queueChunkLimitSize` | Limit the number of queued chunks. | `128` | +| `fluentd.buffer.totalLimitSize` | The size limitation of this buffer plugin instance. | `128m` | +| `fluentd.buffer.filePaths` | File paths to buffer to, if Fluentd buffer type is specified as file above. Each sumologic output plugin buffers to its own unique file. | See [values.yaml] | +| `fluentd.buffer.extraConf` | Additional config for buffer settings | `Nil` | +| `fluentd.metadata.addOwners` | Option to control the enrichment of logs and metrics with pod owner metadata like `daemonset`, `deployment`, `replicaset`, `statefulset`. | `true` | +| `fluentd.metadata.addService` | Option to control the enrichment of logs and metrics with `service` metadata. | `true` | +| `fluentd.metadata.annotation_match` | Option to control capturing of annotations by metadata filter plugin. | `['sumologic\.com.*']` | +| `fluentd.metadata.apiGroups` | List of supported kubernetes API groups. 
| `['apps/v1']` | +| `fluentd.metadata.apiServerUrl` | Option to specify custom API server URL instead of the default, that is taken from KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT environment variables. Example: `"https://kubernetes.default.svc:443"`. | `""` | +| `fluentd.metadata.coreApiVersions` | List of supported kubernetes API versions. | `['v1']` | +| `fluentd.metadata.cacheSize` | Option to control the enabling of metadata filter plugin cache_size. | `10000` | +| `fluentd.metadata.cacheTtl` | Option to control the enabling of metadata filter plugin cache_ttl (in seconds). | `7200` | +| `fluentd.metadata.cacheRefresh` | Option to control the interval at which metadata cache is asynchronously refreshed (in seconds). | `3600` | +| `fluentd.metadata.cacheRefreshVariation` | Option to control the variation in seconds by which the cacheRefresh option is changed for each pod separately. For example, if cache refresh is 1 hour and variation is 15 minutes, then actual cache refresh interval will be a random value between 45 minutes and 1 hour 15 minutes, different for each pod. Setting this to 0 disables cache refresh variation. | `900` | +| `fluentd.metadata.cacheRefreshApiserverRequestDelay` | Option to control the delay with which cache refresh calls hit the api server.For example, if 0 then all metadata enrichment happen immediately. Setting this to a non-zero values ensures the traffic to api server is more distributed. | `0` | +| `fluentd.metadata.cacheRefreshExcludePodRegex` | Option to add regex for selectively disabling refresh for metadata in fluentd cache. For example, if regex is `(command-[a-z0-9]*)` then all pods starting with name `command` will not have their metadata refreshed and will be cleaned up from cache | `''` | +| `fluentd.metadata.pluginLogLevel` | Option to give plugin specific log level. | `error` | +| `fluentd.logs.enabled` | Flag to control deploying the Fluentd logs statefulsets. 
| `true` | +| `fluentd.logs.podDisruptionBudget` | Pod Disruption Budget for logs metadata enrichment. statefulset. | `{"minAvailable": 2}` | +| `fluentd.logs.statefulset.nodeSelector` | Node selector for Fluentd log statefulset. [See docs/Best_Practices.md for more information.](../../docs/Best_Practices.md) | `{}` | +| `fluentd.logs.statefulset.tolerations` | Tolerations for Fluentd log statefulset. | `[]` | +| `fluentd.logs.statefulset.affinity` | Affinity for Fluentd log statefulset. | `{}` | +| `fluentd.logs.statefulset.podAntiAffinity` | PodAntiAffinity for Fluentd log statefulset. | `soft` | +| `fluentd.logs.statefulset.topologySpreadConstraints` | TopologySpreadConstraints for Fluentd logs metadata enrichment statefulset. | `[]` | +| `fluentd.logs.statefulset.replicaCount` | Replica count for Fluentd log statefulset. | `3` | +| `fluentd.logs.statefulset.resources` | Resources for Fluentd log statefulset. | `{"limits":{"cpu":1,"memory":"1Gi"},"requests":{"cpu":0.5,"memory":"768Mi"}}` | +| `fluentd.logs.statefulset.podLabels` | Additional labels for fluentd log pods. | `{}` | +| `fluentd.logs.statefulset.podAnnotations` | Additional annotations for fluentd log pods. | `{}` | +| `fluentd.logs.statefulset.priorityClassName` | Priority class name for fluentd log pods. | `Nil` | +| `fluentd.logs.statefulset.initContainers` | Define init containers that will be run for fluentd logs statefulset. | `[]` | +| `fluentd.logs.autoscaling.enabled` | Option to turn autoscaling on for fluentd and specify params for HPA. Autoscaling needs metrics-server to access cpu metrics. | `false` | +| `fluentd.logs.autoscaling.minReplicas` | Default min replicas for autoscaling. | `3` | +| `fluentd.logs.autoscaling.maxReplicas` | Default max replicas for autoscaling. | `10` | +| `fluentd.logs.autoscaling.targetCPUUtilizationPercentage` | The desired target CPU utilization for autoscaling. 
| `50` | +| `fluentd.logs.autoscaling.targetMemoryUtilizationPercentage` | The desired target memory utilization for autoscaling. | `Nil` | +| `fluentd.logs.rawConfig` | Default log configuration. | `@include common.conf @include logs.conf` | +| `fluentd.logs.output.logFormat` | Format to post logs into Sumo: fields, json, json_merge, or text. | `fields` | +| `fluentd.logs.output.addTimestamp` | Option to control adding timestamp to logs. | `true` | +| `fluentd.logs.output.timestampKey` | Field name when add_timestamp is on. | `timestamp` | +| `fluentd.logs.output.pluginLogLevel` | Option to give plugin specific log level. | `error` | +| `fluentd.logs.output.extraConf` | Additional config parameters for sumologic output plugin | `Nil` | +| `fluentd.logs.extraLogs` | Additional config for custom log pipelines. | `Nil` | +| `fluentd.logs.containers.overrideRawConfig` | To override the entire contents of logs.source.containers.conf file. Leave empty for the default pipeline. | `Nil` | +| `fluentd.logs.containers.outputConf` | Default output configuration for container logs. | `@include logs.output.conf` | +| `fluentd.logs.containers.overrideOutputConf` | Override output section for container logs. Leave empty for the default output section. | `Nil` | +| `fluentd.logs.containers.sourceName` | Set the _sourceName metadata field in Sumo Logic. | `%{namespace}.%{pod}.%{container}` | +| `fluentd.logs.containers.sourceCategory` | Set the _sourceCategory metadata field in Sumo Logic. | `%{namespace}/%{pod_name}` | +| `fluentd.logs.containers.sourceCategoryPrefix` | Set the prefix, for _sourceCategory metadata. | `kubernetes/` | +| `fluentd.logs.containers.sourceCategoryReplaceDash` | Used to replace - with another character. | `/` | +| `fluentd.logs.containers.excludeContainerRegex` | A regular expression for containers. Matching containers will be excluded from Sumo. The logs will still be sent to FluentD. 
| `Nil` | +| `fluentd.logs.containers.excludeHostRegex` | A regular expression for hosts. Matching hosts will be excluded from Sumo. The logs will still be sent to FluentD. | `Nil` | +| `fluentd.logs.containers.excludeNamespaceRegex` | A regular expression for namespaces. Matching namespaces will be excluded from Sumo. The logs will still be sent to FluentD. | `Nil` | +| `fluentd.logs.containers.excludePodRegex` | A regular expression for pods. Matching pods will be excluded from Sumo. The logs will still be sent to FluentD. | `Nil` | +| `fluentd.logs.containers.k8sMetadataFilter.watch` | Option to control the enabling of metadata filter plugin watch. | `true` | +| `fluentd.logs.containers.k8sMetadataFilter.caFile` | path to CA file for Kubernetes server certificate validation. | `Nil` | +| `fluentd.logs.containers.k8sMetadataFilter.verifySsl` | Validate SSL certificates. | `true` | +| `fluentd.logs.containers.k8sMetadataFilter.clientCert` | Path to a client cert file to authenticate to the API server. | `Nil` | +| `fluentd.logs.containers.k8sMetadataFilter.clientKey` | Path to a client key file to authenticate to the API server. | `Nil` | +| `fluentd.logs.containers.k8sMetadataFilter.bearerTokenFile` | Path to a file containing the bearer token to use for authentication. | `Nil` | +| `fluentd.logs.containers.k8sMetadataFilter.tagToMetadataRegexp` | The regular expression used to extract kubernetes metadata (pod name, container name, namespace) from the current fluentd tag. | `.+?\.containers\.(?[^_]+)_(?[^_]+)_(?.+)-(?[a-z0-9]{64})\.log$` | +| `fluentd.logs.containers.extraFilterPluginConf` | To use additional filter plugins. | `Nil` | +| `fluentd.logs.containers.extraOutputPluginConf` | To use additional output plugins. | `Nil` | +| `fluentd.logs.containers.perContainerAnnotationsEnabled` | Enable container-level pod annotations. 
See [fluent-plugin-kubernetes-sumologic documentation](https://github.com/SumoLogic/sumologic-kubernetes-fluentd/tree/v1.12.2-sumo-6/fluent-plugin-kubernetes-sumologic#container-level-pod-annotations_) for more details. | `false` | +| `fluentd.logs.input.forwardExtraConf` | Configuration for the forward input plugin that receives logs from FluentBit. | `` | +| `fluentd.logs.kubelet.enabled` | Collect kubelet logs. | `true` | +| `fluentd.logs.kubelet.extraFilterPluginConf` | To use additional filter plugins. | `Nil` | +| `fluentd.logs.kubelet.extraOutputPluginConf` | To use additional output plugins. | `Nil` | +| `fluentd.logs.kubelet.outputConf` | Output configuration for kubelet. | `@include logs.output.conf` | +| `fluentd.logs.kubelet.overrideOutputConf` | Override output section for kubelet logs. Leave empty for the default output section. | `Nil` | +| `fluentd.logs.kubelet.sourceName` | Set the _sourceName metadata field in Sumo Logic. | `k8s_kubelet` | +| `fluentd.logs.kubelet.sourceCategory` | Set the _sourceCategory metadata field in Sumo Logic. | `kubelet` | +| `fluentd.logs.kubelet.sourceCategoryPrefix` | Set the prefix, for _sourceCategory metadata. | `kubernetes/` | +| `fluentd.logs.kubelet.sourceCategoryReplaceDash` | Used to replace - with another character. | `/` | +| `fluentd.logs.kubelet.excludeFacilityRegex` | A regular expression for facility. Matching facility will be excluded from Sumo. The logs will still be sent to FluentD. | `Nil` | +| `fluentd.logs.kubelet.excludeHostRegex` | A regular expression for hosts. Matching hosts will be excluded from Sumo. The logs will still be sent to FluentD. | `Nil` | +| `fluentd.logs.kubelet.excludePriorityRegex` | A regular expression for priority. Matching priority will be excluded from Sumo. The logs will still be sent to FluentD. | `Nil` | +| `fluentd.logs.kubelet.excludeUnitRegex` | A regular expression for unit. Matching unit will be excluded from Sumo. The logs will still be sent to FluentD. 
| `Nil` | +| `fluentd.logs.systemd.enabled` | Collect systemd logs. | `true` | +| `fluentd.logs.systemd.extraFilterPluginConf` | To use additional filter plugins. | `Nil` | +| `fluentd.logs.systemd.extraOutputPluginConf` | To use additional output plugins. | `Nil` | +| `fluentd.logs.systemd.outputConf` | Output configuration for systemd. | `@include logs.output.conf` | +| `fluentd.logs.systemd.overrideOutputConf` | Override output section for systemd logs. Leave empty for the default output section. | `Nil` | +| `fluentd.logs.systemd.sourceCategory` | Set the _sourceCategory metadata field in Sumo Logic. | `system` | +| `fluentd.logs.systemd.sourceCategoryPrefix` | Set the prefix, for _sourceCategory metadata. | `kubernetes/` | +| `fluentd.logs.systemd.sourceCategoryReplaceDash` | Used to replace - with another character. | `/` | +| `fluentd.logs.systemd.excludeFacilityRegex` | A regular expression for facility. Matching facility will be excluded from Sumo. The logs will still be sent to FluentD. | `Nil` | +| `fluentd.logs.systemd.excludeHostRegex` | A regular expression for hosts. Matching hosts will be excluded from Sumo. The logs will still be sent to FluentD. | `Nil` | +| `fluentd.logs.systemd.excludePriorityRegex` | A regular expression for priority. Matching priority will be excluded from Sumo. The logs will still be sent to FluentD. | `Nil` | +| `fluentd.logs.systemd.excludeUnitRegex` | A regular expression for unit. Matching unit will be excluded from Sumo. The logs will still be sent to FluentD. | `Nil` | +| `fluentd.logs.default.extraFilterPluginConf` | To use additional filter plugins. | `Nil` | +| `fluentd.logs.default.extraOutputPluginConf` | To use additional output plugins. | `Nil` | +| `fluentd.logs.default.outputConf` | Default log configuration (catch-all). | `@include logs.output.conf` | +| `fluentd.logs.default.overrideOutputConf` | Override output section for untagged logs. Leave empty for the default output section. 
| `Nil` | +| `fluentd.metrics.enabled` | Flag to control deploying the Fluentd metrics statefulsets. | `true` | +| `fluentd.metrics.podDisruptionBudget` | Pod Disruption Budget for metrics metadata enrichment. statefulset. | `{"minAvailable": 2}` | +| `fluentd.metrics.statefulset.nodeSelector` | Node selector for Fluentd metrics statefulset. [See docs/Best_Practices.md for more information.](../../docs/Best_Practices.md) | `{}` | +| `fluentd.metrics.statefulset.tolerations` | Tolerations for Fluentd metrics statefulset. | `[]` | +| `fluentd.metrics.statefulset.affinity` | Affinity for Fluentd metrics statefulset. | `{}` | +| `fluentd.metrics.statefulset.podAntiAffinity` | PodAntiAffinity for Fluentd metrics statefulset. | `soft` | +| `fluentd.metrics.statefulset.topologySpreadConstraints` | TopologySpreadConstraints for Fluentd metrics metadata enrichment statefulset. | `[]` | +| `fluentd.metrics.statefulset.replicaCount` | Replica count for Fluentd metrics statefulset. | `3` | +| `fluentd.metrics.statefulset.resources` | Resources for Fluentd metrics statefulset. | `{"limits":{"cpu":1,"memory":"1Gi"},"requests":{"cpu":0.5,"memory":"768Mi"}}` | +| `fluentd.metrics.statefulset.podLabels` | Additional labels for fluentd metrics pods. | `{}` | +| `fluentd.metrics.statefulset.podAnnotations` | Additional annotations for fluentd metrics pods. | `{}` | +| `fluentd.metrics.statefulset.priorityClassName` | Priority class name for fluentd metrics pods. | `Nil` | +| `fluentd.metrics.statefulset.initContainers` | Define init containers that will be run for fluentd metrics statefulset. | `[]` | +| `fluentd.metrics.autoscaling.enabled` | Option to turn autoscaling on for fluentd and specify params for HPA. Autoscaling needs metrics-server to access cpu metrics. | `false` | +| `fluentd.metrics.autoscaling.minReplicas` | Default min replicas for autoscaling. | `3` | +| `fluentd.metrics.autoscaling.maxReplicas` | Default max replicas for autoscaling. 
| `10` | +| `fluentd.metrics.autoscaling.targetCPUUtilizationPercentage` | The desired target CPU utilization for autoscaling. | `50` | +| `fluentd.metrics.autoscaling.targetMemoryUtilizationPercentage` | The desired target memory utilization for autoscaling. | `Nil` | +| `fluentd.metrics.rawConfig` | Raw config for fluentd metrics. | `@include common.conf @include metrics.conf` | +| `fluentd.metrics.outputConf` | Configuration for sumologic output plugin. | `@include metrics.output.conf` | +| `fluentd.metrics.extraEnvVars` | Additional environment variables for metrics metadata enrichment pods. | `Nil` | +| `fluentd.metrics.extraVolumes` | Additional volumes for metrics metadata enrichment pods. | `Nil` | +| `fluentd.metrics.extraVolumeMounts` | Additional volume mounts for metrics metadata enrichment pods. | `Nil` | +| `fluentd.metrics.extraOutputConf` | Additional config parameters for sumologic output plugin | `Nil` | +| `fluentd.metrics.extraFilterPluginConf` | To use additional filter plugins. | `Nil` | +| `fluentd.metrics.extraOutputPluginConf` | To use additional output plugins. | `Nil` | +| `fluentd.metrics.overrideOutputConf` | Override output section for metrics. Leave empty for the default output section. | `Nil` | +| `fluentd.monitoring` | Configuration of fluentd monitoring metrics. Adds the `fluentd_input_status_num_records_total` metric for input and the `fluentd_output_status_num_records_total` metric for output. | `{"input": false, "output": false}` | +| `fluentd.events.enabled` | If enabled, collect K8s events. | `true` | +| `fluentd.events.statefulset.nodeSelector` | Node selector for Fluentd events statefulset. [See docs/Best_Practices.md for more information.](../../docs/Best_Practices.md) | `{}` | +| `fluentd.events.statefulset.affinity` | Affinity for Fluentd events statefulset. | `{}` | +| `fluentd.events.statefulset.tolerations` | Tolerations for Fluentd events statefulset. 
| `[]` | +| `fluentd.events.statefulset.resources` | Resources for Fluentd log statefulset. | `{"limits":{"cpu":"100m","memory":"256Mi"},"requests":{"cpu":"100m","memory":"256Mi"}}` | +| `fluentd.events.statefulset.podLabels` | Additional labels for fluentd events pods. | `{}` | +| `fluentd.events.statefulset.podAnnotations` | Additional annotations for fluentd events pods. | `{}` | +| `fluentd.events.statefulset.priorityClassName` | Priority class name for fluentd events pods. | `Nil` | +| `fluentd.events.statefulset.initContainers` | Define init containers that will be run for fluentd events statefulset. | `[]` | +| `fluentd.events.sourceName` | Source name for the Events source. Default: "events" | `Nil` | +| `fluentd.events.sourceCategory` | Source category for the Events source. Default: "{clusterName}/events" | `Nil` | +| `fluentd.events.overrideOutputConf` | Override output section for events. Leave empty for the default output section. | `Nil` | +| `metrics-server.enabled` | Set the enabled flag to true for enabling metrics-server. This is required before enabling fluentd autoscaling unless you have an existing metrics-server in the cluster. | `false` | +| `metrics-server.fullnameOverride` | Used to override the chart's full name. | `Nil` | +| `metrics-server.args` | Arguments for metric server. | `["--kubelet-insecure-tls","--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname"]` | +| `fluent-bit.fullnameOverride` | Used to override the chart's full name. | `Nil` | +| `fluent-bit.resources` | Resources for Fluent-bit daemonsets. | `{}` | +| `fluent-bit.enabled` | Flag to control deploying Fluent-bit Helm sub-chart. | `true` | +| `fluent-bit.config.service` | Configure Fluent-bit Helm sub-chart service. | See [values.yaml] | +| `fluent-bit.config.inputs` | Configure Fluent-bit Helm sub-chart inputs. Configuration for logs from different container runtimes is described in [Container log parsing](../../docs/ContainerLogs.md). 
| See [values.yaml] | +| `fluent-bit.config.outputs` | Configure Fluent-bit Helm sub-chart outputs. | See [values.yaml] | +| `fluent-bit.config.customParsers` | Configure Fluent-bit Helm sub-chart customParsers. | See [values.yaml] | +| `fluent-bit.service.labels` | Labels for fluent-bit service. | `{sumologic.com/scrape: "true"}` | +| `fluent-bit.podLabels` | Additional labels for fluent-bit pods. | `{}` | +| `fluent-bit.podAnnotations` | Additional annotations for fluent-bit pods. | `{}` | +| `fluent-bit.service.flush` | Frequency to flush fluent-bit buffer to fluentd. | `5` | +| `fluent-bit.metrics.enabled` | Enable metrics from fluent-bit. | `true` | +| `fluent-bit.env` | Environment variables for fluent-bit. | See [values.yaml] | +| `fluent-bit.backend.type` | Set the backend to which Fluent-Bit should flush the information it gathers | `forward` | +| `fluent-bit.backend.forward.host` | Target host where Fluent-Bit or Fluentd are listening for Forward messages. | `${FLUENTD_LOGS_SVC}.${NAMESPACE}.svc.cluster.local.` | +| `fluent-bit.backend.forward.port` | TCP Port of the target service. | `24321` | +| `fluent-bit.backend.forward.tls` | Enable or disable TLS support. | `off` | +| `fluent-bit.backend.forward.tls_verify` | Force certificate validation. | `on` | +| `fluent-bit.backend.forward.tls_debug` | Set TLS debug verbosity level. It accept the following values: 0-4. | `1` | +| `fluent-bit.backend.forward.shared_key` | A key string known by the remote Fluentd used for authorization. | `Nil` | +| `fluent-bit.trackOffsets` | Specify whether to track the file offsets for tailing docker logs. This allows fluent-bit to pick up where it left after pod restarts but requires access to a hostPath. | `true` | +| `fluent-bit.tolerations` | Optional daemonset tolerations. | `[{"effect":"NoSchedule","operator":"Exists"}]` | +| `fluent-bit.input.systemd.enabled` | Enable systemd input. | `true` | +| `fluent-bit.parsers.enabled` | Enable custom parsers. 
| `true` | +| `fluent-bit.parsers.regex` | List of regex parsers. | `[{"name":"multi_line","regex":"(?\u003clog\u003e^{\"log\":\"\\d{4}-\\d{1,2}-\\d{1,2}.\\d{2}:\\d{2}:\\d{2}.*)"}]` | +| `fluent-bit.nodeSelector` | Node selector for fluent-bit. [See docs/Best_Practices.md for more information.](../../docs/Best_Practices.md) | `{}` | +| `fluent-bit.priorityClassName` | Priority Class name for `fluent-bit` pods. | `Nil` | +| `kube-prometheus-stack.kubeTargetVersionOverride` | Provide a target gitVersion of K8S, in case .Capabilites.KubeVersion is not available (e.g. helm template). Changing this may break Sumo Logic apps. | `1.13.0-0` | +| `kube-prometheus-stack.enabled` | Flag to control deploying Prometheus Operator Helm sub-chart. | `true` | +| `kube-prometheus-stack.fullnameOverride` | Used to override the chart's full name. | `Nil` | +| `kube-prometheus-stack.alertmanager.enabled` | Deploy alertmanager. | `false` | +| `kube-prometheus-stack.grafana.enabled` | If true, deploy the grafana sub-chart. | `false` | +| `kube-prometheus-stack.grafana.defaultDashboardsEnabled` | Deploy default dashboards. These are loaded using the sidecar. | `false` | +| `kube-prometheus-stack.prometheusOperator.podLabels` | Additional labels for prometheus operator pods. | `{}` | +| `kube-prometheus-stack.prometheusOperator.podAnnotations` | Additional annotations for prometheus operator pods. | `{}` | +| `kube-prometheus-stack.prometheusOperator.resources` | Resource limits for prometheus operator. Uses sub-chart defaults. | `{}` | +| `kube-prometheus-stack.prometheusOperator.admissionWebhooks.enabled` | Create PrometheusRules admission webhooks. Mutating webhook will patch PrometheusRules objects indicating they were validated. Validating webhook will check the rules syntax. | `false` | +| `kube-prometheus-stack.prometheusOperator.tls.enabled` | Enable TLS in prometheus operator. 
| `false` | +| `kube-prometheus-stack.kube-state-metrics.fullnameOverride` | Used to override the chart's full name. | `Nil` | +| `kube-prometheus-stack.kube-state-metrics.resources` | Resource limits for kube state metrics. Uses sub-chart defaults. | `{}` | +| `kube-prometheus-stack.kube-state-metrics.customLabels` | Custom labels to apply to service, deployment and pods. Uses sub-chart defaults. | `{}` | +| `kube-prometheus-stack.kube-state-metrics.podAnnotations` | Additional annotations for pods in the DaemonSet. Uses sub-chart defaults. | `{}` | +| `kube-prometheus-stack.prometheus.additionalServiceMonitors` | List of ServiceMonitor objects to create. | See [values.yaml] | +| `kube-prometheus-stack.prometheus.prometheusSpec.resources` | Resource limits for prometheus. Uses sub-chart defaults. | `{}` | +| `kube-prometheus-stack.prometheus.prometheusSpec.thanos.baseImage` | Base image for Thanos container. | `quay.io/thanos/thanos` | +| `kube-prometheus-stack.prometheus.prometheusSpec.thanos.version` | Image tag for Thanos container. | `v0.10.0` | +| `kube-prometheus-stack.prometheus.prometheusSpec.containers` | Containers allows injecting additional containers. This is meant to allow adding an authentication proxy to a Prometheus pod. | See [values.yaml] | +| `kube-prometheus-stack.prometheus.prometheusSpec.podMetadata.labels` | Add custom pod labels to prometheus pods | `{}` | +| `kube-prometheus-stack.prometheus.prometheusSpec.podMetadata.annotations` | Add custom pod annotations to prometheus pods | `{}` | +| `kube-prometheus-stack.prometheus.prometheusSpec.remoteWrite` | If specified, the remote_write spec. | See [values.yaml] | +| `kube-prometheus-stack.prometheus.prometheusSpec.walCompression` | Enables walCompression in Prometheus | `true` | +| `kube-prometheus-stack.prometheus-node-exporter.fullnameOverride` | Used to override the chart's full name. 
| `Nil` | +| `kube-prometheus-stack.prometheus-node-exporter.podLabels` | Additional labels for prometheus-node-exporter pods. | `{}` | +| `kube-prometheus-stack.prometheus-node-exporter.podAnnotations` | Additional annotations for prometheus-node-exporter pods. | `{}` | +| `kube-prometheus-stack.prometheus-node-exporter.resources` | Resource limits for node exporter. Uses sub-chart defaults. | `{}` | +| `kube-prometheus-stack.prometheus-node-exporter.nodeSelector` | Node selector for prometheus node exporter. [See docs/Best_Practices.md for more information.](../../docs/Best_Practices.md) | `{}` | +| `kube-prometheus-stack.kube-state-metrics.nodeSelector` | Node selector for kube-state-metrics. [See docs/Best_Practices.md for more information.](../../docs/Best_Practices.md) | `{}` | +| `falco.enabled` | Flag to control deploying Falco Helm sub-chart. | `false` | +| `falco.fullnameOverride` | Used to override the chart's full name. | `Nil` | +| `falco.addKernelDevel` | Flag to control installation of `kernel-devel` on nodes using MachineConfig, required to build falco modules (only for OpenShift) | `true` | +| `falco.extraInitContainers` | InitContainers for Falco pod | See [values.yaml] | +| `falco.ebpf.enabled` | Enable eBPF support for Falco instead of falco-probe kernel module. Set to true for GKE. | `false` | +| `falco.falco.jsonOutput` | Output events in json. | `true` | +| `falco.pullSecrets` | Pull secrets for falco images. For more information on using Kubernetes secrets with container registries please refer to [Creating a Secret with a Docker config at kubernetes.io](https://kubernetes.io/docs/concepts/containers/images/#creating-a-secret-with-a-docker-config). | `[]` | +| `telegraf-operator.enabled` | Flag to control deploying Telegraf Operator Helm sub-chart. | `false` | +| `telegraf-operator.fullnameOverride` | Used to override the chart's full name. | `Nil` | +| `telegraf-operator.replicaCount` | Replica count for Telegraf Operator pods. 
| 1 | +| `telegraf-operator.classes.secretName` | Secret name in which the Telegraf Operator configuration will be stored. | `telegraf-operator-classes` | +| `telegraf-operator.default` | Name of the default output configuration. | `sumologic-prometheus` | +| `telegraf-operator.data` | Telegraf sidecar configuration. | See [values.yaml] | +| `opentelemetry-operator.enabled` | Flag to control deploying OpenTelemetry Operator Helm sub-chart. | `false` | +| `opentelemetry-operator.createDefaultInstrumentation` | Flag to control creation of default Instrumentation object | `true` | +| `opentelemetry-operator.manager.env.WATCH_NAMESPACE` | Used to set value for `WATCH_NAMESPACE` environment variable which specifies Namespace to watch and create Instrumentation objects. | `Nil` | +| `otelagent.enabled` | Enables OpenTelemetry Collector Agent mode DaemonSet. | `false` | +| `otelagent.daemonset.nodeSelector` | Node selector for otelagent daemonset. [See docs/Best_Practices.md for more information.](../../docs/Best_Practices.md) | `{}` | +| `otelagent.daemonset.priorityClassName` | Priority class name for OpenTelemetry Agent trace pods. | If not provided then set to `RELEASE-NAME-sumologic-priorityclass`. | +| `otelcol.deployment.replicas` | Set the number of OpenTelemetry Collector replicas. | `1` | +| `otelcol.deployment.resources.limits.memory` | Sets the OpenTelemetry Collector memory limit. | `2Gi` | +| `otelcol.deployment.priorityClassName` | Priority class name for OpenTelemetry Collector log pods. | `Nil` | +| `otelcol.deployment.nodeSelector` | Node selector for otelcol deployment. [See docs/Best_Practices.md for more information.](../../docs/Best_Practices.md) | `{}` | +| `otelcol.metrics.enabled` | Enable or disable generation of the metrics from Collector. | `true` | +| `otelcol.config.service.pipelines.traces.receivers` | Sets the list of enabled receivers. 
| `{jaeger, opencensus, otlp, zipkin}` | +| `otelcol.config.exporters.zipkin.timeout` | Sets the Zipkin (default) exporter timeout. Append the unit, e.g. `s` when setting the parameter | `5s` | +| `otelcol.config.exporters.logging.loglevel` | When tracing debug logging exporter is enabled, sets the verbosity level. Use either `info` or `debug`. | `info` | +| `otelcol.config.service.pipelines.traces.exporters` | Sets the list of exporters enabled within OpenTelemetry Collector. Available values: `zipkin`, `logging`. Set to `{zipkin, logging}` to enable logging debugging exporter. | `{zipkin}` | +| `otelcol.config.service.pipelines.traces.processors` | Sets the list of enabled OpenTelemetry Collector processors. | `{memory_limiter, k8s_tagger, source, resource, batch, queued_retry}` | +| `otelcol.config.processors.memory_limiter.limit_mib` | Sets the OpenTelemetry Collector memory limitter plugin value (in MiB). Should be at least 100 Mib less than the value of `otelcol.deployment.resources.limits.memory`. | `1900` | +| `otelcol.config.processors.batch.send_batch_size` | Sets the preferred size of batch (in number of spans). | `256` | +| `otelcol.config.processors.batch.send_batch_max_size` | Sets the maximum allowed size of a batch (in number of spans). Use with caution, setting too large value might cause 413 Payload Too Large errors. | `512` | +| `otelcol.logLevelFilter` | Do not send otelcol logs if `true`. | `false` | +| `otelgateway.deployment.nodeSelector` | Node selector for otelgateway deployment. [See docs/Best_Practices.md for more information.](../../docs/Best_Practices.md) | `{}` | +| `otellogs.daemonset.nodeSelector` | Node selector for otellogs daemonset. [See docs/Best_Practices.md for more information.](../../docs/Best_Practices.md) | `{}` | +| `otellogs.daemonset.priorityClassName` | Priority class name for OpenTelemetry Agent log pods. | If not provided then set to `RELEASE-NAME-sumologic-priorityclass`. 
| +| `metadata.image.repository` | Image repository for otelcol docker container. | `public.ecr.aws/sumologic/sumologic-otel-collector` | +| `metadata.image.tag` | Image tag for otelcol docker container. | `0.0.18` | +| `metadata.image.pullPolicy` | Image pullPolicy for otelcol docker container. | `IfNotPresent` | +| `metadata.securityContext` | The securityContext configuration for otelcol. | `{"fsGroup": 999}` | +| `metadata.podLabels` | Additional labels for all otelcol pods. | `{}` | +| `metadata.podAnnotations` | Additional annotations for all otelcol pods. | `{}` | +| `metadata.serviceLabels` | Additional labels for all otelcol pods. | `{}` | +| `metadata.persistence.enabled` | Flag to control persistence for OpenTelemetry Collector. | `true` | +| `metadata.persistence.storageClass` | Defines storageClassName for the PersistentVolumeClaim which is used to provide persistence for OpenTelemetry Collector. | `Nil` | +| `metadata.persistence.accessMode` | The accessMode for the volume which is used to provide persistence for OpenTelemetry Collector. | `ReadWriteOnce` | +| `metadata.persistence.size` | Size of the volume which is used to provide persistence for OpenTelemetry Collector. | `10Gi` | +| `metadata.persistence.pvcLabels` | Additional PersistentVolumeClaim labels for all OpenTelemetry Collector pods. | `{}` | +| `metadata.metrics.enabled` | Flag to control deploying the otelcol metrics statefulsets. | `true` | +| `metadata.metrics.logLevel` | Flag to control logging level for OpenTelemetry Collector for metrics. Can be `debug`, `info`, `warn`, `error`, `dpanic`, `panic`, `fatal`. | `info` | +| `metadata.metrics.config` | Configuration for metrics otelcol. See also https://github.com/SumoLogic/sumologic-otel-collector/blob/main/docs/Configuration.md. | See [values.yaml] | +| `metadata.metrics.statefulset.containers.otelcol.startupProbe` | Startup probe configuration for metrics otelcol container. 
| `{ periodSeconds: 3, failureThreshold: 60}` | +| `metadata.metrics.statefulset.nodeSelector` | Node selector for metrics metadata enrichment (otelcol) statefulset. [See docs/Best_Practices.md for more information.](../../docs/Best_Practices.md) | `{}` | +| `metadata.metrics.statefulset.tolerations` | Tolerations for metrics metadata enrichment (otelcol) statefulset. | `[]` | +| `metadata.metrics.statefulset.affinity` | Affinity for metrics metadata enrichment (otelcol) statefulset. | `{}` | +| `metadata.metrics.statefulset.podAntiAffinity` | PodAntiAffinity for metrics metadata enrichment (otelcol) statefulset. | `soft` | +| `metadata.metrics.statefulset.topologySpreadConstraints` | TopologySpreadConstraints for metrics metadata enrichment (otelcol) statefulset. | `[]` | +| `metadata.metrics.statefulset.replicaCount` | Replica count for metrics metadata enrichment (otelcol) statefulset. | `3` | +| `metadata.metrics.statefulset.resources` | Resources for metrics metadata enrichment (otelcol) statefulset. | `{"limits":{"cpu":1,"memory":"1Gi"},"requests":{"cpu":0.5,"memory":"768Mi"}}` | +| `metadata.metrics.statefulset.priorityClassName` | Priority class name for metrics metadata enrichment (otelcol) pods. | `Nil` | +| `metadata.metrics.statefulset.podLabels` | Additional labels for metrics metadata enrichment (otelcol) pods. | `{}` | +| `metadata.metrics.statefulset.podAnnotations` | Additional annotations for metrics metadata enrichment (otelcol) pods. | `{}` | +| `metadata.metrics.statefulset.containers.metadata.securityContext` | The securityContext configuration for otelcol container for metrics metadata enrichment statefulset. | `{}` | +| `metadata.metrics.statefulset.extraEnvVars` | Additional environment variables for metrics metadata enrichment (otelcol) pods. | `Nil` | +| `metadata.metrics.statefulset.extraVolumes` | Additional volumes for metrics metadata enrichment (otelcol) pods. 
| `Nil` | +| `metadata.metrics.statefulset.extraVolumeMounts` | Additional volume mounts for metrics metadata enrichment (otelcol) pods. | `Nil` | +| `metadata.metrics.autoscaling.enabled` | Option to turn autoscaling on for metrics metadata enrichment (otelcol) and specify params for HPA. Autoscaling needs metrics-server to access cpu metrics. | `false` | +| `metadata.metrics.autoscaling.minReplicas` | Default min replicas for autoscaling. | `3` | +| `metadata.metrics.autoscaling.maxReplicas` | Default max replicas for autoscaling | `10` | +| `metadata.metrics.autoscaling.targetCPUUtilizationPercentage` | The desired target CPU utilization for autoscaling. | `50` | +| `metadata.metrics.autoscaling.targetMemoryUtilizationPercentage` | The desired target memory utilization for autoscaling. | `Nil` | +| `metadata.metrics.podDisruptionBudget` | Pod Disruption Budget for metrics metadata enrichment (otelcol) statefulset. | `{"minAvailable": 2}` | +| `metadata.logs.enabled` | Flag to control deploying the otelcol logs statefulsets. | `true` | +| `metadata.logs.logLevel` | Flag to control logging level for OpenTelemetry Collector for logs. Can be `debug`, `info`, `warn`, `error`, `dpanic`, `panic`, `fatal`. | `info` | +| `metadata.logs.config` | Configuration for logs otelcol. See also https://github.com/SumoLogic/sumologic-otel-collector/blob/main/docs/Configuration.md. | See [values.yaml] | +| `metadata.logs.statefulset.containers.otelcol.startupProbe` | Startup probe configuration for logs otelcol container. | `{ periodSeconds: 3, failureThreshold: 60}` | +| `metadata.logs.statefulset.nodeSelector` | Node selector for logs metadata enrichment (otelcol) statefulset. [See docs/Best_Practices.md for more information.](../../docs/Best_Practices.md) | `{}` | +| `metadata.logs.statefulset.tolerations` | Tolerations for logs metadata enrichment (otelcol) statefulset. 
| `[]` | +| `metadata.logs.statefulset.affinity` | Affinity for logs metadata enrichment (otelcol) statefulset. | `{}` | +| `metadata.logs.statefulset.podAntiAffinity` | PodAntiAffinity for logs metadata enrichment (otelcol) statefulset. | `soft` | +| `metadata.logs.statefulset.topologySpreadConstraints` | TopologySpreadConstraints for logs metadata enrichment (otelcol) statefulset. | `[]` | +| `metadata.logs.statefulset.replicaCount` | Replica count for logs metadata enrichment (otelcol) statefulset. | `3` | +| `metadata.logs.statefulset.resources` | Resources for logs metadata enrichment (otelcol) statefulset. | `{"limits":{"cpu":1,"memory":"1Gi"},"requests":{"cpu":0.5,"memory":"768Mi"}}` | +| `metadata.logs.statefulset.priorityClassName` | Priority class name for logs metadata enrichment (otelcol) pods. | `Nil` | +| `metadata.logs.statefulset.podLabels` | Additional labels for logs metadata enrichment (otelcol) pods. | `{}` | +| `metadata.logs.statefulset.podAnnotations` | Additional annotations for logs metadata enrichment (otelcol) pods. | `{}` | +| `metadata.logs.statefulset.containers.metadata.securityContext` | The securityContext configuration for otelcol container for logs metadata enrichment statefulset. | `{}` | +| `metadata.logs.statefulset.extraEnvVars` | Additional environment variables for logs metadata enrichment (otelcol) pods. | `Nil` | +| `metadata.logs.statefulset.extraVolumes` | Additional volumes for logs metadata enrichment (otelcol) pods. | `Nil` | +| `metadata.logs.statefulset.extraVolumeMounts` | Additional volume mounts for logs metadata enrichment (otelcol) pods. | `Nil` | +| `metadata.logs.autoscaling.enabled` | Option to turn autoscaling on for logs metadata enrichment (otelcol) and specify params for HPA. Autoscaling needs metrics-server to access cpu metrics. | `false` | +| `metadata.logs.autoscaling.minReplicas` | Default min replicas for autoscaling. 
| `3` | +| `metadata.logs.autoscaling.maxReplicas` | Default max replicas for autoscaling | `10` | +| `metadata.logs.autoscaling.targetCPUUtilizationPercentage` | The desired target CPU utilization for autoscaling. | `50` | +| `metadata.logs.autoscaling.targetMemoryUtilizationPercentage` | The desired target memory utilization for autoscaling. | `Nil` | +| `metadata.logs.podDisruptionBudget` | Pod Disruption Budget for logs metadata enrichment (otelcol) statefulset. | `{"minAvailable": 2}` | +| `otelevents.image.repository` | Image repository for otelcol docker container. | `public.ecr.aws/sumologic/sumologic-otel-collector` | +| `otelevents.image.tag` | Image tag for otelcol docker container. | `0.54.0-sumo-0` | +| `otelevents.image.pullPolicy` | Image pullPolicy for otelcol docker container. | `IfNotPresent` | +| `otelevents.logLevel` | Log level for the OpenTelemtry Collector. Can be `debug`, `info`, `warn`, `error`, `dpanic`, `panic`, `fatal`. | `info` | +| `otelevents.persistence.enabled` | Enable persistence for OpenTelemetry Collector. | `true` | +| `otelevents.persistence.storageClass` | Defines storageClassName for the PersistentVolumeClaim which is used to provide persistence for OpenTelemetry Collector. | `Nil` | +| `otelevents.persistence.accessMode` | The accessMode for the volume which is used to provide persistence for OpenTelemetry Collector. | `ReadWriteOnce` | +| `otelevents.persistence.size` | Size of the volume which is used to provide persistence for OpenTelemetry Collector. | `10Gi` | +| `otelevents.persistence.pvcLabels` | Additional PersistentVolumeClaim labels for all OpenTelemetry Collector pods. | `{}` | +| `otelevents.config.override` | Override configuration for OpenTelemetry Collector. See [the documentation](../../docs/opentelemetry_collector.md#customizing-opentelemetry-collector-configuration) for more details. | `{}` | +| `otelevents.statefulset` | OpenTelemetry Collector StatefulSet customization options. 
See values.yaml for more details. | See [values.yaml] | +| `tailing-sidecar-operator.enabled` | Flag to control deploying Tailing Sidecar Operator Helm sub-chart. | `false` | +| `tailing-sidecar-operator.fullnameOverride` | Used to override the chart's full name. | `Nil` | +| `tailing-sidecar-operator.scc.create` | Create OpenShift's Security Context Constraint | `false` | +| `prometheus.prometheusSpec.nodeSelector` | Node selector for prometheus. [See docs/Best_Practices.md for more information.](../../docs/Best_Practices.md) | `{}` | + +[values.yaml]: values.yaml diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/.helmignore b/charts/sumologic/sumologic/2.17.0/charts/falco/.helmignore new file mode 100644 index 000000000..f0c131944 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/CHANGELOG.md b/charts/sumologic/sumologic/2.17.0/charts/falco/CHANGELOG.md new file mode 100644 index 000000000..4a0ebdccd --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/CHANGELOG.md 
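Review bot: the `metrics-server.args` default `["--kubelet-insecure-tls","--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname"]` disables verification of the kubelet serving certificate, yet the row's description ("Arguments for metric server.") says nothing about it; please state that this is only appropriate where kubelets present self-signed certificates and that clusters whose kubelet certificates are issued by the cluster CA should override the argument, since these metrics drive the `fluentd.*.autoscaling` and `metadata.*.autoscaling` HPA decisions documented in the same table. The same gap exists for the Fluent-bit to Fluentd hop: `fluent-bit.backend.forward.tls` defaults to `off` and `fluent-bit.backend.forward.shared_key` to `Nil`, so by default the forward listener on port `24321` accepts unauthenticated plaintext from any pod that can reach `${FLUENTD_LOGS_SVC}.${NAMESPACE}.svc.cluster.local.`, while `fluent-bit.backend.forward.tls_verify` is documented as `on` although it has no effect while `tls` is `off`; one sentence saying so, and recommending a `shared_key` when the service is reachable from untrusted namespaces, would help. The table also documents two configuration models for the same output (`fluent-bit.config.outputs` alongside `fluent-bit.backend.forward.*`) without saying which one the bundled sub-chart honours; clarify or drop the stale set. Minor description fixes in this hunk: `fluentd.metrics.podDisruptionBudget` ("metrics metadata enrichment. statefulset."), `fluentd.events.statefulset.resources` ("Resources for Fluentd log statefulset" for the events statefulset), `kube-prometheus-stack.kube-state-metrics.podAnnotations` ("pods in the DaemonSet"), `metadata.serviceLabels` ("Additional labels for all otelcol pods" for a service label), `fluent-bit.backend.forward.tls_debug` ("It accept"), `otelcol.config.processors.memory_limiter.limit_mib` ("limitter", "100 Mib"), `otelevents.logLevel` ("OpenTelemtry"), `kube-prometheus-stack.kubeTargetVersionOverride` ("Capabilites"), and `telegraf-operator.replicaCount` whose default `1` is the only unquoted value in the table.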
@@ -0,0 +1,676 @@ +# Change Log + +This file documents all notable changes to Falco Helm Chart. The release +numbering uses [semantic versioning](http://semver.org). + +## v1.18.6 + +* Bump falcosidekick chart dependency (fix issue with the UI) + +## v1.18.5 + +* Bump falcosidekick chart dependency + +## v1.18.4 + +* Now the url to falcosidekick on NOTES.txt on falco helm chart points to the right place. + +## v1.18.3 + +* Fix for [issue 318](https://github.com/falcosecurity/charts/issues/318) - Missing comma in k8s_audit_rules.yaml. + +## v1.18.2 + +* Further fix for `--reuse-values` option after the introduction of `crio.enabled`. + +## v1.18.1 + +* Workaround to make this chart work with Helm `--reuse-values` option after the introduction of `crio.enabled`. + +## v1.18.0 + +* Added support for cri-o + +## v1.17.6 + +Remove whitespace around `falco.httpOutput.url` to fix the error `libcurl error: URL using bad/illegal format or missing URL`. + +## v1.17.5 + +* Changed `falco.httpOutput.url` so that it always overrides the default URL, even when falcosidekick is enabled. 
(NOTE: don't use this version, see v1.17.6) + +## v1.17.4 + +* Upgrade to Falco 0.31.1 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.31.1/CHANGELOG.md)) +* Update rulesets from Falco 0.31.1 + +## v1.17.3 + +* Fix quoting around `--k8s-node` + +## v1.17.2 + +* Add `leastPrivileged.enabled` configuration + +## v1.17.1 + +* Fixed `priority` level `info` change to `informational` + +## v1.17.0 + +* Upgrade to Falco 0.31.0 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.31.0/CHANGELOG.md)) +* Update rulesets from Falco 0.31.0 +* Update several configuration options under the `falco` node to reflect the new Falco version +* Initial plugins support + +## v1.16.4 + +* Bump falcosidekick chart dependency + +## v1.16.2 + +* Add `serviceAccount.annotations` configuration + +## v1.16.1 + +* Fixed string escaping for `--k8s-node` + +## v1.16.0 + +* Upgrade to Falco 0.30.0 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.30.0/CHANGELOG.md)) +* Update rulesets from Falco 0.30.0 +* Add `kubernetesSupport.enableNodeFilter` configuration to enable node filtering when requesting pods metadata from Kubernetes +* Add `falco.metadataDownload` configuration for fine-tuning container orchestrator metadata fetching params +* Add `falco.jsonIncludeTagsProperty` configuration to include tags in the JSON output + +## v1.15.7 + +* Removed `maxSurge` reference from comment in Falco's `values.yaml` file. 
+ +## v1.15.6 + +* Update `Falcosidekick` chart to 0.3.13 + +## v1.15.4 + +* Update `Falcosidekick` chart to 0.3.12 + +## v1.15.3 + +* Upgrade to Falco 0.29.1 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.29.1/CHANGELOG.md)) +* Update rulesets from Falco 0.29.1 + +## v1.15.2 + +* Add ability to use an existing secret of key, cert, ca as well as pem bundle instead of creating it from files + +## v1.15.1 + +* Fixed liveness and readiness probes schema when ssl is enabled + +## v1.14.1 + +* Update `Falcosidekick` chart to 0.3.8 + +## v1.14.1 + +* Update image tag to 0.29.0 in values.yaml + +## v1.14.0 + +* Upgrade to Falco 0.29.0 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.29.0/CHANGELOG.md)) +* Update rulesets from Falco 0.29.0 + +## v1.13.2 + +* Fixed incorrect spelling of `fullfqdn` + +## v1.13.1 + +* Fix port for readinessProbe and livenessProbe + +## v1.13.0 + +* Add liveness and readiness probes to Falco + +## v1.12.0 + +* Add `kubernetesSupport` configuration to make Kubernetes Falco support optional in the daemonset (enabled by default) + +## v1.11.1 + +* Upgrade to Falco 0.28.1 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.28.1/CHANGELOG.md)) + +## v1.11.0 + +* Bump up version of chart for `Falcosidekick` dependency to `v3.5.0` + +## v1.10.0 + +* Add `falcosidekick.fullfqdn` option to connect `falco` to `falcosidekick` with full FQDN +* Bump up version of chart for `Falcosidekick` dependency + +## v1.9.0 + +* Upgrade to Falco 0.28.0 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.28.0/CHANGELOG.md)) +* Update rulesets from Falco 0.28.0 + +## v1.8.1 + +* Bump up version of chart for `Falcosidekick` dependency + +## v1.8.0 + +* Bump up version of chart for `Falcosidekick` dependency + +## v1.7.10 + +* Update rule `Write below monitored dir` description + +## v1.7.9 + +* Add a documentation section about the driver + +## v1.7.8 + +* Increase CPU limit 
default value + +## v1.7.7 + +* Add a documentation section about using init containers + +## v1.7.6 + +* Correct icon URL +## v1.7.5 + +* Update downstream sidekick chart + +## v1.7.4 + +* Add `ebpf.probe.path` configuration option + +## v1.7.3 + +* Bump up version of chart for `Falcosidekick` dependency + +## v1.7.2 + +* Fix `falco` configmap when `Falcosidekick` is enabled, wrong service name was used + +## v1.7.1 + +* Correct image tag for Falco 0.27.0 + +## v1.7.0 + +* Upgrade to Falco 0.27.0 (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.27.0/CHANGELOG.md)) +* Add `falco.output_timeout` configuration setting + +## v1.6.1 + +### Minor Changes + +* Add `falcosidekick` as an optional dependency + +## v1.6.0 + +### Minor Changes + +* Remove deprecated integrations (see [#123](https://github.com/falcosecurity/charts/issues/123)) + +## v1.5.8 + +### Minor Changes + +* Add value `extraVolumes`, allow adding extra volumes to falco daemonset +* Add value `extraVolumeMounts`, allow adding extra volumeMounts to falco container in falco daemonset + +## v1.5.6 + +### Minor Changes + +* Add `falco.webserver.sslEnabled` config, enabling SSL support +* Add `falco.webserver.nodePort` configuration as an alternative way for exposing the AuditLog webhook (disabled by default) + +## v1.5.5 + +### Minor Changes + +* Support release namespace configuration + +## v1.5.4 + +### Minor Changes + +* Upgrade to Falco 0.26.2, `DRIVERS_REPO` now defaults to https://download.falco.org/driver (see the [Falco changelog](https://github.com/falcosecurity/falco/blob/0.26.2/CHANGELOG.md)) + +## v1.5.3 + +### Minor Changes + +* Deprecation notice for gcscc, natsOutput, snsOutput, pubsubOutput integrations +* Clean up old references from documentation + +## v1.5.2 + +### Minor Changes + +* Add Pod Security Policy Support for the fake event generator + +## v1.5.1 + +### Minor Changes + +* Replace extensions apiGroup/apiVersion because of deprecation + +## v1.5.0 + +### 
Minor Changes + +* Upgrade to Falco 0.26.1 +* Update ruleset from Falco 0.26.1 +* Automatically set the appropriate apiVersion for rbac + +## v1.4.0 + +### Minor Changes + +* Allow adding InitContainers to Falco pod with `extraInitContainers` configuration + +## v1.3.0 + +### Minor Changes + +* Upgrade to Falco 0.25.0 +* Update ruleset from Falco 0.25.0 + +## v1.2.3 + +### Minor Changes + +* Fix duplicate mount point problem when both gRPC and NATS integrations are enabled + +## v1.2.2 + +### Minor Changes + +* Allow configuration using values for `imagePullSecrets` setting +* Add `docker.io/falcosecurity/falco` image to `falco_privileged_images` macro + +## v1.2.1 + +### Minor Changes + +* Add SecurityContextConstraint to allow deploying in Openshift + +## v1.2.0 + +### Minor Changes + +* Upgrade to Falco 0.24.0 +* Update ruleset from Falco 0.24.0 +* gRPC Unix Socket support +* Set default threadiness to 0 ("auto" behavior) for the gRPC server + +## v1.1.10 + +### Minor Changes + +* Switch to `falcosecurity/event-generator` +* Allow configuration using values for `fakeEventGenerator.args` setting +* Update ruleset +* New releasing mechanism + +## v1.1.9 + +### Minor Changes + +* Add missing privileges for the apps Kubernetes API group +* Allow client config url for Audit Sink with `auditLog.dynamicBackend.url` + +## v1.1.8 + +### Minor Changes + +* Upgrade to Falco 0.23.0 +* Correct socket path for `--cri` flag +* Always mount `/etc` (required by `falco-driver-loader`) + +## v1.1.7 + +### Minor Changes + +* Add pod annotation support for daemonset + +## v1.1.6 + +### Minor Changes + +* Upgrade to Falco 0.21.0 +* Upgrade rules to Falco 0.21.0 + +## v1.1.5 + +### Minor Changes + +* Add headless service for gRPC server +* Allow gRPC certificates configuration by using `--set-file` + +## v1.1.4 + +### Minor Changes + +* Make `/lib/modules` writable from the container + +## v1.1.3 + +### Minor Changes + +* Allow configuration using values for `grpc` setting +* Allow 
configuration using values for `grpc_output` setting + +## v1.1.2 + +### Minor Changes + +* Upgrade to Falco 0.20.0 +* Upgrade rules to Falco 0.20.0 + +## v1.1.1 + +### Minor Changes + +* Upgrade to Falco 0.19.0 +* Upgrade rules to Falco 0.19.0 +* Remove Sysdig references, Falco is a project by its own name + +## v1.1.0 + +### Minor Changes + +* Revamp auditLog feature +* Upgrade to latest version (0.18.0) +* Replace CRI references with containerD + +## v1.0.12 + +### Minor Changes + +* Support multiple lines for `falco.programOutput.program` + +## v1.0.11 + +### Minor Changes + +* Add affinity + +## v1.0.10 + +### Minor Changes + +* Migrate API versions from deprecated, removed versions to support Kubernetes v1.16 + +## v1.0.9 + +### Minor Changes + +* Restrict the access to `/dev` on underlying host to read only + +## v1.0.8 + +### Minor Changes + +* Upgrade to Falco 0.17.1 +* Upgrade rules to Falco 0.17.1 + +## v1.0.7 + +### Minor Changes + +* Allow configuration using values for `nodeSelector` setting + +## v1.0.6 + +### Minor Changes + +* Falco does a rollingUpgrade when the falco or falco-rules configMap changes + with a helm upgrade + +## v1.0.5 + +### Minor Changes + +* Add 3 resources (`daemonsets`, `deployments`, `replicasets`) to the ClusterRole resource list + Ref: [PR#514](https://github.com/falcosecurity/falco/pull/514) from Falco repository + +## v1.0.4 + +### Minor Changes + +* Upgrade to Falco 0.17.0 +* Upgrade rules to Falco 0.17.0 + +## v1.0.3 + +### Minor Changes + +* Support [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/) + +## v1.0.2 + +### Minor Changes + +* Upgrade to Falco 0.16.0 +* Upgrade rules to Falco 0.16.0 + +## v1.0.1 + +### Minor Changes + +* Extra environment variables passed to daemonset pods + +## v1.0.0 + +### Major Changes + +* Add support for K8s audit logging + +## v0.9.1 + +### Minor Changes + +* Allow configuration using values for `time_format_iso8601` setting +* Allow 
configuration using values for `syscall_event_drops` setting +* Allow configuration using values for `http_output` setting +* Add CHANGELOG entry for v0.8.0, [not present on its PR](https://github.com/helm/charts/pull/14813#issuecomment-506821432) + +## v0.9.0 + +### Major Changes + +* Add nestorsalceda as an approver + +## v0.8.0 + +### Major Changes + +* Allow configuration of Pod Security Policy. This is needed to get Falco + running when the Admission Controller is enabled. + +## v0.7.10 + +### Minor Changes + +* Fix bug with Google Cloud Security Command Center and Falco integration + +## v0.7.9 + +### Minor Changes + +* Upgrade to Falco 0.15.3 +* Upgrade rules to Falco 0.15.3 + +## v0.7.8 + +### Minor Changes + +* Add TZ parameter for time correlation in Falco logs + +## v0.7.7 + +### Minor Changes + +* Upgrade to Falco 0.15.1 +* Upgrade rules to Falco 0.15.1 + +## v0.7.6 + +### Major Changes + +* Allow to enable/disable usage of the docker socket +* Configurable docker socket path +* CRI support, configurable CRI socket +* Allow to enable/disable usage of the CRI socket + +## v0.7.5 + +### Minor Changes + +* Upgrade to Falco 0.15.0 +* Upgrade rules to Falco 0.15.0 + +## v0.7.4 + +### Minor Changes + +* Use the KUBERNETES_SERVICE_HOST environment variable to connect to Kubernetes + API instead of using a fixed name + +## v0.7.3 + +### Minor Changes + +* Remove the toJson pipeline when storing Google Credentials. It makes strange + stuff with double quotes and does not allow to use base64 encoded credentials + +## v0.7.2 + +### Minor Changes + +* Fix typos in README.md + +## v0.7.1 + +### Minor Changes + +* Add Google Pub/Sub Output integration + +## v0.7.0 + +### Major Changes + +* Disable eBPF by default on Falco. We activated eBPF by default to make the + CI pass, but now we found a better method to make the CI pass without + bothering our users. 
+ +## v0.6.0 + +### Major Changes + +* Upgrade to Falco 0.14.0 +* Upgrade rules to Falco 0.14.0 +* Enable eBPF by default on Falco +* Allow to download Falco images from different registries than `docker.io` +* Use rollingUpdate strategy by default +* Provide sane defauls for falco resource management + +## v0.5.6 + +### Minor Changes + +* Allow extra container args + +## v0.5.5 + +### Minor Changes + +* Update correct slack example + +## v0.5.4 + +### Minor Changes + +* Using Falco version 0.13.0 instead of latest. + +## v0.5.3 + +### Minor Changes + +* Update falco_rules.yaml file to use the same rules that Falco 0.13.0 + +## v0.5.2 + +### Minor Changes + +* Falco was accepted as a CNCF project. Fix references and download image from + falcosecurity organization. + +## v0.5.1 + +### Minor Changes + +* Allow falco to resolve cluster hostnames when running with ebpf.hostNetwork: true + +## v0.5.0 + +### Major Changes + +* Add Amazon SNS Output integration + +## v0.4.0 + +### Major Changes + +* Allow Falco to be run with a HTTP proxy server + +## v0.3.1 + +### Minor Changes + +* Mount in memory volume for shm. It was used in volumes but was not mounted. + +## v0.3.0 + +### Major Changes + +* Add eBPF support for Falco. Falco can now read events via an eBPF program + loaded into the kernel instead of the `falco-probe` kernel module. + +## v0.2.1 + +### Minor Changes + +* Update falco_rules.yaml file to use the same rules that Falco 0.11.1 + +## v0.2.0 + +### Major Changes + +* Add NATS Output integration + +### Minor Changes + +* Fix value mismatch between code and documentation + +## v0.1.1 + +### Minor Changes + +* Fix several typos + +## v0.1.0 + +### Major Changes + +* Initial release of Sysdig Falco Helm Chart diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/Chart.lock b/charts/sumologic/sumologic/2.17.0/charts/falco/Chart.lock new file mode 100644 index 000000000..237f66ffa --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/Chart.lock 
@@ -0,0 +1,6 @@ +dependencies: +- name: falcosidekick + repository: https://falcosecurity.github.io/charts + version: 0.5.2 +digest: sha256:766497dd14f272cdeedc3f67509d4ad7613190ff257edf46e572a957d88459f1 +generated: "2022-06-07T09:41:13.10138558Z" diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/Chart.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/Chart.yaml new file mode 100644 index 000000000..7c0c15332 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +appVersion: 0.31.1 +dependencies: +- condition: falcosidekick.enabled + name: falcosidekick + repository: https://falcosecurity.github.io/charts + version: 0.5.2 +description: Falco +home: https://falco.org +icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/falco/horizontal/color/falco-horizontal-color.svg +keywords: +- monitoring +- security +- alerting +- metric +- troubleshooting +- run-time +maintainers: +- email: cncf-falco-dev@lists.cncf.io + name: The Falco Authors +name: falco +sources: +- https://github.com/falcosecurity/falco +version: 1.18.6 diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/OWNERS b/charts/sumologic/sumologic/2.17.0/charts/falco/OWNERS new file mode 100644 index 000000000..a424cc075 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/OWNERS @@ -0,0 +1,6 @@ +approvers: +- bencer +- nestorsalceda +reviewers: +- bencer +- nestorsalceda diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/README.md b/charts/sumologic/sumologic/2.17.0/charts/falco/README.md new file mode 100644 index 000000000..65656961a --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/README.md 
@@ -0,0 +1,489 @@ +# Falco + +[Falco](https://falco.org) is a *Cloud Native Runtime Security* tool designed to detect anomalous activity in your applications. You can use Falco to monitor runtime security of your Kubernetes applications and internal components. + +## Introduction + +This chart adds Falco to all nodes in your cluster using a DaemonSet. + +It also provides a Deployment for generating Falco alerts. This is useful for testing purposes. + +## Adding `falcosecurity` repository + +Before installing the chart, add the `falcosecurity` charts repository: + +```bash +helm repo add falcosecurity https://falcosecurity.github.io/charts +helm repo update +``` + +## Installing the Chart + +To install the chart with the release name `falco` run: + +```bash +helm install falco falcosecurity/falco +``` + +After a few seconds, Falco should be running. + +> **Tip**: List all releases using `helm list`, a release is a name used to track a specific deployment + +### About the driver + +Falco needs a driver (the [kernel module](https://falco.org/docs/event-sources/drivers/#kernel-module) or the [eBPF probe](https://falco.org/docs/event-sources/drivers/#ebpf-probe)) to work. + +The container image includes a script (`falco-driver-loader`) that either tries to build the driver on-the-fly or downloads a prebuilt driver as a fallback. Usually, no action is required. + +If a prebuilt driver is not available for your distribution/kernel, Falco needs **kernel headers** installed on the host as a prerequisite to building the driver on the fly correctly. You can find instructions on installing the kernel headers for your system under the [Install section](https://falco.org/docs/getting-started/installation/) of the official documentation. + +## Uninstalling the Chart + +To uninstall the `falco` deployment: + +```bash +helm uninstall falco +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. 
+ +## Configuration + +The following table lists the configurable parameters of the Falco chart and their default values. + +| Parameter | Description | Default | +|--------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------| +| `image.registry` | The image registry to pull from | `docker.io` | +| `image.repository` | The image repository to pull from | `falcosecurity/falco` | +| `image.tag` | The image tag to pull | `0.31.1` | +| `image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `image.pullSecrets` | The image pull secretes | `[]` | +| `containerd.enabled` | Enable ContainerD support | `true` | +| `containerd.socket` | The path of the ContainerD socket | `/run/containerd/containerd.sock` | +| `crio.enabled` | Enable CRI-O support | `true` | +| `crio.socket` | The path of the CRI-O socket | `/run/crio/crio.sock` | +| `docker.enabled` | Enable Docker support | `true` | +| `docker.socket` | The path of the Docker daemon socket | `/var/run/docker.sock` | +| `kubernetesSupport.enabled` | Enable Kubernetes meta data collection via a connection to the Kubernetes API server | `true` | +| `kubernetesSupport.apiAuth` | Provide the authentication method Falco should use to connect to the Kubernetes API | `/var/run/secrets/kubernetes.io/serviceaccount/token` | +| `kubernetesSupport.apiUrl` | Provide the URL Falco should use to connect to the Kubernetes API | `https://$(KUBERNETES_SERVICE_HOST)` | +| `kubernetesSupport.enableNodeFilter` | If true, only the current node (on which Falco is running) will be considered when requesting metadata of pods | `true` | +| `podLabels` | Customized pod labels | `{}` | +| `resources.requests.cpu` | CPU requested for 
being run in a node | `100m` | +| `resources.requests.memory` | Memory requested for being run in a node | `512Mi` | +| `resources.limits.cpu` | CPU limit | `1000m` | +| `resources.limits.memory` | Memory limit | `1024Mi` | +| `extraArgs` | Specify additional container args | `[]` | +| `rbac.create` | If true, create & use RBAC resources | `true` | +| `serviceAccount.create` | Create serviceAccount | `true` | +| `serviceAccount.name` | Use this value as serviceAccountName | ` ` | +| `fakeEventGenerator.enabled` | Run [falcosecurity/event-generator](https://github.com/falcosecurity/event-generator) for sample events | `false` | +| `fakeEventGenerator.args` | Arguments for `falcosecurity/event-generator` | `run --loop ^syscall` | +| `fakeEventGenerator.replicas` | How many replicas of `falcosecurity/event-generator` to run | `1` | +| `daemonset.updateStrategy.type` | The updateStrategy for updating the daemonset | `RollingUpdate` | +| `daemonset.env` | Extra environment variables passed to daemonset pods | `{}` | +| `daemonset.podAnnotations` | Extra pod annotations to be added to pods created by the daemonset | `{}` | +| `podSecurityPolicy.create` | If true, create & use podSecurityPolicy | `false` | +| `proxy.httpProxy` | Set the Proxy server if is behind a firewall | ` ` | +| `proxy.httpsProxy` | Set the Proxy server if is behind a firewall | ` ` | +| `proxy.noProxy` | Set the Proxy server if is behind a firewall | ` ` | +| `timezone` | Set the daemonset's timezone | ` ` | +| `priorityClassName` | Set the daemonset's priorityClassName | ` ` | +| `ebpf.enabled` | Enable eBPF support for Falco instead of `falco-probe` kernel module | `false` | +| `ebpf.path` | Path of the eBPF probe | ` ` | +| `ebpf.settings.hostNetwork` | Needed to enable eBPF JIT at runtime for performance reasons | `true` | +| `leastPrivileged.enabled` | Use capabilities instead of running a privileged container. The kernel module driver can not be loaded if enabled. 
| `false` | +| `auditLog.enabled` | Enable K8s audit log support for Falco | `false` | +| `auditLog.dynamicBackend.enabled` | Deploy the Audit Sink where Falco listens for K8s audit log events | `false` | +| `auditLog.dynamicBackend.url` | Define if Audit Sink client config should point to a fixed [url](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#url) (useful for development) instead of the default webserver service. | `` | +| `falco.rulesFile` | The location of the rules files | `[/etc/falco/falco_rules.yaml, /etc/falco/falco_rules.local.yaml, /etc/falco/k8s_audit_rules.yaml, /etc/falco/rules.d]` | +| `falco.timeFormatISO8601` | Display times using ISO 8601 instead of local time zone | `false` | +| `falco.jsonOutput` | Output events in json or text | `false` | +| `falco.jsonIncludeOutputProperty` | Include output property in json output | `true` | +| `falco.jsonIncludeTagsProperty` | Include tags property in json output | `true` | +| `falco.logStderr` | Send Falco debugging information logs to stderr | `true` | +| `falco.logSyslog` | Send Falco debugging information logs to syslog | `true` | +| `falco.logLevel` | The minimum level of Falco debugging information to include in logs | `info` | +| `falco.priority` | The minimum rule priority level to load and run | `debug` | +| `falco.bufferedOutputs` | Use buffered outputs to channels | `false` | +| `falco.syscallEventDrops.actions` | Actions to be taken when system calls were dropped from the circular buffer | `[log, alert]` | +| `falco.syscallEventDrops.rate` | Rate at which log/alert messages are emitted | `.03333` | +| `falco.syscallEventDrops.maxBurst` | Max burst of messages emitted | `10` | +| `falco.outputs.output_timeout` | Duration in milliseconds to wait before considering the output timeout deadline exceed | `2000` | +| `falco.outputs.rate` | Number of tokens gained per second | `1` | +| `falco.outputs.maxBurst` | Maximum number of tokens outstanding | `1000` | +| 
`falco.syslogOutput.enabled` | Enable syslog output for security notifications | `true` | +| `falco.fileOutput.enabled` | Enable file output for security notifications | `false` | +| `falco.fileOutput.keepAlive` | Open file once or every time a new notification arrives | `false` | +| `falco.fileOutput.filename` | The filename for logging notifications | `./events.txt` | +| `falco.stdoutOutput.enabled` | Enable stdout output for security notifications | `true` | +| `falco.webserver.enabled` | Enable Falco embedded webserver to accept K8s audit events | `true` | +| `falco.webserver.k8sAuditEndpoint` | Endpoint where Falco embedded webserver accepts K8s audit events | `/k8s-audit` | +| `falco.webserver.k8sHealthzEndpoint` | Endpoint where Falco exposes the health status | `/healthz` | +| `falco.webserver.listenPort` | Port where Falco embedded webserver listen to connections | `8765` | +| `falco.webserver.nodePort` | Exposes the Falco embedded webserver through a NodePort | `false` | +| `falco.webserver.sslEnabled` | Enable SSL on Falco embedded webserver | `false` | +| `falco.webserver.sslCertificate` | Certificate bundle path for the Falco embedded webserver | `/etc/falco/certs/server.pem` | +| `falco.livenessProbe.initialDelaySeconds` | Tells the kubelet that it should wait X seconds before performing the first probe | `60` | +| `falco.livenessProbe.timeoutSeconds` | Number of seconds after which the probe times out | `5` | +| `falco.livenessProbe.periodSeconds` | Specifies that the kubelet should perform the check every x seconds | `15` | +| `falco.readinessProbe.initialDelaySeconds` | Tells the kubelet that it should wait X seconds before performing the first probe | `30` | +| `falco.readinessProbe.timeoutSeconds` | Number of seconds after which the probe times out | `5` | +| `falco.readinessProbe.periodSeconds` | Specifies that the kubelet should perform the check every x seconds | `15` | +| `falco.programOutput.enabled` | Enable program output for security 
notifications | `false` | +| `falco.programOutput.keepAlive` | Start the program once or re-spawn when a notification arrives | `false` | +| `falco.programOutput.program` | Command to execute for program output | `mail -s "Falco Notification" someone@example.com` | +| `falco.httpOutput.enabled` | Enable http output for security notifications | `false` | +| `falco.httpOutput.url` | Url to notify using the http output when a notification arrives | | +| `falco.grpc.enabled` | Enable the Falco gRPC server | `false` | +| `falco.grpc.threadiness` | Number of threads (and context) the gRPC server will use, `0` by default, which means "auto" | `0` | +| `falco.grpc.unixSocketPath` | Unix socket the gRPC server will create | `unix:///var/run/falco/falco.sock` | +| `falco.grpc.listenPort` | Port where Falco gRPC server listen to connections | `5060` | +| `falco.grpc.privateKey` | Key file path for the Falco gRPC server | `/etc/falco/certs/server.key` | +| `falco.grpc.certChain` | Cert file path for the Falco gRPC server | `/etc/falco/certs/server.crt` | +| `falco.grpc.rootCerts` | CA root file path for the Falco gRPC server | `/etc/falco/certs/ca.crt` | +| `falco.grpcOutput.enabled` | Enable the gRPC output and events will be kept in memory until you read them with a gRPC client. | `false` | +| `falco.metadataDownload.maxMb` | Max allowed response size (in Mb) when fetching metadata from Kubernetes | `100` | +| `falco.metadataDownload.chunkWaitUs` | Sleep time (in μs) for each download chunck when fetching metadata from Kubernetes | `1000` | +| `falco.metadataDownload.watchFreqSec` | Watch frequency (in seconds) when fetching metadata from Kubernetes | `1` | +| `customRules` | Third party rules enabled for Falco | `{}` | +| `certs.existingSecret` | Existing secret containing the following key, crt and ca as well as the bundle pem. 
| ` ` | +| `certs.server.key` | Key used by gRPC and webserver | ` ` | +| `certs.server.crt` | Certificate used by gRPC and webserver | ` ` | +| `certs.ca.crt` | CA certificate used by gRPC, webserver and AuditSink validation | ` ` | +| `nodeSelector` | The node selection constraint | `{}` | +| `affinity` | The affinity constraint | `{}` | +| `tolerations` | The tolerations for scheduling | `node-role.kubernetes.io/master:NoSchedule` | +| `scc.create` | Create OpenShift's Security Context Constraint | `true` | +| `extraInitContainers` | A list of initContainers you want to add to the falco pod in the daemonset. | `[]` | +| `extraVolumes` | A list of volumes you want to add to the falco daemonset. | `[]` | +| `extraVolumeMounts` | A list of volumeMounts you want to add to the falco container in the falco daemonset. | `[]` | +| `falcosidekick.enabled` | Enable `falcosidekick` deployment | `false` | +| `falcosidekick.fullfqdn` | Enable usage of full FQDN of `falcosidekick` service (useful when a Proxy is used) | `false` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```bash +helm install falco --set falco.jsonOutput=true falcosecurity/falco +``` + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```bash +helm install falco -f values.yaml falcosecurity/falco +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Loading custom rules + +Falco ships with a nice default ruleset. It is a good starting point but sooner or later, we are going to need to add custom rules which fit our needs. + +So the question is: How can we load custom rules in our Falco deployment? + +We are going to create a file that contains custom rules so that we can keep it in a Git repository. 
+ +```bash +cat custom-rules.yaml +``` + +And the file looks like this one: + +```yaml +customRules: + rules-traefik.yaml: |- + - macro: traefik_consider_syscalls + condition: (evt.num < 0) + + - macro: app_traefik + condition: container and container.image startswith "traefik" + + # Restricting listening ports to selected set + + - list: traefik_allowed_inbound_ports_tcp + items: [443, 80, 8080] + + - rule: Unexpected inbound tcp connection traefik + desc: Detect inbound traffic to traefik using tcp on a port outside of expected set + condition: inbound and evt.rawres >= 0 and not fd.sport in (traefik_allowed_inbound_ports_tcp) and app_traefik + output: Inbound network connection to traefik on unexpected port (command=%proc.cmdline pid=%proc.pid connection=%fd.name sport=%fd.sport user=%user.name %container.info image=%container.image) + priority: NOTICE + + # Restricting spawned processes to selected set + + - list: traefik_allowed_processes + items: ["traefik"] + + - rule: Unexpected spawned process traefik + desc: Detect a process started in a traefik container outside of an expected set + condition: spawned_process and not proc.name in (traefik_allowed_processes) and app_traefik + output: Unexpected process spawned in traefik container (command=%proc.cmdline pid=%proc.pid user=%user.name %container.info image=%container.image) + priority: NOTICE +``` + +So next step is to use the custom-rules.yaml file for installing the Falco Helm chart. + +```bash +helm install falco -f custom-rules.yaml falcosecurity/falco +``` + +And we will see in our logs something like: + +```bash +Tue Jun 5 15:08:57 2018: Loading rules from file /etc/falco/rules.d/rules-traefik.yaml: +``` + +And this means that our Falco installation has loaded the rules and is ready to help us. + +## Enabling K8s audit event support + +### Using scripts +This has been tested with Kops and Minikube. 
You will need the following components: + +* A Kubernetes cluster greater than v1.13 +* The apiserver must be configured with Dynamic Auditing feature, do it with the following flags: + * `--audit-dynamic-configuration` + * `--feature-gates=DynamicAuditing=true` + * `--runtime-config=auditregistration.k8s.io/v1alpha1=true` + +You can do it with the [scripts provided by Falco engineers](https://github.com/falcosecurity/evolution/tree/master/examples/k8s_audit_config) +just running: + +``` +cd examples/k8s_audit_config +bash enable-k8s-audit.sh minikube dynamic +``` + +Or in the case of Kops: + +``` +cd examples/k8s_audit_config +APISERVER_HOST=api.my-kops-cluster.com bash ./enable-k8s-audit.sh kops dynamic +``` + +Then you can install Falco chart enabling the enabling the `falco.webserver` +flag: + +`helm install falco --set auditLog.enabled=true --set auditLog.dynamicBackend.enabled=true falcosecurity/falco` + +And that's it, you will start to see the K8s audit log related alerts. + +### Known validation failed error + +Perhaps you may find the case where you receive an error like the following one: + +``` +helm install falco --set auditLog.enabled=true falcosecurity/falco +Error: validation failed: unable to recognize "": no matches for kind "AuditSink" in version "auditregistration.k8s.io/v1alpha1" +``` + +This means that the apiserver cannot recognize the `auditregistration.k8s.io` +resource, which means that the dynamic auditing feature hasn't been enabled +properly. You need to enable it or ensure that your using a Kubernetes version +greater than v1.13. 
+ +### Manual setup with NodePort on kOps + +Using `kops edit cluster`, ensure these options are present, then run `kops update cluster` and `kops rolling-update cluster`: +```yaml +spec: + kubeAPIServer: + auditLogMaxBackups: 1 + auditLogMaxSize: 10 + auditLogPath: /var/log/k8s-audit.log + auditPolicyFile: /srv/kubernetes/assets/audit-policy.yaml + auditWebhookBatchMaxWait: 5s + auditWebhookConfigFile: /srv/kubernetes/assets/webhook-config.yaml + fileAssets: + - content: | + # content of the webserver CA certificate + # remove this fileAsset and certificate-authority from webhook-config if using http + name: audit-ca.pem + roles: + - Master + - content: | + apiVersion: v1 + kind: Config + clusters: + - name: falco + cluster: + # remove 'certificate-authority' when using 'http' + certificate-authority: /srv/kubernetes/assets/audit-ca.pem + server: https://localhost:32765/k8s-audit + contexts: + - context: + cluster: falco + user: "" + name: default-context + current-context: default-context + preferences: {} + users: [] + name: webhook-config.yaml + roles: + - Master + - content: | + # ... paste audit-policy.yaml here ... + # https://raw.githubusercontent.com/falcosecurity/evolution/master/examples/k8s_audit_config/audit-policy.yaml + name: audit-policy.yaml + roles: + - Master +``` + +Then you can install the Falco chart enabling these flags: + +```shell +# without SSL (not recommended): +helm install falco --set auditLog.enabled=true --set falco.webserver.nodePort=32765 falcosecurity/falco + +# with SSL: +helm install falco \ + --set auditLog.enabled=true \ + --set falco.webserver.sslEnabled=true \ + --set falco.webserver.nodePort=32765 \ + --set-file certs.server.key=/path/to/server.key \ + --set-file certs.server.crt=/path/to/server.crt \ + --set-file certs.ca.crt=/path/to/ca.crt \ + falcosecurity/falco +``` + +The webserver reuses the gRPC certificate setup, which is [documented here](https://falco.org/docs/grpc/#generate-valid-ca). 
Generating the client certificate isn't required. + +## Using an init container + +This chart allows adding init containers and extra volume mounts. One common usage of the init container is to specify a different image for loading the driver (ie. [falcosecurity/driver-loader](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader)). So then a slim image can be used for running Falco (ie. [falcosecurity/falco-no-driver](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver)). + +### Using `falcosecurity/driver-loader` image + +Create a YAML file `values.yaml` as following: + +```yaml +image: + repository: falcosecurity/falco-no-driver + +extraInitContainers: + - name: driver-loader + image: docker.io/falcosecurity/falco-driver-loader:latest + imagePullPolicy: Always + securityContext: + privileged: true + volumeMounts: + - mountPath: /host/proc + name: proc-fs + readOnly: true + - mountPath: /host/boot + name: boot-fs + readOnly: true + - mountPath: /host/lib/modules + name: lib-modules + - mountPath: /host/usr + name: usr-fs + readOnly: true + - mountPath: /host/etc + name: etc-fs + readOnly: true +``` + +Then: + +```shell +helm install falco -f values.yaml falcosecurity/falco +``` + +### Using `falcosecurity/driver-loader` image with eBPF + +Create a YAML file `values.yaml` as following: + +```yaml +image: + repository: falcosecurity/falco-no-driver + +extraInitContainers: + - name: driver-loader + image: docker.io/falcosecurity/falco-driver-loader:latest + imagePullPolicy: Always + volumeMounts: + - mountPath: /host/proc + name: proc-fs + readOnly: true + - mountPath: /host/boot + name: boot-fs + readOnly: true + - mountPath: /host/lib/modules + name: lib-modules + - mountPath: /host/usr + name: usr-fs + readOnly: true + - mountPath: /host/etc + name: etc-fs + readOnly: true + - mountPath: /root/.falco + name: driver-fs + env: + - name: FALCO_BPF_PROBE + value: + +extraVolumes: + - name: driver-fs + emptyDir: {} + 
+extraVolumeMounts: + - mountPath: /root/.falco + name: driver-fs + +ebpf: + enabled: true +``` + +Then: + +```shell +helm install falco -f values.yaml falcosecurity/falco +``` + +## Enabling gRPC + +The Falco gRPC server and the Falco gRPC Outputs APIs are not enabled by default. +Moreover, Falco supports running a gRPC server with two main binding types: +- Over a local **Unix socket** with no authentication +- Over the **network** with mandatory mutual TLS authentication (mTLS) + +> **Tip**: Once gRPC is enabled, you can deploy [falco-exporter](https://github.com/falcosecurity/falco-exporter) to export metrics to Prometheus. + +### gRPC over unix socket (default) + +The preferred way to use the gRPC is over a Unix socket. + +To install Falco with gRPC enabled over a **unix socket**, you have to: + +```shell +helm install falco \ + --set falco.grpc.enabled=true \ + --set falco.grpcOutput.enabled=true \ + falcosecurity/falco +``` + +### gRPC over network + +The gRPC server over the network can only be used with mutual authentication between the clients and the server using TLS certificates. +How to generate the certificates is [documented here](https://falco.org/docs/grpc/#generate-valid-ca). + +To install Falco with gRPC enabled over the **network**, you have to: + +```shell +helm install falco \ + --set falco.grpc.enabled=true \ + --set falco.grpcOutput.enabled=true \ + --set falco.grpc.unixSocketPath="" \ + --set-file certs.server.key=/path/to/server.key \ + --set-file certs.server.crt=/path/to/server.crt \ + --set-file certs.ca.crt=/path/to/ca.crt \ + falcosecurity/falco +``` + +## Deploy Falcosidekick with Falco + +[`Falcosidekick`](https://github.com/falcosecurity/falcosidekick) can be installed with `Falco` by setting `--set falcosidekick.enabled=true`. This setting automatically configures all options of `Falco` for working with `Falcosidekick`. +All values for configuration of `Falcosidekick` are available by prefixing them with `falcosidekick.`. 
The full list of available values is [here](https://github.com/falcosecurity/charts/tree/master/falcosidekick#configuration). +For example, to enable the deployment of [`Falcosidekick-UI`](https://github.com/falcosecurity/falcosidekick-ui), add `--set falcosidekick.webui.enabled=true`. + +If you use a Proxy in your cluster, the requests between `Falco` and `Falcosidekick` might be captured, use the full FQDN of `Falcosidekick` by using `--set falcosidekick.fullfqdn=true` to avoid that. diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/CHANGELOG.md b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/CHANGELOG.md new file mode 100644 index 000000000..2278c8fd9 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/CHANGELOG.md 
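Review bot: The two examples under "Using an init container" pull an unpinned `docker.io/falcosecurity/falco-driver-loader:latest` with `imagePullPolicy: Always` into a `privileged: true` init container that also has `/host/lib/modules` mounted writable (the only host mount without `readOnly: true`), so every pod restart on every node fetches whatever `latest` currently resolves to and loads it into the kernel; the docs should pin the loader tag to the chart's `image.tag` default (`0.31.1` in the configuration table) or to a digest so the driver build matches the Falco release. Two smaller points in the same file: the "Using scripts" audit-log section relies on `auditregistration.k8s.io/v1alpha1` `AuditSink` behind the `DynamicAuditing` feature gate, which Kubernetes removed in 1.19, so the "Known validation failed error" advice to use a version "greater than v1.13" will not resolve the error on current clusters and the section should direct readers to the "Manual setup with NodePort on kOps" webhook path; and the `--set-file certs.server.key=/path/to/server.key` examples pass the gRPC/webserver private key as a release value, which Helm 3 persists in the release Secret, so the `certs.existingSecret` parameter listed in the table deserves a mention there as the preferred way to supply key material.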
@@ -0,0 +1,436 @@ +# Change Log + +This file documents all notable changes to Falcosidekick Helm Chart. The release +numbering uses [semantic versioning](http://semver.org). + +Before release 0.1.20, the helm chart can be found in `falcosidekick` [repository](https://github.com/falcosecurity/falcosidekick/tree/master/deploy/helm/falcosidekick). + + +## 0.5.2 + +* Update Falcosidekick-UI image (fix wrong redirect to localhost when an ingress is used) + +## 0.5.1 + +* Support `ingressClassName` field in falcosidekick ingresses. + +## 0.5.0 + +### Major Changes + +* Add `Policy Report` output +* Add `Syslog` output +* Add `AWS Kinesis` output +* Add `Zoho Cliq` output +* Support IRSA for AWS authentication +* Upgrade Falcosidekick-UI to v2.0.1 + +### Minor changes + +* Allow to set custom Labels for pods + +## 0.4.5 + +* Allow additional service-ui annotations + +## 0.4.4 + +* Fix output after chart installation when ingress is enable + +## 0.4.3 + +* Support `annotation` block in service + +## 0.4.2 + +* Fix: Added the rule to use the podsecuritypolicy +* Fix: Added `ServiceAccountName` to the UI deployment + +## 0.4.1 + +* Removes duplicate `Fission` keys from secret + +## 0.4.0 + +### Major Changes + +* Support Ingress API version `networking.k8s.io/v1`, see `ingress.hosts` and `webui.ingress.hosts` in [values.yaml](values.yaml) for a breaking change in the `path` parameter + +## 0.3.17 + +* Fix: Remove the value for bucket of `Yandex S3`, it enabled the output by default + +## 0.3.16 + +### Major Changes + +* Fix: set correct new image 2.24.0 + +## 0.3.15 + +### Major Changes + +* Add `Fission` output + +## 0.3.14 + +### Major Changes + +* Add `Grafana` output +* Add `Yandex Cloud S3` output +* Add `Kafka REST` output + +### Minor changes + +* Docker image is now available on AWS ECR Public Gallery (`--set image.registry=public.ecr.aws`) + +## 0.3.13 + +### Minor changes + +* Enable extra volumes and volumemounts for `falcosidekick` via values + +## 0.3.12 + +* 
Add AWS configuration field `config.aws.rolearn` + +## 0.3.11 + +### Minor changes + +* Make image registries for `falcosidekick` and `falcosidekick-ui` configurable + +## 0.3.10 + +### Minor changes + +* Fix table formatting in `README.md` + +## 0.3.9 + +### Fixes + +* Add missing `imagePullSecrets` in `falcosidekick/templates/deployment-ui.yaml` + +## 0.3.8 + +### Major Changes + +* Add `GCP Cloud Run` output +* Add `GCP Cloud Functions` output +* Add `Wavefront` output +* Allow MutualTLS for some outputs +* Add basic auth for Elasticsearch output + +## 0.3.7 + +### Minor changes + +* Fix table formatting in `README.md` +* Fix `config.azure.eventHub` parameter name in `README.md` + +## 0.3.6 + +### Fixes + +* Point to the correct name of aadpodidentnity + +## 0.3.5 + +### Minor Changes + +* Fix link to Falco in the `README.md` + +## 0.3.4 + +### Major Changes + +* Bump up version (`v1.0.1`) of image for `falcosidekick-ui` + +## 0.3.3 + +### Minor Changes + +* Set default values for `OpenFaaS` output type parameters +* Fixes of documentation + +## 0.3.2 + +### Fixes + +* Add config checksum annotation to deployment pods to restart pods on config change +* Fix statsd config options in the secret to make them match the docs + +## 0.3.1 + +### Fixes + +* Fix for `s3.bucket`, it should be empty + +## 0.3.0 + +### Major Changes + +* Add `AWS S3` output +* Add `GCP Storage` output +* Add `RabbitMQ` output +* Add `OpenFaas` output + +## 0.2.9 + +### Major Changes + +* Updated falcosidekuck-ui default image version to `v0.2.0` + +## 0.2.8 + +### Fixes + +* Fixed to specify `kafka.hostPort` instead of `kafka.url` + +## 0.2.7 + +### Fixes + +* Fixed missing hyphen in podidentity + +## 0.2.6 + +### Fixes + +* Fix repo and tag for `ui` image + +## 0.2.5 + +### Major Changes + +* Add `CLOUDEVENTS` output +* Add `WEBUI` output + +### Minor Changes + +* Add details about syntax for adding `custom_fields` + +## 0.2.4 + +### Minor Changes + +* Add `DATADOG_HOST` to secret + +## 
0.2.3 + +### Minor Changes + +* Allow additional pod annotations +* Remove namespace condition in aad-pod-identity + +## 0.2.2 + +### Major Changes + +* Add `Kubeless` output + +## 0.2.1 + +### Major Changes + +* Add `PagerDuty` output + +## 0.2.0 + +### Major Changes + +* Add option to use an existing secret +* Add option to add extra environment variables +* Add `Stan` output + +### Minor Changes + +* Use the Existing secret resource and add all possible variables to there, and make it simpler to read and less error-prone in the deployment resource + +## 0.1.37 + +### Minor Changes + +* Fix aws keys not being added to the deployment + +## 0.1.36 + +### Minor Changes + +* Fix helm test + +## 0.1.35 + +### Major Changes + +* Update image to use release 2.19.1 + +## 0.1.34 + +* New outputs can be set : `Kafka`, `AWS CloudWatchLogs` + +## 0.1.33 + +### Minor Changes + +* Fixed GCP Pub/Sub values references in `deployment.yaml` + +## 0.1.32 + +### Major Changes + +* Support release namespace configuration + +## 0.1.31 + +### Major Changes + +* New outputs can be set : `Googlechat` + +## 0.1.30 + +### Major changes + +* New output can be set : `GCP PubSub` +* Custom Headers can be set for `Webhook` output +* Fix typo `aipKey` for OpsGenie output + +## 0.1.29 + +* Fix falcosidekick configuration table to use full path of configuration properties in the `README.md` + +## 0.1.28 + +### Major changes + +* New output can be set : `AWS SNS` +* Metrics in `prometheus` format can be scrapped from `/metrics` URI + +## 0.1.27 + +### Minor Changes + +* Replace extensions apiGroup/apiVersion because of deprecation + +## 0.1.26 + +### Minor Changes + +* Allow the creation of a PodSecurityPolicy, disabled by default + +## 0.1.25 + +### Minor Changes + +* Allow the configuration of the Pod securityContext, set default runAsUser and fsGroup values + +## 0.1.24 + +### Minor Changes + +* Remove duplicated `webhook` block in `values.yaml` + +## 0.1.23 + +* fake release for triggering CI 
for auto-publishing + +## 0.1.22 + +### Major Changes + +* Add `imagePullSecrets` + +## 0.1.21 + +### Minor Changes + +* Fix `Azure Indentity` case sensitive value + +## 0.1.20 + +### Major Changes + +* New outputs can be set : `Azure Event Hubs`, `Discord` + +### Minor Changes + +* Fix wrong port name in output + +## 0.1.17 + +### Major Changes + +* New outputs can be set : `Mattermost`, `Rocketchat` + +## 0.1.11 + +### Major Changes + +* Add Pod Security Policy + +## 0.1.11 + +### Minor Changes + +* Fix wrong value reference for Elasticsearch output in deployment.yaml + +## 0.1.10 + +### Major Changes + +* New output can be set : `DogStatsD` + +## 0.1.9 + +### Major Changes + +* New output can be set : `StatsD` + +## 0.1.7 + +### Major Changes + +* New output can be set : `Opsgenie` + +## 0.1.6 + +### Major Changes + +* New output can be set : `NATS` + +## 0.1.5 + +### Major Changes + +* `Falcosidekick` and its chart are now part of `falcosecurity` organization + +## 0.1.4 + +### Minor Changes + +* Use more recent image with `Golang` 1.14 + +## 0.1.3 + +### Major Changes + +* New output can be set : `Loki` + +## 0.1.2 + +### Major Changes + +* New output can be set : `SMTP` + +## 0.1.1 + +### Major Changes + +* New outputs can be set : `AWS Lambda`, `AWS SQS`, `Teams` + +## 0.1.0 + +### Major Changes + +* Initial release of Falcosidekick Helm Chart diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/Chart.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/Chart.yaml new file mode 100644 index 000000000..be49a798d --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/Chart.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +appVersion: 2.25.0 +description: Connect Falco to your ecosystem +home: https://github.com/falcosecurity/falcosidekick +icon: https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png +keywords: +- monitoring +- security +- alerting +maintainers: +- email: cncf-falco-dev@lists.cncf.io + name: Issif +name: falcosidekick +sources: +- https://github.com/falcosecurity/falcosidekick +version: 0.5.2 diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/README.md b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/README.md new file mode 100644 index 000000000..81dd95d76 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/README.md 
@@ -0,0 +1,398 @@ +# Falcosidekick + +![falcosidekick](https://github.com/falcosecurity/falcosidekick/raw/master/imgs/falcosidekick_color.png) + +![release](https://flat.badgen.net/github/release/falcosecurity/falcosidekick/latest?color=green) ![last commit](https://flat.badgen.net/github/last-commit/falcosecurity/falcosidekick) ![licence](https://flat.badgen.net/badge/license/MIT/blue) ![docker pulls](https://flat.badgen.net/docker/pulls/falcosecurity/falcosidekick?icon=docker) + +## Description + +A simple daemon for connecting [`Falco`](https://github.com/falcosecurity/falco) to your ecossytem. It takes a `Falco`'s events and +forward them to different outputs in a fan-out way. + +It works as a single endpoint for as many as you want `Falco` instances : + +![falco_with_falcosidekick](https://github.com/falcosecurity/falcosidekick/raw/master/imgs/falco_with_falcosidekick.png) + +## Outputs + +`Falcosidekick` manages a large variety of outputs with different purposes. + +### Chat + +- [**Slack**](https://slack.com) +- [**Rocketchat**](https://rocket.chat/) +- [**Mattermost**](https://mattermost.com/) +- [**Teams**](https://products.office.com/en-us/microsoft-teams/group-chat-software) +- [**Discord**](https://www.discord.com/) +- [**Google Chat**](https://workspace.google.com/products/chat/) +- [**Zoho Cliq**](https://www.zoho.com/cliq/) + +### Metrics / Observability + +- [**Datadog**](https://www.datadoghq.com/) +- [**Influxdb**](https://www.influxdata.com/products/influxdb-overview/) +- [**StatsD**](https://github.com/statsd/statsd) (for monitoring of `falcosidekick`) +- [**DogStatsD**](https://docs.datadoghq.com/developers/dogstatsd/?tab=go) (for monitoring of `falcosidekick`) +- [**Prometheus**](https://prometheus.io/) (for both events and monitoring of `falcosidekick`) +- [**Wavefront**](https://www.wavefront.com) + +### Alerting + +- [**AlertManager**](https://prometheus.io/docs/alerting/alertmanager/) +- [**Opsgenie**](https://www.opsgenie.com/) +- 
[**PagerDuty**](https://pagerduty.com/) + +### Logs + +- [**Elasticsearch**](https://www.elastic.co/) +- [**Loki**](https://grafana.com/oss/loki) +- [**AWS CloudWatchLogs**](https://aws.amazon.com/cloudwatch/features/) +- [**Grafana**](https://grafana.com/) (annotations) +- **Syslog** + +### Object Storage + +- [**AWS S3**](https://aws.amazon.com/s3/features/) +- [**GCP Storage**](https://cloud.google.com/storage) +- [**Yandex S3 Storage**](https://cloud.yandex.com/en-ru/services/storage) + +### FaaS / Serverless + +- [**AWS Lambda**](https://aws.amazon.com/lambda/features/) +- [**Kubeless**](https://kubeless.io/) +- [**OpenFaaS**](https://www.openfaas.com) +- [**GCP Cloud Run**](https://cloud.google.com/run) +- [**GCP Cloud Functions**](https://cloud.google.com/functions) +- [**Fission**](https://fission.io) + +### Message queue / Streaming + +- [**NATS**](https://nats.io/) +- [**STAN (NATS Streaming)**](https://docs.nats.io/nats-streaming-concepts/intro) +- [**AWS SQS**](https://aws.amazon.com/sqs/features/) +- [**AWS SNS**](https://aws.amazon.com/sns/features/) +- [**AWS Kinesis**](https://aws.amazon.com/kinesis/) +- [**GCP PubSub**](https://cloud.google.com/pubsub) +- [**Apache Kafka**](https://kafka.apache.org/) +- [**Kafka Rest Proxy**](https://docs.confluent.io/platform/current/kafka-rest/index.html) +- [**RabbitMQ**](https://www.rabbitmq.com/) +- [**Azure Event Hubs**](https://azure.microsoft.com/en-in/services/event-hubs/) + +### Email + +- **SMTP** + +### Web + +- **Webhook** +- [**WebUI**](https://github.com/falcosecurity/falcosidekick-ui) (a Web UI for displaying latest events in real time) + +### Other +- [**Policy Report**](https://github.com/kubernetes-sigs/wg-policy-prototypes/tree/master/policy-report/falco-adapter) + +## Adding `falcosecurity` repository + +Prior to install the chart, add the `falcosecurity` charts repository: + +```bash +helm repo add falcosecurity https://falcosecurity.github.io/charts +helm repo update +``` + +## Installing the 
Chart + +### Install Falco + Falcosidekick + Falcosidekick-ui + +To install the chart with the release name `falcosidekick` run: + +```bash +helm install falcosidekick falcosecurity/falcosidekick --set webui.enabled=true +``` + +### With Helm chart of Falco + +`Falco`, `Falcosidekick` and `Falcosidekick-ui` can be installed together in one command. All values to configure `Falcosidekick` will have to be +prefixed with `falcosidekick.`. + +```bash +helm install falco falcosecurity/falco --set falcosidekick.enabled=true --set falcosidekick.webui.enabled=true +``` + +After a few seconds, Falcosidekick should be running. + +> **Tip**: List all releases using `helm list`, a release is a name used to track a specific deployment + +## Minumiun Kubernetes version + +The minimum Kubernetes version required is 1.17.x + +## Uninstalling the Chart + +To uninstall the `falcosidekick` deployment: + +```bash +helm uninstall falcosidekick +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Configuration + +The following table lists the main configurable parameters of the Falcosidekick chart and their default values. See `values.yaml` for full list. 
+ +| Parameter | Description | Default | +| ------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- | +| `replicaCount` | number of running pods | `1` | +| `podAnnotations` | additions annotations on the pods | `{}` | +| `podLabels` | additions labels on the pods | `{}` | +| `listenport` | port to listen for daemon | `2801` | +| `resources` | the resources for falcosdekick pods | `2801` | +| `config.debug` | if *true* all outputs will print in stdout the payload they send | `false` | +| `config.customfields` | a list of escaped comma separated custom fields to add to falco events, syntax is "key:value\,key:value" | | +| `config.mutualtlsfilespath` | folder which will used to store client.crt, client.key and ca.crt files for mutual tls | `/etc/certs` | +| `config.checkcert` | check if ssl certificate of the output is valid | `true` | +| `config.slack.webhookurl` | Slack Webhook URL (ex: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ), if not `empty`, Slack output is *enabled* | | +| `config.slack.footer` | Slack Footer | https://github.com/falcosecurity/falcosidekick | +| `config.slack.icon` | Slack icon (avatar) | https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png | +| `config.slack.username` | Slack username | `falcosidekick` | +| `config.slack.outputformat` | `all` (default), `text` (only text is displayed in Slack), `fields` (only fields are displayed in Slack) | `all` | +| `config.slack.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.slack.messageformat` | a Go template to format Slack Text above Attachment, 
displayed in addition to the output from `slack.outputformat`. If empty, no Text is displayed before Attachment | | +| `config.rocketchat.webhookurl` | Rocketchat Webhook URL (ex: https://XXXX/hooks/YYYY), if not `empty`, Rocketchat output is *enabled* | | +| `config.rocketchat.icon` | Rocketchat icon (avatar) | https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png | +| `config.rocketchat.username` | Rocketchat username | `falcosidekick` | +| `config.rocketchat.outputformat` | `all` (default), `text` (only text is displayed in Rocketcaht), `fields` (only fields are displayed in Rocketchat) | `all` | +| `config.rocketchat.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.rockerchat.messageformat` | a Go template to format Rocketchat Text above Attachment, displayed in addition to the output from `slack.outputformat`. 
If empty, no Text is displayed before Attachment | | +| `config.rockerchat.mutualtls` | if true, checkcert flag will be ignored (server cert will always be checked) | | +| `config.rockerchat.checkcert` | check if ssl certificate of the output is valid | `true` | +| `config.mattermost.webhookurl` | Mattermost Webhook URL (ex: https://XXXX/hooks/YYYY), if not `empty`, Mattermost output is *enabled* | | +| `config.mattermost.footer` | Mattermost Footer | https://github.com/falcosecurity/falcosidekick | +| `config.mattermost.icon` | Mattermost icon (avatar) | https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png | +| `config.mattermost.username` | Mattermost username | `falcosidekick` | +| `config.mattermost.outputformat` | `all` (default), `text` (only text is displayed in Slack), `fields` (only fields are displayed in Mattermost) | `all` | +| `config.mattermost.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.mattermost.messageformat` | a Go template to format Mattermost Text above Attachment, displayed in addition to the output from `slack.outputformat`. 
If empty, no Text is displayed before Attachment | | +| `config.mattermost.mutualtls` | if true, checkcert flag will be ignored (server cert will always be checked) | | +| `config.mattermost.checkcert` | check if ssl certificate of the output is valid | `true` | +| `config.teams.webhookurl` | Teams Webhook URL (ex: https://outlook.office.com/webhook/XXXXXX/IncomingWebhook/YYYYYY"), if not `empty`, Teams output is *enabled* | | +| `config.teams.activityimage` | Teams section image | https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png | +| `config.teams.outputformat` | `all` (default), `text` (only text is displayed in Teams), `facts` (only facts are displayed in Teams) | `all` | +| `config.teams.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.datadog.apikey` | Datadog API Key, if not `empty`, Datadog output is *enabled* | | +| `config.datadog.host` | Datadog host. Override if you are on the Datadog EU site. 
Defaults to american site with "https://api.datadoghq.com" | https://api.datadoghq.com | +| `config.datadog.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.discord.webhookurl` | Discord WebhookURL (ex: https://discord.com/api/webhooks/xxxxxxxxxx...), if not empty, Discord output is *enabled* | | +| `config.discord.icon` | Discord icon (avatar) | https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png | +| `config.discord.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.alertmanager.hostport` | AlertManager http://host:port, if not `empty`, AlertManager is *enabled* | | +| `config.alertmanager.endpoint` | alertmanager endpoint on which falcosidekick posts alerts, choice is: `"/api/v1/alerts" or "/api/v2/alerts" , default is "/api/v1/alerts"` | | +| `config.alertmanager.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.alertmanager.mutualtls` | if true, checkcert flag will be ignored (server cert will always be checked) | | +| `config.alertmanager.checkcert` | check if ssl certificate of the output is valid | `true` | +| `config.elasticsearch.hostport` | Elasticsearch http://host:port, if not `empty`, Elasticsearch is *enabled* | | +| `config.elasticsearch.index` | Elasticsearch index | `falco` | +| `config.elasticsearch.type` | Elasticsearch document type | `event` | +| `config.elasticsearch.suffix` | date suffix for index rotation : `daily`, `monthly`, `annually`, `none` | `daily` | +| `config.elasticsearch.username` | use this username to authenticate to Elasticsearch if the username is not empty | | +| 
`config.elasticsearch.password` | use this password to authenticate to Elasticsearch if the password is not empty | | +| `config.elasticsearch.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.elasticsearch.mutualtls` | if true, checkcert flag will be ignored (server cert will always be checked) | | +| `config.elasticsearch.checkcert` | check if ssl certificate of the output is valid | `true` | +| `config.influxdb.hostport` | Influxdb http://host:port, if not `empty`, Influxdb is *enabled* | | +| `config.influxdb.database` | Influxdb database | `falco` | +| `config.influxdb.user` | User to use if auth is *enabled* in Influxdb | | +| `config.influxdb.password` | Password to use if auth is *enabled* in Influxdb | | +| `config.influxdb.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.influxdb.mutualtls` | if true, checkcert flag will be ignored (server cert will always be checked) | | +| `config.influxdb.checkcert` | check if ssl certificate of the output is valid | `true` | +| `config.loki.hostport` | Loki http://host:port, if not `empty`, Loki is *enabled* | | +| `config.loki.endpoint` | Loki endpoint URL path, default is "/api/prom/push" more info: https://grafana.com/docs/loki/latest/api/#post-apiprompush | | +| `config.loki.tenant` | Loki tenant, if not `empty`, Loki tenant is *enabled* | | +| `config.loki.hostport` | Loki http://host:port, if not `empty`, Loki is *enabled* | | +| `config.loki.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.loki.mutualtls` | if true, checkcert flag will be ignored (server cert will always be checked) | | +| 
`config.loki.checkcert` | check if ssl certificate of the output is valid | `true` | +| `config.nats.hostport` | NATS "nats://host:port", if not `empty`, NATS is *enabled* | | +| `config.nats.mutualtls` | if true, checkcert flag will be ignored (server cert will always be checked) | | +| `config.nats.checkcert` | check if ssl certificate of the output is valid | `true` | +| `config.nats.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.stan.hostport` | Stan nats://{domain or ip}:{port}, if not empty, STAN output is *enabled* | | +| `config.stan.clusterid` | Cluster name, if not empty, STAN output is *enabled* | `debug` | +| `config.stan.clientid` | Client ID, if not empty, STAN output is *enabled* | | +| `config.stan.mutualtls` | if true, checkcert flag will be ignored (server cert will always be checked) | | +| `config.stan.checkcert` | check if ssl certificate of the output is valid | `true` | +| `config.stan.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.aws.accesskeyid` | AWS Access Key Id (optionnal if you use EC2 Instance Profile) | | +| `config.aws.rolearn` | AWS IAM role ARN for falcosidekick service account to associate with (optionnal if you use EC2 Instance Profile) | | +| `config.aws.secretaccesskey` | AWS Secret Access Key (optionnal if you use EC2 Instance Profile) | | +| `config.aws.region` | AWS Region (optionnal if you use EC2 Instance Profile) | | +| `config.aws.cloudwatchlogs.loggroup` | AWS CloudWatch Logs Group name, if not empty, CloudWatch Logs output is *enabled* | | +| `config.aws.cloudwatchlogs.logstream` | AWS CloudWatch Logs Stream name, if empty, Falcosidekick will try to create a log stream | `debug` | +| `config.aws.cloudwatchlogs.minimumpriority` | minimum priority 
of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.aws.lambda.functionname` | AWS Lambda Function Name, if not empty, AWS Lambda output is *enabled* | | +| `config.aws.lambda.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.aws.sns.topicarn` | AWS SNS TopicARN, if not empty, AWS SNS output is *enabled* | | +| `config.aws.sns.rawjson` | Send RawJSON from `falco` or parse it to AWS SNS | | +| `config.aws.sns.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.aws.sqs.url` | AWS SQS Queue URL, if not empty, AWS SQS output is *enabled* | | +| `config.aws.sqs.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.aws.s3.bucket` | AWS S3, bucket name | | +| `config.aws.s3.prefix` | AWS S3, name of prefix, keys will have format: s3:////YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json | | +| `config.aws.s3.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.aws.kinesis.streamname` | AWS Kinesis Stream Name, if not empty, Kinesis output is *enabled* | | +| `config.aws.kinesis.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.smtp.hostport` | "host:port" address of SMTP server, if not empty, SMTP output is *enabled* | | +| `config.smtp.user` | user to access SMTP server | | +| `config.smtp.password` | password to access SMTP 
server | | +| `config.smtp.from` | Sender address (mandatory if SMTP output is *enabled*) | | +| `config.smtp.to` | comma-separated list of Recipident addresses, can't be empty (mandatory if SMTP output is *enabled*) | | +| `config.smtp.outputformat` | html, text | `html` | +| `config.smtp.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.opsgenie.apikey` | Opsgenie API Key, if not empty, Opsgenie output is *enabled* | | +| `config.opsgenie.region` | (`us` or `eu`) region of your domain | `us` | +| `config.opsgenie.mutualtls` | if true, checkcert flag will be ignored (server cert will always be checked) | | +| `config.opsgenie.checkcert` | check if ssl certificate of the output is valid | `true` | +| `config.opsgenie.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.statsd.forwarder` | The address for the StatsD forwarder, in the form http://host:port, if not empty StatsD is *enabled* | | +| `config.statsd.namespace` | A prefix for all metrics | `falcosidekick` | +| `config.dogstatsd.forwarder` | The address for the DogStatsD forwarder, in the form http://host:port, if not empty DogStatsD is *enabled* | | +| `config.dogstatsd.namespace` | A prefix for all metrics | `falcosidekick` | +| `config.dogstatsd.tags` | A comma-separated list of tags to add to all metrics | | +| `config.webhook.address` | Webhook address, if not empty, Webhook output is *enabled* | | +| `config.webhook.customHeaders` | a list of comma separated custom headers to add, syntax is "key:value\,key:value" | | +| `config.webhook.mutualtls` | if true, checkcert flag will be ignored (server cert will always be checked) | | +| `config.webhook.checkcert` | check if ssl certificate of the output is valid | `true` | +| 
`config.webhook.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.azure.eventHub.name` | Name of the Hub, if not empty, EventHub is *enabled* | | +| `config.azure.eventHub.namespace` | Name of the space the Hub is in | | +| `config.azure.eventHub.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.gcp.credentials` | Base64 encoded JSON key file for the GCP service account | | +| `config.gcp.pubsub.projectid` | ID of the GCP project | | +| `config.gcp.pubsub.topic` | Name of the Pub/Sub topic | | +| `config.gcp.eventhub.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.gcp.storage.prefix` | Name of prefix, keys will have format: gs:////YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json | | +| `config.gcp.storage.bucket` | The name of the bucket | | +| `config.gcp.storage.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.gcp.cloudfunctions.name` | The name of the Cloud Function which is in form `projects//locations//functions/` | | +| `config.gcp.cloudfunctions.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | | +| `config.gcp.cloudrun.enpoint` | the URL of the Cloud Run function | | +| `config.gcp.cloudrun.jwt` | JWT for the private access to Cloud Run function | | +| `config.gcp.cloudrun.minimumpriority` | minimum priority of event for using use this output, order is 
`emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | | +| `config.googlechat.webhookurl` | Google Chat Webhook URL (ex: https://chat.googleapis.com/v1/spaces/XXXXXX/YYYYYY), if not `empty`, Google Chat output is *enabled* | | +| `config.googlechat.outputformat` | `all` (default), `text` (only text is displayed in Google chat) | `all` | +| `config.googlechat.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.googlechat.messageformat` | a Go template to format Google Chat Text above Attachment, displayed in addition to the output from `config.googlechat.outputformat`. If empty, no Text is displayed before Attachment | | +| `config.kafka.hostport` | The Host:Port of the Kafka (ex: kafka:9092). if not empty, Kafka output is *enabled* | | +| `config.kafka.topic` | `all` (default), `text` (only text is displayed in Google chat) | `all` | +| `config.kafka.partition` | a Go template to format Google Chat Text above Attachment, displayed in addition to the output from `config.googlechat.outputformat`. If empty, no Text is displayed before Attachment | | +| `config.kafka.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.pagerduty.routingkey` | Pagerduty Routing Key, if not empty, Pagerduty output is *enabled* | | +| `config.pagerduty.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.kubeless.function` | Name of Kubeless function, if not empty, EventHub is *enabled* | | +| `config.kubeless.namespace` | Namespace of Kubeless function (mandatory) | | +| `config.kubeless.port` | Port of service of Kubeless function. 
Default is `8080` | | +| `config.kubeless.mutualtls` | if true, checkcert flag will be ignored (server cert will always be checked) | | +| `config.kubeless.checkcert` | check if ssl certificate of the output is valid | `true` | +| `config.kubeless.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.openfaas.functionname` | Name of OpenFaaS function, if not empty, OpenFaaS is *enabled* | | +| `config.openfaas.functionnamespace` | Namespace of OpenFaaS function, "openfaas-fn" (default) | `openfaas-fn` | +| `config.openfaas.gatewayservice` | Service of OpenFaaS Gateway, "gateway" (default) | `gateway` | +| `config.openfaas.gatewayport` | Port of service of OpenFaaS Gateway Default is `8080` | `8080` | +| `config.openfaas.gatewaynamespace` | Namespace of OpenFaaS Gateway, "openfaas" (default) | `openfaas` | +| `config.openfaas.mutualtls` | if true, checkcert flag will be ignored (server cert will always be checked) | | | `openfaas` +| `config.openfaas.checkcert` | check if ssl certificate of the output is valid | `true` | | `openfaas` +| `config.openfaas.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.cloudevents.address` | CloudEvents consumer http address, if not empty, CloudEvents output is *enabled* | | +| `config.cloudevents.extension` | Extensions to add in the outbound Event, useful for routing | | +| `config.cloudevents.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.rabbitmq.url` | Rabbitmq URL, if not empty, Rabbitmq output is *enabled* | | +| `config.rabbitmq.queue` | Rabbitmq Queue name | | +| `config.rabbitmq.minimumpriority` | minimum priority of event for 
using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.wavefront.endpointtype` | Wavefront endpoint type, must be 'direct' or 'proxy'. If not empty, with endpointhost, Wavefront output is *enabled* | | +| `config.wavefront.endpointhost` | Wavefront endpoint address (only the host). If not empty, with endpointhost, Wavefront output is *enabled* | | +| `config.wavefront.endpointtoken` | Wavefront token. Must be used only when endpointtype is 'direct' | | +| `config.wavefront.endpointmetricport` | Port to send metrics. Only used when endpointtype is 'proxy' | `2878` | +| `config.wavefront.metricname` | Metric to be created in Wavefront. Defaults to falco.alert | `falco.alert` | +| `config.wavefront.batchsize` | Wavefront batch size. If empty uses the default 10000. Only used when endpointtype is 'direct' | `10000` | +| `config.wavefront.flushintervalseconds` | Wavefront flush interval in seconds. Defaults to 1 | `1` | +| `config.wavefront.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.grafana.hostport` | http://{domain or ip}:{port}, if not empty, Grafana output is *enabled* | | +| `config.grafana.apikey` | API Key to authenticate to Grafana, if not empty, Grafana output is *enabled* | | +| `config.grafana.dashboardid` | annotations are scoped to a specific dashboard. Optionnal. | | +| `config.grafana.panelid` | annotations are scoped to a specific panel. Optionnal. 
| | +| `config.grafana.allfieldsastags` | if true, all custom fields are added as tags | `false` | +| `config.grafana.mutualtls` | if true, checkcert flag will be ignored (server cert will always be checked) | `false` | +| `config.grafana.checkcert` | check if ssl certificate of the output is valid | `true` | +| `config.grafana.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.fission.function` | Name of Fission function, if not empty, Fission is *enabled* | | +| `config.fission.routernamespace` | Namespace of Fission Router | `fission` | +| `config.fission.routerservice` | Service of Fission Router | `router` | +| `config.fission.routerport` | Port of service of Fission Router | `80` | +| `config.fission.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.fission.checkcert` | check if ssl certificate of the output is valid | `true` | +| `config.fission.mutualtls` | if true, checkcert flag will be ignored (server cert will always be checked) | `false` | +| `config.yandex.accesskeyid` | yandex access key | | +| `config.yandex.secretaccesskey` | yandex secret access key | | +| `config.yandex.region` | yandex storage region | `u-central-1` | +| `config.yandex.s3.endpoint` | yandex storage endpoint (default: https://storage.yandexcloud.net) | | +| `config.yandex.s3.bucket` | Yandex storage, bucket name | `falcosidekick` | +| `config.yandex.s3.prefix` | name of prefix, keys will have format: s3:////YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json | | +| `config.yandex.s3.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.kafkarest.address` | The full URL to the topic (example 
"http://kafkarest:8082/topics/test") | | +| `config.kafkarest.version` | Kafka Rest Proxy API version 2 | `2` | +| `config.kafkarest.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.kafkarest.checkcert` | check if ssl certificate of the output is valid | `true` | +| `config.kafkarest.mutualtls` | if true, checkcert flag will be ignored (server cert will always be checked) | `false` | +| `config.syslog.host` | Syslog Host, if not empty, Syslog output is *enabled* | | +| `config.syslog.port` | Syslog endpoint port number | | +| `config.syslog.protocol` | Syslog transport protocol. It can be either "tcp" or "udp" | `tcp` | +| `config.syslog.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.cliq.webhookurl` | Zoho Cliq Channel URL (ex: https://cliq.zoho.eu/api/v2/channelsbyname/XXXX/message?zapikey=YYYY), if not empty, Cliq Chat output is *enabled* | | +| `config.cliq.icon` | Cliq icon (avatar) | | +| `config.cliq.useemoji` | Prefix message text with an emoji | `true` | +| `config.cliq.outputformat` | `all` (default), `text` (only text is displayed in Cliq), `fields` (only fields are displayed in Cliq) | `all` | +| `config.cliq.message format` | a Go template to format Google Chat Text above Attachment, displayed in addition to the output from `cliq.outputformat`. If empty, no Text is displayed before sections. 
| | +| `config.cliq.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `config.policyreport.enabled` | if true; policyreport output is *enabled* | `false` | +| `config.policyreport.kubeconfig` | Kubeconfig file to use (only if falcosidekick is running outside the cluster) | `~/.kube/config` | +| `config.policyreport.maxevents` | the max number of events that can be in a policyreport | `1000` | +| `config.policyreport.prunebypriority` | if true; the events with lowest severity are pruned first, in FIFO order | `false` | +| `config.policyreport.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` | `debug` | +| `image.registry` | The image registry to pull from | `docker.io` | +| `image.repository` | The image repository to pull from | `falcosecurity/falcosidekick` | +| `image.tag` | The image tag to pull | `2.23.1` | +| `image.pullPolicy` | The image pull policy | `IfNotPresent` | +| `extraVolumes` | Extra volumes for sidekick deployment | | +| `extraVolumeMounts` | Extra volume mounts for sidekick deployment | | +| `webui.enabled` | enable Falcosidekick-UI | `false` | +| `webui.podAnnotations` | additions annotations on the pods web UI | `{}` | +| `webui.podLabels` | additions labels on the pods web UI | `{}` | +| `webui.image.registry` | The web UI image registry to pull from | `docker.io` | +| `webui.image.repository` | The web UI image repository to pull from | `falcosecurity/falcosidekick-ui` | +| `webui.image.tag` | The web UI image tag to pull | `v1.1.0` | +| `webui.image.pullPolicy` | The web UI image pull policy | `IfNotPresent` | +| `webui.resources` | The resources for the web UI pods | `v1.1.0` | +| `webui.service.type` | The web UI service type (i. 
e: LoadBalancer) | `ClusterIP` | +| `webui.service.port` | The web UI service port dor the falcosidekick-ui | `2802` | +| `webui.service.nodePort` | The web UI service nodePort | `30282` | +| `webui.service.targetPort` | The web UI service targetPort | `2802` | +| `webui.service.annotations` | The web UI service annotations (use this to set a internal LB, for example.) | `{}` | +| `webui.redis.image.registry` | The web UI image registry to pull from | `docker.io` | +| `webui.redis.image.repository` | The web UI image repository to pull from | `falcosecurity/falcosidekick-ui` | +| `webui.redis.image.tag` | The web UI image tag to pull | `v1.1.0` | +| `webui.redis.image.pullPolicy` | The web UI image pull policy | `IfNotPresent` | +| `webui.redis.podAnnotations` | additions annotations on the pods | `{}` | +| `webui.redis.podLabels` | additions labels on the pods | `{}` | +| `webui.redis.resources` | The resources for the redis pod | `v1.1.0` | +| `webui.redis.storageSize` | Size of the PVC for the redis pod | `v1.1.0` | +| `webui.redis.storageClass` | Storage class of the PVC for the redis pod | `v1.1.0` | + + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Metrics + +A `prometheus` endpoint can be scrapped at `/metrics`. diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/NOTES.txt b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/NOTES.txt new file mode 100644 index 000000000..bee1a2193 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/NOTES.txt 
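Review bot: the Default column of the README parameters table is wrong for several `webui` rows; `webui.resources`, `webui.redis.resources`, `webui.redis.storageSize` and `webui.redis.storageClass` all show `v1.1.0` (an image tag copied from `webui.image.tag`), and `webui.redis.image.repository` documents `falcosecurity/falcosidekick-ui` as the redis image, which is not a redis image. Please correct these against values.yaml; readers use this column to judge what a default install runs. Smaller points in the same hunk: the `config.openfaas.mutualtls` and `config.openfaas.checkcert` rows carry two extra trailing cells (`| | \`openfaas\``) that break the table, `config.cliq.message format` has a space inside the key name, the `config.yandex.region` default `u-central-1` looks truncated, and the sentence "Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example," ends without the example it promises. Typos: "Optionnal", "scrapped" (scraped), "dor" (for), "using use this output", "additions annotations".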
@@ -0,0 +1,44 @@ +1. Get the URL for Falcosidekick by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "falcosidekick.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "falcosidekick.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "falcosidekick.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + kubectl port-forward svc/{{ include "falcosidekick.name" . }} {{ .Values.service.port }}:{{ .Values.service.port }} --namespace {{ .Release.Namespace }} + echo "Visit http://127.0.0.1:{{ .Values.service.port }} to use your application" +{{- end }} +{{- if .Values.webui.enabled }} +2. Get the URL for Falcosidekick-UI (WebUI) by running these commands: +{{- if .Values.webui.ingress.enabled }} +{{- range $host := .Values.webui.ingress.hosts }} + http{{ if $.Values.webui.ingress.tls }}s{{ end }}://{{ $host.host }}{{ index .paths 0 }} +{{- end }} +{{- else if contains "NodePort" .Values.webui.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "falcosidekick.fullname" . 
}})-ui + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT/ui +{{- else if contains "LoadBalancer" .Values.webui.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "falcosidekick.fullname" . }}-ui' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "falcosidekick.fullname" . }}-ui -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.webui.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + kubectl port-forward svc/{{ include "falcosidekick.name" . }}-ui {{ .Values.webui.service.port }}:{{ .Values.webui.service.port }} --namespace {{ .Release.Namespace }} + echo "Visit http://127.0.0.1:{{ .Values.webui.service.port }}/ui to use your application" +{{- end }} +{{ else }} +2. Try to enable Falcosidekick-UI (WebUI) by adding this argument to your command: + --set webui.enabled=true +{{- end }} + diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/_helpers.tpl b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/_helpers.tpl new file mode 100644 index 000000000..bfb7a9cf4 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/_helpers.tpl 
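Review bot: the NodePort branch for Falcosidekick-UI in NOTES.txt queries the wrong Service: in `export NODE_PORT=$(kubectl get ... services {{ include "falcosidekick.fullname" . }})-ui` the `-ui` suffix sits outside the `$(...)`, so kubectl reads the nodePort of the main falcosidekick Service and the shell appends the literal text `-ui` to it. Move the suffix inside: `services {{ include "falcosidekick.fullname" . }}-ui)`. In the same section the ClusterIP branch tests `.Values.service.type` instead of `.Values.webui.service.type`, so the UI instructions follow the main service's type, and both `kubectl port-forward svc/{{ include "falcosidekick.name" . }}` lines use the short name while the ingress templates address the Services as `{{ $fullName }}` / `{{ $fullName }}-ui`, which breaks whenever release name and chart name differ. Also "You can watch the status of by running" is missing a word (twice).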
@@ -0,0 +1,59 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "falcosidekick.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "falcosidekick.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "falcosidekick.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "falcosidekick.ingress.apiVersion" -}} + {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19-0" .Capabilities.KubeVersion.Version) -}} + {{- print "networking.k8s.io/v1" -}} + {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}} + {{- print "networking.k8s.io/v1beta1" -}} + {{- else -}} + {{- print "extensions/v1beta1" -}} + {{- end -}} +{{- end -}} + +{{/* +Return if ingress is stable. +*/}} +{{- define "falcosidekick.ingress.isStable" -}} + {{- eq (include "falcosidekick.ingress.apiVersion" .) "networking.k8s.io/v1" -}} +{{- end -}} + +{{/* +Return if ingress supports pathType. +*/}} +{{- define "falcosidekick.ingress.supportsPathType" -}} + {{- or (eq (include "falcosidekick.ingress.isStable" .) 
"true") (and (eq (include "falcosidekick.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}} +{{- end -}} diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/aadpodidentity.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/aadpodidentity.yaml new file mode 100644 index 000000000..39c961cbc --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/aadpodidentity.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.config.azure.podIdentityClientID .Values.config.azure.podIdentityName -}} +--- +apiVersion: "aadpodidentity.k8s.io/v1" +kind: AzureIdentity +metadata: + name: {{ include "falcosidekick.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + type: 0 + resourceID: /subscriptions/{{ .Values.config.azure.subscriptionID }}/resourcegroups/{{ .Values.config.azure.resourceGroupName }}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{{ .Values.config.azure.podIdentityName }} + clientID: {{ .Values.config.azure.podIdentityClientID }} +--- +apiVersion: "aadpodidentity.k8s.io/v1" +kind: AzureIdentityBinding +metadata: + name: {{ include "falcosidekick.fullname" . }} +spec: + azureIdentity: {{ include "falcosidekick.fullname" . }} + selector: {{ include "falcosidekick.fullname" . }} +{{- end }} diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/clusterrole.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/clusterrole.yaml new file mode 100644 index 000000000..256d10e34 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/clusterrole.yaml 
@@ -0,0 +1,21 @@ +{{- if .Values.podSecurityPolicy.create }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "falcosidekick.fullname" .}} + labels: + app: {{ template "falcosidekick.fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +rules: + - apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ template "falcosidekick.fullname" . }} + verbs: + - use +{{- end }} diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/deployment-ui.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/deployment-ui.yaml new file mode 100644 index 000000000..07ff2871e --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/deployment-ui.yaml 
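Review bot: this ClusterRole granting `use` on the PodSecurityPolicy has no ClusterRoleBinding in the templates shown, and rbac.yaml's namespaced Role already carries an identical `podsecuritypolicies`/`use` rule under the same `podSecurityPolicy.create` condition, so clusterrole.yaml is dead RBAC; either delete the file or add the binding that is meant to consume it. It also uses the legacy `app`/`chart`/`release`/`heritage` labels while every other template in this chart uses `app.kubernetes.io/*`; pick one scheme.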
@@ -0,0 +1,176 @@ +{{- if .Values.webui.enabled }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "falcosidekick.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }}-ui + helm.sh/chart: {{ include "falcosidekick.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }}-ui + app.kubernetes.io/managed-by: {{ .Release.Service }} +spec: + replicas: {{ .Values.webui.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }}-ui + app.kubernetes.io/instance: {{ .Release.Name }}-ui + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }}-ui + app.kubernetes.io/instance: {{ .Release.Name }}-ui + {{- if .Values.webui.podLabels }} +{{ toYaml .Values.webui.podLabels | indent 8 }} + {{- end }} + {{- if .Values.webui.podAnnotations }} + annotations: +{{ toYaml .Values.webui.podAnnotations | indent 8 }} + {{- end }} + spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + serviceAccountName: {{ include "falcosidekick.fullname" . }}-ui + {{- if .Values.webui.priorityClassName }} + priorityClassName: "{{ .Values.webui.priorityClassName }}" + {{- end }} + securityContext: + runAsUser: {{ .Values.webui.podSecurityContext.runAsUser }} + fsGroup: {{ .Values.webui.podSecurityContext.fsGroup }} + containers: + - name: {{ .Chart.Name }}-ui + image: "{{ .Values.webui.image.registry }}/{{ .Values.webui.image.repository }}:{{ .Values.webui.image.tag }}" + imagePullPolicy: {{ .Values.webui.image.pullPolicy }} + args: + - "-r" + - {{ include "falcosidekick.fullname" . 
}}-ui-redis{{ if .Values.webui.redis.fullfqdn }}.{{ .Release.Namespace }}.svc.cluster.local{{ end }}:{{ .Values.webui.redis.service.port | default "6379" }} + ports: + - name: http + containerPort: 2802 + protocol: TCP + livenessProbe: + httpGet: + path: /api/v1/healthz + port: http + initialDelaySeconds: 10 + periodSeconds: 5 + readinessProbe: + httpGet: + path: /api/v1/healthz + port: http + initialDelaySeconds: 10 + periodSeconds: 5 + resources: + {{- toYaml .Values.webui.resources | nindent 12 }} + {{- with .Values.webui.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.webui.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.webui.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "falcosidekick.fullname" . }}-ui-redis + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }}-ui-redis + helm.sh/chart: {{ include "falcosidekick.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }}-ui + app.kubernetes.io/managed-by: {{ .Release.Service }} +spec: + replicas: 1 + serviceName: {{ include "falcosidekick.fullname" . }}-ui-redis + selector: + matchLabels: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }}-ui-redis + app.kubernetes.io/instance: {{ .Release.Name }}-ui-redis + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }}-ui-redis + app.kubernetes.io/instance: {{ .Release.Name }}-ui-redis + {{- if .Values.webui.redis.podLabels }} +{{ toYaml .Values.webui.redis.podLabels | indent 8 }} + {{- end }} + {{- if .Values.webui.redis.podAnnotations }} + annotations: +{{ toYaml .Values.webui.redis.podAnnotations | indent 8 }} + {{- end }} + spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . 
}} + {{- end }} + {{- end }} + serviceAccountName: {{ include "falcosidekick.fullname" . }}-ui + {{- if .Values.webui.redis.priorityClassName }} + priorityClassName: "{{ .Values.webui.redis.priorityClassName }}" + {{- end }} + containers: + - name: redis + image: "{{ .Values.webui.redis.image.registry }}/{{ .Values.webui.redis.image.repository }}:{{ .Values.webui.redis.image.tag }}" + imagePullPolicy: {{ .Values.webui.redis.image.pullPolicy }} + args: [] + ports: + - name: redis + containerPort: 6379 + protocol: TCP + livenessProbe: + tcpSocket: + port: 6379 + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 2 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + tcpSocket: + port: 6379 + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 2 + successThreshold: 1 + failureThreshold: 3 + volumeMounts: + - name: {{ include "falcosidekick.fullname" . }}-ui-redis-data + mountPath: /data + resources: + {{- toYaml .Values.webui.redis.resources | nindent 12 }} + {{- with .Values.webui.redis.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.webui.redis.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.webui.redis.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: {{ include "falcosidekick.fullname" . }}-ui-redis-data + spec: + accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: {{ .Values.webui.redis.storageSize }} + {{- if .Values.webui.redis.storageClass }} + storageClassName: {{ .Values.webui.redis.storageClass }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/deployment.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/deployment.yaml new file mode 100644 index 000000000..2f2d950a4 --- /dev/null 
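Review bot: the redis StatefulSet in deployment-ui.yaml starts redis with `args: []`, so the instance has no authentication, and unlike the UI Deployment it sets no pod `securityContext` (no `runAsUser`/`fsGroup`), falling back to whatever the image defaults to. The UI reaches it over the network at `...-ui-redis:6379`, so any pod that can reach that Service can read or rewrite the stored alert history. Suggest a non-root `securityContext` for the redis pod, a password (`--requirepass` or equivalent) sourced from a Secret and passed to both containers, and a NetworkPolicy limiting ingress to the UI pods; both containers could also set `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`, and since the shared `-ui` ServiceAccount is bound to an empty Role, `automountServiceAccountToken: false` belongs on both pod specs. Minor: the StatefulSet's own `app.kubernetes.io/instance` label is `{{ .Release.Name }}-ui` while its selector and pod template use `{{ .Release.Name }}-ui-redis`; consistent would be better.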
+++ b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/deployment.yaml 
@@ -0,0 +1,107 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "falcosidekick.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }} + helm.sh/chart: {{ include "falcosidekick.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if and .Values.config.azure.podIdentityClientID .Values.config.azure.podIdentityName }} + aadpodidbinding: {{ include "falcosidekick.fullname" . }} + {{- end }} + {{- if .Values.podLabels }} +{{ toYaml .Values.podLabels | indent 8 }} + {{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + serviceAccountName: {{ include "falcosidekick.fullname" . 
}} + {{- if .Values.priorityClassName }} + priorityClassName: "{{ .Values.priorityClassName }}" + {{- end }} + securityContext: + runAsUser: {{ .Values.podSecurityContext.runAsUser }} + fsGroup: {{ .Values.podSecurityContext.fsGroup }} + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 2801 + protocol: TCP + livenessProbe: + httpGet: + path: /ping + port: http + initialDelaySeconds: 10 + periodSeconds: 5 + readinessProbe: + httpGet: + path: /ping + port: http + initialDelaySeconds: 10 + periodSeconds: 5 + envFrom: + - secretRef: + {{- if .Values.config.existingSecret }} + name: {{ .Values.config.existingSecret }} + {{- else }} + name: {{ include "falcosidekick.fullname" . }} + {{- end }} + env: + - name: DEBUG + value: {{ .Values.config.debug | quote }} + - name: CUSTOMFIELDS + value: {{ .Values.config.customfields | quote }} + - name: MUTUALTLSFILESPATH + value: {{ .Values.config.mutualtlsfilespath | quote }} + {{- if .Values.config.extraEnv }} + {{ toYaml .Values.config.extraEnv | nindent 12 }} + {{- end }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- if .Values.extraVolumeMounts }} + volumeMounts: +{{ toYaml .Values.extraVolumeMounts | indent 12 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.extraVolumes }} + volumes: +{{ toYaml .Values.extraVolumes | indent 8 }} + {{- end }} + 
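Review bot: the falcosidekick container in deployment.yaml has no container-level `securityContext`; only pod-level `runAsUser`/`fsGroup` from values are set. The chart's own PodSecurityPolicy requires `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and dropping all capabilities, but whenever `podSecurityPolicy.create` is false nothing enforces them; set those fields directly on the container so the hardening does not depend on the PSP (the `MUTUALTLSFILESPATH` files and `extraVolumeMounts` are mounted volumes, so a read-only root filesystem should not break anything). One caveat on the otherwise correct `checksum/config` annotation: it always hashes the rendered secrets.yaml, so when `config.existingSecret` is set the hash does not reflect the Secret actually mounted and changes to that external Secret will not roll the pods; document this or skip the annotation in that branch.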
diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/ingress-ui.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/ingress-ui.yaml new file mode 100644 index 000000000..1d4bd3de0 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/ingress-ui.yaml 
@@ -0,0 +1,56 @@ +{{- if and .Values.webui.enabled .Values.webui.ingress.enabled -}} +{{- $fullName := include "falcosidekick.fullname" . -}} +{{- $ingressApiIsStable := eq (include "falcosidekick.ingress.isStable" .) "true" -}} +{{- $ingressSupportsPathType := eq (include "falcosidekick.ingress.supportsPathType" .) "true" -}} +--- +apiVersion: {{ include "falcosidekick.ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ $fullName }}-ui + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }}-ui + helm.sh/chart: {{ include "falcosidekick.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }}-ui + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- with .Values.webui.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: +{{- if .Values.webui.ingress.ingressClassName }} + ingressClassName: {{ .Values.webui.ingress.ingressClassName }} +{{- end }} +{{- if .Values.webui.ingress.tls }} + tls: + {{- range .Values.webui.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.webui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if $ingressSupportsPathType }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $fullName }}-ui + port: + name: http + {{- else }} + serviceName: {{ $fullName }}-ui + servicePort: http + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/ingress.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/ingress.yaml new file mode 100644 index 000000000..2c1f6c058 --- /dev/null 
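Review bot: in ingress-ui.yaml the `tls` block is optional and nothing warns that the UI is served over plain HTTP when `webui.ingress.tls` is empty; the UI shows the full alert history (process, file and pod details from Falco events), so the README should state that TLS and an authenticating proxy or ingress-controller auth annotations are expected in front of it when this Ingress is enabled. Otherwise the template is consistent with ingress.yaml and the `isStable`/`supportsPathType` helpers are used correctly.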
+++ b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/ingress.yaml @@ -0,0 +1,56 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "falcosidekick.fullname" . -}} +{{- $ingressApiIsStable := eq (include "falcosidekick.ingress.isStable" .) "true" -}} +{{- $ingressSupportsPathType := eq (include "falcosidekick.ingress.supportsPathType" .) "true" -}} +--- +apiVersion: {{ include "falcosidekick.ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ $fullName }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }} + helm.sh/chart: {{ include "falcosidekick.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: +{{- if .Values.ingress.ingressClassName }} + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- end }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if $ingressSupportsPathType }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $fullName }} + port: + name: http + {{- else }} + serviceName: {{ $fullName }} + servicePort: http + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/podsecuritypolicy.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/podsecuritypolicy.yaml new file mode 100644 index 000000000..fe1d8cb25 --- /dev/null 
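Review bot: ingress.yaml publishes the main falcosidekick Service, i.e. the same `http` port (2801 in deployment.yaml) on which falcosidekick receives events from Falco, with no authentication or source restriction in the template; anything that can reach the Ingress can submit events that are then fanned out to every configured output. Falco runs in-cluster and reaches the Service directly, so this Ingress is rarely needed; the README should say what it is for and that it must sit behind an authenticating proxy or network allow-list when enabled. Same optional-TLS point as ingress-ui.yaml.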
+++ b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/podsecuritypolicy.yaml @@ -0,0 +1,35 @@ +{{- if .Values.podSecurityPolicy.create}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "falcosidekick.fullname" . }} + labels: + app: {{ template "falcosidekick.fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +spec: + privileged: false + allowPrivilegeEscalation: false + hostNetwork: false + readOnlyRootFilesystem: true + requiredDropCapabilities: + - ALL + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + runAsUser: + rule: MustRunAsNonRoot + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - secret +{{- end }} diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/rbac-ui.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/rbac-ui.yaml new file mode 100644 index 000000000..8acb6920a --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/rbac-ui.yaml 
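Review bot: podsecuritypolicy.yaml emits `apiVersion: policy/v1beta1` / `kind: PodSecurityPolicy` whenever `podSecurityPolicy.create` is true, with no API availability check, yet PodSecurityPolicy was removed in Kubernetes 1.25, so the install fails on this object there. Guard it (and the matching `use` rules in clusterrole.yaml and rbac.yaml) with `{{- if and .Values.podSecurityPolicy.create (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}`, the way _helpers.tpl already probes the ingress API, and mention Pod Security Admission for newer clusters. The policy itself is sound (non-root, no privilege escalation, all capabilities dropped, read-only root, only `configMap`/`secret` volumes). Nit: `{{- if .Values.podSecurityPolicy.create}}` lacks the space before `}}` used everywhere else.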
@@ -0,0 +1,41 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "falcosidekick.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }}-ui + helm.sh/chart: {{ include "falcosidekick.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "falcosidekick.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }}-ui + helm.sh/chart: {{ include "falcosidekick.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: [] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "falcosidekick.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }}-ui + helm.sh/chart: {{ include "falcosidekick.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "falcosidekick.fullname" . }}-ui +subjects: +- kind: ServiceAccount + name: {{ include "falcosidekick.fullname" . }}-ui diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/rbac.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/rbac.yaml new file mode 100644 index 000000000..3d17488cc --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/rbac.yaml 
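Review bot: rbac-ui.yaml ships a Role with `rules: []` and a RoleBinding to it, which grants nothing; the `-ui` ServiceAccount exists only to be named in the UI and redis pod specs. Instead of an empty Role/RoleBinding pair, set `automountServiceAccountToken: false` on the ServiceAccount so neither pod receives an API token it has no use for, and drop the two RBAC objects. Minor: labels here use `app.kubernetes.io/instance: {{ .Release.Name }}` while the UI Deployment labels itself `{{ .Release.Name }}-ui`.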
@@ -0,0 +1,104 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "falcosidekick.fullname" . }} + namespace: {{ .Release.Namespace }} + {{- if .Values.config.aws.rolearn }} + annotations: + eks.amazonaws.com/role-arn: {{ .Values.config.aws.rolearn }} + {{- end }} + labels: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }} + helm.sh/chart: {{ include "falcosidekick.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "falcosidekick.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }} + helm.sh/chart: {{ include "falcosidekick.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: + - "" + resources: + - endpoints + verbs: + - get +{{- if .Values.podSecurityPolicy.create }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ template "falcosidekick.fullname" . }} + verbs: + - use +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "falcosidekick.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }} + helm.sh/chart: {{ include "falcosidekick.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "falcosidekick.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "falcosidekick.fullname" . }} +{{- if .Values.config.policyreport.enabled }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "falcosidekick.fullname" . 
}} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }} + helm.sh/chart: {{ include "falcosidekick.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: + - "wgpolicyk8s.io" + resources: + - policyreports + - clusterpolicyreports + verbs: + - get + - create + - delete + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "falcosidekick.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }} + helm.sh/chart: {{ include "falcosidekick.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "falcosidekick.fullname" . }} +subjects: +- kind: ServiceAccount + namespace: {{ .Release.Namespace }} + name: {{ include "falcosidekick.fullname" . }} +{{- end }} \ No newline at end of file diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/secrets.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/secrets.yaml new file mode 100644 index 000000000..e86e98ccc --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/secrets.yaml 
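Review bot: the ClusterRole and ClusterRoleBinding at the end of templates/rbac.yaml carry `namespace: {{ .Release.Namespace }}` in their metadata, which the API server ignores for cluster-scoped kinds and which suggests to a reader that the policyreport grant is namespaced; drop the field from both. Both objects are also named `{{ include "falcosidekick.fullname" . }}` with no namespace component, so two releases of this chart installed in different namespaces under the same release name would contend for one ClusterRole and one binding; suffix the cluster-scoped names with `{{ .Release.Namespace }}` so each release owns its own. The file also ends without a trailing newline.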
@@ -0,0 +1,296 @@ +{{- if eq .Values.config.existingSecret "" }} +{{- $fullName := include "falcosidekick.fullname" . -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "falcosidekick.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }} + helm.sh/chart: {{ include "falcosidekick.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +type: Opaque +data: + # Slack Output + SLACK_WEBHOOKURL: "{{ .Values.config.slack.webhookurl | b64enc }}" + SLACK_OUTPUTFORMAT: "{{ .Values.config.slack.outputformat | b64enc }}" + SLACK_FOOTER: "{{ .Values.config.slack.footer | b64enc }}" + SLACK_ICON: "{{ .Values.config.slack.icon | b64enc }}" + SLACK_USERNAME: "{{ .Values.config.slack.username | b64enc }}" + SLACK_MINIMUMPRIORITY: "{{ .Values.config.slack.minimumpriority | b64enc }}" + SLACK_MESSAGEFORMAT: "{{ .Values.config.slack.messageformat | b64enc }}" + + # RocketChat Output + ROCKETCHAT_WEBHOOKURL: "{{ .Values.config.rocketchat.webhookurl | b64enc }}" + ROCKETCHAT_OUTPUTFORMAT: "{{ .Values.config.rocketchat.outputformat | b64enc }}" + ROCKETCHAT_ICON: "{{ .Values.config.rocketchat.icon | b64enc }}" + ROCKETCHAT_USERNAME: "{{ .Values.config.rocketchat.username | b64enc }}" + ROCKETCHAT_MINIMUMPRIORITY: "{{ .Values.config.rocketchat.minimumpriority | b64enc }}" + ROCKETCHAT_MESSAGEFORMAT: "{{ .Values.config.rocketchat.messageformat | b64enc }}" + ROCKETCHAT_MUTUALTLS: "{{ .Values.config.rocketchat.mutualtls | printf "%t" | b64enc }}" + ROCKETCHAT_CHECKCERT: "{{ .Values.config.rocketchat.checkcert | printf "%t" | b64enc }}" + + # Mattermost Output + MATTERMOST_WEBHOOKURL: "{{ .Values.config.mattermost.webhookurl | b64enc }}" + MATTERMOST_OUTPUTFORMAT: "{{ .Values.config.mattermost.outputformat | b64enc }}" + MATTERMOST_FOOTER: "{{ .Values.config.mattermost.footer | b64enc }}" + MATTERMOST_ICON: "{{ .Values.config.mattermost.icon 
| b64enc }}" + MATTERMOST_USERNAME: "{{ .Values.config.mattermost.username | b64enc }}" + MATTERMOST_MINIMUMPRIORITY: "{{ .Values.config.mattermost.minimumpriority | b64enc }}" + MATTERMOST_MESSAGEFORMAT: "{{ .Values.config.mattermost.messageformat | b64enc }}" + MATTERMOST_MUTUALTLS: "{{ .Values.config.mattermost.mutualtls | printf "%t" | b64enc }}" + MATTERMOST_CHECKCERT: "{{ .Values.config.mattermost.checkcert | printf "%t" | b64enc }}" + + # Teams Output + TEAMS_WEBHOOKURL: "{{ .Values.config.teams.webhookurl | b64enc }}" + TEAMS_OUTPUTFORMAT: "{{ .Values.config.teams.outputformat | b64enc }}" + TEAMS_ACTIVITYIMAGE: "{{ .Values.config.teams.activityimage | b64enc }}" + TEAMS_MINIMUMPRIORITY: "{{ .Values.config.teams.minimumpriority | b64enc }}" + + # Datadog Output + DATADOG_APIKEY: "{{ .Values.config.datadog.apikey | b64enc }}" + DATADOG_HOST: "{{ .Values.config.datadog.host | b64enc }}" + DATADOG_MINIMUMPRIORITY: "{{ .Values.config.datadog.minimumpriority | b64enc }}" + + # AlertManager Output + ALERTMANAGER_HOSTPORT: "{{ .Values.config.alertmanager.hostport | b64enc }}" + ALERTMANAGER_ENDPOINT: "{{ .Values.config.alertmanager.endpoint | b64enc }}" + ALERTMANAGER_MINIMUMPRIORITY: "{{ .Values.config.alertmanager.minimumpriority | b64enc }}" + ALERTMANAGER_MUTUALTLS: "{{ .Values.config.alertmanager.mutualtls | printf "%t" | b64enc }}" + ALERTMANAGER_CHECKCERT: "{{ .Values.config.alertmanager.checkcert | printf "%t" | b64enc }}" + + # InfluxDB Output + INFLUXDB_USER: "{{ .Values.config.influxdb.user | b64enc }}" + INFLUXDB_PASSWORD: "{{ .Values.config.influxdb.password | b64enc }}" + INFLUXDB_HOSTPORT: "{{ .Values.config.influxdb.hostport | b64enc }}" + INFLUXDB_MINIMUMPRIORITY: "{{ .Values.config.influxdb.minimumpriority | b64enc }}" + INFLUXDB_DATABASE: "{{ .Values.config.influxdb.database | b64enc }}" + INFLUXDB_MUTUALTLS: "{{ .Values.config.influxdb.mutualtls | printf "%t" | b64enc }}" + INFLUXDB_CHECKCERT: "{{ .Values.config.influxdb.checkcert | printf "%t" 
| b64enc }}" + + # AWS Output + AWS_ACCESSKEYID: "{{ .Values.config.aws.accesskeyid | b64enc }}" + AWS_SECRETACCESSKEY: "{{ .Values.config.aws.secretaccesskey | b64enc }}" + AWS_REGION: "{{ .Values.config.aws.region | b64enc }}" + AWS_LAMBDA_FUNCTIONNAME: "{{ .Values.config.aws.lambda.functionname | b64enc }}" + AWS_LAMBDA_MINIMUMPRIORITY: "{{ .Values.config.aws.lambda.minimumpriority | b64enc }}" + AWS_CLOUDWATCHLOGS_LOGGROUP: "{{ .Values.config.aws.cloudwatchlogs.loggroup | b64enc }}" + AWS_CLOUDWATCHLOGS_LOGSTREAM: "{{ .Values.config.aws.cloudwatchlogs.logstream | b64enc }}" + AWS_CLOUDWATCHLOGS_MINIMUMPRIORITY: "{{ .Values.config.aws.cloudwatchlogs.minimumpriority | b64enc }}" + AWS_SNS_TOPICARN: "{{ .Values.config.aws.sns.topicarn | b64enc }}" + AWS_SNS_RAWJSON: "{{ .Values.config.aws.sns.rawjson| printf "%t" | b64enc }}" + AWS_SNS_MINIMUMPRIORITY: "{{ .Values.config.aws.sns.minimumpriority | b64enc }}" + AWS_SQS_URL: "{{ .Values.config.aws.sqs.url | b64enc }}" + AWS_SQS_MINIMUMPRIORITY: "{{ .Values.config.aws.sqs.minimumpriority | b64enc }}" + AWS_S3_BUCKET: "{{ .Values.config.aws.s3.bucket | b64enc }}" + AWS_S3_PREFIX: "{{ .Values.config.aws.s3.prefix | b64enc }}" + AWS_S3_MINIMUMPRIORITY: "{{ .Values.config.aws.s3.minimumpriority | b64enc }}" + AWS_KINESIS_STREAMNAME: "{{ .Values.config.aws.kinesis.streamname | b64enc }}" + AWS_KINESIS_MINIMUMPRIORITY: "{{ .Values.config.aws.kinesis.minimumpriority | b64enc }}" + + # SMTP Output + SMTP_USER: "{{ .Values.config.smtp.user | b64enc }}" + SMTP_PASSWORD: "{{ .Values.config.smtp.password | b64enc }}" + SMTP_HOSTPORT: "{{ .Values.config.smtp.hostport | b64enc }}" + SMTP_FROM: "{{ .Values.config.smtp.from | b64enc }}" + SMTP_TO: "{{ .Values.config.smtp.to | b64enc }}" + SMTP_OUTPUTFORMAT: "{{ .Values.config.smtp.outputformat | b64enc }}" + SMTP_MINIMUMPRIORITY: "{{ .Values.config.smtp.minimumpriority | b64enc }}" + + # OpsGenie Output + OPSGENIE_APIKEY: "{{ .Values.config.opsgenie.apikey | b64enc }}" + 
OPSGENIE_REGION: "{{ .Values.config.opsgenie.region | b64enc }}" + OPSGENIE_MINIMUMPRIORITY: "{{ .Values.config.opsgenie.minimumpriority | b64enc }}" + OPSGENIE_MUTUALTLS: "{{ .Values.config.opsgenie.mutualtls | printf "%t" | b64enc }}" + OPSGENIE_CHECKCERT: "{{ .Values.config.opsgenie.checkcert | printf "%t" | b64enc }}" + + # Discord Output + DISCORD_WEBHOOKURL: "{{ .Values.config.discord.webhookurl | b64enc }}" + DISCORD_ICON: "{{ .Values.config.discord.icon | b64enc }}" + DISCORD_MINIMUMPRIORITY: "{{ .Values.config.discord.minimumpriority | b64enc }}" + + # GCP Output + GCP_CREDENTIALS: "{{ .Values.config.gcp.credentials | b64enc }}" + GCP_PUBSUB_PROJECTID: "{{ .Values.config.gcp.pubsub.projectid | b64enc }}" + GCP_PUBSUB_TOPIC: "{{ .Values.config.gcp.pubsub.topic | b64enc }}" + GCP_PUBSUB_MINIMUMPRIORITY: "{{ .Values.config.gcp.pubsub.minimumpriority | b64enc }}" + GCP_STORAGE_BUCKET: "{{ .Values.config.gcp.storage.bucket | b64enc }}" + GCP_STORAGE_PREFIX: "{{ .Values.config.gcp.storage.prefix | b64enc }}" + GCP_STORAGE_MINIMUMPRIORITY: "{{ .Values.config.gcp.storage.minimumpriority | b64enc }}" + GCP_CLOUDFUNCTIONS_NAME: "{{ .Values.config.gcp.cloudfunctions.name | b64enc }}" + GCP_CLOUDFUNCTIONS_MINIMUMPRIORITY: "{{ .Values.config.gcp.cloudfunctions.minimumpriority | b64enc }}" + GCP_CLOUDRUN_ENDPOINT: "{{ .Values.config.gcp.cloudrun.endpoint | b64enc }}" + GCP_CLOUDRUN_JWT: "{{ .Values.config.gcp.cloudrun.jwt | b64enc }}" + GCP_CLOUDRUN_MINIMUMPRIORITY: "{{ .Values.config.gcp.cloudrun.minimumpriority | b64enc }}" + + # GoogleChat Output + GOOGLECHAT_WEBHOOKURL: "{{ .Values.config.googlechat.webhookurl | b64enc }}" + GOOGLECHAT_OUTPUTFORMAT: "{{ .Values.config.googlechat.outputformat | b64enc }}" + GOOGLECHAT_MINIMUMPRIORITY: "{{ .Values.config.googlechat.minimumpriority | b64enc }}" + GOOGLECHAT_MESSAGEFORMAT: "{{ .Values.config.googlechat.messageformat | b64enc }}" + + # ElasticSearch Output + ELASTICSEARCH_HOSTPORT: "{{ 
.Values.config.elasticsearch.hostport | b64enc }}" + ELASTICSEARCH_INDEX: "{{ .Values.config.elasticsearch.index | b64enc }}" + ELASTICSEARCH_TYPE: "{{ .Values.config.elasticsearch.type | b64enc }}" + ELASTICSEARCH_MINIMUMPRIORITY: "{{ .Values.config.elasticsearch.minimumpriority | b64enc }}" + ELASTICSEARCH_MUTUALTLS: "{{ .Values.config.elasticsearch.mutualtls | printf "%t" | b64enc }}" + ELASTICSEARCH_CHECKCERT: "{{ .Values.config.elasticsearch.checkcert | printf "%t" | b64enc }}" + ELASTICSEARCH_USERNAME: "{{ .Values.config.elasticsearch.username | b64enc }}" + ELASTICSEARCH_PASSWORD: "{{ .Values.config.elasticsearch.password | b64enc }}" + + # Loki Output + LOKI_HOSTPORT: "{{ .Values.config.loki.hostport | b64enc }}" + LOKI_ENDPOINT: "{{ .Values.config.loki.endpoint | b64enc }}" + LOKI_TENANT: "{{ .Values.config.loki.tenant | b64enc }}" + LOKI_MINIMUMPRIORITY: "{{ .Values.config.loki.minimumpriority | b64enc }}" + LOKI_MUTUALTLS: "{{ .Values.config.loki.mutualtls | printf "%t" | b64enc }}" + LOKI_CHECKCERT: "{{ .Values.config.loki.checkcert | printf "%t" | b64enc }}" + + # Nats Output + NATS_HOSTPORT: "{{ .Values.config.nats.hostport | b64enc }}" + NATS_MINIMUMPRIORITY: "{{ .Values.config.nats.minimumpriority | b64enc }}" + NATS_MUTUALTLS: "{{ .Values.config.nats.mutualtls | printf "%t" | b64enc }}" + NATS_CHECKCERT: "{{ .Values.config.nats.checkcert | printf "%t" | b64enc }}" + + # Stan Output + STAN_HOSTPORT: "{{ .Values.config.stan.hostport | b64enc }}" + STAN_CLUSTERID: "{{ .Values.config.stan.clusterid | b64enc }}" + STAN_CLIENTID: "{{ .Values.config.stan.clientid | b64enc }}" + STAN_MINIMUMPRIORITY: "{{ .Values.config.stan.minimumpriority | b64enc }}" + STAN_MUTUALTLS: "{{ .Values.config.stan.mutualtls | printf "%t" | b64enc }}" + STAN_CHECKCERT: "{{ .Values.config.stan.checkcert | printf "%t" | b64enc }}" + + # Statsd + STATSD_FORWARDER: "{{ .Values.config.statsd.forwarder | b64enc }}" + STATSD_NAMESPACE: "{{ .Values.config.statsd.namespace | b64enc }}" 
+ + # Dogstatsd + DOGSTATSD_FORWARDER: "{{ .Values.config.dogstatsd.forwarder | b64enc }}" + DOGSTATSD_NAMESPACE: "{{ .Values.config.dogstatsd.namespace | b64enc }}" + DOGSTATSD_TAGS: "{{ .Values.config.dogstatsd.tags | b64enc }}" + + # WebHook Output + WEBHOOK_ADDRESS: "{{ .Values.config.webhook.address | b64enc }}" + WEBHOOK_CUSTOMHEADERS: "{{ .Values.config.webhook.customHeaders | b64enc }}" + WEBHOOK_MINIMUMPRIORITY: "{{ .Values.config.webhook.minimumpriority | b64enc }}" + WEBHOOK_MUTUALTLS: "{{ .Values.config.webhook.mutualtls | printf "%t" | b64enc }}" + WEBHOOK_CHECKCERT: "{{ .Values.config.webhook.checkcert | printf "%t" | b64enc }}" + + # Azure Output + AZURE_EVENTHUB_NAME: "{{ .Values.config.azure.eventHub.name | b64enc }}" + AZURE_EVENTHUB_NAMESPACE: "{{ .Values.config.azure.eventHub.namespace | b64enc }}" + AZURE_EVENTHUB_MINIMUMPRIORITY: "{{ .Values.config.azure.eventHub.minimumpriority | b64enc }}" + + # Kafka Output + KAFKA_HOSTPORT: "{{ .Values.config.kafka.hostport | b64enc }}" + KAFKA_TOPIC: "{{ .Values.config.kafka.topic | b64enc }}" + KAFKA_PARTITION: "{{ .Values.config.kafka.partition | b64enc }}" + KAFKA_MINIMUMPRIORITY: "{{ .Values.config.kafka.minimumpriority | b64enc }}" + + # PagerDuty Output + PAGERDUTY_ROUTINGKEY: "{{ .Values.config.pagerduty.routingkey | b64enc }}" + PAGERDUTY_MINIMUMPRIORITY: "{{ .Values.config.pagerduty.minimumpriority | b64enc }}" + + # Kubeless Output + KUBELESS_FUNCTION: "{{ .Values.config.kubeless.function | b64enc }}" + KUBELESS_NAMESPACE: "{{ .Values.config.kubeless.namespace | b64enc }}" + KUBELESS_PORT: "{{ .Values.config.kubeless.port | toString | b64enc }}" + KUBELESS_MINIMUMPRIORITY: "{{ .Values.config.kubeless.minimumpriority | b64enc }}" + KUBELESS_MUTUALTLS: "{{ .Values.config.kubeless.mutualtls | printf "%t" | b64enc }}" + KUBELESS_CHECKCERT: "{{ .Values.config.kubeless.checkcert | printf "%t" | b64enc }}" + + # OpenFaaS + OPENFAAS_GATEWAYNAMESPACE: "{{ .Values.config.openfaas.gatewaynamespace | b64enc 
}}" + OPENFAAS_GATEWAYSERVICE: "{{ .Values.config.openfaas.gatewayservice | b64enc }}" + OPENFAAS_FUNCTIONNAME: "{{ .Values.config.openfaas.functionname | b64enc }}" + OPENFAAS_FUNCTIONNAMESPACE: "{{ .Values.config.openfaas.functionnamespace | b64enc }}" + OPENFAAS_GATEWAYPORT: "{{ .Values.config.openfaas.gatewayport | toString | b64enc }}" + OPENFAAS_MINIMUMPRIORITY: "{{ .Values.config.openfaas.minimumpriority | b64enc }}" + OPENFAAS_MUTUALTLS: "{{ .Values.config.openfaas.mutualtls | printf "%t" | b64enc }}" + OPENFAAS_CHECKCERT: "{{ .Values.config.openfaas.checkcert | printf "%t" | b64enc }}" + + # Cloud Events Output + CLOUDEVENTS_ADDRESS: "{{ .Values.config.cloudevents.address | b64enc }}" + CLOUDEVENTS_EXTENSION: "{{ .Values.config.cloudevents.extension | b64enc }}" + CLOUDEVENTS_MINIMUMPRIORITY: "{{ .Values.config.cloudevents.minimumpriority | b64enc }}" + + # RabbitMQ Output + RABBITMQ_URL: "{{ .Values.config.rabbitmq.url | b64enc}}" + RABBITMQ_QUEUE: "{{ .Values.config.rabbitmq.queue | b64enc}}" + RABBITMQ_MINIMUMPRIORITY: "{{ .Values.config.rabbitmq.minimumpriority | b64enc}}" + + # Wavefront Output + WAVEFRONT_ENDPOINTTYPE: "{{ .Values.config.wavefront.endpointtype | b64enc}}" + WAVEFRONT_ENDPOINTHOST: "{{ .Values.config.wavefront.endpointhost | b64enc}}" + WAVEFRONT_ENDPOINTTOKEN: "{{ .Values.config.wavefront.endpointtoken | b64enc}}" + WAVEFRONT_ENDPOINTMETRICPORT: "{{ .Values.config.wavefront.endpointmetricport | toString | b64enc}}" + WAVEFRONT_FLUSHINTERVALSECONDS: "{{ .Values.config.wavefront.flushintervalseconds | toString | b64enc}}" + WAVEFRONT_BATCHSIZE: "{{ .Values.config.wavefront.batchsize | toString | b64enc}}" + WAVEFRONT_METRICNAME: "{{ .Values.config.wavefront.metricname | b64enc}}" + WAVEFRONT_MINIMUMPRIORITY: "{{ .Values.config.wavefront.minimumpriority | b64enc}}" + + # Grafana Output + GRAFANA_HOSTPORT: "{{ .Values.config.grafana.hostport | b64enc}}" + GRAFANA_APIKEY: "{{ .Values.config.grafana.apikey | b64enc}}" + 
GRAFANA_DASHBOARDID: "{{ .Values.config.grafana.dashboardid | toString | b64enc}}" + GRAFANA_PANELID: "{{ .Values.config.grafana.panelid | toString | b64enc}}" + GRAFANA_ALLFIELDSASTAGS: "{{ .Values.config.grafana.allfieldsastags | printf "%t" | b64enc}}" + GRAFANA_MUTUALTLS: "{{ .Values.config.grafana.mutualtls | printf "%t" | b64enc}}" + GRAFANA_CHECKCERT: "{{ .Values.config.grafana.checkcert | printf "%t" | b64enc}}" + GRAFANA_MINIMUMPRIORITY: "{{ .Values.config.grafana.minimumpriority | b64enc}}" + + # Fission Output + FISSION_FUNCTION: "{{ .Values.config.fission.function | b64enc}}" + FISSION_ROUTERNAMESPACE: "{{ .Values.config.fission.routernamespace | b64enc}}" + FISSION_ROUTERSERVICE: "{{ .Values.config.fission.routerservice | b64enc}}" + FISSION_ROUTERPORT: "{{ .Values.config.fission.routerport | toString | b64enc}}" + FISSION_MINIMUMPRIORITY: "{{ .Values.config.fission.minimumpriority| b64enc}}" + FISSION_MUTUALTLS: "{{ .Values.config.fission.mutualtls | printf "%t" | b64enc}}" + FISSION_CHECKCERT: "{{ .Values.config.fission.checkcert | printf "%t" | b64enc}}" + + # Yandex Output + YANDEX_ACCESSKEYID: "{{ .Values.config.yandex.accesskeyid | b64enc}}" + YANDEX_SECRETACCESSKEY: "{{ .Values.config.yandex.secretaccesskey | b64enc}}" + YANDEX_REGION: "{{ .Values.config.yandex.region | b64enc}}" + YANDEX_S3_ENDPOINT: "{{ .Values.config.yandex.s3.endpoint | b64enc}}" + YANDEX_S3_BUCKET: "{{ .Values.config.yandex.s3.bucket | b64enc}}" + YANDEX_S3_PREFIX: "{{ .Values.config.yandex.s3.prefix | b64enc}}" + YANDEX_S3_MINIMUMPRIORITY: "{{ .Values.config.yandex.s3.minimumpriority | b64enc}}" + + # KafkaRest Output + KAFKAREST_ADDRESS: "{{ .Values.config.kafkarest.address | b64enc}}" + KAFKAREST_VERSION: "{{ .Values.config.kafkarest.version | toString | b64enc}}" + KAFKAREST_MINIMUMPRIORITY : "{{ .Values.config.kafkarest.minimumpriority | b64enc}}" + KAFKAREST_MUTUALTLS : "{{ .Values.config.kafkarest.mutualtls | printf "%t" | b64enc}}" + KAFKAREST_CHECKCERT : "{{ 
.Values.config.kafkarest.checkcert | printf "%t" | b64enc}}" + + # Syslog + SYSLOG_HOST: "{{ .Values.config.syslog.host | b64enc}}" + SYSLOG_PORT: "{{ .Values.config.syslog.port | printf "%t" | b64enc}}" + SYSLOG_PROTOCOL: "{{ .Values.config.syslog.protocol | b64enc}}" + SYSLOG_MINIMUMPRIORITY : "{{ .Values.config.syslog.minimumpriority | b64enc}}" + + # Zoho Cliq + CLIQ_WEBHOOKURL: "{{ .Values.config.cliq.webhookurl | b64enc}}" + CLIQ_ICON: "{{ .Values.config.cliq.icon | b64enc}}" + CLIQ_USEEMOJI: "{{ .Values.config.cliq.useemoji | printf "%t" | b64enc}}" + CLIQ_OUTPUTFORMAT: "{{ .Values.config.cliq.outputformat | b64enc}}" + CLIQ_MESSAGEFORMAT: "{{ .Values.config.cliq.messageformat | b64enc}}" + CLIQ_MINIMUMPRIORITY : "{{ .Values.config.cliq.minimumpriority | b64enc}}" + + # Policy Reporter + POLICYREPORT_ENABLED: "{{ .Values.config.policyreport.enabled | printf "%t"| b64enc}}" + POLICYREPORT_KUBECONFIG: "{{ .Values.config.policyreport.kubeconfig | b64enc}}" + POLICYREPORT_MAXEVENTS: "{{ .Values.config.policyreport.maxevents | toString | b64enc}}" + POLICYREPORT_PRUNEBYPRIORITY: "{{ .Values.config.policyreport.prunebypriority | printf "%t" | b64enc}}" + POLICYREPORT_MINIMUMPRIORITY : "{{ .Values.config.policyreport.minimumpriority | b64enc}}" + + # WebUI Output + {{- if .Values.webui.enabled -}} + {{ $weburl := printf "http://%s-ui:2802" (include "falcosidekick.fullname" .) }} + WEBUI_URL: "{{ $weburl | b64enc }}" + {{- end }} +{{- end }} diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/service-ui.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/service-ui.yaml new file mode 100644 index 000000000..101a6105e --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/service-ui.yaml 
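Review bot: `SYSLOG_PORT: "{{ .Values.config.syslog.port | printf "%t" | b64enc}}"` in templates/secrets.yaml pipes a string through the boolean verb; with the default `port: ""` from values.yaml Go's printf renders `%!t(string=)`, so the syslog output never receives a usable port. Use `toString` as the other numeric fields do (`KUBELESS_PORT`, `OPENFAAS_GATEWAYPORT`), i.e. `SYSLOG_PORT: "{{ .Values.config.syslog.port | toString | b64enc }}"`. Style: `.Values.config.aws.sns.rawjson| printf` and `.Values.config.fission.minimumpriority| b64enc` drop the space before the pipe, and the `KEY : value` spacing on the KAFKAREST, SYSLOG, CLIQ and POLICYREPORT keys differs from the rest of the file. Separately, the Secret mixes credentials (`DATADOG_APIKEY`, `AWS_SECRETACCESSKEY`, `SMTP_PASSWORD`, `GCP_CREDENTIALS`, `ELASTICSEARCH_PASSWORD`) with plain configuration such as `*_MINIMUMPRIORITY` and `*_OUTPUTFORMAT`; a user who supplies `config.existingSecret` then has to reproduce every key, so splitting non-sensitive settings into a ConfigMap would make the existing-secret path usable and keep the Secret small enough to audit.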
@@ -0,0 +1,55 @@ +{{- if .Values.webui.enabled -}} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "falcosidekick.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }}-ui + helm.sh/chart: {{ include "falcosidekick.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }}-ui + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- with .Values.webui.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.webui.service.type }} + ports: + - port: {{ .Values.webui.service.port }} + {{ if eq .Values.webui.service.type "NodePort" }} + nodePort: {{ .Values.webui.service.nodePort }} + {{ end }} + targetPort: {{ .Values.webui.service.targetPort }} + protocol: TCP + name: http + selector: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }}-ui + app.kubernetes.io/instance: {{ .Release.Name }}-ui +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "falcosidekick.fullname" . }}-ui-redis + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }}-ui-redis + helm.sh/chart: {{ include "falcosidekick.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }}-ui + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- with .Values.webui.redis.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + ports: + - port: {{ .Values.webui.redis.service.port }} + targetPort: {{ .Values.webui.redis.service.targetPort }} + protocol: TCP + name: redis + selector: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }}-ui-redis + app.kubernetes.io/instance: {{ .Release.Name }}-ui-redis +{{- end }} 
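Review bot: in templates/service-ui.yaml the redis Service labels itself `app.kubernetes.io/instance: {{ .Release.Name }}-ui` but selects pods with `app.kubernetes.io/instance: {{ .Release.Name }}-ui-redis`, whereas the UI Service uses `-ui` for both; verify this against the pod labels in the redis deployment template (not in this diff), because a mismatch yields a Service with no endpoints and the UI silently loses its store. The bare `{{ if eq .Values.webui.service.type "NodePort" }}` / `{{ end }}` lines also lack whitespace trimming (`{{- ... -}}`), leaving blank indented lines inside the rendered `ports` entry.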
diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/service.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/service.yaml new file mode 100644 index 000000000..8cd9df8f7 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/service.yaml @@ -0,0 +1,25 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "falcosidekick.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }} + helm.sh/chart: {{ include "falcosidekick.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- with .Values.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/tests/test-connection.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/tests/test-connection.yaml new file mode 100644 index 000000000..d6e3fb05c --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/templates/tests/test-connection.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "falcosidekick.fullname" . }}-test-connection" + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "falcosidekick.name" . }} + helm.sh/chart: {{ include "falcosidekick.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + annotations: + "helm.sh/hook": test-success +spec: + containers: + - name: curl + image: appropriate/curl + command: ['curl'] + args: ["-X", "POST", '{{ include "falcosidekick.fullname" . }}:{{ .Values.service.port }}/ping'] + restartPolicy: Never diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/values.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/values.yaml new file mode 100644 index 000000000..b2bf0cc1e --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/charts/falcosidekick/values.yaml 
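Review bot: the helm test pod in templates/tests/test-connection.yaml runs `image: appropriate/curl` with no tag or digest, so every `helm test` pulls whatever the registry currently serves under that name; pin it to a tag or an `@sha256:` digest, and consider exposing it as a value so users with private registries can point it elsewhere. The pod also has no `securityContext`, unlike the workloads the chart hardens; giving it the same `runAsNonRoot`/`allowPrivilegeEscalation: false` settings keeps the test from being the one unconstrained pod in the release.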
@@ -0,0 +1,488 @@ +# Default values for falcosidekick. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 2 + +image: + registry: docker.io + repository: falcosecurity/falcosidekick + tag: 2.25.0 + pullPolicy: IfNotPresent + +podSecurityContext: + runAsUser: 1234 + fsGroup: 1234 + +# One or more secrets to be used when pulling images +imagePullSecrets: [] +# - registrySecretName + +nameOverride: "" +fullnameOverride: "" + +podSecurityPolicy: + create: false + +priorityClassName: "" + +podLabels: {} +podAnnotations: {} + +config: + existingSecret: "" + extraEnv: [] + debug: false + ## + ## a list of escaped comma separated custom fields to add to falco events, syntax is "key:value\,key:value" + customfields: "" + mutualtlsfilespath: "/etc/certs" # folder which will used to store client.crt, client.key and ca.crt files for mutual tls (default: "/etc/certs") + + slack: + webhookurl: "" + footer: "" + icon: "" + username: "" + outputformat: "all" + minimumpriority: "" + messageformat: "" + + rocketchat: + webhookurl: "" + icon: "" + username: "" + outputformat: "all" + minimumpriority: "" + messageformat: "" + mutualtls: false + checkcert: true + + mattermost: + webhookurl: "" + footer: "" + icon: "" + username: "" + outputformat: "all" + minimumpriority: "" + messageformat: "" + mutualtls: false + checkcert: true + + teams: + webhookurl: "" + activityimage: "" + outputformat: "all" + minimumpriority: "" + + datadog: + apikey: "" + minimumpriority: "" + host: "" + + alertmanager: + hostport: "" + endpoint: "/api/v1/alerts" + minimumpriority: "" + mutualtls: false + checkcert: true + + elasticsearch: + hostport: "" + index: "falco" + type: "event" + minimumpriority: "" + mutualtls: false + checkcert: true + username: "" + password: "" + + influxdb: + hostport: "" + database: "falco" + user: "" + password: "" + minimumpriority: "" + mutualtls: false + checkcert: true + + loki: + hostport: "" + endpoint: 
"/api/prom/push" + tenant: "" + minimumpriority: "" + mutualtls: false + checkcert: true + + nats: + hostport: "" + minimumpriority: "" + mutualtls: false + checkcert: true + + stan: + hostport: "" + clusterid: "" + clientid: "" + minimumpriority: "" + mutualtls: false + checkcert: true + + aws: + rolearn: "" + accesskeyid: "" + secretaccesskey: "" + region: "" + cloudwatchlogs: + loggroup: "" + logstream: "" + minimumpriority: "" + lambda: + functionname: "" + minimumpriority: "" + sns: + topicarn: "" + rawjson: false + minimumpriority: "" + sqs: + url: "" + minimumpriority: "" + s3: + bucket: "" + prefix: "" + minimumpriority: "" + kinesis: + streamname: "" + minimumpriority: "" + + smtp: + hostport: "" + user: "" + password: "" + from: "" + to: "" + outputformat: "html" + minimumpriority: "" + + opsgenie: + apikey: "" + region: "" + minimumpriority: "" + mutualtls: false + checkcert: true + + statsd: + forwarder: "" + namespace: "falcosidekick." + + dogstatsd: + forwarder: "" + namespace: "falcosidekick." 
+ tags: "" + + webhook: + address: "" + customHeaders: "" # a list of comma separated custom headers to add, syntax is "key:value\,key:value" + minimumpriority: "" + mutualtls: false + checkcert: true + + azure: + subscriptionID: "" + resourceGroupName: "" + podIdentityClientID: "" + podIdentityName: "" + eventHub: + namespace: "" + name: "" + minimumpriority: "" + + discord: + webhookurl: "" + icon: "" + minimumpriority: "" + + gcp: + credentials: "" # The base64-encoded JSON key file for the GCP service account + pubsub: + projectid: "" # The GCP Project ID containing the Pub/Sub Topic + topic: "" # The name of the Pub/Sub topic + minimumpriority: "" + storage: + prefix: "" + bucket: "" + minimumpriority: "debug" + cloudfunctions: + name: "" # The name of the Cloud Function name + minimumpriority: "" + cloudrun: + endpoint: "" # the URL of the Cloud Run function + jwt: "" # JWT for the private access to Cloud Run function + minimumpriority: "" + + googlechat: + webhookurl: "" + outputformat: "all" + minimumpriority: "" + messageformat: "" + + kafka: + hostport: "" + topic: "" + partition: "0" + messageformat: "" + minimumpriority: "" + + pagerduty: + routingkey: "" + minimumpriority: "" + + kubeless: + function: "" + namespace: "" + port: 8080 + minimumpriority: "" + mutualtls: false + checkcert: true + + openfaas: + functionname: "" + functionnamespace: "openfaas-fn" + gatewayservice: "gateway" + gatewayport: 8080 + gatewaynamespace: "openfaas" + minimumpriority: "" + mutualtls: false + checkcert: true + + cloudevents: + address: "" + extension: "" + minimumpriority: "" + + rabbitmq: + url: "" + queue: "" + minimumpriority: "debug" + + wavefront: + endpointtype: "" # Wavefront endpoint type, must be 'direct' or 'proxy'. If not empty, with endpointhost, Wavefront output is enabled + endpointhost: "" # Wavefront endpoint address (only the host). If not empty, with endpointhost, Wavefront output is enabled + endpointtoken: "" # Wavefront token. 
Must be used only when endpointtype is 'direct' + endpointmetricport: 2878 # Wavefront endpoint port when type is 'proxy' + metricname: "falco.alert" # Metric to be created in Wavefront. Defaults to falco.alert + batchsize: 10000 # max batch of data sent per flush interval. defaults to 10,000. Used only in direct mode + flushintervalseconds: 1 # Time in seconds between flushing metrics to Wavefront. Defaults to 1s + minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default) + + grafana: + hostport: "" # http://{domain or ip}:{port}, if not empty, Grafana output is enabled + apikey: "" # API Key to authenticate to Grafana, if not empty, Grafana output is enabled + dashboardid: "" # annotations are scoped to a specific dashboard. Optionnal. + panelid: "" # annotations are scoped to a specific panel. Optionnal. + allfieldsastags: false # if true, all custom fields are added as tags (default: false) + mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked) + checkcert: true # check if ssl certificate of the output is valid (default: true) + minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default) + + fission: + function: "" # Name of Fission function, if not empty, Fission is enabled + routernamespace: "fission" # Namespace of Fission Router, "fission" (default) + routerservice: "router" # Service of Fission Router, "router" (default) + routerport: 80 # Port of service of Fission Router + minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default) + checkcert: true # check if ssl certificate of the output is valid (default: true) + mutualtls: false # if true, checkcert flag will be ignored (server cert will always be 
checked) + + yandex: + accesskeyid: "" # yandex access key + secretaccesskey: "" # yandex secret access key + region: "" # yandex storage region (default: ru-central-1) + s3: + endpoint: "" # yandex storage endpoint (default: https://storage.yandexcloud.net) + bucket: "" # Yandex storage, bucket name + prefix: "" # name of prefix, keys will have format: s3:////YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json + minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|erro + + kafkarest: + address: "" # The full URL to the topic (example "http://kafkarest:8082/topics/test") + version: 2 # Kafka Rest Proxy API version 2|1 (default: 2) + minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default) + mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked) + checkcert: true # check if ssl certificate of the output is valid (default: true) + + syslog: + host: "" + port: "" + protocol: "tcp" + minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default) + + cliq: + webhookurl: "" + icon: "" + useemoji: true + outputformat: "all" + messageformat: "" + minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default) + + policyreport: + enabled: false + kubeconfig: "~/.kube/config" + maxevents: 1000 + prunebypriority: false + minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default) + + +service: + type: ClusterIP + port: 2801 + annotations: {} + # networking.gke.io/load-balancer-type: Internal + +ingress: + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # 
kubernetes.io/tls-acme: "true" + hosts: + - host: falcosidekick.local + paths: + - path: / + # -- pathType (e.g. ImplementationSpecific, Prefix, .. etc.) + # pathType: Prefix + + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +extraVolumes: [] +# - name: optional-mtls-volume +# configMap: +# name: falco-certs-optional +# optional: true +# items: +# - key: mtlscert.optional.tls +# path: mtlscert.optional.tls + +extraVolumeMounts: [] +# - mountPath: /etc/certs/mtlscert.optional.tls +# name: optional-mtls-volume + +webui: + enabled: false + + replicaCount: 2 + + image: + registry: docker.io + repository: falcosecurity/falcosidekick-ui + tag: "v2.0.2" + pullPolicy: IfNotPresent + + podSecurityContext: + runAsUser: 1234 + fsGroup: 1234 + + priorityClassName: "" + + podLabels: {} + podAnnotations: {} + + service: + # type: LoadBalancer + type: ClusterIP + port: 2802 + nodePort: 30282 + targetPort: 2802 + annotations: {} + # service.beta.kubernetes.io/aws-load-balancer-internal: "true" + + ingress: + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: falcosidekick-ui.local + paths: + - path: / + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. 
This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + nodeSelector: {} + + tolerations: [] + + affinity: {} + + redis: + image: + registry: docker.io + repository: redislabs/redisearch + tag: "2.2.4" + pullPolicy: IfNotPresent + + priorityClassName: "" + + podLabels: {} + podAnnotations: {} + + storageSize: "1Gi" + storageClass: "" + + service: + # type: LoadBalancer + type: ClusterIP + port: 6379 + targetPort: 6379 + annotations: {} + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + nodeSelector: {} + + tolerations: [] + + affinity: {} diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/ci/ci-values.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/ci/ci-values.yaml new file mode 100644 index 000000000..5a9d858ad --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/ci/ci-values.yaml @@ -0,0 +1,5 @@ +# CI values for Falco. +# To deploy Falco on CI we need to set an argument to bypass the installation +# of the kernel module, so we bypass that. +extraArgs: + - --userspace diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/rules/application_rules.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/rules/application_rules.yaml new file mode 100644 index 000000000..32c812380 --- /dev/null 
+++ b/charts/sumologic/sumologic/2.17.0/charts/falco/rules/application_rules.yaml 
@@ -0,0 +1,188 @@ +# +# Copyright (C) 2019 The Falco Authors. +# +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +- required_engine_version: 2 + +################################################################ +# By default all application-related rules are disabled for +# performance reasons. Depending on the application(s) you use, +# uncomment the corresponding rule definitions for +# application-specific activity monitoring. +################################################################ + +# Elasticsearch ports +- macro: elasticsearch_cluster_port + condition: fd.sport=9300 +- macro: elasticsearch_api_port + condition: fd.sport=9200 +- macro: elasticsearch_port + condition: elasticsearch_cluster_port or elasticsearch_api_port + +# - rule: Elasticsearch unexpected network inbound traffic +# desc: inbound network traffic to elasticsearch on a port other than the standard ports +# condition: user.name = elasticsearch and inbound and not elasticsearch_port +# output: "Inbound network traffic to Elasticsearch on unexpected port (connection=%fd.name)" +# priority: WARNING + +# - rule: Elasticsearch unexpected network outbound traffic +# desc: outbound network traffic from elasticsearch on a port other than the standard ports +# condition: user.name = elasticsearch and outbound and not elasticsearch_cluster_port +# output: "Outbound network traffic from Elasticsearch on unexpected port (connection=%fd.name)" +# priority: WARNING + + +# ActiveMQ ports +- macro: 
activemq_cluster_port + condition: fd.sport=61616 +- macro: activemq_web_port + condition: fd.sport=8161 +- macro: activemq_port + condition: activemq_web_port or activemq_cluster_port + +# - rule: Activemq unexpected network inbound traffic +# desc: inbound network traffic to activemq on a port other than the standard ports +# condition: user.name = activemq and inbound and not activemq_port +# output: "Inbound network traffic to ActiveMQ on unexpected port (connection=%fd.name)" +# priority: WARNING + +# - rule: Activemq unexpected network outbound traffic +# desc: outbound network traffic from activemq on a port other than the standard ports +# condition: user.name = activemq and outbound and not activemq_cluster_port +# output: "Outbound network traffic from ActiveMQ on unexpected port (connection=%fd.name)" +# priority: WARNING + + +# Cassandra ports +# https://docs.datastax.com/en/cassandra/2.0/cassandra/security/secureFireWall_r.html +- macro: cassandra_thrift_client_port + condition: fd.sport=9160 +- macro: cassandra_cql_port + condition: fd.sport=9042 +- macro: cassandra_cluster_port + condition: fd.sport=7000 +- macro: cassandra_ssl_cluster_port + condition: fd.sport=7001 +- macro: cassandra_jmx_port + condition: fd.sport=7199 +- macro: cassandra_port + condition: > + cassandra_thrift_client_port or + cassandra_cql_port or cassandra_cluster_port or + cassandra_ssl_cluster_port or cassandra_jmx_port + +# - rule: Cassandra unexpected network inbound traffic +# desc: inbound network traffic to cassandra on a port other than the standard ports +# condition: user.name = cassandra and inbound and not cassandra_port +# output: "Inbound network traffic to Cassandra on unexpected port (connection=%fd.name)" +# priority: WARNING + +# - rule: Cassandra unexpected network outbound traffic +# desc: outbound network traffic from cassandra on a port other than the standard ports +# condition: user.name = cassandra and outbound and not (cassandra_ssl_cluster_port or 
cassandra_cluster_port) +# output: "Outbound network traffic from Cassandra on unexpected port (connection=%fd.name)" +# priority: WARNING + +# Couchdb ports +# https://github.com/davisp/couchdb/blob/master/etc/couchdb/local.ini +- macro: couchdb_httpd_port + condition: fd.sport=5984 +- macro: couchdb_httpd_ssl_port + condition: fd.sport=6984 +# xxx can't tell what clustering ports are used. not writing rules for this +# yet. + +# Fluentd ports +- macro: fluentd_http_port + condition: fd.sport=9880 +- macro: fluentd_forward_port + condition: fd.sport=24224 + +# - rule: Fluentd unexpected network inbound traffic +# desc: inbound network traffic to fluentd on a port other than the standard ports +# condition: user.name = td-agent and inbound and not (fluentd_forward_port or fluentd_http_port) +# output: "Inbound network traffic to Fluentd on unexpected port (connection=%fd.name)" +# priority: WARNING + +# - rule: Tdagent unexpected network outbound traffic +# desc: outbound network traffic from fluentd on a port other than the standard ports +# condition: user.name = td-agent and outbound and not fluentd_forward_port +# output: "Outbound network traffic from Fluentd on unexpected port (connection=%fd.name)" +# priority: WARNING + +# Gearman ports +# http://gearman.org/protocol/ +# - rule: Gearman unexpected network outbound traffic +# desc: outbound network traffic from gearman on a port other than the standard ports +# condition: user.name = gearman and outbound and outbound and not fd.sport = 4730 +# output: "Outbound network traffic from Gearman on unexpected port (connection=%fd.name)" +# priority: WARNING + +# Zookeeper +- macro: zookeeper_port + condition: fd.sport = 2181 + +# Kafka ports +# - rule: Kafka unexpected network inbound traffic +# desc: inbound network traffic to kafka on a port other than the standard ports +# condition: user.name = kafka and inbound and fd.sport != 9092 +# output: "Inbound network traffic to Kafka on unexpected port 
(connection=%fd.name)" +# priority: WARNING + +# Memcached ports +# - rule: Memcached unexpected network inbound traffic +# desc: inbound network traffic to memcached on a port other than the standard ports +# condition: user.name = memcached and inbound and fd.sport != 11211 +# output: "Inbound network traffic to Memcached on unexpected port (connection=%fd.name)" +# priority: WARNING + +# - rule: Memcached unexpected network outbound traffic +# desc: any outbound network traffic from memcached. memcached never initiates outbound connections. +# condition: user.name = memcached and outbound +# output: "Unexpected Memcached outbound connection (connection=%fd.name)" +# priority: WARNING + + +# MongoDB ports +- macro: mongodb_server_port + condition: fd.sport = 27017 +- macro: mongodb_shardserver_port + condition: fd.sport = 27018 +- macro: mongodb_configserver_port + condition: fd.sport = 27019 +- macro: mongodb_webserver_port + condition: fd.sport = 28017 + +# - rule: Mongodb unexpected network inbound traffic +# desc: inbound network traffic to mongodb on a port other than the standard ports +# condition: > +# user.name = mongodb and inbound and not (mongodb_server_port or +# mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port) +# output: "Inbound network traffic to MongoDB on unexpected port (connection=%fd.name)" +# priority: WARNING + +# MySQL ports +# - rule: Mysql unexpected network inbound traffic +# desc: inbound network traffic to mysql on a port other than the standard ports +# condition: user.name = mysql and inbound and fd.sport != 3306 +# output: "Inbound network traffic to MySQL on unexpected port (connection=%fd.name)" +# priority: WARNING + +# - rule: HTTP server unexpected network inbound traffic +# desc: inbound network traffic to a http server program on a port other than the standard ports +# condition: proc.name in (http_server_binaries) and inbound and fd.sport != 80 and fd.sport != 443 +# output: "Inbound network 
traffic to HTTP Server on unexpected port (connection=%fd.name)" +# priority: WARNING \ No newline at end of file diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/rules/aws_cloudtrail_rules.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/rules/aws_cloudtrail_rules.yaml new file mode 100644 index 000000000..fb8a21d36 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/rules/aws_cloudtrail_rules.yaml 
@@ -0,0 +1,441 @@ +# +# Copyright (C) 2022 The Falco Authors. +# +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# All rules files related to plugins should require engine version 10 +- required_engine_version: 10 + +# These rules can be read by cloudtrail plugin version 0.1.0, or +# anything semver-compatible. +- required_plugin_versions: + - name: cloudtrail + version: 0.2.3 + - name: json + version: 0.2.2 + +# Note that this rule is disabled by default. It's useful only to +# verify that the cloudtrail plugin is sending events properly. The +# very broad condition evt.num > 0 only works because the rule source +# is limited to aws_cloudtrail. This ensures that the only events that +# are matched against the rule are from the cloudtrail plugin (or +# a different plugin with the same source). +- rule: All Cloudtrail Events + desc: Match all cloudtrail events. + condition: + evt.num > 0 + output: Some Cloudtrail Event (evtnum=%evt.num info=%evt.plugininfo ts=%evt.time.iso8601 id=%ct.id error=%ct.error) + priority: DEBUG + tags: + - cloud + - aws + source: aws_cloudtrail + enabled: false + +- rule: Console Login Through Assume Role + desc: Detect a console login through Assume Role. 
+ condition: + ct.name="ConsoleLogin" and not ct.error exists + and ct.user.identitytype="AssumedRole" + and json.value[/responseElements/ConsoleLogin]="Success" + output: + Detected a console login through Assume Role + (principal=%ct.user.principalid, + assumedRole=%ct.user.arn, + requesting IP=%ct.srcip, + AWS region=%ct.region) + priority: WARNING + tags: + - cloud + - aws + - aws_console + - aws_iam + source: aws_cloudtrail + +- rule: Console Login Without MFA + desc: Detect a console login without MFA. + condition: + ct.name="ConsoleLogin" and not ct.error exists + and ct.user.identitytype!="AssumedRole" + and json.value[/responseElements/ConsoleLogin]="Success" + and json.value[/additionalEventData/MFAUsed]="No" + output: + Detected a console login without MFA + (requesting user=%ct.user, + requesting IP=%ct.srcip, + AWS region=%ct.region) + priority: CRITICAL + tags: + - cloud + - aws + - aws_console + - aws_iam + source: aws_cloudtrail + +- rule: Console Root Login Without MFA + desc: Detect root console login without MFA. + condition: + ct.name="ConsoleLogin" and not ct.error exists + and json.value[/additionalEventData/MFAUsed]="No" + and ct.user.identitytype!="AssumedRole" + and json.value[/responseElements/ConsoleLogin]="Success" + and ct.user.identitytype="Root" + output: + Detected a root console login without MFA. + (requesting user=%ct.user, + requesting IP=%ct.srcip, + AWS region=%ct.region) + priority: CRITICAL + tags: + - cloud + - aws + - aws_console + - aws_iam + source: aws_cloudtrail + +- rule: Deactivate MFA for Root User + desc: Detect deactivating MFA configuration for root. 
+ condition: + ct.name="DeactivateMFADevice" and not ct.error exists + and ct.user.identitytype="Root" + and ct.request.username="AWS ROOT USER" + output: + Multi Factor Authentication configuration has been disabled for root + (requesting user=%ct.user, + requesting IP=%ct.srcip, + AWS region=%ct.region, + MFA serial number=%ct.request.serialnumber) + priority: CRITICAL + tags: + - cloud + - aws + - aws_iam + source: aws_cloudtrail + +- rule: Create AWS user + desc: Detect creation of a new AWS user. + condition: + ct.name="CreateUser" and not ct.error exists + output: + A new AWS user has been created + (requesting user=%ct.user, + requesting IP=%ct.srcip, + AWS region=%ct.region, + new user created=%ct.request.username) + priority: INFO + tags: + - cloud + - aws + - aws_iam + source: aws_cloudtrail + +- rule: Create Group + desc: Detect creation of a new user group. + condition: + ct.name="CreateGroup" and not ct.error exists + output: + A new user group has been created. + (requesting user=%ct.user, + requesting IP=%ct.srcip, + AWS region=%ct.region, + group name=%ct.request.groupname) + priority: WARNING + tags: + - cloud + - aws + - aws_iam + source: aws_cloudtrail + +- rule: Delete Group + desc: Detect deletion of a user group. + condition: + ct.name="DeleteGroup" and not ct.error exists + output: + A user group has been deleted. + (requesting user=%ct.user, + requesting IP=%ct.srcip, + AWS region=%ct.region, + group name=%ct.request.groupname) + priority: WARNING + tags: + - cloud + - aws + - aws_iam + source: aws_cloudtrail + +- rule: ECS Service Created + desc: Detect a new service is created in ECS. 
+ condition: + ct.src="ecs.amazonaws.com" and + ct.name="CreateService" and + not ct.error exists + output: + A new service has been created in ECS + (requesting user=%ct.user, + requesting IP=%ct.srcip, + AWS region=%ct.region, + cluster=%ct.request.cluster, + service name=%ct.request.servicename, + task definition=%ct.request.taskdefinition) + priority: WARNING + tags: + - cloud + - aws + - aws_ecs + - aws_fargate + source: aws_cloudtrail + +- rule: ECS Task Run or Started + desc: Detect a new task is started in ECS. + condition: + ct.src="ecs.amazonaws.com" and + (ct.name="RunTask" or ct.name="StartTask") and + not ct.error exists + output: + A new task has been started in ECS + (requesting user=%ct.user, + requesting IP=%ct.srcip, + AWS region=%ct.region, + cluster=%ct.request.cluster, + task definition=%ct.request.taskdefinition) + priority: WARNING + tags: + - cloud + - aws + - aws_ecs + - aws_fargate + source: aws_cloudtrail + +- rule: Create Lambda Function + desc: Detect creation of a Lambda function. + condition: + ct.name="CreateFunction20150331" and not ct.error exists + output: + Lambda function has been created. + (requesting user=%ct.user, + requesting IP=%ct.srcip, + AWS region=%ct.region, + lambda function=%ct.request.functionname) + priority: WARNING + tags: + - cloud + - aws + - aws_lambda + source: aws_cloudtrail + +- rule: Update Lambda Function Code + desc: Detect updates to a Lambda function code. + condition: + ct.name="UpdateFunctionCode20150331v2" and not ct.error exists + output: + The code of a Lambda function has been updated. + (requesting user=%ct.user, + requesting IP=%ct.srcip, + AWS region=%ct.region, + lambda function=%ct.request.functionname) + priority: WARNING + tags: + - cloud + - aws + - aws_lambda + source: aws_cloudtrail + +- rule: Update Lambda Function Configuration + desc: Detect updates to a Lambda function configuration. 
+ condition: + ct.name="UpdateFunctionConfiguration20150331v2" and not ct.error exists + output: + The configuration of a Lambda function has been updated. + (requesting user=%ct.user, + requesting IP=%ct.srcip, + AWS region=%ct.region, + lambda function=%ct.request.functionname) + priority: WARNING + tags: + - cloud + - aws + - aws_lambda + source: aws_cloudtrail + +- rule: Run Instances + desc: Detect launching of a specified number of instances. + condition: + ct.name="RunInstances" and not ct.error exists + output: + A number of instances have been launched. + (requesting user=%ct.user, + requesting IP=%ct.srcip, + AWS region=%ct.region, + availability zone=%ct.request.availabilityzone, + subnet id=%ct.response.subnetid, + reservation id=%ct.response.reservationid) + priority: WARNING + tags: + - cloud + - aws + - aws_ec2 + source: aws_cloudtrail + +# Only instances launched on regions in this list are approved. +- list: approved_regions + items: + - us-east-0 + +- rule: Run Instances in Non-approved Region + desc: Detect launching of a specified number of instances in a non-approved region. + condition: + ct.name="RunInstances" and not ct.error exists and + not ct.region in (approved_regions) + output: + A number of instances have been launched in a non-approved region. + (requesting user=%ct.user, + requesting IP=%ct.srcip, + AWS region=%ct.region, + availability zone=%ct.request.availabilityzone, + subnet id=%ct.response.subnetid, + reservation id=%ct.response.reservationid, + image id=%json.value[/responseElements/instancesSet/items/0/instanceId]) + priority: WARNING + tags: + - cloud + - aws + - aws_ec2 + source: aws_cloudtrail + +- rule: Delete Bucket Encryption + desc: Detect deleting configuration to use encryption for bucket storage. 
+ condition: + ct.name="DeleteBucketEncryption" and not ct.error exists + output: + A encryption configuration for a bucket has been deleted + (requesting user=%ct.user, + requesting IP=%ct.srcip, + AWS region=%ct.region, + bucket=%s3.bucket) + priority: CRITICAL + tags: + - cloud + - aws + - aws_s3 + source: aws_cloudtrail + +- rule: Delete Bucket Public Access Block + desc: Detect deleting blocking public access to bucket. + condition: + ct.name="PutBucketPublicAccessBlock" and not ct.error exists and + json.value[/requestParameters/publicAccessBlock]="" and + (json.value[/requestParameters/PublicAccessBlockConfiguration/RestrictPublicBuckets]=false or + json.value[/requestParameters/PublicAccessBlockConfiguration/BlockPublicPolicy]=false or + json.value[/requestParameters/PublicAccessBlockConfiguration/BlockPublicAcls]=false or + json.value[/requestParameters/PublicAccessBlockConfiguration/IgnorePublicAcls]=false) + output: + A public access block for a bucket has been deleted + (requesting user=%ct.user, + requesting IP=%ct.srcip, + AWS region=%ct.region, + bucket=%s3.bucket) + priority: CRITICAL + tags: + - cloud + - aws + - aws_s3 + source: aws_cloudtrail + +- rule: List Buckets + desc: Detect listing of all S3 buckets. + condition: + ct.name="ListBuckets" and not ct.error exists + output: + A list of all S3 buckets has been requested. + (requesting user=%ct.user, + requesting IP=%ct.srcip, + AWS region=%ct.region, + host=%ct.request.host) + priority: WARNING + enabled: false + tags: + - cloud + - aws + - aws_s3 + source: aws_cloudtrail + +- rule: Put Bucket ACL + desc: Detect setting the permissions on an existing bucket using access control lists. + condition: + ct.name="PutBucketAcl" and not ct.error exists + output: + The permissions on an existing bucket have been set using access control lists. 
+ (requesting user=%ct.user, + requesting IP=%ct.srcip, + AWS region=%ct.region, + bucket name=%s3.bucket) + priority: WARNING + tags: + - cloud + - aws + - aws_s3 + source: aws_cloudtrail + +- rule: Put Bucket Policy + desc: Detect applying an Amazon S3 bucket policy to an Amazon S3 bucket. + condition: + ct.name="PutBucketPolicy" and not ct.error exists + output: + An Amazon S3 bucket policy has been applied to an Amazon S3 bucket. + (requesting user=%ct.user, + requesting IP=%ct.srcip, + AWS region=%ct.region, + bucket name=%s3.bucket, + policy=%ct.request.policy) + priority: WARNING + tags: + - cloud + - aws + - aws_s3 + source: aws_cloudtrail + +- rule: CloudTrail Trail Created + desc: Detect creation of a new trail. + condition: + ct.name="CreateTrail" and not ct.error exists + output: + A new trail has been created. + (requesting user=%ct.user, + requesting IP=%ct.srcip, + AWS region=%ct.region, + trail name=%ct.request.name) + priority: WARNING + tags: + - cloud + - aws + - aws_cloudtrail + source: aws_cloudtrail + +- rule: CloudTrail Logging Disabled + desc: The CloudTrail logging has been disabled, this could be potentially malicious. + condition: + ct.name="StopLogging" and not ct.error exists + output: + The CloudTrail logging has been disabled. + (requesting user=%ct.user, + requesting IP=%ct.srcip, + AWS region=%ct.region, + resource name=%ct.request.name) + priority: WARNING + tags: + - cloud + - aws + - aws_cloudtrail + source: aws_cloudtrail diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/rules/falco_rules.local.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/rules/falco_rules.local.yaml new file mode 100644 index 000000000..19d8430f6 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/rules/falco_rules.local.yaml 
@@ -0,0 +1,30 @@ +# +# Copyright (C) 2019 The Falco Authors. +# +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +#################### +# Your custom rules! +#################### + +# Add new rules, like this one +# - rule: The program "sudo" is run in a container +# desc: An event will trigger every time you run sudo in a container +# condition: evt.type = execve and evt.dir=< and container.id != host and proc.name = sudo +# output: "Sudo run in container (user=%user.name %container.info parent=%proc.pname cmdline=%proc.cmdline)" +# priority: ERROR +# tags: [users, container] + +# Or override/append to any rule, macro, or list from the Default Rules \ No newline at end of file diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/rules/falco_rules.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/rules/falco_rules.yaml new file mode 100644 index 000000000..741fa6141 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/rules/falco_rules.yaml 
@@ -0,0 +1,3140 @@ +# +# Copyright (C) 2022 The Falco Authors. +# +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# The latest Falco Engine version is 9. +# Starting with version 8, the Falco engine supports exceptions. +# However the Falco rules file does not use them by default. +- required_engine_version: 9 + +# Currently disabled as read/write are ignored syscalls. The nearly +# similar open_write/open_read check for files being opened for +# reading/writing. +# - macro: write +# condition: (syscall.type=write and fd.type in (file, directory)) +# - macro: read +# condition: (syscall.type=read and evt.dir=> and fd.type in (file, directory)) + +- macro: open_write + condition: evt.type in (open,openat,openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0 + +- macro: open_read + condition: evt.type in (open,openat,openat2) and evt.is_open_read=true and fd.typechar='f' and fd.num>=0 + +- macro: open_directory + condition: evt.type in (open,openat,openat2) and evt.is_open_read=true and fd.typechar='d' and fd.num>=0 + +- macro: never_true + condition: (evt.num=0) + +- macro: always_true + condition: (evt.num>=0) + +# In some cases, such as dropped system call events, information about +# the process name may be missing. For some rules that really depend +# on the identity of the process performing an action such as opening +# a file, etc., we require that the process name be known. 
+- macro: proc_name_exists + condition: (proc.name!="") + +- macro: rename + condition: evt.type in (rename, renameat, renameat2) + +- macro: mkdir + condition: evt.type in (mkdir, mkdirat) + +- macro: remove + condition: evt.type in (rmdir, unlink, unlinkat) + +- macro: modify + condition: rename or remove + +- macro: spawned_process + condition: evt.type in (execve, execveat) and evt.dir=< + +- macro: create_symlink + condition: evt.type in (symlink, symlinkat) and evt.dir=< + +- macro: create_hardlink + condition: evt.type in (link, linkat) and evt.dir=< + +- macro: chmod + condition: (evt.type in (chmod, fchmod, fchmodat) and evt.dir=<) + +# File categories +- macro: bin_dir + condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) + +- macro: bin_dir_mkdir + condition: > + (evt.arg.path startswith /bin/ or + evt.arg.path startswith /sbin/ or + evt.arg.path startswith /usr/bin/ or + evt.arg.path startswith /usr/sbin/) + +- macro: bin_dir_rename + condition: > + (evt.arg.path startswith /bin/ or + evt.arg.path startswith /sbin/ or + evt.arg.path startswith /usr/bin/ or + evt.arg.path startswith /usr/sbin/ or + evt.arg.name startswith /bin/ or + evt.arg.name startswith /sbin/ or + evt.arg.name startswith /usr/bin/ or + evt.arg.name startswith /usr/sbin/ or + evt.arg.oldpath startswith /bin/ or + evt.arg.oldpath startswith /sbin/ or + evt.arg.oldpath startswith /usr/bin/ or + evt.arg.oldpath startswith /usr/sbin/ or + evt.arg.newpath startswith /bin/ or + evt.arg.newpath startswith /sbin/ or + evt.arg.newpath startswith /usr/bin/ or + evt.arg.newpath startswith /usr/sbin/) + +- macro: etc_dir + condition: fd.name startswith /etc/ + +# This detects writes immediately below / or any write anywhere below /root +- macro: root_dir + condition: (fd.directory=/ or fd.name startswith /root/) + +- list: shell_binaries + items: [ash, bash, csh, ksh, sh, tcsh, zsh, dash] + +- list: ssh_binaries + items: [ + sshd, sftp-server, ssh-agent, + ssh, scp, sftp, + ssh-keygen, 
ssh-keysign, ssh-keyscan, ssh-add + ] + +- list: shell_mgmt_binaries + items: [add-shell, remove-shell] + +- macro: shell_procs + condition: proc.name in (shell_binaries) + +- list: coreutils_binaries + items: [ + truncate, sha1sum, numfmt, fmt, fold, uniq, cut, who, + groups, csplit, sort, expand, printf, printenv, unlink, tee, chcon, stat, + basename, split, nice, "yes", whoami, sha224sum, hostid, users, stdbuf, + base64, unexpand, cksum, od, paste, nproc, pathchk, sha256sum, wc, test, + comm, arch, du, factor, sha512sum, md5sum, tr, runcon, env, dirname, + tsort, join, shuf, install, logname, pinky, nohup, expr, pr, tty, timeout, + tail, "[", seq, sha384sum, nl, head, id, mkfifo, sum, dircolors, ptx, shred, + tac, link, chroot, vdir, chown, touch, ls, dd, uname, "true", pwd, date, + chgrp, chmod, mktemp, cat, mknod, sync, ln, "false", rm, mv, cp, echo, + readlink, sleep, stty, mkdir, df, dir, rmdir, touch + ] + +# dpkg -L login | grep bin | xargs ls -ld | grep -v '^d' | awk '{print $9}' | xargs -L 1 basename | tr "\\n" "," +- list: login_binaries + items: [ + login, systemd, '"(systemd)"', systemd-logind, su, + nologin, faillog, lastlog, newgrp, sg + ] + +# dpkg -L passwd | grep bin | xargs ls -ld | grep -v '^d' | awk '{print $9}' | xargs -L 1 basename | tr "\\n" "," +- list: passwd_binaries + items: [ + shadowconfig, grpck, pwunconv, grpconv, pwck, + groupmod, vipw, pwconv, useradd, newusers, cppw, chpasswd, usermod, + groupadd, groupdel, grpunconv, chgpasswd, userdel, chage, chsh, + gpasswd, chfn, expiry, passwd, vigr, cpgr, adduser, addgroup, deluser, delgroup + ] + +# repoquery -l shadow-utils | grep bin | xargs ls -ld | grep -v '^d' | +# awk '{print $9}' | xargs -L 1 basename | tr "\\n" "," +- list: shadowutils_binaries + items: [ + chage, gpasswd, lastlog, newgrp, sg, adduser, deluser, chpasswd, + groupadd, groupdel, addgroup, delgroup, groupmems, groupmod, grpck, grpconv, grpunconv, + newusers, pwck, pwconv, pwunconv, useradd, userdel, usermod, vigr, 
vipw, unix_chkpwd + ] + +- list: sysdigcloud_binaries + items: [setup-backend, dragent, sdchecks] + +- list: docker_binaries + items: [docker, dockerd, exe, docker-compose, docker-entrypoi, docker-runc-cur, docker-current, dockerd-current] + +- list: k8s_binaries + items: [hyperkube, skydns, kube2sky, exechealthz, weave-net, loopback, bridge, openshift-sdn, openshift] + +- list: lxd_binaries + items: [lxd, lxcfs] + +- list: http_server_binaries + items: [nginx, httpd, httpd-foregroun, lighttpd, apache, apache2] + +- list: db_server_binaries + items: [mysqld, postgres, sqlplus] + +- list: postgres_mgmt_binaries + items: [pg_dumpall, pg_ctl, pg_lsclusters, pg_ctlcluster] + +- list: nosql_server_binaries + items: [couchdb, memcached, redis-server, rabbitmq-server, mongod] + +- list: gitlab_binaries + items: [gitlab-shell, gitlab-mon, gitlab-runner-b, git] + +- list: interpreted_binaries + items: [lua, node, perl, perl5, perl6, php, python, python2, python3, ruby, tcl] + +- macro: interpreted_procs + condition: > + (proc.name in (interpreted_binaries)) + +- macro: server_procs + condition: proc.name in (http_server_binaries, db_server_binaries, docker_binaries, sshd) + +# The explicit quotes are needed to avoid the - characters being +# interpreted by the filter expression. 
+- list: rpm_binaries + items: [dnf, rpm, rpmkey, yum, '"75-system-updat"', rhsmcertd-worke, rhsmcertd, subscription-ma, + repoquery, rpmkeys, rpmq, yum-cron, yum-config-mana, yum-debug-dump, + abrt-action-sav, rpmdb_stat, microdnf, rhn_check, yumdb] + +- list: openscap_rpm_binaries + items: [probe_rpminfo, probe_rpmverify, probe_rpmverifyfile, probe_rpmverifypackage] + +- macro: rpm_procs + condition: (proc.name in (rpm_binaries, openscap_rpm_binaries) or proc.name in (salt-minion)) + +- list: deb_binaries + items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, apt-get, aptitude, + frontend, preinst, add-apt-reposit, apt-auto-remova, apt-key, + apt-listchanges, unattended-upgr, apt-add-reposit, apt-cache, apt.systemd.dai + ] + +# The truncated dpkg-preconfigu is intentional, process names are +# truncated at the falcosecurity-libs level. +- list: package_mgmt_binaries + items: [rpm_binaries, deb_binaries, update-alternat, gem, npm, pip, pip3, sane-utils.post, alternatives, chef-client, apk, snapd] + +- macro: package_mgmt_procs + condition: proc.name in (package_mgmt_binaries) + +- macro: package_mgmt_ancestor_procs + condition: proc.pname in (package_mgmt_binaries) or + proc.aname[2] in (package_mgmt_binaries) or + proc.aname[3] in (package_mgmt_binaries) or + proc.aname[4] in (package_mgmt_binaries) + +- macro: coreos_write_ssh_dir + condition: (proc.name=update-ssh-keys and fd.name startswith /home/core/.ssh) + +- macro: run_by_package_mgmt_binaries + condition: proc.aname in (package_mgmt_binaries, needrestart) + +- list: ssl_mgmt_binaries + items: [ca-certificates] + +- list: dhcp_binaries + items: [dhclient, dhclient-script, 11-dhclient] + +# A canonical set of processes that run other programs with different +# privileges or as a different user. 
+- list: userexec_binaries + items: [sudo, su, suexec, critical-stack, dzdo] + +- list: known_setuid_binaries + items: [ + sshd, dbus-daemon-lau, ping, ping6, critical-stack-, pmmcli, + filemng, PassengerAgent, bwrap, osdetect, nginxmng, sw-engine-fpm, + start-stop-daem + ] + +- list: user_mgmt_binaries + items: [login_binaries, passwd_binaries, shadowutils_binaries] + +- list: dev_creation_binaries + items: [blkid, rename_device, update_engine, sgdisk] + +- list: hids_binaries + items: [aide, aide.wrapper, update-aide.con, logcheck, syslog-summary, osqueryd, ossec-syscheckd] + +- list: vpn_binaries + items: [openvpn] + +- list: nomachine_binaries + items: [nxexec, nxnode.bin, nxserver.bin, nxclient.bin] + +- macro: system_procs + condition: proc.name in (coreutils_binaries, user_mgmt_binaries) + +- list: mail_binaries + items: [ + sendmail, sendmail-msp, postfix, procmail, exim4, + pickup, showq, mailq, dovecot, imap-login, imap, + mailmng-core, pop3-login, dovecot-lda, pop3 + ] + +- list: mail_config_binaries + items: [ + update_conf, parse_mc, makemap_hash, newaliases, update_mk, update_tlsm4, + update_db, update_mc, ssmtp.postinst, mailq, postalias, postfix.config., + postfix.config, postfix-script, postconf + ] + +- list: sensitive_file_names + items: [/etc/shadow, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf] + +- list: sensitive_directory_names + items: [/, /etc, /etc/, /root, /root/] + +- macro: sensitive_files + condition: > + fd.name startswith /etc and + (fd.name in (sensitive_file_names) + or fd.directory in (/etc/sudoers.d, /etc/pam.d)) + +# Indicates that the process is new. Currently detected using time +# since process was started, using a threshold of 5 seconds. 
+- macro: proc_is_new + condition: proc.duration <= 5000000000 + +# Network +- macro: inbound + condition: > + (((evt.type in (accept,listen) and evt.dir=<) or + (evt.type in (recvfrom,recvmsg) and evt.dir=< and + fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and + (fd.typechar = 4 or fd.typechar = 6) and + (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and + (evt.rawres >= 0 or evt.res = EINPROGRESS)) + +# RFC1918 addresses were assigned for private network usage +- list: rfc_1918_addresses + items: ['"10.0.0.0/8"', '"172.16.0.0/12"', '"192.168.0.0/16"'] + +- macro: outbound + condition: > + (((evt.type = connect and evt.dir=<) or + (evt.type in (sendto,sendmsg) and evt.dir=< and + fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and + (fd.typechar = 4 or fd.typechar = 6) and + (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and + (evt.rawres >= 0 or evt.res = EINPROGRESS)) + +# Very similar to inbound/outbound, but combines the tests together +# for efficiency. +- macro: inbound_outbound + condition: > + ((((evt.type in (accept,listen,connect) and evt.dir=<)) and + (fd.typechar = 4 or fd.typechar = 6)) and + (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and + (evt.rawres >= 0 or evt.res = EINPROGRESS)) + +- macro: ssh_port + condition: fd.sport=22 + +# In a local/user rules file, you could override this macro to +# enumerate the servers for which ssh connections are allowed. For +# example, you might have a ssh gateway host for which ssh connections +# are allowed. +# +# In the main falco rules file, there isn't any way to know the +# specific hosts for which ssh access is allowed, so this macro just +# repeats ssh_port, which effectively allows ssh from all hosts. In +# the overridden macro, the condition would look something like +# "fd.sip="a.b.c.d" or fd.sip="e.f.g.h" or ..." 
+- macro: allowed_ssh_hosts + condition: ssh_port + +- rule: Disallowed SSH Connection + desc: Detect any new ssh connection to a host other than those in an allowed group of hosts + condition: (inbound_outbound) and ssh_port and not allowed_ssh_hosts + output: Disallowed SSH Connection (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository) + priority: NOTICE + tags: [network, mitre_remote_service] + +# These rules and supporting macros are more of an example for how to +# use the fd.*ip and fd.*ip.name fields to match connection +# information against ips, netmasks, and complete domain names. +# +# To use this rule, you should modify consider_all_outbound_conns and +# populate allowed_{source,destination}_{ipaddrs,networks,domains} with the +# values that make sense for your environment. +- macro: consider_all_outbound_conns + condition: (never_true) + +# Note that this can be either individual IPs or netmasks +- list: allowed_outbound_destination_ipaddrs + items: ['"127.0.0.1"', '"8.8.8.8"'] + +- list: allowed_outbound_destination_networks + items: ['"127.0.0.1/8"'] + +- list: allowed_outbound_destination_domains + items: [google.com, www.yahoo.com] + +- rule: Unexpected outbound connection destination + desc: Detect any outbound connection to a destination outside of an allowed set of ips, networks, or domain names + condition: > + consider_all_outbound_conns and outbound and not + ((fd.sip in (allowed_outbound_destination_ipaddrs)) or + (fd.snet in (allowed_outbound_destination_networks)) or + (fd.sip.name in (allowed_outbound_destination_domains))) + output: Disallowed outbound connection destination (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository) + priority: NOTICE + tags: [network] + +- macro: consider_all_inbound_conns + condition: (never_true) + +- list: 
allowed_inbound_source_ipaddrs + items: ['"127.0.0.1"'] + +- list: allowed_inbound_source_networks + items: ['"127.0.0.1/8"', '"10.0.0.0/8"'] + +- list: allowed_inbound_source_domains + items: [google.com] + +- rule: Unexpected inbound connection source + desc: Detect any inbound connection from a source outside of an allowed set of ips, networks, or domain names + condition: > + consider_all_inbound_conns and inbound and not + ((fd.cip in (allowed_inbound_source_ipaddrs)) or + (fd.cnet in (allowed_inbound_source_networks)) or + (fd.cip.name in (allowed_inbound_source_domains))) + output: Disallowed inbound connection source (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository) + priority: NOTICE + tags: [network] + +- list: bash_config_filenames + items: [.bashrc, .bash_profile, .bash_history, .bash_login, .bash_logout, .inputrc, .profile] + +- list: bash_config_files + items: [/etc/profile, /etc/bashrc] + +# Covers both csh and tcsh +- list: csh_config_filenames + items: [.cshrc, .login, .logout, .history, .tcshrc, .cshdirs] + +- list: csh_config_files + items: [/etc/csh.cshrc, /etc/csh.login] + +- list: zsh_config_filenames + items: [.zshenv, .zprofile, .zshrc, .zlogin, .zlogout] + +- list: shell_config_filenames + items: [bash_config_filenames, csh_config_filenames, zsh_config_filenames] + +- list: shell_config_files + items: [bash_config_files, csh_config_files] + +- list: shell_config_directories + items: [/etc/zsh] + +- rule: Modify Shell Configuration File + desc: Detect attempt to modify shell configuration files + condition: > + open_write and + (fd.filename in (shell_config_filenames) or + fd.name in (shell_config_files) or + fd.directory in (shell_config_directories)) + and not proc.name in (shell_binaries) + and not exe_running_docker_save + output: > + a shell configuration file has been modified (user=%user.name user_loginuid=%user.loginuid 
command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository) + priority: + WARNING + tags: [file, mitre_persistence] + +# This rule is not enabled by default, as there are many legitimate +# readers of shell config files. If you want to enable it, modify the +# following macro. + +- macro: consider_shell_config_reads + condition: (never_true) + +- rule: Read Shell Configuration File + desc: Detect attempts to read shell configuration files by non-shell programs + condition: > + open_read and + consider_shell_config_reads and + (fd.filename in (shell_config_filenames) or + fd.name in (shell_config_files) or + fd.directory in (shell_config_directories)) and + (not proc.name in (shell_binaries)) + output: > + a shell configuration file was read by a non-shell program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository) + priority: + WARNING + tags: [file, mitre_discovery] + +- macro: consider_all_cron_jobs + condition: (never_true) + +- macro: user_known_cron_jobs + condition: (never_true) + +- rule: Schedule Cron Jobs + desc: Detect cron jobs scheduled + condition: > + ((open_write and fd.name startswith /etc/cron) or + (spawned_process and proc.name = "crontab")) and + consider_all_cron_jobs and + not user_known_cron_jobs + output: > + Cron jobs were scheduled to run (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline + file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) + priority: + NOTICE + tags: [file, mitre_persistence] + +# Use this to test whether the event occurred within a container. 
+ +# When displaying container information in the output field, use +# %container.info, without any leading term (file=%fd.name +# %container.info user=%user.name user_loginuid=%user.loginuid, and not file=%fd.name +# container=%container.info user=%user.name user_loginuid=%user.loginuid). The output will change +# based on the context and whether or not -pk/-pm/-pc was specified on +# the command line. +- macro: container + condition: (container.id != host) + +- macro: container_started + condition: > + ((evt.type = container or + (spawned_process and proc.vpid=1)) and + container.image.repository != incomplete) + +- macro: interactive + condition: > + ((proc.aname=sshd and proc.name != sshd) or + proc.name=systemd-logind or proc.name=login) + +- list: cron_binaries + items: [anacron, cron, crond, crontab] + +# https://github.com/liske/needrestart +- list: needrestart_binaries + items: [needrestart, 10-dpkg, 20-rpm, 30-pacman] + +# Possible scripts run by sshkit +- list: sshkit_script_binaries + items: [10_etc_sudoers., 10_passwd_group] + +- list: plesk_binaries + items: [sw-engine, sw-engine-fpm, sw-engine-kv, filemng, f2bmng] + +# System users that should never log into a system. Consider adding your own +# service users (e.g. 'apache' or 'mysqld') here. 
+- macro: system_users + condition: user.name in (bin, daemon, games, lp, mail, nobody, sshd, sync, uucp, www-data) + +- macro: httpd_writing_ssl_conf + condition: > + (proc.pname=run-httpd and + (proc.cmdline startswith "sed -ri" or proc.cmdline startswith "sed -i") and + (fd.name startswith /etc/httpd/conf.d/ or fd.name startswith /etc/httpd/conf)) + +- macro: userhelper_writing_etc_security + condition: (proc.name=userhelper and fd.name startswith /etc/security) + +- macro: ansible_running_python + condition: (proc.name in (python, pypy, python3) and proc.cmdline contains ansible) + +- macro: python_running_chef + condition: (proc.name=python and (proc.cmdline contains yum-dump.py or proc.cmdline="python /usr/bin/chef-monitor.py")) + +- macro: python_running_denyhosts + condition: > + (proc.name=python and + (proc.cmdline contains /usr/sbin/denyhosts or + proc.cmdline contains /usr/local/bin/denyhosts.py)) + +# Qualys seems to run a variety of shell subprocesses, at various +# levels. This checks at a few levels without the cost of a full +# proc.aname, which traverses the full parent hierarchy. +- macro: run_by_qualys + condition: > + (proc.pname=qualys-cloud-ag or + proc.aname[2]=qualys-cloud-ag or + proc.aname[3]=qualys-cloud-ag or + proc.aname[4]=qualys-cloud-ag) + +- macro: run_by_sumologic_securefiles + condition: > + ((proc.cmdline="usermod -a -G sumologic_collector" or + proc.cmdline="groupadd sumologic_collector") and + (proc.pname=secureFiles.sh and proc.aname[2]=java)) + +- macro: run_by_yum + condition: ((proc.pname=sh and proc.aname[2]=yum) or + (proc.aname[2]=sh and proc.aname[3]=yum)) + +- macro: run_by_ms_oms + condition: > + (proc.aname[3] startswith omsagent- or + proc.aname[3] startswith scx-) + +- macro: run_by_google_accounts_daemon + condition: > + (proc.aname[1] startswith google_accounts or + proc.aname[2] startswith google_accounts or + proc.aname[3] startswith google_accounts) + +# Chef is similar. 
+- macro: run_by_chef + condition: (proc.aname[2]=chef_command_wr or proc.aname[3]=chef_command_wr or + proc.aname[2]=chef-client or proc.aname[3]=chef-client or + proc.name=chef-client) + +- macro: run_by_adclient + condition: (proc.aname[2]=adclient or proc.aname[3]=adclient or proc.aname[4]=adclient) + +- macro: run_by_centrify + condition: (proc.aname[2]=centrify or proc.aname[3]=centrify or proc.aname[4]=centrify) + +# Also handles running semi-indirectly via scl +- macro: run_by_foreman + condition: > + (user.name=foreman and + ((proc.pname in (rake, ruby, scl) and proc.aname[5] in (tfm-rake,tfm-ruby)) or + (proc.pname=scl and proc.aname[2] in (tfm-rake,tfm-ruby)))) + +- macro: java_running_sdjagent + condition: proc.name=java and proc.cmdline contains sdjagent.jar + +- macro: kubelet_running_loopback + condition: (proc.pname=kubelet and proc.name=loopback) + +- macro: python_mesos_marathon_scripting + condition: (proc.pcmdline startswith "python3 /marathon-lb/marathon_lb.py") + +- macro: splunk_running_forwarder + condition: (proc.pname=splunkd and proc.cmdline startswith "sh -c /opt/splunkforwarder") + +- macro: parent_supervise_running_multilog + condition: (proc.name=multilog and proc.pname=supervise) + +- macro: supervise_writing_status + condition: (proc.name in (supervise,svc) and fd.name startswith "/etc/sb/") + +- macro: pki_realm_writing_realms + condition: (proc.cmdline startswith "bash /usr/local/lib/pki/pki-realm" and fd.name startswith /etc/pki/realms) + +- macro: htpasswd_writing_passwd + condition: (proc.name=htpasswd and fd.name=/etc/nginx/.htpasswd) + +- macro: lvprogs_writing_conf + condition: > + (proc.name in (dmeventd,lvcreate,pvscan,lvs) and + (fd.name startswith /etc/lvm/archive or + fd.name startswith /etc/lvm/backup or + fd.name startswith /etc/lvm/cache)) + +- macro: ovsdb_writing_openvswitch + condition: (proc.name=ovsdb-server and fd.directory=/etc/openvswitch) + +- macro: perl_running_plesk + condition: (proc.cmdline startswith 
"perl /opt/psa/admin/bin/plesk_agent_manager" or + proc.pcmdline startswith "perl /opt/psa/admin/bin/plesk_agent_manager") + +- macro: perl_running_updmap + condition: (proc.cmdline startswith "perl /usr/bin/updmap") + +- macro: perl_running_centrifydc + condition: (proc.cmdline startswith "perl /usr/share/centrifydc") + +- macro: runuser_reading_pam + condition: (proc.name=runuser and fd.directory=/etc/pam.d) + +# CIS Linux Benchmark program +- macro: linux_bench_reading_etc_shadow + condition: ((proc.aname[2]=linux-bench and + proc.name in (awk,cut,grep)) and + (fd.name=/etc/shadow or + fd.directory=/etc/pam.d)) + +- macro: parent_ucf_writing_conf + condition: (proc.pname=ucf and proc.aname[2]=frontend) + +- macro: consul_template_writing_conf + condition: > + ((proc.name=consul-template and fd.name startswith /etc/haproxy) or + (proc.name=reload.sh and proc.aname[2]=consul-template and fd.name startswith /etc/ssl)) + +- macro: countly_writing_nginx_conf + condition: (proc.cmdline startswith "nodejs /opt/countly/bin" and fd.name startswith /etc/nginx) + +- list: ms_oms_binaries + items: [omi.postinst, omsconfig.posti, scx.postinst, omsadmin.sh, omiagent] + +- macro: ms_oms_writing_conf + condition: > + ((proc.name in (omiagent,omsagent,in_heartbeat_r*,omsadmin.sh,PerformInventor,dsc_host) + or proc.pname in (ms_oms_binaries) + or proc.aname[2] in (ms_oms_binaries)) + and (fd.name startswith /etc/opt/omi or fd.name startswith /etc/opt/microsoft/omsagent)) + +- macro: ms_scx_writing_conf + condition: (proc.name in (GetLinuxOS.sh) and fd.name startswith /etc/opt/microsoft/scx) + +- macro: azure_scripts_writing_conf + condition: (proc.pname startswith "bash /var/lib/waagent/" and fd.name startswith /etc/azure) + +- macro: azure_networkwatcher_writing_conf + condition: (proc.name in (NetworkWatcherA) and fd.name=/etc/init.d/AzureNetworkWatcherAgent) + +- macro: couchdb_writing_conf + condition: (proc.name=beam.smp and proc.cmdline contains couchdb and fd.name 
startswith /etc/couchdb) + +- macro: update_texmf_writing_conf + condition: (proc.name=update-texmf and fd.name startswith /etc/texmf) + +- macro: slapadd_writing_conf + condition: (proc.name=slapadd and fd.name startswith /etc/ldap) + +- macro: openldap_writing_conf + condition: (proc.pname=run-openldap.sh and fd.name startswith /etc/openldap) + +- macro: ucpagent_writing_conf + condition: (proc.name=apiserver and container.image.repository=docker/ucp-agent and fd.name=/etc/authorization_config.cfg) + +- macro: iscsi_writing_conf + condition: (proc.name=iscsiadm and fd.name startswith /etc/iscsi) + +- macro: istio_writing_conf + condition: (proc.name=pilot-agent and fd.name startswith /etc/istio) + +- macro: symantec_writing_conf + condition: > + ((proc.name=symcfgd and fd.name startswith /etc/symantec) or + (proc.name=navdefutil and fd.name=/etc/symc-defutils.conf)) + +- macro: liveupdate_writing_conf + condition: (proc.cmdline startswith "java LiveUpdate" and fd.name in (/etc/liveupdate.conf, /etc/Product.Catalog.JavaLiveUpdate)) + +- macro: rancher_agent + condition: (proc.name=agent and container.image.repository contains "rancher/agent") + +- macro: rancher_network_manager + condition: (proc.name=rancher-bridge and container.image.repository contains "rancher/network-manager") + +- macro: sosreport_writing_files + condition: > + (proc.name=urlgrabber-ext- and proc.aname[3]=sosreport and + (fd.name startswith /etc/pkt/nssdb or fd.name startswith /etc/pki/nssdb)) + +- macro: pkgmgmt_progs_writing_pki + condition: > + (proc.name=urlgrabber-ext- and proc.pname in (yum, yum-cron, repoquery) and + (fd.name startswith /etc/pkt/nssdb or fd.name startswith /etc/pki/nssdb)) + +- macro: update_ca_trust_writing_pki + condition: (proc.pname=update-ca-trust and proc.name=trust and fd.name startswith /etc/pki) + +- macro: brandbot_writing_os_release + condition: proc.name=brandbot and fd.name=/etc/os-release + +- macro: selinux_writing_conf + condition: (proc.name in 
(semodule,genhomedircon,sefcontext_comp) and fd.name startswith /etc/selinux) + +- list: veritas_binaries + items: [vxconfigd, sfcache, vxclustadm, vxdctl, vxprint, vxdmpadm, vxdisk, vxdg, vxassist, vxtune] + +- macro: veritas_driver_script + condition: (proc.cmdline startswith "perl /opt/VRTSsfmh/bin/mh_driver.pl") + +- macro: veritas_progs + condition: (proc.name in (veritas_binaries) or veritas_driver_script) + +- macro: veritas_writing_config + condition: (veritas_progs and (fd.name startswith /etc/vx or fd.name startswith /etc/opt/VRTS or fd.name startswith /etc/vom)) + +- macro: nginx_writing_conf + condition: (proc.name in (nginx,nginx-ingress-c,nginx-ingress) and (fd.name startswith /etc/nginx or fd.name startswith /etc/ingress-controller)) + +- macro: nginx_writing_certs + condition: > + (((proc.name=openssl and proc.pname=nginx-launch.sh) or proc.name=nginx-launch.sh) and fd.name startswith /etc/nginx/certs) + +- macro: chef_client_writing_conf + condition: (proc.pcmdline startswith "chef-client /opt/gitlab" and fd.name startswith /etc/gitlab) + +- macro: centrify_writing_krb + condition: (proc.name in (adjoin,addns) and fd.name startswith /etc/krb5) + +- macro: sssd_writing_krb + condition: (proc.name=adcli and proc.aname[2]=sssd and fd.name startswith /etc/krb5) + +- macro: cockpit_writing_conf + condition: > + ((proc.pname=cockpit-kube-la or proc.aname[2]=cockpit-kube-la) + and fd.name startswith /etc/cockpit) + +- macro: ipsec_writing_conf + condition: (proc.name=start-ipsec.sh and fd.directory=/etc/ipsec) + +- macro: exe_running_docker_save + condition: > + proc.name = "exe" + and (proc.cmdline contains "/var/lib/docker" + or proc.cmdline contains "/var/run/docker") + and proc.pname in (dockerd, docker, dockerd-current, docker-current) + +# Ideally we'd have a length check here as well but +# filterchecks don't have operators like len() +- macro: sed_temporary_file + condition: (proc.name=sed and fd.name startswith "/etc/sed") + +- macro: 
python_running_get_pip + condition: (proc.cmdline startswith "python get-pip.py") + +- macro: python_running_ms_oms + condition: (proc.cmdline startswith "python /var/lib/waagent/") + +- macro: gugent_writing_guestagent_log + condition: (proc.name=gugent and fd.name=GuestAgent.log) + +- macro: dse_writing_tmp + condition: (proc.name=dse-entrypoint and fd.name=/root/tmp__) + +- macro: zap_writing_state + condition: (proc.name=java and proc.cmdline contains "jar /zap" and fd.name startswith /root/.ZAP) + +- macro: airflow_writing_state + condition: (proc.name=airflow and fd.name startswith /root/airflow) + +- macro: rpm_writing_root_rpmdb + condition: (proc.name=rpm and fd.directory=/root/.rpmdb) + +- macro: maven_writing_groovy + condition: (proc.name=java and proc.cmdline contains "classpath /usr/local/apache-maven" and fd.name startswith /root/.groovy) + +- macro: chef_writing_conf + condition: (proc.name=chef-client and fd.name startswith /root/.chef) + +- macro: kubectl_writing_state + condition: (proc.name in (kubectl,oc) and fd.name startswith /root/.kube) + +- macro: java_running_cassandra + condition: (proc.name=java and proc.cmdline contains "cassandra.jar") + +- macro: cassandra_writing_state + condition: (java_running_cassandra and fd.directory=/root/.cassandra) + +# Istio +- macro: galley_writing_state + condition: (proc.name=galley and fd.name in (known_istio_files)) + +- list: known_istio_files + items: [/healthready, /healthliveness] + +- macro: calico_writing_state + condition: (proc.name=kube-controller and fd.name startswith /status.json and k8s.pod.name startswith calico) + +- macro: calico_writing_envvars + condition: (proc.name=start_runit and fd.name startswith "/etc/envvars" and container.image.repository endswith "calico/node") + +- list: repository_files + items: [sources.list] + +- list: repository_directories + items: [/etc/apt/sources.list.d, /etc/yum.repos.d, /etc/apt] + +- macro: access_repositories + condition: (fd.directory in 
(repository_directories) or + (fd.name pmatch (repository_directories) and + fd.filename in (repository_files))) + +- macro: modify_repositories + condition: (evt.arg.newpath pmatch (repository_directories)) + +- macro: user_known_update_package_registry + condition: (never_true) + +- rule: Update Package Repository + desc: Detect package repositories get updated + condition: > + ((open_write and access_repositories) or (modify and modify_repositories)) + and not package_mgmt_procs + and not package_mgmt_ancestor_procs + and not exe_running_docker_save + and not user_known_update_package_registry + output: > + Repository files get updated (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name newpath=%evt.arg.newpath container_id=%container.id image=%container.image.repository) + priority: + NOTICE + tags: [filesystem, mitre_persistence] + +# Users should overwrite this macro to specify conditions under which a +# write under the binary dir is ignored. For example, it may be okay to +# install a binary in the context of a ci/cd build. 
+- macro: user_known_write_below_binary_dir_activities + condition: (never_true) + +- rule: Write below binary dir + desc: an attempt to write to any file below a set of binary directories + condition: > + bin_dir and evt.dir = < and open_write + and not package_mgmt_procs + and not exe_running_docker_save + and not python_running_get_pip + and not python_running_ms_oms + and not user_known_write_below_binary_dir_activities + output: > + File below a known binary directory opened for writing (user=%user.name user_loginuid=%user.loginuid + command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository) + priority: ERROR + tags: [filesystem, mitre_persistence] + +# If you'd like to generally monitor a wider set of directories on top +# of the ones covered by the rule Write below binary dir, you can use +# the following rule and lists. + +- list: monitored_directories + items: [/boot, /lib, /lib64, /usr/lib, /usr/local/lib, /usr/local/sbin, /usr/local/bin, /root/.ssh] + +- macro: user_ssh_directory + condition: (fd.name glob '/home/*/.ssh/*') + +# google_accounts_(daemon) +- macro: google_accounts_daemon_writing_ssh + condition: (proc.name=google_accounts and user_ssh_directory) + +- macro: cloud_init_writing_ssh + condition: (proc.name=cloud-init and user_ssh_directory) + +- macro: mkinitramfs_writing_boot + condition: (proc.pname in (mkinitramfs, update-initramf) and fd.directory=/boot) + +- macro: monitored_dir + condition: > + (fd.directory in (monitored_directories) + or user_ssh_directory) + and not mkinitramfs_writing_boot + +# Add conditions to this macro (probably in a separate file, +# overwriting this macro) to allow for specific combinations of +# programs writing below monitored directories. +# +# Its default value is an expression that always is false, which +# becomes true when the "not ..." in the rule is applied. 
+- macro: user_known_write_monitored_dir_conditions + condition: (never_true) + +- rule: Write below monitored dir + desc: an attempt to write to any file below a set of monitored directories + condition: > + evt.dir = < and open_write and monitored_dir + and not package_mgmt_procs + and not coreos_write_ssh_dir + and not exe_running_docker_save + and not python_running_get_pip + and not python_running_ms_oms + and not google_accounts_daemon_writing_ssh + and not cloud_init_writing_ssh + and not user_known_write_monitored_dir_conditions + output: > + File below a monitored directory opened for writing (user=%user.name user_loginuid=%user.loginuid + command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository) + priority: ERROR + tags: [filesystem, mitre_persistence] + +# This rule is disabled by default as many system management tools +# like ansible, etc can read these files/paths. Enable it using this macro. 
+ +- macro: consider_ssh_reads + condition: (never_true) + +- macro: user_known_read_ssh_information_activities + condition: (never_true) + +- rule: Read ssh information + desc: Any attempt to read files below ssh directories by non-ssh programs + condition: > + ((open_read or open_directory) and + consider_ssh_reads and + (user_ssh_directory or fd.name startswith /root/.ssh) and + not user_known_read_ssh_information_activities and + not proc.name in (ssh_binaries)) + output: > + ssh-related file/directory read by non-ssh program (user=%user.name user_loginuid=%user.loginuid + command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline container_id=%container.id image=%container.image.repository) + priority: ERROR + tags: [filesystem, mitre_discovery] + +- list: safe_etc_dirs + items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment, /etc/hrmconfig, /etc/fluent/configs.d] + +- macro: fluentd_writing_conf_files + condition: (proc.name=start-fluentd and fd.name in (/etc/fluent/fluent.conf, /etc/td-agent/td-agent.conf)) + +- macro: qualys_writing_conf_files + condition: (proc.name=qualys-cloud-ag and fd.name=/etc/qualys/cloud-agent/qagent-log.conf) + +- macro: git_writing_nssdb + condition: (proc.name=git-remote-http and fd.directory=/etc/pki/nssdb) + +- macro: plesk_writing_keys + condition: (proc.name in (plesk_binaries) and fd.name startswith /etc/sw/keys) + +- macro: plesk_install_writing_apache_conf + condition: (proc.cmdline startswith "bash -hB /usr/lib/plesk-9.0/services/webserver.apache configure" + and fd.name="/etc/apache2/apache2.conf.tmp") + +- macro: plesk_running_mktemp + condition: (proc.name=mktemp and proc.aname[3] in (plesk_binaries)) + +- macro: networkmanager_writing_resolv_conf + condition: proc.aname[2]=nm-dispatcher and fd.name=/etc/resolv.conf + +- macro: add_shell_writing_shells_tmp + condition: (proc.name=add-shell and fd.name=/etc/shells.tmp) + +- macro: 
duply_writing_exclude_files + condition: (proc.name=touch and proc.pcmdline startswith "bash /usr/bin/duply" and fd.name startswith "/etc/duply") + +- macro: xmlcatalog_writing_files + condition: (proc.name=update-xmlcatal and fd.directory=/etc/xml) + +- macro: datadog_writing_conf + condition: ((proc.cmdline startswith "python /opt/datadog-agent" or + proc.cmdline startswith "entrypoint.sh /entrypoint.sh datadog start" or + proc.cmdline startswith "agent.py /opt/datadog-agent") + and fd.name startswith "/etc/dd-agent") + +- macro: rancher_writing_conf + condition: ((proc.name in (healthcheck, lb-controller, rancher-dns)) and + (container.image.repository contains "rancher/healthcheck" or + container.image.repository contains "rancher/lb-service-haproxy" or + container.image.repository contains "rancher/dns") and + (fd.name startswith "/etc/haproxy" or fd.name startswith "/etc/rancher-dns")) + +- macro: rancher_writing_root + condition: (proc.name=rancher-metadat and + (container.image.repository contains "rancher/metadata" or container.image.repository contains "rancher/lb-service-haproxy") and + fd.name startswith "/answers.json") + +- macro: checkpoint_writing_state + condition: (proc.name=checkpoint and + container.image.repository contains "coreos/pod-checkpointer" and + fd.name startswith "/etc/kubernetes") + +- macro: jboss_in_container_writing_passwd + condition: > + ((proc.cmdline="run-java.sh /opt/jboss/container/java/run/run-java.sh" + or proc.cmdline="run-java.sh /opt/run-java/run-java.sh") + and container + and fd.name=/etc/passwd) + +- macro: curl_writing_pki_db + condition: (proc.name=curl and fd.directory=/etc/pki/nssdb) + +- macro: haproxy_writing_conf + condition: ((proc.name in (update-haproxy-,haproxy_reload.) 
or proc.pname in (update-haproxy-,haproxy_reload,haproxy_reload.)) + and (fd.name=/etc/openvpn/client.map or fd.name startswith /etc/haproxy)) + +- macro: java_writing_conf + condition: (proc.name=java and fd.name=/etc/.java/.systemPrefs/.system.lock) + +- macro: rabbitmq_writing_conf + condition: (proc.name=rabbitmq-server and fd.directory=/etc/rabbitmq) + +- macro: rook_writing_conf + condition: (proc.name=toolbox.sh and container.image.repository=rook/toolbox + and fd.directory=/etc/ceph) + +- macro: httpd_writing_conf_logs + condition: (proc.name=httpd and fd.name startswith /etc/httpd/) + +- macro: mysql_writing_conf + condition: > + ((proc.name in (start-mysql.sh, run-mysqld) or proc.pname=start-mysql.sh) and + (fd.name startswith /etc/mysql or fd.directory=/etc/my.cnf.d)) + +- macro: redis_writing_conf + condition: > + (proc.name in (run-redis, redis-launcher.) and (fd.name=/etc/redis.conf or fd.name startswith /etc/redis)) + +- macro: openvpn_writing_conf + condition: (proc.name in (openvpn,openvpn-entrypo) and fd.name startswith /etc/openvpn) + +- macro: php_handlers_writing_conf + condition: (proc.name=php_handlers_co and fd.name=/etc/psa/php_versions.json) + +- macro: sed_writing_temp_file + condition: > + ((proc.aname[3]=cron_start.sh and fd.name startswith /etc/security/sed) or + (proc.name=sed and (fd.name startswith /etc/apt/sources.list.d/sed or + fd.name startswith /etc/apt/sed or + fd.name startswith /etc/apt/apt.conf.d/sed))) + +- macro: cron_start_writing_pam_env + condition: (proc.cmdline="bash /usr/sbin/start-cron" and fd.name=/etc/security/pam_env.conf) + +# In some cases dpkg-reconfigur runs commands that modify /etc. Not +# putting the full set of package management programs yet. 
+- macro: dpkg_scripting + condition: (proc.aname[2] in (dpkg-reconfigur, dpkg-preconfigu)) + +- macro: ufw_writing_conf + condition: (proc.name=ufw and fd.directory=/etc/ufw) + +- macro: calico_writing_conf + condition: > + (((proc.name = calico-node) or + (container.image.repository=gcr.io/projectcalico-org/node and proc.name in (start_runit, cp)) or + (container.image.repository=gcr.io/projectcalico-org/cni and proc.name=sed)) + and fd.name startswith /etc/calico) + +- macro: prometheus_conf_writing_conf + condition: (proc.name=prometheus-conf and fd.name startswith /etc/prometheus/config_out) + +- macro: openshift_writing_conf + condition: (proc.name=oc and fd.name startswith /etc/origin/node) + +- macro: keepalived_writing_conf + condition: (proc.name in (keepalived, kube-keepalived) and fd.name=/etc/keepalived/keepalived.conf) + +- macro: etcd_manager_updating_dns + condition: (container and proc.name=etcd-manager and fd.name=/etc/hosts) + +- macro: automount_using_mtab + condition: (proc.pname = automount and fd.name startswith /etc/mtab) + +- macro: mcafee_writing_cma_d + condition: (proc.name=macompatsvc and fd.directory=/etc/cma.d) + +- macro: avinetworks_supervisor_writing_ssh + condition: > + (proc.cmdline="se_supervisor.p /opt/avi/scripts/se_supervisor.py -d" and + (fd.name startswith /etc/ssh/known_host_ or + fd.name startswith /etc/ssh/ssh_monitor_config_ or + fd.name startswith /etc/ssh/ssh_config_)) + +- macro: multipath_writing_conf + condition: (proc.name = multipath and fd.name startswith /etc/multipath/) + +# Add conditions to this macro (probably in a separate file, +# overwriting this macro) to allow for specific combinations of +# programs writing below specific directories below +# /etc. fluentd_writing_conf_files is a good example to follow, as it +# specifies both the program doing the writing as well as the specific +# files it is allowed to modify. 
+# +# In this file, it just takes one of the programs in the base macro +# and repeats it. + +- macro: user_known_write_etc_conditions + condition: proc.name=confd + +# This is a placeholder for user to extend the whitelist for write below etc rule +- macro: user_known_write_below_etc_activities + condition: (never_true) + +- macro: write_etc_common + condition: > + etc_dir and evt.dir = < and open_write + and proc_name_exists + and not proc.name in (passwd_binaries, shadowutils_binaries, sysdigcloud_binaries, + package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries, + dev_creation_binaries, shell_mgmt_binaries, + mail_config_binaries, + sshkit_script_binaries, + ldconfig.real, ldconfig, confd, gpg, insserv, + apparmor_parser, update-mime, tzdata.config, tzdata.postinst, + systemd, systemd-machine, systemd-sysuser, + debconf-show, rollerd, bind9.postinst, sv, + gen_resolvconf., update-ca-certi, certbot, runsv, + qualys-cloud-ag, locales.postins, nomachine_binaries, + adclient, certutil, crlutil, pam-auth-update, parallels_insta, + openshift-launc, update-rc.d, puppet) + and not (container and proc.cmdline in ("cp /run/secrets/kubernetes.io/serviceaccount/ca.crt /etc/pki/ca-trust/source/anchors/openshift-ca.crt")) + and not proc.pname in (sysdigcloud_binaries, mail_config_binaries, hddtemp.postins, sshkit_script_binaries, locales.postins, deb_binaries, dhcp_binaries) + and not fd.name pmatch (safe_etc_dirs) + and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc) + and not sed_temporary_file + and not exe_running_docker_save + and not ansible_running_python + and not python_running_denyhosts + and not fluentd_writing_conf_files + and not user_known_write_etc_conditions + and not run_by_centrify + and not run_by_adclient + and not qualys_writing_conf_files + and not git_writing_nssdb + and not plesk_writing_keys + and not plesk_install_writing_apache_conf + and not plesk_running_mktemp + and not 
networkmanager_writing_resolv_conf + and not run_by_chef + and not add_shell_writing_shells_tmp + and not duply_writing_exclude_files + and not xmlcatalog_writing_files + and not parent_supervise_running_multilog + and not supervise_writing_status + and not pki_realm_writing_realms + and not htpasswd_writing_passwd + and not lvprogs_writing_conf + and not ovsdb_writing_openvswitch + and not datadog_writing_conf + and not curl_writing_pki_db + and not haproxy_writing_conf + and not java_writing_conf + and not dpkg_scripting + and not parent_ucf_writing_conf + and not rabbitmq_writing_conf + and not rook_writing_conf + and not php_handlers_writing_conf + and not sed_writing_temp_file + and not cron_start_writing_pam_env + and not httpd_writing_conf_logs + and not mysql_writing_conf + and not openvpn_writing_conf + and not consul_template_writing_conf + and not countly_writing_nginx_conf + and not ms_oms_writing_conf + and not ms_scx_writing_conf + and not azure_scripts_writing_conf + and not azure_networkwatcher_writing_conf + and not couchdb_writing_conf + and not update_texmf_writing_conf + and not slapadd_writing_conf + and not symantec_writing_conf + and not liveupdate_writing_conf + and not sosreport_writing_files + and not selinux_writing_conf + and not veritas_writing_config + and not nginx_writing_conf + and not nginx_writing_certs + and not chef_client_writing_conf + and not centrify_writing_krb + and not sssd_writing_krb + and not cockpit_writing_conf + and not ipsec_writing_conf + and not httpd_writing_ssl_conf + and not userhelper_writing_etc_security + and not pkgmgmt_progs_writing_pki + and not update_ca_trust_writing_pki + and not brandbot_writing_os_release + and not redis_writing_conf + and not openldap_writing_conf + and not ucpagent_writing_conf + and not iscsi_writing_conf + and not istio_writing_conf + and not ufw_writing_conf + and not calico_writing_conf + and not calico_writing_envvars + and not prometheus_conf_writing_conf + and not 
openshift_writing_conf + and not keepalived_writing_conf + and not rancher_writing_conf + and not checkpoint_writing_state + and not jboss_in_container_writing_passwd + and not etcd_manager_updating_dns + and not user_known_write_below_etc_activities + and not automount_using_mtab + and not mcafee_writing_cma_d + and not avinetworks_supervisor_writing_ssh + and not multipath_writing_conf + +- rule: Write below etc + desc: an attempt to write to any file below /etc + condition: write_etc_common + output: "File below /etc opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)" + priority: ERROR + tags: [filesystem, mitre_persistence] + +- list: known_root_files + items: [/root/.monit.state, /root/.auth_tokens, /root/.bash_history, /root/.ash_history, /root/.aws/credentials, + /root/.viminfo.tmp, /root/.lesshst, /root/.bzr.log, /root/.gitconfig.lock, /root/.babel.json, /root/.localstack, + /root/.node_repl_history, /root/.mongorc.js, /root/.dbshell, /root/.augeas/history, /root/.rnd, /root/.wget-hsts, /health, /exec.fifo] + +- list: known_root_directories + items: [/root/.oracle_jre_usage, /root/.ssh, /root/.subversion, /root/.nami] + +- macro: known_root_conditions + condition: (fd.name startswith /root/orcexec. 
+ or fd.name startswith /root/.m2 + or fd.name startswith /root/.npm + or fd.name startswith /root/.pki + or fd.name startswith /root/.ivy2 + or fd.name startswith /root/.config/Cypress + or fd.name startswith /root/.config/pulse + or fd.name startswith /root/.config/configstore + or fd.name startswith /root/jenkins/workspace + or fd.name startswith /root/.jenkins + or fd.name startswith /root/.cache + or fd.name startswith /root/.sbt + or fd.name startswith /root/.java + or fd.name startswith /root/.glide + or fd.name startswith /root/.sonar + or fd.name startswith /root/.v8flag + or fd.name startswith /root/infaagent + or fd.name startswith /root/.local/lib/python + or fd.name startswith /root/.pm2 + or fd.name startswith /root/.gnupg + or fd.name startswith /root/.pgpass + or fd.name startswith /root/.theano + or fd.name startswith /root/.gradle + or fd.name startswith /root/.android + or fd.name startswith /root/.ansible + or fd.name startswith /root/.crashlytics + or fd.name startswith /root/.dbus + or fd.name startswith /root/.composer + or fd.name startswith /root/.gconf + or fd.name startswith /root/.nv + or fd.name startswith /root/.local/share/jupyter + or fd.name startswith /root/oradiag_root + or fd.name startswith /root/workspace + or fd.name startswith /root/jvm + or fd.name startswith /root/.node-gyp) + +# Add conditions to this macro (probably in a separate file, +# overwriting this macro) to allow for specific combinations of +# programs writing below specific directories below +# / or /root. +# +# In this file, it just takes one of the condition in the base macro +# and repeats it. 
+- macro: user_known_write_root_conditions + condition: fd.name=/root/.bash_history + +# This is a placeholder for user to extend the whitelist for write below root rule +- macro: user_known_write_below_root_activities + condition: (never_true) + +- macro: runc_writing_exec_fifo + condition: (proc.cmdline="runc:[1:CHILD] init" and fd.name=/exec.fifo) + +- macro: runc_writing_var_lib_docker + condition: (proc.cmdline="runc:[1:CHILD] init" and evt.arg.filename startswith /var/lib/docker) + +- macro: mysqlsh_writing_state + condition: (proc.name=mysqlsh and fd.directory=/root/.mysqlsh) + +- rule: Write below root + desc: an attempt to write to any file directly below / or /root + condition: > + root_dir and evt.dir = < and open_write + and proc_name_exists + and not fd.name in (known_root_files) + and not fd.directory pmatch (known_root_directories) + and not exe_running_docker_save + and not gugent_writing_guestagent_log + and not dse_writing_tmp + and not zap_writing_state + and not airflow_writing_state + and not rpm_writing_root_rpmdb + and not maven_writing_groovy + and not chef_writing_conf + and not kubectl_writing_state + and not cassandra_writing_state + and not galley_writing_state + and not calico_writing_state + and not rancher_writing_root + and not runc_writing_exec_fifo + and not mysqlsh_writing_state + and not known_root_conditions + and not user_known_write_root_conditions + and not user_known_write_below_root_activities + output: "File below / or /root opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name container_id=%container.id image=%container.image.repository)" + priority: ERROR + tags: [filesystem, mitre_persistence] + +- macro: cmp_cp_by_passwd + condition: proc.name in (cmp, cp) and proc.pname in (passwd, run-parts) + +- macro: user_known_read_sensitive_files_activities + condition: (never_true) + +- rule: Read sensitive file trusted after startup + desc: > 
+ an attempt to read any sensitive file (e.g. files containing user/password/authentication + information) by a trusted program after startup. Trusted programs might read these files + at startup to load initial state, but not afterwards. + condition: sensitive_files and open_read and server_procs and not proc_is_new and proc.name!="sshd" and not user_known_read_sensitive_files_activities + output: > + Sensitive file opened for reading by trusted program after startup (user=%user.name user_loginuid=%user.loginuid + command=%proc.cmdline parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository) + priority: WARNING + tags: [filesystem, mitre_credential_access] + +- list: read_sensitive_file_binaries + items: [ + iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd, + vsftpd, systemd, mysql_install_d, psql, screen, debconf-show, sa-update, + pam-auth-update, pam-config, /usr/sbin/spamd, polkit-agent-he, lsattr, file, sosreport, + scxcimservera, adclient, rtvscand, cockpit-session, userhelper, ossec-syscheckd + ] + +# Add conditions to this macro (probably in a separate file, +# overwriting this macro) to allow for specific combinations of +# programs accessing sensitive files. +# fluentd_writing_conf_files is a good example to follow, as it +# specifies both the program doing the writing as well as the specific +# files it is allowed to modify. +# +# In this file, it just takes one of the macros in the base rule +# and repeats it. 
+ +- macro: user_read_sensitive_file_conditions + condition: cmp_cp_by_passwd + +- list: read_sensitive_file_images + items: [] + +- macro: user_read_sensitive_file_containers + condition: (container and container.image.repository in (read_sensitive_file_images)) + +# This macro detects man-db postinst, see https://salsa.debian.org/debian/man-db/-/blob/master/debian/postinst +# The rule "Read sensitive file untrusted" use this macro to avoid FPs. +- macro: mandb_postinst + condition: > + (proc.name=perl and proc.args startswith "-e" and + proc.args contains "@pwd = getpwnam(" and + proc.args contains "exec " and + proc.args contains "/usr/bin/mandb") + +- rule: Read sensitive file untrusted + desc: > + an attempt to read any sensitive file (e.g. files containing user/password/authentication + information). Exceptions are made for known trusted programs. + condition: > + sensitive_files and open_read + and proc_name_exists + and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries, + cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries, + vpn_binaries, mail_config_binaries, nomachine_binaries, sshkit_script_binaries, + in.proftpd, mandb, salt-minion, postgres_mgmt_binaries, + google_oslogin_ + ) + and not cmp_cp_by_passwd + and not ansible_running_python + and not run_by_qualys + and not run_by_chef + and not run_by_google_accounts_daemon + and not user_read_sensitive_file_conditions + and not mandb_postinst + and not perl_running_plesk + and not perl_running_updmap + and not veritas_driver_script + and not perl_running_centrifydc + and not runuser_reading_pam + and not linux_bench_reading_etc_shadow + and not user_known_read_sensitive_files_activities + and not user_read_sensitive_file_containers + output: > + Sensitive file opened for reading by non-trusted program (user=%user.name user_loginuid=%user.loginuid program=%proc.name + command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] 
ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository) + priority: WARNING + tags: [filesystem, mitre_credential_access, mitre_discovery] + +- macro: amazon_linux_running_python_yum + condition: > + (proc.name = python and + proc.pcmdline = "python -m amazon_linux_extras system_motd" and + proc.cmdline startswith "python -c import yum;") + +- macro: user_known_write_rpm_database_activities + condition: (never_true) + +# Only let rpm-related programs write to the rpm database +- rule: Write below rpm database + desc: an attempt to write to the rpm database by any non-rpm related program + condition: > + fd.name startswith /var/lib/rpm and open_write + and not rpm_procs + and not ansible_running_python + and not python_running_chef + and not exe_running_docker_save + and not amazon_linux_running_python_yum + and not user_known_write_rpm_database_activities + output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline container_id=%container.id image=%container.image.repository)" + priority: ERROR + tags: [filesystem, software_mgmt, mitre_persistence] + +- macro: postgres_running_wal_e + condition: (proc.pname=postgres and proc.cmdline startswith "sh -c envdir /etc/wal-e.d/env /usr/local/bin/wal-e") + +- macro: redis_running_prepost_scripts + condition: (proc.aname[2]=redis-server and (proc.cmdline contains "redis-server.post-up.d" or proc.cmdline contains "redis-server.pre-up.d")) + +- macro: rabbitmq_running_scripts + condition: > + (proc.pname=beam.smp and + (proc.cmdline startswith "sh -c exec ps" or + proc.cmdline startswith "sh -c exec inet_gethost" or + proc.cmdline= "sh -s unix:cmd" or + proc.cmdline= "sh -c exec /bin/sh -s unix:cmd 2>&1")) + +- macro: rabbitmqctl_running_scripts + condition: (proc.aname[2]=rabbitmqctl and proc.cmdline startswith "sh -c ") + +- macro: run_by_appdynamics + condition: (proc.pname=java and 
proc.pcmdline startswith "java -jar -Dappdynamics") + +- macro: user_known_db_spawned_processes + condition: (never_true) + +- rule: DB program spawned process + desc: > + a database-server related program spawned a new process other than itself. + This shouldn\'t occur and is a follow on from some SQL injection attacks. + condition: > + proc.pname in (db_server_binaries) + and spawned_process + and not proc.name in (db_server_binaries) + and not postgres_running_wal_e + and not user_known_db_spawned_processes + output: > + Database-related program spawned process other than itself (user=%user.name user_loginuid=%user.loginuid + program=%proc.cmdline parent=%proc.pname container_id=%container.id image=%container.image.repository) + priority: NOTICE + tags: [process, database, mitre_execution] + +- macro: user_known_modify_bin_dir_activities + condition: (never_true) + +- rule: Modify binary dirs + desc: an attempt to modify any file below a set of binary directories. + condition: bin_dir_rename and modify and not package_mgmt_procs and not exe_running_docker_save and not user_known_modify_bin_dir_activities + output: > + File below known binary directory renamed/removed (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline + pcmdline=%proc.pcmdline operation=%evt.type file=%fd.name %evt.args container_id=%container.id image=%container.image.repository) + priority: ERROR + tags: [filesystem, mitre_persistence] + +- macro: user_known_mkdir_bin_dir_activities + condition: (never_true) + +- rule: Mkdir binary dirs + desc: an attempt to create a directory below a set of binary directories. 
+ condition: > + mkdir + and bin_dir_mkdir + and not package_mgmt_procs + and not user_known_mkdir_bin_dir_activities + and not exe_running_docker_save + output: > + Directory below known binary directory created (user=%user.name user_loginuid=%user.loginuid + command=%proc.cmdline directory=%evt.arg.path container_id=%container.id image=%container.image.repository) + priority: ERROR + tags: [filesystem, mitre_persistence] + +# This list allows for easy additions to the set of commands allowed +# to change thread namespace without having to copy and override the +# entire change thread namespace rule. +- list: user_known_change_thread_namespace_binaries + items: [crio, multus] + +- macro: user_known_change_thread_namespace_activities + condition: (never_true) + +- list: network_plugin_binaries + items: [aws-cni, azure-vnet] + +- macro: calico_node + condition: (container.image.repository endswith calico/node and proc.name=calico-node) + +- macro: weaveworks_scope + condition: (container.image.repository endswith weaveworks/scope and proc.name=scope) + +- rule: Change thread namespace + desc: > + an attempt to change a program/thread\'s namespace (commonly done + as a part of creating a container) by calling setns. 
+ condition: > + evt.type=setns and evt.dir=< + and proc_name_exists + and not (container.id=host and proc.name in (docker_binaries, k8s_binaries, lxd_binaries, nsenter)) + and not proc.name in (sysdigcloud_binaries, sysdig, calico, oci-umount, cilium-cni, network_plugin_binaries) + and not proc.name in (user_known_change_thread_namespace_binaries) + and not proc.name startswith "runc" + and not proc.cmdline startswith "containerd" + and not proc.pname in (sysdigcloud_binaries, hyperkube, kubelet, protokube, dockerd, tini, aws) + and not java_running_sdjagent + and not kubelet_running_loopback + and not rancher_agent + and not rancher_network_manager + and not calico_node + and not weaveworks_scope + and not user_known_change_thread_namespace_activities + enabled: false + output: > + Namespace change (setns) by unexpected program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline + parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository:%container.image.tag) + priority: NOTICE + tags: [process, mitre_privilege_escalation, mitre_lateral_movement] + +# The binaries in this list and their descendents are *not* allowed +# spawn shells. This includes the binaries spawning shells directly as +# well as indirectly. For example, apache -> php/perl for +# mod_{php,perl} -> some shell is also not allowed, because the shell +# has apache as an ancestor. 
+ +- list: protected_shell_spawning_binaries + items: [ + http_server_binaries, db_server_binaries, nosql_server_binaries, mail_binaries, + fluentd, flanneld, splunkd, consul, smbd, runsv, PM2 + ] + +- macro: parent_java_running_zookeeper + condition: (proc.pname=java and proc.pcmdline contains org.apache.zookeeper.server) + +- macro: parent_java_running_kafka + condition: (proc.pname=java and proc.pcmdline contains kafka.Kafka) + +- macro: parent_java_running_elasticsearch + condition: (proc.pname=java and proc.pcmdline contains org.elasticsearch.bootstrap.Elasticsearch) + +- macro: parent_java_running_activemq + condition: (proc.pname=java and proc.pcmdline contains activemq.jar) + +- macro: parent_java_running_cassandra + condition: (proc.pname=java and (proc.pcmdline contains "-Dcassandra.config.loader" or proc.pcmdline contains org.apache.cassandra.service.CassandraDaemon)) + +- macro: parent_java_running_jboss_wildfly + condition: (proc.pname=java and proc.pcmdline contains org.jboss) + +- macro: parent_java_running_glassfish + condition: (proc.pname=java and proc.pcmdline contains com.sun.enterprise.glassfish) + +- macro: parent_java_running_hadoop + condition: (proc.pname=java and proc.pcmdline contains org.apache.hadoop) + +- macro: parent_java_running_datastax + condition: (proc.pname=java and proc.pcmdline contains com.datastax) + +- macro: nginx_starting_nginx + condition: (proc.pname=nginx and proc.cmdline contains "/usr/sbin/nginx -c /etc/nginx/nginx.conf") + +- macro: nginx_running_aws_s3_cp + condition: (proc.pname=nginx and proc.cmdline startswith "sh -c /usr/local/bin/aws s3 cp") + +- macro: consul_running_net_scripts + condition: (proc.pname=consul and (proc.cmdline startswith "sh -c curl" or proc.cmdline startswith "sh -c nc")) + +- macro: consul_running_alert_checks + condition: (proc.pname=consul and proc.cmdline startswith "sh -c /bin/consul-alerts") + +- macro: serf_script + condition: (proc.cmdline startswith "sh -c serf") + +- macro: 
check_process_status + condition: (proc.cmdline startswith "sh -c kill -0 ") + +# In some cases, you may want to consider node processes run directly +# in containers as protected shell spawners. Examples include using +# pm2-docker or pm2 start some-app.js --no-daemon-mode as the direct +# entrypoint of the container, and when the node app is a long-lived +# server using something like express. +# +# However, there are other uses of node related to build pipelines for +# which node is not really a server but instead a general scripting +# tool. In these cases, shells are very likely and in these cases you +# don't want to consider node processes protected shell spawners. +# +# We have to choose one of these cases, so we consider node processes +# as unprotected by default. If you want to consider any node process +# run in a container as a protected shell spawner, override the below +# macro to remove the "never_true" clause, which allows it to take effect. +- macro: possibly_node_in_container + condition: (never_true and (proc.pname=node and proc.aname[3]=docker-containe)) + +# Similarly, you may want to consider any shell spawned by apache +# tomcat as suspect. The famous apache struts attack (CVE-2017-5638) +# could be exploited to do things like spawn shells. +# +# However, many applications *do* use tomcat to run arbitrary shells, +# as a part of build pipelines, etc. +# +# Like for node, we make this case opt-in. 
+- macro: possibly_parent_java_running_tomcat + condition: (never_true and proc.pname=java and proc.pcmdline contains org.apache.catalina.startup.Bootstrap) + +- macro: protected_shell_spawner + condition: > + (proc.aname in (protected_shell_spawning_binaries) + or parent_java_running_zookeeper + or parent_java_running_kafka + or parent_java_running_elasticsearch + or parent_java_running_activemq + or parent_java_running_cassandra + or parent_java_running_jboss_wildfly + or parent_java_running_glassfish + or parent_java_running_hadoop + or parent_java_running_datastax + or possibly_parent_java_running_tomcat + or possibly_node_in_container) + +- list: mesos_shell_binaries + items: [mesos-docker-ex, mesos-slave, mesos-health-ch] + +# Note that runsv is both in protected_shell_spawner and the +# exclusions by pname. This means that runsv can itself spawn shells +# (the ./run and ./finish scripts), but the processes runsv can not +# spawn shells. +- rule: Run shell untrusted + desc: an attempt to spawn a shell below a non-shell application. Specific applications are monitored. 
+ condition: > + spawned_process + and shell_procs + and proc.pname exists + and protected_shell_spawner + and not proc.pname in (shell_binaries, gitlab_binaries, cron_binaries, user_known_shell_spawn_binaries, + needrestart_binaries, + mesos_shell_binaries, + erl_child_setup, exechealthz, + PM2, PassengerWatchd, c_rehash, svlogd, logrotate, hhvm, serf, + lb-controller, nvidia-installe, runsv, statsite, erlexec, calico-node, + "puma reactor") + and not proc.cmdline in (known_shell_spawn_cmdlines) + and not proc.aname in (unicorn_launche) + and not consul_running_net_scripts + and not consul_running_alert_checks + and not nginx_starting_nginx + and not nginx_running_aws_s3_cp + and not run_by_package_mgmt_binaries + and not serf_script + and not check_process_status + and not run_by_foreman + and not python_mesos_marathon_scripting + and not splunk_running_forwarder + and not postgres_running_wal_e + and not redis_running_prepost_scripts + and not rabbitmq_running_scripts + and not rabbitmqctl_running_scripts + and not run_by_appdynamics + and not user_shell_container_exclusions + output: > + Shell spawned by untrusted binary (user=%user.name user_loginuid=%user.loginuid shell=%proc.name parent=%proc.pname + cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3] + aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7] container_id=%container.id image=%container.image.repository) + priority: DEBUG + tags: [shell, mitre_execution] + +- macro: allowed_openshift_registry_root + condition: > + (container.image.repository startswith openshift3/ or + container.image.repository startswith registry.redhat.io/openshift3/ or + container.image.repository startswith registry.access.redhat.com/openshift3/) + +# Source: https://docs.openshift.com/enterprise/3.2/install_config/install/disconnected_install.html +- macro: openshift_image + condition: > + (allowed_openshift_registry_root and + 
(container.image.repository endswith /logging-deployment or + container.image.repository endswith /logging-elasticsearch or + container.image.repository endswith /logging-kibana or + container.image.repository endswith /logging-fluentd or + container.image.repository endswith /logging-auth-proxy or + container.image.repository endswith /metrics-deployer or + container.image.repository endswith /metrics-hawkular-metrics or + container.image.repository endswith /metrics-cassandra or + container.image.repository endswith /metrics-heapster or + container.image.repository endswith /ose-haproxy-router or + container.image.repository endswith /ose-deployer or + container.image.repository endswith /ose-sti-builder or + container.image.repository endswith /ose-docker-builder or + container.image.repository endswith /ose-pod or + container.image.repository endswith /ose-node or + container.image.repository endswith /ose-docker-registry or + container.image.repository endswith /prometheus-node-exporter or + container.image.repository endswith /image-inspector)) + +# https://docs.aws.amazon.com/eks/latest/userguide/add-ons-images.html +# official AWS EKS registry list. 
AWS has different ECR repo per region +- macro: allowed_aws_ecr_registry_root_for_eks + condition: > + (container.image.repository startswith "602401143452.dkr.ecr" or + container.image.repository startswith "877085696533.dkr.ecr" or + container.image.repository startswith "800184023465.dkr.ecr" or + container.image.repository startswith "918309763551.dkr.ecr" or + container.image.repository startswith "961992271922.dkr.ecr" or + container.image.repository startswith "590381155156.dkr.ecr" or + container.image.repository startswith "558608220178.dkr.ecr" or + container.image.repository startswith "151742754352.dkr.ecr" or + container.image.repository startswith "013241004608.dkr.ecr") + + +- macro: aws_eks_core_images + condition: > + (allowed_aws_ecr_registry_root_for_eks and + (container.image.repository endswith ".amazonaws.com/amazon-k8s-cni" or + container.image.repository endswith ".amazonaws.com/eks/kube-proxy")) + + +- macro: aws_eks_image_sensitive_mount + condition: > + (allowed_aws_ecr_registry_root_for_eks and container.image.repository endswith ".amazonaws.com/amazon-k8s-cni") + +# These images are allowed both to run with --privileged and to mount +# sensitive paths from the host filesystem. +# +# NOTE: This list is only provided for backwards compatibility with +# older local falco rules files that may have been appending to +# trusted_images. To make customizations, it's better to add images to +# either privileged_images or falco_sensitive_mount_images. +- list: trusted_images + items: [] + +# Add conditions to this macro (probably in a separate file, +# overwriting this macro) to specify additional containers that are +# trusted and therefore allowed to run privileged *and* with sensitive +# mounts. +# +# Like trusted_images, this is deprecated in favor of +# user_privileged_containers and user_sensitive_mount_containers and +# is only provided for backwards compatibility. 
+# +# In this file, it just takes one of the images in trusted_containers +# and repeats it. +- macro: user_trusted_containers + condition: (never_true) + +- list: sematext_images + items: [docker.io/sematext/sematext-agent-docker, docker.io/sematext/agent, docker.io/sematext/logagent, + registry.access.redhat.com/sematext/sematext-agent-docker, + registry.access.redhat.com/sematext/agent, + registry.access.redhat.com/sematext/logagent] + +# These container images are allowed to run with --privileged +- list: falco_privileged_images + items: [ + docker.io/calico/node, + calico/node, + docker.io/cloudnativelabs/kube-router, + docker.io/docker/ucp-agent, + docker.io/falcosecurity/falco, + docker.io/mesosphere/mesos-slave, + docker.io/rook/toolbox, + docker.io/sysdig/sysdig, + falcosecurity/falco, + gcr.io/google_containers/kube-proxy, + gcr.io/google-containers/startup-script, + gcr.io/projectcalico-org/node, + gke.gcr.io/kube-proxy, + gke.gcr.io/gke-metadata-server, + gke.gcr.io/netd-amd64, + gcr.io/google-containers/prometheus-to-sd, + k8s.gcr.io/ip-masq-agent-amd64, + k8s.gcr.io/kube-proxy, + k8s.gcr.io/prometheus-to-sd, + public.ecr.aws/falcosecurity/falco, + quay.io/calico/node, + sysdig/sysdig, + sematext_images + ] + +- macro: falco_privileged_containers + condition: (openshift_image or + user_trusted_containers or + aws_eks_core_images or + container.image.repository in (trusted_images) or + container.image.repository in (falco_privileged_images) or + container.image.repository startswith istio/proxy_ or + container.image.repository startswith quay.io/sysdig/) + +# Add conditions to this macro (probably in a separate file, +# overwriting this macro) to specify additional containers that are +# allowed to run privileged +# +# In this file, it just takes one of the images in falco_privileged_images +# and repeats it. 
+- macro: user_privileged_containers + condition: (never_true) + +# These container images are allowed to mount sensitive paths from the +# host filesystem. +- list: falco_sensitive_mount_images + items: [ + docker.io/sysdig/sysdig, sysdig/sysdig, + docker.io/falcosecurity/falco, falcosecurity/falco, public.ecr.aws/falcosecurity/falco, + gcr.io/google_containers/hyperkube, + gcr.io/google_containers/kube-proxy, docker.io/calico/node, + docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul, + docker.io/datadog/docker-dd-agent, docker.io/datadog/agent, docker.io/docker/ucp-agent, docker.io/gliderlabs/logspout, + docker.io/netdata/netdata, docker.io/google/cadvisor, docker.io/prom/node-exporter, + amazon/amazon-ecs-agent, prom/node-exporter, amazon/cloudwatch-agent + ] + +- macro: falco_sensitive_mount_containers + condition: (user_trusted_containers or + aws_eks_image_sensitive_mount or + container.image.repository in (trusted_images) or + container.image.repository in (falco_sensitive_mount_images) or + container.image.repository startswith quay.io/sysdig/) + +# Add conditions to this macro (probably in a separate file, +# overwriting this macro) to specify additional containers that are +# allowed to perform sensitive mounts. +# +# In this file, it just takes one of the images in falco_sensitive_mount_images +# and repeats it. +- macro: user_sensitive_mount_containers + condition: (never_true) + +- rule: Launch Privileged Container + desc: Detect the initial process started in a privileged container. Exceptions are made for known trusted images. 
+ condition: > + container_started and container + and container.privileged=true + and not falco_privileged_containers + and not user_privileged_containers + output: Privileged container started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag) + priority: INFO + tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement] + +# For now, only considering a full mount of /etc as +# sensitive. Ideally, this would also consider all subdirectories +# below /etc as well, but the globbing mechanism +# doesn't allow exclusions of a full pattern, only single characters. +- macro: sensitive_mount + condition: (container.mount.dest[/proc*] != "N/A" or + container.mount.dest[/var/run/docker.sock] != "N/A" or + container.mount.dest[/var/run/crio/crio.sock] != "N/A" or + container.mount.dest[/run/containerd/containerd.sock] != "N/A" or + container.mount.dest[/var/lib/kubelet] != "N/A" or + container.mount.dest[/var/lib/kubelet/pki] != "N/A" or + container.mount.dest[/] != "N/A" or + container.mount.dest[/home/admin] != "N/A" or + container.mount.dest[/etc] != "N/A" or + container.mount.dest[/etc/kubernetes] != "N/A" or + container.mount.dest[/etc/kubernetes/manifests] != "N/A" or + container.mount.dest[/root*] != "N/A") + +# The steps libcontainer performs to set up the root program for a container are: +# - clone + exec self to a program runc:[0:PARENT] +# - clone a program runc:[1:CHILD] which sets up all the namespaces +# - clone a second program runc:[2:INIT] + exec to the root program. +# The parent of runc:[2:INIT] is runc:0:PARENT] +# As soon as 1:CHILD is created, 0:PARENT exits, so there's a race +# where at the time 2:INIT execs the root program, 0:PARENT might have +# already exited, or might still be around. So we handle both. +# We also let runc:[1:CHILD] count as the parent process, which can occur +# when we lose events and lose track of state. 
+ +- macro: container_entrypoint + condition: (not proc.pname exists or proc.pname in (runc:[0:PARENT], runc:[1:CHILD], runc, docker-runc, exe, docker-runc-cur)) + +- rule: Launch Sensitive Mount Container + desc: > + Detect the initial process started by a container that has a mount from a sensitive host directory + (i.e. /proc). Exceptions are made for known trusted images. + condition: > + container_started and container + and sensitive_mount + and not falco_sensitive_mount_containers + and not user_sensitive_mount_containers + output: Container with sensitive mount started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag mounts=%container.mounts) + priority: INFO + tags: [container, cis, mitre_lateral_movement] + +# In a local/user rules file, you could override this macro to +# explicitly enumerate the container images that you want to run in +# your environment. In this main falco rules file, there isn't any way +# to know all the containers that can run, so any container is +# allowed, by using a filter that is guaranteed to evaluate to true. +# In the overridden macro, the condition would look something like +# (container.image.repository = vendor/container-1 or +# container.image.repository = vendor/container-2 or ...) + +- macro: allowed_containers + condition: (container.id exists) + +- rule: Launch Disallowed Container + desc: > + Detect the initial process started by a container that is not in a list of allowed containers. 
+ condition: container_started and container and not allowed_containers + output: Container started and not in allowed list (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag) + priority: WARNING + tags: [container, mitre_lateral_movement] + +- macro: user_known_system_user_login + condition: (never_true) + +# Anything run interactively by root +# - condition: evt.type != switch and user.name = root and proc.name != sshd and interactive +# output: "Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)" +# priority: WARNING + +- rule: System user interactive + desc: an attempt to run interactive commands by a system (i.e. non-login) user + condition: spawned_process and system_users and interactive and not user_known_system_user_login + output: "System user ran an interactive command (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline container_id=%container.id image=%container.image.repository)" + priority: INFO + tags: [users, mitre_remote_access_tools] + +# In some cases, a shell is expected to be run in a container. For example, configuration +# management software may do this, which is expected. +- macro: user_expected_terminal_shell_in_container_conditions + condition: (never_true) + +- rule: Terminal shell in container + desc: A shell was used as the entrypoint/exec point into a container with an attached terminal. 
+ condition: > + spawned_process and container + and shell_procs and proc.tty != 0 + and container_entrypoint + and not user_expected_terminal_shell_in_container_conditions + output: > + A shell was spawned in a container with an attached terminal (user=%user.name user_loginuid=%user.loginuid %container.info + shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository) + priority: NOTICE + tags: [container, shell, mitre_execution] + +# For some container types (mesos), there isn't a container image to +# work with, and the container name is autogenerated, so there isn't +# any stable aspect of the software to work with. In this case, we +# fall back to allowing certain command lines. + +- list: known_shell_spawn_cmdlines + items: [ + '"sh -c uname -p 2> /dev/null"', + '"sh -c uname -s 2>&1"', + '"sh -c uname -r 2>&1"', + '"sh -c uname -v 2>&1"', + '"sh -c uname -a 2>&1"', + '"sh -c ruby -v 2>&1"', + '"sh -c getconf CLK_TCK"', + '"sh -c getconf PAGESIZE"', + '"sh -c LC_ALL=C LANG=C /sbin/ldconfig -p 2>/dev/null"', + '"sh -c LANG=C /sbin/ldconfig -p 2>/dev/null"', + '"sh -c /sbin/ldconfig -p 2>/dev/null"', + '"sh -c stty -a 2>/dev/null"', + '"sh -c stty -a < /dev/tty"', + '"sh -c stty -g < /dev/tty"', + '"sh -c node index.js"', + '"sh -c node index"', + '"sh -c node ./src/start.js"', + '"sh -c node app.js"', + '"sh -c node -e \"require(''nan'')\""', + '"sh -c node -e \"require(''nan'')\")"', + '"sh -c node $NODE_DEBUG_OPTION index.js "', + '"sh -c crontab -l 2"', + '"sh -c lsb_release -a"', + '"sh -c lsb_release -is 2>/dev/null"', + '"sh -c whoami"', + '"sh -c node_modules/.bin/bower-installer"', + '"sh -c /bin/hostname -f 2> /dev/null"', + '"sh -c locale -a"', + '"sh -c -t -i"', + '"sh -c openssl version"', + '"bash -c id -Gn kafadmin"', + '"sh -c /bin/sh -c ''date +%%s''"' + ] + +# This list allows for easy additions to the set of commands allowed +# to run shells in containers without 
having to without having to copy +# and override the entire run shell in container macro. Once +# https://github.com/draios/falco/issues/255 is fixed this will be a +# bit easier, as someone could append of any of the existing lists. +- list: user_known_shell_spawn_binaries + items: [] + +# This macro allows for easy additions to the set of commands allowed +# to run shells in containers without having to override the entire +# rule. Its default value is an expression that always is false, which +# becomes true when the "not ..." in the rule is applied. +- macro: user_shell_container_exclusions + condition: (never_true) + +- macro: login_doing_dns_lookup + condition: (proc.name=login and fd.l4proto=udp and fd.sport=53) + +# sockfamily ip is to exclude certain processes (like 'groups') that communicate on unix-domain sockets +# systemd can listen on ports to launch things like sshd on demand +- rule: System procs network activity + desc: any network activity performed by system binaries that are not expected to send or receive any network traffic + condition: > + (fd.sockfamily = ip and (system_procs or proc.name in (shell_binaries))) + and (inbound_outbound) + and not proc.name in (known_system_procs_network_activity_binaries) + and not login_doing_dns_lookup + and not user_expected_system_procs_network_activity_conditions + output: > + Known system binary sent/received network traffic + (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository) + priority: NOTICE + tags: [network, mitre_exfiltration] + +# This list allows easily whitelisting system proc names that are +# expected to communicate on the network. +- list: known_system_procs_network_activity_binaries + items: [systemd, hostid, id] + +# This macro allows specifying conditions under which a system binary +# is allowed to communicate on the network. 
For instance, only specific +# proc.cmdline values could be allowed to be more granular in what is +# allowed. +- macro: user_expected_system_procs_network_activity_conditions + condition: (never_true) + +# When filled in, this should look something like: +# (proc.env contains "HTTP_PROXY=http://my.http.proxy.com ") +# The trailing space is intentional so avoid matching on prefixes of +# the actual proxy. +- macro: allowed_ssh_proxy_env + condition: (always_true) + +- list: http_proxy_binaries + items: [curl, wget] + +- macro: http_proxy_procs + condition: (proc.name in (http_proxy_binaries)) + +- rule: Program run with disallowed http proxy env + desc: An attempt to run a program with a disallowed HTTP_PROXY environment variable + condition: > + spawned_process and + http_proxy_procs and + not allowed_ssh_proxy_env and + proc.env icontains HTTP_PROXY + output: > + Program run with disallowed HTTP_PROXY environment variable + (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline env=%proc.env parent=%proc.pname container_id=%container.id image=%container.image.repository) + priority: NOTICE + tags: [host, users] + +# In some environments, any attempt by a interpreted program (perl, +# python, ruby, etc) to listen for incoming connections or perform +# outgoing connections might be suspicious. These rules are not +# enabled by default, but you can modify the following macros to +# enable them. + +- macro: consider_interpreted_inbound + condition: (never_true) + +- macro: consider_interpreted_outbound + condition: (never_true) + +- rule: Interpreted procs inbound network activity + desc: Any inbound network activity performed by any interpreted program (perl, python, ruby, etc.) 
+ condition: > + (inbound and consider_interpreted_inbound + and interpreted_procs) + output: > + Interpreted program received/listened for network traffic + (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository) + priority: NOTICE + tags: [network, mitre_exfiltration] + +- rule: Interpreted procs outbound network activity + desc: Any outbound network activity performed by any interpreted program (perl, python, ruby, etc.) + condition: > + (outbound and consider_interpreted_outbound + and interpreted_procs) + output: > + Interpreted program performed outgoing network connection + (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository) + priority: NOTICE + tags: [network, mitre_exfiltration] + +- list: openvpn_udp_ports + items: [1194, 1197, 1198, 8080, 9201] + +- list: l2tp_udp_ports + items: [500, 1701, 4500, 10000] + +- list: statsd_ports + items: [8125] + +- list: ntp_ports + items: [123] + +# Some applications will connect a udp socket to an address only to +# test connectivity. Assuming the udp connect works, they will follow +# up with a tcp connect that actually sends/receives data. +# +# With that in mind, we listed a few commonly seen ports here to avoid +# some false positives. In addition, we make the main rule opt-in, so +# it's disabled by default. 
+ +- list: test_connect_ports + items: [0, 9, 80, 3306] + +- macro: do_unexpected_udp_check + condition: (never_true) + +- list: expected_udp_ports + items: [53, openvpn_udp_ports, l2tp_udp_ports, statsd_ports, ntp_ports, test_connect_ports] + +- macro: expected_udp_traffic + condition: fd.port in (expected_udp_ports) + +- rule: Unexpected UDP Traffic + desc: UDP traffic not on port 53 (DNS) or other commonly used ports + condition: (inbound_outbound) and do_unexpected_udp_check and fd.l4proto=udp and not expected_udp_traffic + output: > + Unexpected UDP Traffic Seen + (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args container_id=%container.id image=%container.image.repository) + priority: NOTICE + tags: [network, mitre_exfiltration] + +# With the current restriction on system calls handled by falco +# (e.g. excluding read/write/sendto/recvfrom/etc, this rule won't +# trigger). +# - rule: Ssh error in syslog +# desc: any ssh errors (failed logins, disconnects, ...) sent to syslog +# condition: syslog and ssh_error_message and evt.dir = < +# output: "sshd sent error message to syslog (error=%evt.buffer)" +# priority: WARNING + +- macro: somebody_becoming_themselves + condition: ((user.name=nobody and evt.arg.uid=nobody) or + (user.name=www-data and evt.arg.uid=www-data) or + (user.name=_apt and evt.arg.uid=_apt) or + (user.name=postfix and evt.arg.uid=postfix) or + (user.name=pki-agent and evt.arg.uid=pki-agent) or + (user.name=pki-acme and evt.arg.uid=pki-acme) or + (user.name=nfsnobody and evt.arg.uid=nfsnobody) or + (user.name=postgres and evt.arg.uid=postgres)) + +- macro: nrpe_becoming_nagios + condition: (proc.name=nrpe and evt.arg.uid=nagios) + +# In containers, the user name might be for a uid that exists in the +# container but not on the host. (See +# https://github.com/draios/sysdig/issues/954). So in that case, allow +# a setuid. 
+- macro: known_user_in_container + condition: (container and user.name != "N/A") + +# Add conditions to this macro (probably in a separate file, +# overwriting this macro) to allow for specific combinations of +# programs changing users by calling setuid. +# +# In this file, it just takes one of the condition in the base macro +# and repeats it. +- macro: user_known_non_sudo_setuid_conditions + condition: user.name=root + +# sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs +- rule: Non sudo setuid + desc: > + an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody" + suing to itself are also excluded, as setuid calls typically involve dropping privileges. + condition: > + evt.type=setuid and evt.dir=> + and (known_user_in_container or not container) + and not (user.name=root or user.uid=0) + and not somebody_becoming_themselves + and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries, + nomachine_binaries) + and not proc.name startswith "runc:" + and not java_running_sdjagent + and not nrpe_becoming_nagios + and not user_known_non_sudo_setuid_conditions + output: > + Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname + command=%proc.cmdline uid=%evt.arg.uid container_id=%container.id image=%container.image.repository) + priority: NOTICE + tags: [users, mitre_privilege_escalation] + +- macro: user_known_user_management_activities + condition: (never_true) + +- macro: chage_list + condition: (proc.name=chage and (proc.cmdline contains "-l" or proc.cmdline contains "--list")) + +- rule: User mgmt binaries + desc: > + activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded. 
+ Activity in containers is also excluded--some containers create custom users on top + of a base linux distribution at startup. + Some innocuous command lines that don't actually change anything are excluded. + condition: > + spawned_process and proc.name in (user_mgmt_binaries) and + not proc.name in (su, sudo, lastlog, nologin, unix_chkpwd) and not container and + not proc.pname in (cron_binaries, systemd, systemd.postins, udev.postinst, run-parts) and + not proc.cmdline startswith "passwd -S" and + not proc.cmdline startswith "useradd -D" and + not proc.cmdline startswith "systemd --version" and + not run_by_qualys and + not run_by_sumologic_securefiles and + not run_by_yum and + not run_by_ms_oms and + not run_by_google_accounts_daemon and + not chage_list and + not user_known_user_management_activities + output: > + User management binary command run outside of container + (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4]) + priority: NOTICE + tags: [host, users, mitre_persistence] + +- list: allowed_dev_files + items: [ + /dev/null, /dev/stdin, /dev/stdout, /dev/stderr, + /dev/random, /dev/urandom, /dev/console, /dev/kmsg + ] + +- macro: user_known_create_files_below_dev_activities + condition: (never_true) + +# (we may need to add additional checks against false positives, see: +# https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/86153) +- rule: Create files below dev + desc: creating any files below /dev other than known programs that manage devices. Some rootkits hide files in /dev. 
+ condition: > + fd.directory = /dev and + (evt.type = creat or (evt.type in (open,openat,openat2) and evt.arg.flags contains O_CREAT)) + and not proc.name in (dev_creation_binaries) + and not fd.name in (allowed_dev_files) + and not fd.name startswith /dev/tty + and not user_known_create_files_below_dev_activities + output: "File created below /dev by untrusted program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)" + priority: ERROR + tags: [filesystem, mitre_persistence] + + +# In a local/user rules file, you could override this macro to +# explicitly enumerate the container images that you want to allow +# access to EC2 metadata. In this main falco rules file, there isn't +# any way to know all the containers that should have access, so any +# container is allowed, by repeating the "container" macro. In the +# overridden macro, the condition would look something like +# (container.image.repository = vendor/container-1 or +# container.image.repository = vendor/container-2 or ...) +- macro: ec2_metadata_containers + condition: container + +# On EC2 instances, 169.254.169.254 is a special IP used to fetch +# metadata about the instance. It may be desirable to prevent access +# to this IP from containers. +- rule: Contact EC2 Instance Metadata Service From Container + desc: Detect attempts to contact the EC2 Instance Metadata Service from a container + condition: outbound and fd.sip="169.254.169.254" and container and not ec2_metadata_containers + output: Outbound connection to EC2 instance metadata service (command=%proc.cmdline connection=%fd.name %container.info image=%container.image.repository:%container.image.tag) + priority: NOTICE + tags: [network, aws, container, mitre_discovery] + + +# This rule is not enabled by default, since this rule is for cloud environment(GCP, AWS and Azure) only. 
+# If you want to enable this rule, overwrite the first macro, +# And you can filter the container that you want to allow access to metadata by overwriting the second macro. +- macro: consider_metadata_access + condition: (never_true) + +- macro: user_known_metadata_access + condition: (k8s.ns.name = "kube-system") + +# On GCP, AWS and Azure, 169.254.169.254 is a special IP used to fetch +# metadata about the instance. The metadata could be used to get credentials by attackers. +- rule: Contact cloud metadata service from container + desc: Detect attempts to contact the Cloud Instance Metadata Service from a container + condition: outbound and fd.sip="169.254.169.254" and container and consider_metadata_access and not user_known_metadata_access + output: Outbound connection to cloud instance metadata service (command=%proc.cmdline connection=%fd.name %container.info image=%container.image.repository:%container.image.tag) + priority: NOTICE + tags: [network, container, mitre_discovery] + +# Containers from IBM Cloud +- list: ibm_cloud_containers + items: + - icr.io/ext/sysdig/agent + - registry.ng.bluemix.net/armada-master/metrics-server-amd64 + - registry.ng.bluemix.net/armada-master/olm + +# In a local/user rules file, list the namespace or container images that are +# allowed to contact the K8s API Server from within a container. This +# might cover cases where the K8s infrastructure itself is running +# within a container. 
+- macro: k8s_containers + condition: > + (container.image.repository in (gcr.io/google_containers/hyperkube-amd64, + gcr.io/google_containers/kube2sky, + docker.io/sysdig/sysdig, docker.io/falcosecurity/falco, + sysdig/sysdig, falcosecurity/falco, + fluent/fluentd-kubernetes-daemonset, prom/prometheus, + ibm_cloud_containers, + public.ecr.aws/falcosecurity/falco) + or (k8s.ns.name = "kube-system")) + +- macro: k8s_api_server + condition: (fd.sip.name="kubernetes.default.svc.cluster.local") + +- macro: user_known_contact_k8s_api_server_activities + condition: (never_true) + +- rule: Contact K8S API Server From Container + desc: Detect attempts to contact the K8S API Server from a container + condition: > + evt.type=connect and evt.dir=< and + (fd.typechar=4 or fd.typechar=6) and + container and + not k8s_containers and + k8s_api_server and + not user_known_contact_k8s_api_server_activities + output: Unexpected connection to K8s API Server from container (command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag connection=%fd.name) + priority: NOTICE + tags: [network, k8s, container, mitre_discovery] + +# In a local/user rules file, list the container images that are +# allowed to contact NodePort services from within a container. This +# might cover cases where the K8s infrastructure itself is running +# within a container. +# +# By default, all containers are allowed to contact NodePort services. 
+- macro: nodeport_containers + condition: container + +- rule: Unexpected K8s NodePort Connection + desc: Detect attempts to use K8s NodePorts from a container + condition: (inbound_outbound) and fd.sport >= 30000 and fd.sport <= 32767 and container and not nodeport_containers + output: Unexpected K8s NodePort Connection (command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository) + priority: NOTICE + tags: [network, k8s, container, mitre_port_knocking] + +- list: network_tool_binaries + items: [nc, ncat, nmap, dig, tcpdump, tshark, ngrep, telnet, mitmproxy, socat, zmap] + +- macro: network_tool_procs + condition: (proc.name in (network_tool_binaries)) + +# In a local/user rules file, create a condition that matches legitimate uses +# of a package management process inside a container. +# +# For example: +# - macro: user_known_package_manager_in_container +# condition: proc.cmdline="dpkg -l" +- macro: user_known_package_manager_in_container + condition: (never_true) + +# Container is supposed to be immutable. Package management should be done in building the image. 
+- rule: Launch Package Management Process in Container + desc: Package management process ran inside container + condition: > + spawned_process + and container + and user.name != "_apt" + and package_mgmt_procs + and not package_mgmt_ancestor_procs + and not user_known_package_manager_in_container + output: > + Package management process launched in container (user=%user.name user_loginuid=%user.loginuid + command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) + priority: ERROR + tags: [process, mitre_persistence] + +- rule: Netcat Remote Code Execution in Container + desc: Netcat Program runs inside container that allows remote code execution + condition: > + spawned_process and container and + ((proc.name = "nc" and (proc.args contains "-e" or proc.args contains "-c")) or + (proc.name = "ncat" and (proc.args contains "--sh-exec" or proc.args contains "--exec" or proc.args contains "-e " + or proc.args contains "-c " or proc.args contains "--lua-exec")) + ) + output: > + Netcat runs inside container that allows remote code execution (user=%user.name user_loginuid=%user.loginuid + command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) + priority: WARNING + tags: [network, process, mitre_execution] + +- macro: user_known_network_tool_activities + condition: (never_true) + +- rule: Launch Suspicious Network Tool in Container + desc: Detect network tools launched inside container + condition: > + spawned_process and container and network_tool_procs and not user_known_network_tool_activities + output: > + Network tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname + container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) + priority: NOTICE + tags: [network, process, mitre_discovery, 
mitre_exfiltration] + +# This rule is not enabled by default, as there are legitimate use +# cases for these tools on hosts. If you want to enable it, modify the +# following macro. +- macro: consider_network_tools_on_host + condition: (never_true) + +- rule: Launch Suspicious Network Tool on Host + desc: Detect network tools launched on the host + condition: > + spawned_process and + not container and + consider_network_tools_on_host and + network_tool_procs and + not user_known_network_tool_activities + output: > + Network tool launched on host (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname) + priority: NOTICE + tags: [network, process, mitre_discovery, mitre_exfiltration] + +- list: grep_binaries + items: [grep, egrep, fgrep] + +- macro: grep_commands + condition: (proc.name in (grep_binaries)) + +# a less restrictive search for things that might be passwords/ssh/user etc. +- macro: grep_more + condition: (never_true) + +- macro: private_key_or_password + condition: > + (proc.args icontains "BEGIN PRIVATE" or + proc.args icontains "BEGIN RSA PRIVATE" or + proc.args icontains "BEGIN DSA PRIVATE" or + proc.args icontains "BEGIN EC PRIVATE" or + (grep_more and + (proc.args icontains " pass " or + proc.args icontains " ssh " or + proc.args icontains " user ")) + ) + +- rule: Search Private Keys or Passwords + desc: > + Detect grep private keys or passwords activity. 
+ condition: > + (spawned_process and + ((grep_commands and private_key_or_password) or + (proc.name = "find" and (proc.args contains "id_rsa" or proc.args contains "id_dsa"))) + ) + output: > + Grep private keys or passwords activities found + (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline container_id=%container.id container_name=%container.name + image=%container.image.repository:%container.image.tag) + priority: + WARNING + tags: [process, mitre_credential_access] + +- list: log_directories + items: [/var/log, /dev/log] + +- list: log_files + items: [syslog, auth.log, secure, kern.log, cron, user.log, dpkg.log, last.log, yum.log, access_log, mysql.log, mysqld.log] + +- macro: access_log_files + condition: (fd.directory in (log_directories) or fd.filename in (log_files)) + +# a placeholder for whitelist log files that could be cleared. Recommend the macro as (fd.name startswith "/var/log/app1*") +- macro: allowed_clear_log_files + condition: (never_true) + +- macro: trusted_logging_images + condition: (container.image.repository endswith "splunk/fluentd-hec" or + container.image.repository endswith "fluent/fluentd-kubernetes-daemonset" or + container.image.repository endswith "openshift3/ose-logging-fluentd" or + container.image.repository endswith "containernetworking/azure-npm") + +- rule: Clear Log Activities + desc: Detect clearing of critical log files + condition: > + open_write and + access_log_files and + evt.arg.flags contains "O_TRUNC" and + not trusted_logging_images and + not allowed_clear_log_files + output: > + Log files were tampered (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository) + priority: + WARNING + tags: [file, mitre_defense_evasion] + +- list: data_remove_commands + items: [shred, mkfs, mke2fs] + +- macro: clear_data_procs + condition: (proc.name in (data_remove_commands)) + +- macro: user_known_remove_data_activities + 
condition: (never_true) + +- rule: Remove Bulk Data from Disk + desc: Detect process running to clear bulk data from disk + condition: spawned_process and clear_data_procs and not user_known_remove_data_activities + output: > + Bulk data has been removed from disk (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository) + priority: + WARNING + tags: [process, mitre_persistence] + +- macro: modify_shell_history + condition: > + (modify and ( + evt.arg.name contains "bash_history" or + evt.arg.name endswith "zsh_history" or + evt.arg.name contains "fish_read_history" or + evt.arg.name endswith "fish_history" or + evt.arg.oldpath contains "bash_history" or + evt.arg.oldpath endswith "zsh_history" or + evt.arg.oldpath contains "fish_read_history" or + evt.arg.oldpath endswith "fish_history" or + evt.arg.path contains "bash_history" or + evt.arg.path endswith "zsh_history" or + evt.arg.path contains "fish_read_history" or + evt.arg.path endswith "fish_history")) + +- macro: truncate_shell_history + condition: > + (open_write and ( + fd.name contains "bash_history" or + fd.name endswith "zsh_history" or + fd.name contains "fish_read_history" or + fd.name endswith "fish_history") and evt.arg.flags contains "O_TRUNC") + +- macro: var_lib_docker_filepath + condition: (evt.arg.name startswith /var/lib/docker or fd.name startswith /var/lib/docker) + +- rule: Delete or rename shell history + desc: Detect shell history deletion + condition: > + (modify_shell_history or truncate_shell_history) and + not var_lib_docker_filepath and + not proc.name in (docker_binaries) + output: > + Shell history had been deleted or renamed (user=%user.name user_loginuid=%user.loginuid type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info) + priority: + WARNING + tags: [process, mitre_defense_evasion] + +# This rule is deprecated and 
will/should never be triggered. Keep it here for backport compatibility. +# Rule Delete or rename shell history is the preferred rule to use now. +- rule: Delete Bash History + desc: Detect bash history deletion + condition: > + ((spawned_process and proc.name in (shred, rm, mv) and proc.args contains "bash_history") or + (open_write and fd.name contains "bash_history" and evt.arg.flags contains "O_TRUNC")) + output: > + Shell history had been deleted or renamed (user=%user.name user_loginuid=%user.loginuid type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info) + priority: + WARNING + tags: [process, mitre_defense_evasion] + +- macro: consider_all_chmods + condition: (always_true) + +- list: user_known_chmod_applications + items: [hyperkube, kubelet, k3s-agent] + +# This macro should be overridden in user rules as needed. This is useful if a given application +# should not be ignored altogether with the user_known_chmod_applications list, but only in +# specific conditions. +- macro: user_known_set_setuid_or_setgid_bit_conditions + condition: (never_true) + +- rule: Set Setuid or Setgid bit + desc: > + When the setuid or setgid bits are set for an application, + this means that the application will run with the privileges of the owning user or group respectively. 
+ Detect setuid or setgid bits set via chmod + condition: > + consider_all_chmods and chmod and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID") + and not proc.name in (user_known_chmod_applications) + and not exe_running_docker_save + and not user_known_set_setuid_or_setgid_bit_conditions + enabled: false + output: > + Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name user_loginuid=%user.loginuid process=%proc.name + command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) + priority: + NOTICE + tags: [process, mitre_persistence] + +- list: exclude_hidden_directories + items: [/root/.cassandra] + +# To use this rule, you should modify consider_hidden_file_creation. +- macro: consider_hidden_file_creation + condition: (never_true) + +- macro: user_known_create_hidden_file_activities + condition: (never_true) + +- rule: Create Hidden Files or Directories + desc: Detect hidden files or directories created + condition: > + ((modify and evt.arg.newpath contains "/.") or + (mkdir and evt.arg.path contains "/.") or + (open_write and evt.arg.flags contains "O_CREAT" and fd.name contains "/." 
and not fd.name pmatch (exclude_hidden_directories))) and + consider_hidden_file_creation and + not user_known_create_hidden_file_activities + and not exe_running_docker_save + output: > + Hidden file or directory created (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline + file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) + priority: + NOTICE + tags: [file, mitre_persistence] + +- list: remote_file_copy_binaries + items: [rsync, scp, sftp, dcp] + +- macro: remote_file_copy_procs + condition: (proc.name in (remote_file_copy_binaries)) + +# Users should overwrite this macro to specify conditions under which a +# Custom condition for use of remote file copy tool in container +- macro: user_known_remote_file_copy_activities + condition: (never_true) + +- rule: Launch Remote File Copy Tools in Container + desc: Detect remote file copy tools launched in container + condition: > + spawned_process + and container + and remote_file_copy_procs + and not user_known_remote_file_copy_activities + output: > + Remote file copy tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname + container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) + priority: NOTICE + tags: [network, process, mitre_lateral_movement, mitre_exfiltration] + +- rule: Create Symlink Over Sensitive Files + desc: Detect symlink created over sensitive files + condition: > + create_symlink and + (evt.arg.target in (sensitive_file_names) or evt.arg.target in (sensitive_directory_names)) + output: > + Symlinks created over sensitive files (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline target=%evt.arg.target linkpath=%evt.arg.linkpath parent_process=%proc.pname) + priority: WARNING + tags: [file, mitre_exfiltration] + +- rule: Create Hardlink Over 
Sensitive Files + desc: Detect hardlink created over sensitive files + condition: > + create_hardlink and + (evt.arg.oldpath in (sensitive_file_names)) + output: > + Hardlinks created over sensitive files (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline target=%evt.arg.oldpath linkpath=%evt.arg.newpath parent_process=%proc.pname) + priority: WARNING + tags: [file, mitre_exfiltration] + +- list: miner_ports + items: [ + 25, 3333, 3334, 3335, 3336, 3357, 4444, + 5555, 5556, 5588, 5730, 6099, 6666, 7777, + 7778, 8000, 8001, 8008, 8080, 8118, 8333, + 8888, 8899, 9332, 9999, 14433, 14444, + 45560, 45700 + ] + +- list: miner_domains + items: [ + "asia1.ethpool.org","ca.minexmr.com", + "cn.stratum.slushpool.com","de.minexmr.com", + "eth-ar.dwarfpool.com","eth-asia.dwarfpool.com", + "eth-asia1.nanopool.org","eth-au.dwarfpool.com", + "eth-au1.nanopool.org","eth-br.dwarfpool.com", + "eth-cn.dwarfpool.com","eth-cn2.dwarfpool.com", + "eth-eu.dwarfpool.com","eth-eu1.nanopool.org", + "eth-eu2.nanopool.org","eth-hk.dwarfpool.com", + "eth-jp1.nanopool.org","eth-ru.dwarfpool.com", + "eth-ru2.dwarfpool.com","eth-sg.dwarfpool.com", + "eth-us-east1.nanopool.org","eth-us-west1.nanopool.org", + "eth-us.dwarfpool.com","eth-us2.dwarfpool.com", + "eu.stratum.slushpool.com","eu1.ethermine.org", + "eu1.ethpool.org","fr.minexmr.com", + "mine.moneropool.com","mine.xmrpool.net", + "pool.minexmr.com","pool.monero.hashvault.pro", + "pool.supportxmr.com","sg.minexmr.com", + "sg.stratum.slushpool.com","stratum-eth.antpool.com", + "stratum-ltc.antpool.com","stratum-zec.antpool.com", + "stratum.antpool.com","us-east.stratum.slushpool.com", + "us1.ethermine.org","us1.ethpool.org", + "us2.ethermine.org","us2.ethpool.org", + "xmr-asia1.nanopool.org","xmr-au1.nanopool.org", + "xmr-eu1.nanopool.org","xmr-eu2.nanopool.org", + "xmr-jp1.nanopool.org","xmr-us-east1.nanopool.org", + "xmr-us-west1.nanopool.org","xmr.crypto-pool.fr", + "xmr.pool.minergate.com", "rx.unmineable.com", + 
"ss.antpool.com","dash.antpool.com", + "eth.antpool.com","zec.antpool.com", + "xmc.antpool.com","btm.antpool.com", + "stratum-dash.antpool.com","stratum-xmc.antpool.com", + "stratum-btm.antpool.com" + ] + +- list: https_miner_domains + items: [ + "ca.minexmr.com", + "cn.stratum.slushpool.com", + "de.minexmr.com", + "fr.minexmr.com", + "mine.moneropool.com", + "mine.xmrpool.net", + "pool.minexmr.com", + "sg.minexmr.com", + "stratum-eth.antpool.com", + "stratum-ltc.antpool.com", + "stratum-zec.antpool.com", + "stratum.antpool.com", + "xmr.crypto-pool.fr", + "ss.antpool.com", + "stratum-dash.antpool.com", + "stratum-xmc.antpool.com", + "stratum-btm.antpool.com", + "btm.antpool.com" + ] + +- list: http_miner_domains + items: [ + "ca.minexmr.com", + "de.minexmr.com", + "fr.minexmr.com", + "mine.moneropool.com", + "mine.xmrpool.net", + "pool.minexmr.com", + "sg.minexmr.com", + "xmr.crypto-pool.fr" + ] + +# Add rule based on crypto mining IOCs +- macro: minerpool_https + condition: (fd.sport="443" and fd.sip.name in (https_miner_domains)) + +- macro: minerpool_http + condition: (fd.sport="80" and fd.sip.name in (http_miner_domains)) + +- macro: minerpool_other + condition: (fd.sport in (miner_ports) and fd.sip.name in (miner_domains)) + +- macro: net_miner_pool + condition: (evt.type in (sendto, sendmsg) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other))) + +- macro: trusted_images_query_miner_domain_dns + condition: (container.image.repository in (docker.io/falcosecurity/falco, falcosecurity/falco, public.ecr.aws/falcosecurity/falco)) + append: false + +# The rule is disabled by default. +# Note: falco will send DNS request to resolve miner pool domain which may trigger alerts in your environment. +- rule: Detect outbound connections to common miner pool ports + desc: Miners typically connect to miner pools on common ports. 
+ condition: net_miner_pool and not trusted_images_query_miner_domain_dns + enabled: false + output: Outbound connection to IP/Port flagged by https://cryptoioc.ch (command=%proc.cmdline port=%fd.rport ip=%fd.rip container=%container.info image=%container.image.repository) + priority: CRITICAL + tags: [network, mitre_execution] + +- rule: Detect crypto miners using the Stratum protocol + desc: Miners typically specify the mining pool to connect to with a URI that begins with 'stratum+tcp' + condition: spawned_process and (proc.cmdline contains "stratum+tcp" or proc.cmdline contains "stratum2+tcp" or proc.cmdline contains "stratum+ssl" or proc.cmdline contains "stratum2+ssl") + output: Possible miner running (command=%proc.cmdline container=%container.info image=%container.image.repository) + priority: CRITICAL + tags: [process, mitre_execution] + +- list: k8s_client_binaries + items: [docker, kubectl, crictl] + +- list: user_known_k8s_ns_kube_system_images + items: [ + k8s.gcr.io/fluentd-gcp-scaler, + k8s.gcr.io/node-problem-detector/node-problem-detector + ] + +- list: user_known_k8s_images + items: [ + mcr.microsoft.com/aks/hcp/hcp-tunnel-front + ] + +# Whitelist for known docker client binaries run inside container +# - k8s.gcr.io/fluentd-gcp-scaler in GCP/GKE +- macro: user_known_k8s_client_container + condition: > + (k8s.ns.name="kube-system" and container.image.repository in (user_known_k8s_ns_kube_system_images)) or container.image.repository in (user_known_k8s_images) + +- macro: user_known_k8s_client_container_parens + condition: (user_known_k8s_client_container) + +- rule: The docker client is executed in a container + desc: Detect a k8s client tool executed inside a container + condition: spawned_process and container and not user_known_k8s_client_container_parens and proc.name in (k8s_client_binaries) + output: "Docker or kubernetes client executed in container (user=%user.name user_loginuid=%user.loginuid %container.info parent=%proc.pname 
cmdline=%proc.cmdline image=%container.image.repository:%container.image.tag)" + priority: WARNING + tags: [container, mitre_execution] + + +# This rule is enabled by default. +# If you want to disable it, modify the following macro. +- macro: consider_packet_socket_communication + condition: (always_true) + +- list: user_known_packet_socket_binaries + items: [] + +- rule: Packet socket created in container + desc: Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used for ARP Spoofing and privilege escalation(CVE-2020-14386) by attacker. + condition: evt.type=socket and evt.arg[0]=AF_PACKET and consider_packet_socket_communication and container and not proc.name in (user_known_packet_socket_binaries) + output: Packet socket was created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline socket_info=%evt.args container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) + priority: NOTICE + tags: [network, mitre_discovery] + +# Change to (always_true) to enable rule 'Network connection outside local subnet' +- macro: enabled_rule_network_only_subnet + condition: (never_true) + +# Namespaces where the rule is enforce +- list: namespace_scope_network_only_subnet + items: [] + +- macro: network_local_subnet + condition: > + fd.rnet in (rfc_1918_addresses) or + fd.ip = "0.0.0.0" or + fd.net = "127.0.0.0/8" + +# # How to test: +# # Change macro enabled_rule_network_only_subnet to condition: always_true +# # Add 'default' to namespace_scope_network_only_subnet +# # Run: +# kubectl run --generator=run-pod/v1 -n default -i --tty busybox --image=busybox --rm -- wget google.com -O /var/google.html +# # Check logs running + +- rule: Network Connection outside Local Subnet + desc: Detect traffic to image outside local subnet. 
+ condition: > + enabled_rule_network_only_subnet and + inbound_outbound and + container and + not network_local_subnet and + k8s.ns.name in (namespace_scope_network_only_subnet) + output: > + Network connection outside local subnet + (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id + image=%container.image.repository namespace=%k8s.ns.name + fd.rip.name=%fd.rip.name fd.lip.name=%fd.lip.name fd.cip.name=%fd.cip.name fd.sip.name=%fd.sip.name) + priority: WARNING + tags: [network] + +- macro: allowed_port + condition: (never_true) + +- list: allowed_image + items: [] # add image to monitor, i.e.: bitnami/nginx + +- list: authorized_server_port + items: [] # add port to allow, i.e.: 80 + +# # How to test: +# kubectl run --image=nginx nginx-app --port=80 --env="DOMAIN=cluster" +# kubectl expose deployment nginx-app --port=80 --name=nginx-http --type=LoadBalancer +# # On minikube: +# minikube service nginx-http +# # On general K8s: +# kubectl get services +# kubectl cluster-info +# # Visit the Nginx service and port, should not fire. +# # Change rule to different port, then different process name, and test again that it fires. + +- rule: Outbound or Inbound Traffic not to Authorized Server Process and Port + desc: Detect traffic that is not to authorized server process and port. 
+ condition: > + allowed_port and + inbound_outbound and + container and + container.image.repository in (allowed_image) and + not proc.name in (authorized_server_binary) and + not fd.sport in (authorized_server_port) + output: > + Network connection outside authorized port and binary + (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id + image=%container.image.repository) + priority: WARNING + tags: [network] + +- macro: user_known_stand_streams_redirect_activities + condition: (never_true) + +- rule: Redirect STDOUT/STDIN to Network Connection in Container + desc: Detect redirecting stdout/stdin to network connection in container (potential reverse shell). + condition: evt.type=dup and evt.dir=> and container and fd.num in (0, 1, 2) and fd.type in ("ipv4", "ipv6") and not user_known_stand_streams_redirect_activities + output: > + Redirect stdout/stdin to network connection (user=%user.name user_loginuid=%user.loginuid %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip) + priority: WARNING + +# The two Container Drift rules below will fire when a new executable is created in a container. +# There are two ways to create executables - file is created with execution permissions or permissions change of existing file. +# We will use a new filter, is_open_exec, to find all files creations with execution permission, and will trace all chmods in a container. +# The use case we are targeting here is an attempt to execute code that was not shipped as part of a container (drift) - +# an activity that might be malicious or non-compliant. 
+# Two things to pay attention to: +# 1) In most cases, 'docker cp' will not be identified, but the assumption is that if an attacker gained access to the container runtime daemon, they are already privileged +# 2) Drift rules will be noisy in environments in which containers are built (e.g. docker build) +# These two rules are not enabled by default. Use `never_true` in macro condition to enable them. + +- macro: user_known_container_drift_activities + condition: (always_true) + +- rule: Container Drift Detected (chmod) + desc: New executable created in a container due to chmod + condition: > + chmod and + consider_all_chmods and + container and + not runc_writing_exec_fifo and + not runc_writing_var_lib_docker and + not user_known_container_drift_activities and + evt.rawres>=0 and + ((evt.arg.mode contains "S_IXUSR") or + (evt.arg.mode contains "S_IXGRP") or + (evt.arg.mode contains "S_IXOTH")) + output: Drift detected (chmod), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type) + priority: ERROR + +# **************************************************************************** +# * "Container Drift Detected (open+create)" requires FALCO_ENGINE_VERSION 6 * +# **************************************************************************** +- rule: Container Drift Detected (open+create) + desc: New executable created in a container due to open+create + condition: > + evt.type in (open,openat,openat2,creat) and + evt.is_open_exec=true and + container and + not runc_writing_exec_fifo and + not runc_writing_var_lib_docker and + not user_known_container_drift_activities and + evt.rawres>=0 + output: Drift detected (open+create), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type) + priority: ERROR + +- 
list: c2_server_ip_list + items: [] + +- rule: Outbound Connection to C2 Servers + desc: Detect outbound connection to command & control servers + condition: outbound and fd.sip in (c2_server_ip_list) + output: Outbound connection to C2 server (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository) + priority: WARNING + tags: [network] + +- list: white_listed_modules + items: [] + +- rule: Linux Kernel Module Injection Detected + desc: Detect kernel module was injected (from container). + condition: spawned_process and container and proc.name=insmod and not proc.args in (white_listed_modules) + output: Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args %container.info image=%container.image.repository:%container.image.tag) + priority: WARNING + tags: [process] + +- list: run_as_root_image_list + items: [] + +- macro: user_known_run_as_root_container + condition: (container.image.repository in (run_as_root_image_list)) + +# The rule is disabled by default and should be enabled when non-root container policy has been applied. +# Note the rule will not work as expected when usernamespace is applied, e.g. userns-remap is enabled. 
+- rule: Container Run as Root User + desc: Detected container running as root user + condition: spawned_process and container and proc.vpid=1 and user.uid=0 and not user_known_run_as_root_container + enabled: false + output: Container launched with root user privilege (uid=%user.uid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) + priority: INFO + tags: [container, process] + +# This rule helps detect CVE-2021-3156: +# A privilege escalation to root through heap-based buffer overflow +- rule: Sudo Potential Privilege Escalation + desc: Privilege escalation vulnerability affecting sudo (<= 1.9.5p2). Executing sudo using sudoedit -s or sudoedit -i command with command-line argument that ends with a single backslash character from an unprivileged user it's possible to elevate the user privileges to root. + condition: spawned_process and user.uid != 0 and (proc.name=sudoedit or proc.name = sudo) and (proc.args contains -s or proc.args contains -i or proc.args contains --login) and (proc.args contains "\ " or proc.args endswith \) + output: "Detect Sudo Privilege Escalation Exploit (CVE-2021-3156) (user=%user.name parent=%proc.pname cmdline=%proc.cmdline %container.info)" + priority: CRITICAL + tags: [filesystem, mitre_privilege_escalation] + +- rule: Debugfs Launched in Privileged Container + desc: Detect file system debugger debugfs launched inside a privileged container which might lead to container escape. 
+ condition: > + spawned_process and container + and container.privileged=true + and proc.name=debugfs + output: Debugfs launched started in a privileged container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag) + priority: WARNING + tags: [container, cis, mitre_lateral_movement] + +- macro: mount_info + condition: (proc.args="" or proc.args intersects ("-V", "-l", "-h")) + +- rule: Mount Launched in Privileged Container + desc: Detect file system mount happened inside a privileged container which might lead to container escape. + condition: > + spawned_process and container + and container.privileged=true + and proc.name=mount + and not mount_info + output: Mount was executed inside a privileged container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag) + priority: WARNING + tags: [container, cis, mitre_lateral_movement] + +- macro: consider_userfaultfd_activities + condition: (always_true) + +- list: user_known_userfaultfd_processes + items: [] + +- rule: Unprivileged Delegation of Page Faults Handling to a Userspace Process + desc: Detect a successful unprivileged userfaultfd syscall which might act as an attack primitive to exploit other bugs + condition: > + consider_userfaultfd_activities and + evt.type = userfaultfd and + user.uid != 0 and + (evt.rawres >= 0 or evt.res != -1) and + not proc.name in (user_known_userfaultfd_processes) + output: An userfaultfd syscall was successfully executed by an unprivileged user (user=%user.name user_loginuid=%user.loginuid process=%proc.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag) + priority: CRITICAL + tags: [syscall, mitre_defense_evasion] + +- list: ingress_remote_file_copy_binaries + items: [wget] + +- macro: ingress_remote_file_copy_procs + condition: (proc.name in 
(ingress_remote_file_copy_binaries)) + +# Users should overwrite this macro to specify conditions under which a +# Custom condition for use of ingress remote file copy tool in container +- macro: user_known_ingress_remote_file_copy_activities + condition: (never_true) + +- macro: curl_download + condition: proc.name = curl and + (proc.cmdline contains " > " or + proc.cmdline contains " >> " or + proc.cmdline contains " | " or + proc.cmdline contains " -o " or + proc.cmdline contains " --output " or + proc.cmdline contains " -O " or + proc.cmdline contains " --remote-name ") + +- rule: Launch Ingress Remote File Copy Tools in Container + desc: Detect ingress remote file copy tools launched in container + condition: > + spawned_process and + container and + (ingress_remote_file_copy_procs or curl_download) and + not user_known_ingress_remote_file_copy_activities + output: > + Ingress remote file copy tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname + container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) + priority: NOTICE + tags: [network, process, mitre_command_and_control] + +# This rule helps detect CVE-2021-4034: +# A privilege escalation to root through memory corruption +- rule: Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) + desc: "This rule detects an attempt to exploit a privilege escalation vulnerability in Polkit's pkexec. 
By running specially crafted code, a local user can leverage this flaw to gain root privileges on a compromised system" + condition: + spawned_process and user.uid != 0 and proc.name=pkexec and proc.args = '' + output: + "Detect Polkit pkexec Local Privilege Escalation Exploit (CVE-2021-4034) (user=%user.loginname uid=%user.loginuid command=%proc.cmdline args=%proc.args)" + priority: CRITICAL + tags: [process, mitre_privilege_escalation] + +# Application rules have moved to application_rules.yaml. Please look +# there if you want to enable them by adding to +# falco_rules.local.yaml. \ No newline at end of file diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/rules/k8s_audit_rules.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/rules/k8s_audit_rules.yaml new file mode 100644 index 000000000..bb6deb73c --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/rules/k8s_audit_rules.yaml 
@@ -0,0 +1,669 @@ +# +# Copyright (C) 2019 The Falco Authors. +# +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +- required_engine_version: 2 + +# Like always_true/always_false, but works with k8s audit events +- macro: k8s_audit_always_true + condition: (jevt.rawtime exists) + +- macro: k8s_audit_never_true + condition: (jevt.rawtime=0) + +# Generally only consider audit events once the response has completed +- list: k8s_audit_stages + items: ["ResponseComplete"] + +# Generally exclude users starting with "system:" +- macro: non_system_user + condition: (not ka.user.name startswith "system:") + +# This macro selects the set of Audit Events used by the below rules. +- macro: kevt + condition: (jevt.value[/stage] in (k8s_audit_stages)) + +- macro: kevt_started + condition: (jevt.value[/stage]=ResponseStarted) + +# If you wish to restrict activity to a specific set of users, override/append to this list. 
+# users created by kops are included +- list: vertical_pod_autoscaler_users + items: ["vpa-recommender", "vpa-updater"] + +- list: allowed_k8s_users + items: [ + "minikube", "minikube-user", "kubelet", "kops", "admin", "kube", "kube-proxy", "kube-apiserver-healthcheck", + "kubernetes-admin", + vertical_pod_autoscaler_users, + cluster-autoscaler, + "system:addon-manager", + "cloud-controller-manager", + "eks:node-manager", + "system:kube-controller-manager" + ] + +- rule: Disallowed K8s User + desc: Detect any k8s operation by users outside of an allowed set of users. + condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users) + output: K8s Operation performed by user not in allowed list of users (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code) + priority: WARNING + source: k8s_audit + tags: [k8s] + +# In a local/user rules file, you could override this macro to +# explicitly enumerate the container images that you want to run in +# your environment. In this main falco rules file, there isn't any way +# to know all the containers that can run, so any container is +# allowed, by using the always_true macro. 
In the overridden macro, the condition +# would look something like (ka.req.pod.containers.image.repository in (my-repo/my-image)) +- macro: allowed_k8s_containers + condition: (k8s_audit_always_true) + +- macro: response_successful + condition: (ka.response.code startswith 2) + +- macro: kcreate + condition: ka.verb=create + +- macro: kmodify + condition: (ka.verb in (create,update,patch)) + +- macro: kdelete + condition: ka.verb=delete + +- macro: pod + condition: ka.target.resource=pods and not ka.target.subresource exists + +- macro: pod_subresource + condition: ka.target.resource=pods and ka.target.subresource exists + +- macro: deployment + condition: ka.target.resource=deployments + +- macro: service + condition: ka.target.resource=services + +- macro: configmap + condition: ka.target.resource=configmaps + +- macro: namespace + condition: ka.target.resource=namespaces + +- macro: serviceaccount + condition: ka.target.resource=serviceaccounts + +- macro: clusterrole + condition: ka.target.resource=clusterroles + +- macro: clusterrolebinding + condition: ka.target.resource=clusterrolebindings + +- macro: role + condition: ka.target.resource=roles + +- macro: secret + condition: ka.target.resource=secrets + +- macro: health_endpoint + condition: ka.uri=/healthz + +- rule: Create Disallowed Pod + desc: > + Detect an attempt to start a pod with a container image outside of a list of allowed images. 
+ condition: kevt and pod and kcreate and not allowed_k8s_containers + output: Pod started with container not in allowed list (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image) + priority: WARNING + source: k8s_audit + tags: [k8s] + +- rule: Create Privileged Pod + desc: > + Detect an attempt to start a pod with a privileged container + condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (falco_privileged_images) + output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image) + priority: WARNING + source: k8s_audit + tags: [k8s] + +- macro: sensitive_vol_mount + condition: > + (ka.req.pod.volumes.hostpath intersects (/proc, /var/run/docker.sock, /, /etc, /root, /var/run/crio/crio.sock, /home/admin, /var/lib/kubelet, /var/lib/kubelet/pki, /etc/kubernetes, /etc/kubernetes/manifests)) + +- rule: Create Sensitive Mount Pod + desc: > + Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc). + Exceptions are made for known trusted images. 
+ condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.pod.containers.image.repository in (falco_sensitive_mount_images) + output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image volumes=%jevt.value[/requestObject/spec/volumes]) + priority: WARNING + source: k8s_audit + tags: [k8s] + +# These container images are allowed to run with hostnetwork=true +- list: falco_hostnetwork_images + items: [ + gcr.io/google-containers/prometheus-to-sd, + gcr.io/projectcalico-org/typha, + gcr.io/projectcalico-org/node, + gke.gcr.io/gke-metadata-server, + gke.gcr.io/kube-proxy, + gke.gcr.io/netd-amd64, + k8s.gcr.io/ip-masq-agent-amd64 + k8s.gcr.io/prometheus-to-sd, + ] + +# Corresponds to K8s CIS Benchmark 1.7.4 +- rule: Create HostNetwork Pod + desc: Detect an attempt to start a pod using the host network. + condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostnetwork_images) + output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image) + priority: WARNING + source: k8s_audit + tags: [k8s] + +- macro: user_known_node_port_service + condition: (k8s_audit_never_true) + +- rule: Create NodePort Service + desc: > + Detect an attempt to start a service with a NodePort service type + condition: kevt and service and kcreate and ka.req.service.type=NodePort and not user_known_node_port_service + output: NodePort Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace ports=%ka.req.service.ports) + priority: WARNING + source: k8s_audit + tags: [k8s] + +- macro: contains_private_credentials + condition: > + (ka.req.configmap.obj contains "aws_access_key_id" or + ka.req.configmap.obj contains "aws-access-key-id" or + ka.req.configmap.obj contains "aws_s3_access_key_id" or + ka.req.configmap.obj 
contains "aws-s3-access-key-id" or + ka.req.configmap.obj contains "password" or + ka.req.configmap.obj contains "passphrase") + +- rule: Create/Modify Configmap With Private Credentials + desc: > + Detect creating/modifying a configmap containing a private credential (aws key, password, etc.) + condition: kevt and configmap and kmodify and contains_private_credentials + output: K8s configmap with private credential (user=%ka.user.name verb=%ka.verb configmap=%ka.req.configmap.name config=%ka.req.configmap.obj) + priority: WARNING + source: k8s_audit + tags: [k8s] + +# Corresponds to K8s CIS Benchmark, 1.1.1. +- rule: Anonymous Request Allowed + desc: > + Detect any request made by the anonymous user that was allowed + condition: kevt and ka.user.name=system:anonymous and ka.auth.decision="allow" and not health_endpoint + output: Request by anonymous user allowed (user=%ka.user.name verb=%ka.verb uri=%ka.uri reason=%ka.auth.reason)) + priority: WARNING + source: k8s_audit + tags: [k8s] + +# Roughly corresponds to K8s CIS Benchmark, 1.1.12. In this case, +# notifies an attempt to exec/attach to a privileged container. + +# Ideally, we'd add a more stringent rule that detects attaches/execs +# to a privileged pod, but that requires the engine for k8s audit +# events to be stateful, so it could know if a container named in an +# attach request was created privileged or not. For now, we have a +# less severe rule that detects attaches/execs to any pod. +# +# For the same reason, you can't use things like image names/prefixes, +# as the event that creates the pod (which has the images) is a +# separate event than the actual exec/attach to the pod. 
+ +- macro: user_known_exec_pod_activities + condition: (k8s_audit_never_true) + +- rule: Attach/Exec Pod + desc: > + Detect any attempt to attach/exec to a pod + condition: kevt_started and pod_subresource and kcreate and ka.target.subresource in (exec,attach) and not user_known_exec_pod_activities + output: Attach/Exec to pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace action=%ka.target.subresource command=%ka.uri.param[command]) + priority: NOTICE + source: k8s_audit + tags: [k8s] + +- macro: user_known_pod_debug_activities + condition: (k8s_audit_never_true) + +# Only works when feature gate EphemeralContainers is enabled +- rule: EphemeralContainers Created + desc: > + Detect any ephemeral container created + condition: kevt and pod_subresource and kmodify and ka.target.subresource in (ephemeralcontainers) and not user_known_pod_debug_activities + output: Ephemeral container is created in pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace ephemeral_container_name=%jevt.value[/requestObject/ephemeralContainers/0/name] ephemeral_container_image=%jevt.value[/requestObject/ephemeralContainers/0/image]) + priority: NOTICE + source: k8s_audit + tags: [k8s] + +# In a local/user rules fie, you can append to this list to add additional allowed namespaces +- list: allowed_namespaces + items: [kube-system, kube-public, default] + +- rule: Create Disallowed Namespace + desc: Detect any attempt to create a namespace outside of a set of known namespaces + condition: kevt and namespace and kcreate and not ka.target.name in (allowed_namespaces) + output: Disallowed namespace created (user=%ka.user.name ns=%ka.target.name) + priority: WARNING + source: k8s_audit + tags: [k8s] + +# Only defined for backwards compatibility. Use the more specific +# user_allowed_kube_namespace_image_list instead. 
+- list: user_trusted_image_list + items: [] + +- list: user_allowed_kube_namespace_image_list + items: [user_trusted_image_list] + +# Only defined for backwards compatibility. Use the more specific +# allowed_kube_namespace_image_list instead. +- list: k8s_image_list + items: [] + +- list: allowed_kube_namespace_image_list + items: [ + gcr.io/google-containers/prometheus-to-sd, + gcr.io/projectcalico-org/node, + gke.gcr.io/addon-resizer, + gke.gcr.io/heapster, + gke.gcr.io/gke-metadata-server, + k8s.gcr.io/ip-masq-agent-amd64, + k8s.gcr.io/kube-apiserver, + gke.gcr.io/kube-proxy, + gke.gcr.io/netd-amd64, + k8s.gcr.io/addon-resizer, + k8s.gcr.io/prometheus-to-sd, + k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64, + k8s.gcr.io/k8s-dns-kube-dns-amd64, + k8s.gcr.io/k8s-dns-sidecar-amd64, + k8s.gcr.io/metrics-server-amd64, + kope/kube-apiserver-healthcheck, + k8s_image_list + ] + +- macro: allowed_kube_namespace_pods + condition: (ka.req.pod.containers.image.repository in (user_allowed_kube_namespace_image_list) or + ka.req.pod.containers.image.repository in (allowed_kube_namespace_image_list)) + +# Detect any new pod created in the kube-system namespace +- rule: Pod Created in Kube Namespace + desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces + condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not allowed_kube_namespace_pods + output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image) + priority: WARNING + source: k8s_audit + tags: [k8s] + +- list: user_known_sa_list + items: [] + +- list: known_sa_list + items: [ + coredns, + coredns-autoscaler, + cronjob-controller, + daemon-set-controller, + deployment-controller, + disruption-controller, + endpoint-controller, + endpointslice-controller, + endpointslicemirroring-controller, + generic-garbage-collector, + horizontal-pod-autoscaler, + job-controller, + 
namespace-controller, + node-controller, + persistent-volume-binder, + pod-garbage-collector, + pv-protection-controller, + pvc-protection-controller, + replicaset-controller, + resourcequota-controller, + root-ca-cert-publisher, + service-account-controller, + statefulset-controller + ] + +- macro: trusted_sa + condition: (ka.target.name in (known_sa_list, user_known_sa_list)) + +# Detect creating a service account in the kube-system/kube-public namespace +- rule: Service Account Created in Kube Namespace + desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces + condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful and not trusted_sa + output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace) + priority: WARNING + source: k8s_audit + tags: [k8s] + +# Detect any modify/delete to any ClusterRole starting with +# "system:". "system:coredns" is excluded as changes are expected in +# normal operation. 
+- rule: System ClusterRole Modified/Deleted + desc: Detect any attempt to modify/delete a ClusterRole/Role starting with system + condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and + not ka.target.name in (system:coredns, system:managed-certificate-controller) + output: System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name ns=%ka.target.namespace action=%ka.verb) + priority: WARNING + source: k8s_audit + tags: [k8s] + +# Detect any attempt to create a ClusterRoleBinding to the cluster-admin user +# (expand this to any built-in cluster role that does "sensitive" things) +- rule: Attach to cluster-admin Role + desc: Detect any attempt to create a ClusterRoleBinding to the cluster-admin user + condition: kevt and clusterrolebinding and kcreate and ka.req.binding.role=cluster-admin + output: Cluster Role Binding to cluster-admin role (user=%ka.user.name subject=%ka.req.binding.subjects) + priority: WARNING + source: k8s_audit + tags: [k8s] + +- rule: ClusterRole With Wildcard Created + desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs + condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*")) + output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules) + priority: WARNING + source: k8s_audit + tags: [k8s] + +- macro: writable_verbs + condition: > + (ka.req.role.rules.verbs intersects (create, update, patch, delete, deletecollection)) + +- rule: ClusterRole With Write Privileges Created + desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions + condition: kevt and (role or clusterrole) and kcreate and writable_verbs + output: Created Role/ClusterRole with write privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules) + priority: NOTICE + 
source: k8s_audit + tags: [k8s] + +- rule: ClusterRole With Pod Exec Created + desc: Detect any attempt to create a Role/ClusterRole that can exec to pods + condition: kevt and (role or clusterrole) and kcreate and ka.req.role.rules.resources intersects ("pods/exec") + output: Created Role/ClusterRole with pod exec privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules) + priority: WARNING + source: k8s_audit + tags: [k8s] + +# The rules below this point are less discriminatory and generally +# represent a stream of activity for a cluster. If you wish to disable +# these events, modify the following macro. +- macro: consider_activity_events + condition: (k8s_audit_always_true) + +- macro: kactivity + condition: (kevt and consider_activity_events) + +- rule: K8s Deployment Created + desc: Detect any attempt to create a deployment + condition: (kactivity and kcreate and deployment and response_successful) + output: K8s Deployment Created (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) + priority: INFO + source: k8s_audit + tags: [k8s] + +- rule: K8s Deployment Deleted + desc: Detect any attempt to delete a deployment + condition: (kactivity and kdelete and deployment and response_successful) + output: K8s Deployment Deleted (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) + priority: INFO + source: k8s_audit + tags: [k8s] + +- rule: K8s Service Created + desc: Detect any attempt to create a service + condition: (kactivity and kcreate and service and response_successful) + output: K8s Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) + priority: INFO + source: k8s_audit + tags: [k8s] + +- rule: K8s Service Deleted + desc: Detect any attempt to delete 
a service + condition: (kactivity and kdelete and service and response_successful) + output: K8s Service Deleted (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) + priority: INFO + source: k8s_audit + tags: [k8s] + +- rule: K8s ConfigMap Created + desc: Detect any attempt to create a configmap + condition: (kactivity and kcreate and configmap and response_successful) + output: K8s ConfigMap Created (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) + priority: INFO + source: k8s_audit + tags: [k8s] + +- rule: K8s ConfigMap Deleted + desc: Detect any attempt to delete a configmap + condition: (kactivity and kdelete and configmap and response_successful) + output: K8s ConfigMap Deleted (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) + priority: INFO + source: k8s_audit + tags: [k8s] + +- rule: K8s Namespace Created + desc: Detect any attempt to create a namespace + condition: (kactivity and kcreate and namespace and response_successful) + output: K8s Namespace Created (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) + priority: INFO + source: k8s_audit + tags: [k8s] + +- rule: K8s Namespace Deleted + desc: Detect any attempt to delete a namespace + condition: (kactivity and non_system_user and kdelete and namespace and response_successful) + output: K8s Namespace Deleted (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) + priority: INFO + source: k8s_audit + tags: [k8s] + +- rule: K8s Serviceaccount Created + desc: Detect any attempt to create a service account + condition: (kactivity and kcreate and serviceaccount and response_successful) + output: 
K8s Serviceaccount Created (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) + priority: INFO + source: k8s_audit + tags: [k8s] + +- rule: K8s Serviceaccount Deleted + desc: Detect any attempt to delete a service account + condition: (kactivity and kdelete and serviceaccount and response_successful) + output: K8s Serviceaccount Deleted (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) + priority: INFO + source: k8s_audit + tags: [k8s] + +- rule: K8s Role/Clusterrole Created + desc: Detect any attempt to create a cluster role/role + condition: (kactivity and kcreate and (clusterrole or role) and response_successful) + output: K8s Cluster Role Created (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) + priority: INFO + source: k8s_audit + tags: [k8s] + +- rule: K8s Role/Clusterrole Deleted + desc: Detect any attempt to delete a cluster role/role + condition: (kactivity and kdelete and (clusterrole or role) and response_successful) + output: K8s Cluster Role Deleted (user=%ka.user.name role=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) + priority: INFO + source: k8s_audit + tags: [k8s] + +- rule: K8s Role/Clusterrolebinding Created + desc: Detect any attempt to create a clusterrolebinding + condition: (kactivity and kcreate and clusterrolebinding and response_successful) + output: K8s Cluster Role Binding Created (user=%ka.user.name binding=%ka.target.name subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) + priority: INFO + source: k8s_audit + tags: [k8s] + +- rule: K8s Role/Clusterrolebinding Deleted + desc: Detect any attempt to delete a clusterrolebinding + condition: 
(kactivity and kdelete and clusterrolebinding and response_successful) + output: K8s Cluster Role Binding Deleted (user=%ka.user.name binding=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) + priority: INFO + source: k8s_audit + tags: [k8s] + +- rule: K8s Secret Created + desc: Detect any attempt to create a secret. Service account tokens are excluded. + condition: (kactivity and kcreate and secret and ka.target.namespace!=kube-system and non_system_user and response_successful) + output: K8s Secret Created (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) + priority: INFO + source: k8s_audit + tags: [k8s] + +- rule: K8s Secret Deleted + desc: Detect any attempt to delete a secret Service account tokens are excluded. + condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and non_system_user and response_successful) + output: K8s Secret Deleted (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason) + priority: INFO + source: k8s_audit + tags: [k8s] + +# This rule generally matches all events, and as a result is disabled +# by default. If you wish to enable these events, modify the +# following macro. 
+# condition: (jevt.rawtime exists) +- macro: consider_all_events + condition: (k8s_audit_never_true) + +- macro: kall + condition: (kevt and consider_all_events) + +- rule: All K8s Audit Events + desc: Match all K8s Audit Events + condition: kall + output: K8s Audit Event received (user=%ka.user.name verb=%ka.verb uri=%ka.uri obj=%jevt.obj) + priority: DEBUG + source: k8s_audit + tags: [k8s] + + +# This macro disables following rule, change to k8s_audit_never_true to enable it +- macro: allowed_full_admin_users + condition: (k8s_audit_always_true) + +# This list includes some of the default user names for an administrator in several K8s installations +- list: full_admin_k8s_users + items: ["admin", "kubernetes-admin", "kubernetes-admin@kubernetes", "kubernetes-admin@cluster.local", "minikube-user"] + +# This rules detect an operation triggered by an user name that is +# included in the list of those that are default administrators upon +# cluster creation. This may signify a permission setting too broader. +# As we can't check for role of the user on a general ka.* event, this +# may or may not be an administrator. Customize the full_admin_k8s_users +# list to your needs, and activate at your discretion. + +# # How to test: +# # Execute any kubectl command connected using default cluster user, as: +# kubectl create namespace rule-test + +- rule: Full K8s Administrative Access + desc: Detect any k8s operation by a user name that may be an administrator with full access. 
+ condition: > + kevt + and non_system_user + and ka.user.name in (full_admin_k8s_users) + and not allowed_full_admin_users + output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code) + priority: WARNING + source: k8s_audit + tags: [k8s] + +- macro: ingress + condition: ka.target.resource=ingresses + +- macro: ingress_tls + condition: (jevt.value[/requestObject/spec/tls] exists) + +# # How to test: +# # Create an ingress.yaml file with content: +# apiVersion: networking.k8s.io/v1beta1 +# kind: Ingress +# metadata: +# name: test-ingress +# annotations: +# nginx.ingress.kubernetes.io/rewrite-target: / +# spec: +# rules: +# - http: +# paths: +# - path: /testpath +# backend: +# serviceName: test +# servicePort: 80 +# # Execute: kubectl apply -f ingress.yaml + +- rule: Ingress Object without TLS Certificate Created + desc: Detect any attempt to create an ingress without TLS certification. + condition: > + (kactivity and kcreate and ingress and response_successful and not ingress_tls) + output: > + K8s Ingress Without TLS Cert Created (user=%ka.user.name ingress=%ka.target.name + namespace=%ka.target.namespace) + source: k8s_audit + priority: WARNING + tags: [k8s, network] + +- macro: node + condition: ka.target.resource=nodes + +- macro: allow_all_k8s_nodes + condition: (k8s_audit_always_true) + +- list: allowed_k8s_nodes + items: [] + +# # How to test: +# # Create a Falco monitored cluster with Kops +# # Increase the number of minimum nodes with: +# kops edit ig nodes +# kops apply --yes + +- rule: Untrusted Node Successfully Joined the Cluster + desc: > + Detect a node successfully joined the cluster outside of the list of allowed nodes. 
+ condition: > + kevt and node + and kcreate + and response_successful + and not allow_all_k8s_nodes + and not ka.target.name in (allowed_k8s_nodes) + output: Node not in allowed list successfully joined the cluster (user=%ka.user.name node=%ka.target.name) + priority: ERROR + source: k8s_audit + tags: [k8s] + +- rule: Untrusted Node Unsuccessfully Tried to Join the Cluster + desc: > + Detect an unsuccessful attempt to join the cluster for a node not in the list of allowed nodes. + condition: > + kevt and node + and kcreate + and not response_successful + and not allow_all_k8s_nodes + and not ka.target.name in (allowed_k8s_nodes) + output: Node not in allowed list tried unsuccessfully to join the cluster (user=%ka.user.name node=%ka.target.name reason=%ka.response.reason) + priority: WARNING + source: k8s_audit + tags: [k8s] diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/templates/NOTES.txt b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/NOTES.txt new file mode 100644 index 000000000..ed8ba80c6 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/NOTES.txt 
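Review bot: In the `falco_hostnetwork_images` list of this hunk the entry `k8s.gcr.io/ip-masq-agent-amd64` has no trailing comma, so inside the YAML flow sequence it folds together with the next line into a single scalar (`k8s.gcr.io/ip-masq-agent-amd64 k8s.gcr.io/prometheus-to-sd`); neither image is actually exempted and `Create HostNetwork Pod` will fire on every rollout of both. Add the comma, as `allowed_kube_namespace_image_list` further down already does for the same two images. Smaller points in the same hunk: the `Anonymous Request Allowed` output ends with an unbalanced `))`; the `K8s Serviceaccount Created` and `Deleted` outputs label two different fields `user=` (`user=%ka.user.name user=%ka.target.name`), and the second should read `serviceaccount=`; the `K8s Secret Deleted` desc is missing a period between "delete a secret" and "Service account tokens"; "In a local/user rules fie" should be "file"; and the "How to test" example for `Ingress Object without TLS Certificate Created` uses `networking.k8s.io/v1beta1`, which no longer exists on current Kubernetes releases, so a `networking.k8s.io/v1` manifest with `service.name` and `service.port.number` is the example to keep.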
@@ -0,0 +1,24 @@ +Falco agents are spinning up on each node in your cluster. After a few +seconds, they are going to start monitoring your containers looking for +security issues. +{{printf "\n" }} + +{{- if .Values.integrations }} +WARNING: The following integrations have been deprecated and removed + - gcscc + - natsOutput + - snsOutput + - pubsubOutput +Consider to use falcosidekick (https://github.com/falcosecurity/falcosidekick) as replacement. +{{- else }} +No further action should be required. +{{- end }} +{{printf "\n" }} + +{{- if not .Values.falcosidekick.enabled }} +Tip: +You can easily forward Falco events to Slack, Kafka, AWS Lambda and more with falcosidekick. +Full list of outputs: https://github.com/falcosecurity/charts/tree/master/falcosidekick. +You can enable its deployment with `--set falcosidekick.enabled=true` or in your values.yaml. +See: https://github.com/falcosecurity/charts/blob/master/falcosidekick/values.yaml for configuration values. +{{- end}} diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/templates/_helpers.tpl b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/_helpers.tpl new file mode 100644 index 000000000..3f03dddb0 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/_helpers.tpl 
@@ -0,0 +1,86 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "falco.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "falco.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "falco.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "falco.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "falco.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Falco image name +*/}} +{{- define "falco.image" -}} +{{- $registryName := .Values.image.registry -}} +{{- $repositoryName := .Values.image.repository -}} +{{- $tag := .Values.image.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. 
+Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Extract the unixSocket's directory path +*/}} +{{- define "falco.unixSocketDir" -}} +{{- if .Values.falco.grpc.unixSocketPath -}} +{{- .Values.falco.grpc.unixSocketPath | trimPrefix "unix://" | dir -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for rbac. +*/}} +{{- define "rbac.apiVersion" -}} +{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- else -}} +{{- print "rbac.authorization.k8s.io/v1beta1" -}} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/templates/auditsink.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/auditsink.yaml new file mode 100644 index 000000000..a581f9eb7 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/auditsink.yaml 
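Review bot: `_helpers.tpl` ends without a trailing newline (`\ No newline at end of file`); add one. In `falco.image` the comment justifies the nested `if` with Helm 2.9/2.10 limitations, which is dated; the behaviour worth documenting instead is that a non-empty `.Values.global.imageRegistry` silently takes precedence over `.Values.image.registry`, so an operator who pins Falco to a private registry via `image.registry` should know a global setting can redirect the pull elsewhere. The `rbac.apiVersion` fallback to `rbac.authorization.k8s.io/v1beta1` is only reached on clusters without the v1 RBAC API and can be dropped once that support is no longer needed.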
@@ -0,0 +1,30 @@ +{{- if (and .Values.auditLog.enabled .Values.auditLog.dynamicBackend.enabled) }} +apiVersion: auditregistration.k8s.io/v1alpha1 +kind: AuditSink +metadata: + name: {{ template "falco.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + policy: + level: RequestResponse + stages: + - ResponseComplete + - ResponseStarted + webhook: + throttle: + qps: 10 + burst: 15 + clientConfig: + {{- if .Values.auditLog.dynamicBackend.url }} + url: {{ .Values.auditLog.dynamicBackend.url }} + {{- else }} + service: + namespace: {{ .Release.Namespace }} + name: {{ template "falco.fullname" . }} + port: {{ .Values.falco.webserver.listenPort }} + path: {{ .Values.falco.webserver.k8sAuditEndpoint }} + {{- end }} + {{- if .Values.falco.webserver.sslEnabled }} + caBundle: {{ .Values.certs.ca.crt | b64enc | quote }} + {{- end}} +{{- end }} diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/templates/clusterrole.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/clusterrole.yaml new file mode 100644 index 000000000..a4dea4fe8 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/clusterrole.yaml 
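Review bot: `auditsink.yaml` renders an `auditregistration.k8s.io/v1alpha1` `AuditSink`, an alpha API that was removed in Kubernetes v1.19 together with the dynamic audit feature gate, so enabling `auditLog.dynamicBackend.enabled` produces an object that fails to apply on current clusters; either drop the template or guard it with `.Capabilities.APIVersions.Has "auditregistration.k8s.io/v1alpha1"` and mark the values as legacy-only. Separately, the policy is `level: RequestResponse`, which ships full request and response bodies (Secret contents included) to the webhook, yet `caBundle` is emitted only when `falco.webserver.sslEnabled` is set and the `url:` branch accepts whatever `auditLog.dynamicBackend.url` holds, including a plain `http://` endpoint; require TLS for the webhook or document plainly that a plaintext backend exposes the audit payloads in transit.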
@@ -0,0 +1,59 @@ +{{- if .Values.rbac.create }} +kind: ClusterRole +apiVersion: {{ template "rbac.apiVersion" . }} +metadata: + name: {{ template "falco.fullname" .}} + labels: + app: {{ template "falco.fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +rules: + - apiGroups: + - extensions + - "" + resources: + - nodes + - namespaces + - pods + - replicationcontrollers + - replicasets + - services + - daemonsets + - deployments + - events + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - watch + - nonResourceURLs: + - /healthz + - /healthz/* + verbs: + - get +{{- if .Values.podSecurityPolicy.create }} + - apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ template "falco.fullname" . }} +{{- if .Values.fakeEventGenerator.enabled }} + - event-generator-{{ template "falco.fullname" . }} +{{- end }} + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/templates/clusterrolebinding.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..dff364ebd --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/clusterrolebinding.yaml 
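Review bot: The ClusterRole in this hunk grants cluster-wide `get`, `list` and `watch` on `configmaps` next to the node, pod and namespace metadata Falco needs for enrichment; configmaps are a common place for credentials (the rules in this same patch even alert on `Create/Modify Configmap With Private Credentials`), so confirm Falco actually reads them and drop the resource if it does not. Style: listing `daemonsets`, `deployments` and `replicasets` under the `extensions` group duplicates the `apps` rule directly below it and refers to API paths removed in Kubernetes 1.16; RBAC tolerates unknown groups, but the first rule can be trimmed to the core `""` group with `nodes`, `namespaces`, `pods`, `replicationcontrollers`, `services`, `events` and (if still needed) `configmaps`.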
@@ -0,0 +1,19 @@ +{{- if .Values.rbac.create }} +kind: ClusterRoleBinding +apiVersion: {{ template "rbac.apiVersion" . }} +metadata: + name: {{ template "falco.fullname" .}} + labels: + app: {{ template "falco.fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +subjects: + - kind: ServiceAccount + name: {{ template "falco.serviceAccountName" .}} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ template "falco.fullname" .}} + apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/templates/configmap-rules.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/configmap-rules.yaml new file mode 100644 index 000000000..8460fe765 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/configmap-rules.yaml @@ -0,0 +1,17 @@ +{{- if .Values.customRules }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "falco.fullname" . }}-rules + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "falco.fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +data: +{{- range $file, $content := .Values.customRules }} + {{ $file }}: |- +{{ $content | indent 4}} +{{- end }} +{{- end }} diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/templates/configmap.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/configmap.yaml new file mode 100644 index 000000000..74e51a2df --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/configmap.yaml 
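Review bot: In `configmap-rules.yaml` the key on the line `{{ $file }}: |-` is emitted unquoted; use `{{ $file | quote }}` so a custom rules file name containing `:`, `#` or a leading special character cannot break the rendered ConfigMap. The `{{ $content | indent 4}}` line also assumes every value under `.Values.customRules` is a string, which is worth stating in the values documentation since a mapping there renders as garbage rather than failing the template.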
@@ -0,0 +1,270 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "falco.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "falco.fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +data: + falco.yaml: |- + # File(s) or Directories containing Falco rules, loaded at startup. + # The name "rules_file" is only for backwards compatibility. + # If the entry is a file, it will be read directly. If the entry is a directory, + # every file in that directory will be read, in alphabetical order. + # + # falco_rules.yaml ships with the falco package and is overridden with + # every new software version. falco_rules.local.yaml is only created + # if it doesn't exist. If you want to customize the set of rules, add + # your customizations to falco_rules.local.yaml. + # + # The files will be read in the order presented here, so make sure if + # you have overrides they appear in later files. + rules_file: + {{- range .Values.falco.rulesFile }} + - {{ . }} + {{- end }} + + plugins: +{{ toYaml .Values.falco.plugins | indent 8 }} + + # Setting this list to empty ensures that the above plugins are *not* + # loaded and enabled by default. If you want to use the above plugins, + # set a meaningful init_config/open_params for the cloudtrail plugin + # and then change this to: + # load_plugins: [cloudtrail, json] + load_plugins: +{{ toYaml .Values.falco.loadPlugins | indent 8 }} + + # If true, the times displayed in log messages and output messages + # will be in ISO 8601. By default, times are displayed in the local + # time zone, as governed by /etc/localtime. 
+ time_format_iso_8601: {{ .Values.falco.timeFormatISO8601 }} + + # Whether to output events in json or text + {{- if .Values.falcosidekick.enabled }} + json_output: true + {{- else }} + json_output: {{ .Values.falco.jsonOutput }} + {{- end }} + + # When using json output, whether or not to include the "output" property + # itself (e.g. "File below a known binary directory opened for writing + # (user=root ....") in the json output. + + {{- if .Values.falcosidekick.enabled }} + json_include_output_property: true + {{- else }} + json_include_output_property: {{ .Values.falco.jsonIncludeOutputProperty }} + {{- end }} + + # When using json output, whether or not to include the "tags" property + # itself in the json output. If set to true, outputs caused by rules + # with no tags will have a "tags" field set to an empty array. If set to + # false, the "tags" field will not be included in the json output at all. + json_include_tags_property: {{ .Values.falco.jsonIncludeTagsProperty }} + + # Send information logs to stderr and/or syslog Note these are *not* security + # notification logs! These are just Falco lifecycle (and possibly error) logs. + log_stderr: {{ .Values.falco.logStderr }} + log_syslog: {{ .Values.falco.logSyslog }} + + # Minimum log level to include in logs. Note: these levels are + # separate from the priority field of rules. This refers only to the + # log level of falco's internal logging. Can be one of "emergency", + # "alert", "critical", "error", "warning", "notice", "info", "debug". + log_level: {{ .Values.falco.logLevel }} + + # Minimum rule priority level to load and run. All rules having a + # priority more severe than this level will be loaded/run. Can be one + # of "emergency", "alert", "critical", "error", "warning", "notice", + # "info", "debug". + priority: {{ .Values.falco.priority }} + + # Whether or not output to any of the output channels below is + # buffered. 
Defaults to false + buffered_outputs: {{ .Values.falco.bufferedOutputs }} + + # Falco uses a shared buffer between the kernel and userspace to pass + # system call information. When Falco detects that this buffer is + # full and system calls have been dropped, it can take one or more of + # the following actions: + # - ignore: do nothing (default when list of actions is empty) + # - log: log a DEBUG message noting that the buffer was full + # - alert: emit a Falco alert noting that the buffer was full + # - exit: exit Falco with a non-zero rc + # + # Notice it is not possible to ignore and log/alert messages at the same time. + # + # The rate at which log/alert messages are emitted is governed by a + # token bucket. The rate corresponds to one message every 30 seconds + # with a burst of one message (by default). + # + # The messages are emitted when the percentage of dropped system calls + # with respect the number of events in the last second + # is greater than the given threshold (a double in the range [0, 1]). + # + # For debugging/testing it is possible to simulate the drops using + # the `simulate_drops: true`. In this case the threshold does not apply. + syscall_event_drops: + threshold: {{ .Values.falco.syscallEventDrops.threshold }} + actions: + {{- range .Values.falco.syscallEventDrops.actions }} + - {{ . }} + {{- end }} + rate: {{ .Values.falco.syscallEventDrops.rate }} + max_burst: {{ .Values.falco.syscallEventDrops.maxBurst }} + + # Falco uses a shared buffer between the kernel and userspace to receive + # the events (eg., system call information) in userspace. + # + # Anyways, the underlying libraries can also timeout for various reasons. + # For example, there could have been issues while reading an event. + # Or the particular event needs to be skipped. + # Normally, it's very unlikely that Falco does not receive events consecutively. + # + # Falco is able to detect such uncommon situation. 
+ # + # Here you can configure the maximum number of consecutive timeouts without an event + # after which you want Falco to alert. + # By default this value is set to 1000 consecutive timeouts without an event at all. + # How this value maps to a time interval depends on the CPU frequency. + syscall_event_timeouts: + max_consecutives: {{ .Values.falco.syscallEventTimeouts.maxConsecutives }} + + # Falco continuously monitors outputs performance. When an output channel does not allow + # to deliver an alert within a given deadline, an error is reported indicating + # which output is blocking notifications. + # The timeout error will be reported to the log according to the above log_* settings. + # Note that the notification will not be discarded from the output queue; thus, + # output channels may indefinitely remain blocked. + # An output timeout error indeed indicate a misconfiguration issue or I/O problems + # that cannot be recovered by Falco and should be fixed by the user. + # + # The "output_timeout" value specifies the duration in milliseconds to wait before + # considering the deadline exceed. + # + # With a 2000ms default, the notification consumer can block the Falco output + # for up to 2 seconds without reaching the timeout. + output_timeout: {{ .Values.falco.output_timeout }} + + # A throttling mechanism implemented as a token bucket limits the + # rate of falco notifications. This throttling is controlled by the following configuration + # options: + # - rate: the number of tokens (i.e. right to send a notification) + # gained per second. Defaults to 1. + # - max_burst: the maximum number of tokens outstanding. Defaults to 1000. + # + # With these defaults, falco could send up to 1000 notifications after + # an initial quiet period, and then up to 1 notification per second + # afterward. It would gain the full burst back after 1000 seconds of + # no activity. 
+ outputs: + rate: {{ .Values.falco.outputs.rate }} + max_burst: {{ .Values.falco.outputs.maxBurst }} + + # Where security notifications should go. + # Multiple outputs can be enabled. + syslog_output: + enabled: {{ .Values.falco.syslogOutput.enabled }} + + # If keep_alive is set to true, the file will be opened once and + # continuously written to, with each output message on its own + # line. If keep_alive is set to false, the file will be re-opened + # for each output message. + # + # Also, the file will be closed and reopened if falco is signaled with + # SIGUSR1. + file_output: + enabled: {{ .Values.falco.fileOutput.enabled }} + keep_alive: {{ .Values.falco.fileOutput.keepAlive }} + filename: {{ .Values.falco.fileOutput.filename }} + + stdout_output: + enabled: {{ .Values.falco.stdoutOutput.enabled }} + + # Falco contains an embedded webserver that can be used to accept K8s + # Audit Events. These config options control the behavior of that + # webserver. (By default, the webserver is disabled). + # + # The ssl_certificate is a combination SSL Certificate and corresponding + # key contained in a single file. You can generate a key/cert as follows: + # + # $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem + # $ cat certificate.pem key.pem > falco.pem + # $ sudo cp falco.pem /etc/falco/falco.pem + webserver: + enabled: {{ .Values.falco.webserver.enabled }} + listen_port: {{ .Values.falco.webserver.listenPort }} + k8s_audit_endpoint: {{ .Values.falco.webserver.k8sAuditEndpoint }} + k8s_healthz_endpoint: {{ .Values.falco.webserver.k8sHealthzEndpoint }} + ssl_enabled: {{ .Values.falco.webserver.sslEnabled }} + ssl_certificate: {{ .Values.falco.webserver.sslCertificate }} + + # If keep_alive is set to true, the program will be started once and + # continuously written to, with each output message on its own + # line. If keep_alive is set to false, the program will be re-spawned + # for each output message. 
+ # + # Also, the program will be closed and reopened if falco is signaled with + # SIGUSR1. + program_output: + enabled: {{ .Values.falco.programOutput.enabled }} + keep_alive: {{ .Values.falco.programOutput.keepAlive }} + program: | +{{ .Values.falco.programOutput.program | indent 8 }} + + http_output: + enabled: {{ if .Values.falcosidekick.enabled }}true{{ else }}{{ .Values.falco.httpOutput.enabled }}{{ end }} + url: '{{ if .Values.falco.httpOutput.url }}{{ .Values.falco.httpOutput.url }}{{ else }}http://{{ template "falco.fullname" . }}-falcosidekick{{ if .Values.falcosidekick.fullfqdn }}.{{ .Release.Namespace }}.svc.cluster.local{{ end }}:{{ .Values.falcosidekick.listenport | default "2801" }}{{ end }}' + user_agent: {{ .Values.falco.httpOutput.userAgent }} + + + # Falco supports running a gRPC server with two main binding types + # 1. Over the network with mandatory mutual TLS authentication (mTLS) + # 2. Over a local unix socket with no authentication + # By default, the gRPC server is disabled, with no enabled services (see grpc_output) + # please comment/uncomment and change accordingly the options below to configure it. + # Important note: if Falco has any troubles creating the gRPC server + # this information will be logged, however the main Falco daemon will not be stopped. + # gRPC server over network with (mandatory) mutual TLS configuration. + # This gRPC server is secure by default so you need to generate certificates and update their paths here. + # By default the gRPC server is off. + # You can configure the address to bind and expose it. + # By modifying the threadiness configuration you can fine-tune the number of threads (and context) it will use. 
+ # grpc: + # enabled: true + # bind_address: "0.0.0.0:5060" + # # when threadiness is 0, Falco sets it by automatically figuring out the number of online cores + # threadiness: 0 + # private_key: "/etc/falco/certs/server.key" + # cert_chain: "/etc/falco/certs/server.crt" + # root_certs: "/etc/falco/certs/ca.crt" + grpc: + enabled: {{ .Values.falco.grpc.enabled }} + threadiness: {{ .Values.falco.grpc.threadiness }} + {{- if .Values.falco.grpc.unixSocketPath }} + bind_address: "{{ .Values.falco.grpc.unixSocketPath }}" + {{ else }} + bind_address: "0.0.0.0:{{ .Values.falco.grpc.listenPort }}" + private_key: {{ .Values.falco.grpc.privateKey }} + cert_chain: {{ .Values.falco.grpc.certChain }} + root_certs: {{ .Values.falco.grpc.rootCerts }} + {{- end }} + + # gRPC output service. + # By default it is off. + # By enabling this all the output events will be kept in memory until you read them with a gRPC client. + # Make sure to have a consumer for them or leave this disabled. + grpc_output: + enabled: {{ .Values.falco.grpcOutput.enabled }} + + # Container orchestrator metadata fetching params + metadata_download: + max_mb: {{ .Values.falco.metadataDownload.maxMb }} + chunk_wait_us: {{ .Values.falco.metadataDownload.chunkWaitUs }} + watch_freq_sec: {{ .Values.falco.metadataDownload.watchFreqSec }} + +{{ (.Files.Glob "rules/*").AsConfig | indent 2 }} diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/templates/daemonset.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/daemonset.yaml new file mode 100644 index 000000000..cda0ec29f --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/daemonset.yaml 
@@ -0,0 +1,273 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "falco.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "falco.fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +spec: + selector: + matchLabels: + app: {{ template "falco.fullname" .}} + role: security + template: + metadata: + name: {{ template "falco.fullname" .}} + labels: + app: {{ template "falco.fullname" .}} + role: security +{{- with .Values.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/rules: {{ include (print $.Template.BasePath "/configmap-rules.yaml") . | sha256sum }} + {{- if and .Values.certs (not .Values.certs.existingSecret) }} + checksum/certs: {{ include (print $.Template.BasePath "/secret-certs.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.daemonset.podAnnotations }} +{{ toYaml .Values.daemonset.podAnnotations | indent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "falco.serviceAccountName" .}} + {{- if (and .Values.ebpf.enabled .Values.ebpf.settings.hostNetwork) }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + {{- end }} +{{- if .Values.priorityClassName }} + priorityClassName: "{{ .Values.priorityClassName }}" +{{- end }} +{{- with .Values.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} +{{- end }} + tolerations: +{{ toYaml .Values.tolerations | indent 8 }} +{{- if .Values.image.pullSecrets }} + imagePullSecrets: {{ toYaml .Values.image.pullSecrets | nindent 8 }} +{{- end }} + containers: + - name: {{ .Chart.Name }} + image: {{ template "falco.image" . 
}} + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: +{{ toYaml .Values.resources | indent 12 }} + securityContext: + privileged: {{ not .Values.leastPrivileged.enabled }} + {{- if .Values.leastPrivileged.enabled }} + capabilities: + add: + - BPF + - SYS_RESOURCE + - PERFMON + {{- end }} + args: + - /usr/bin/falco + {{- if and .Values.containerd .Values.containerd.enabled }} + - --cri + - /run/containerd/containerd.sock + {{- end }} + {{- if and .Values.crio .Values.crio.enabled }} + - --cri + - /run/crio/crio.sock + {{- end }} + {{- if .Values.kubernetesSupport.enabled }} + - -K + - {{ .Values.kubernetesSupport.apiAuth }} + - -k + - {{ .Values.kubernetesSupport.apiUrl }} + {{- if .Values.kubernetesSupport.enableNodeFilter }} + - --k8s-node + - "$(FALCO_K8S_NODE_NAME)" + {{- end }} + {{- end }} + - -pk + {{- if .Values.extraArgs }} +{{ toYaml .Values.extraArgs | indent 12 }} + {{- end }} + env: + - name: FALCO_K8S_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.ebpf.enabled }} + - name: FALCO_BPF_PROBE + value: {{ .Values.ebpf.path }} + {{- end }} + {{- if .Values.proxy.httpProxy }} + - name: http_proxy + value: {{ .Values.proxy.httpProxy }} + {{- end }} + {{- if .Values.proxy.httpsProxy }} + - name: https_proxy + value: {{ .Values.proxy.httpsProxy }} + {{- end }} + {{- if .Values.proxy.noProxy }} + - name: no_proxy + value: {{ .Values.proxy.noProxy }} + {{- end }} + {{- if .Values.timezone }} + - name: TZ + value: {{ .Values.timezone }} + {{- end }} + {{- range $key, $value := .Values.daemonset.env }} + - name: "{{ $key }}" + value: "{{ $value }}" + {{- end }} + {{- if .Values.falco.webserver.enabled }} + livenessProbe: + initialDelaySeconds: {{ .Values.falco.livenessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.falco.livenessProbe.timeoutSeconds }} + periodSeconds: {{ .Values.falco.livenessProbe.periodSeconds }} + httpGet: + path: {{ .Values.falco.webserver.k8sHealthzEndpoint }} + port: {{ 
.Values.falco.webserver.listenPort }} + {{- if .Values.falco.webserver.sslEnabled }} + scheme: HTTPS + {{- end }} + readinessProbe: + initialDelaySeconds: {{ .Values.falco.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.falco.readinessProbe.timeoutSeconds }} + periodSeconds: {{ .Values.falco.readinessProbe.periodSeconds }} + httpGet: + path: {{ .Values.falco.webserver.k8sHealthzEndpoint }} + port: {{ .Values.falco.webserver.listenPort }} + {{- if .Values.falco.webserver.sslEnabled }} + scheme: HTTPS + {{- end }} + {{- end }} + volumeMounts: + {{- if .Values.docker.enabled }} + - mountPath: /host/var/run/docker.sock + name: docker-socket + {{- end}} + {{- if .Values.containerd.enabled }} + - mountPath: /host/run/containerd/containerd.sock + name: containerd-socket + {{- end}} + {{- if and .Values.crio .Values.crio.enabled }} + - mountPath: /host/run/crio/crio.sock + name: crio-socket + {{- end}} + - mountPath: /host/dev + name: dev-fs + readOnly: true + - mountPath: /host/proc + name: proc-fs + readOnly: true + - mountPath: /host/boot + name: boot-fs + readOnly: true + - mountPath: /host/lib/modules + name: lib-modules + - mountPath: /host/usr + name: usr-fs + readOnly: true + - mountPath: /host/etc + name: etc-fs + readOnly: true + - mountPath: /etc/falco + name: config-volume + {{- if .Values.customRules }} + - mountPath: /etc/falco/rules.d + name: rules-volume + {{- end }} + {{- if and .Values.falco.grpc.enabled .Values.falco.grpc.unixSocketPath }} + - mountPath: {{ include "falco.unixSocketDir" . 
}} + name: grpc-socket-dir + {{- end }} + {{- if or .Values.falco.webserver.sslEnabled (and .Values.falco.grpc.enabled (not .Values.falco.grpc.unixSocketPath)) }} + - mountPath: /etc/falco/certs + name: certs-volume + readOnly: true + {{- end }} + {{- if .Values.extraVolumeMounts }} +{{ toYaml .Values.extraVolumeMounts | indent 12 }} + {{- end }} + {{- if .Values.extraInitContainers }} + initContainers: +{{ toYaml .Values.extraInitContainers | indent 12 }} + {{- end }} + volumes: + {{- if .Values.docker.enabled }} + - name: docker-socket + hostPath: + path: {{ .Values.docker.socket }} + {{- end}} + {{- if .Values.containerd.enabled }} + - name: containerd-socket + hostPath: + path: {{ .Values.containerd.socket }} + {{- end}} + {{- if and .Values.crio .Values.crio.enabled }} + - name: crio-socket + hostPath: + path: {{ .Values.crio.socket }} + {{- end}} + - name: dev-fs + hostPath: + path: /dev + - name: proc-fs + hostPath: + path: /proc + - name: boot-fs + hostPath: + path: /boot + - name: lib-modules + hostPath: + path: /lib/modules + - name: usr-fs + hostPath: + path: /usr + - name: etc-fs + hostPath: + path: /etc + - name: config-volume + configMap: + name: {{ template "falco.fullname" . }} + items: + - key: falco.yaml + path: falco.yaml + - key: falco_rules.yaml + path: falco_rules.yaml + - key: falco_rules.local.yaml + path: falco_rules.local.yaml + - key: application_rules.yaml + path: rules.available/application_rules.yaml + {{- if .Values.auditLog.enabled }} + - key: k8s_audit_rules.yaml + path: k8s_audit_rules.yaml + {{- end }} + - key: aws_cloudtrail_rules.yaml + path: aws_cloudtrail_rules.yaml + {{- if .Values.customRules }} + - name: rules-volume + configMap: + name: {{ template "falco.fullname" . }}-rules + {{- end }} + {{- if and .Values.falco.grpc.enabled .Values.falco.grpc.unixSocketPath }} + - name: grpc-socket-dir + hostPath: + path: {{ include "falco.unixSocketDir" . 
}} + {{- end }} + {{- if or .Values.falco.webserver.sslEnabled (and .Values.falco.grpc.enabled (not .Values.falco.grpc.unixSocketPath)) }} + - name: certs-volume + secret: + {{- if .Values.certs.existingSecret }} + secretName: {{ .Values.certs.existingSecret }} + {{- else }} + secretName: {{ template "falco.fullname" . }}-certs + {{- end }} + {{- end }} + {{- if .Values.extraVolumes }} +{{ toYaml .Values.extraVolumes | indent 8 }} + {{- end }} + updateStrategy: +{{ toYaml .Values.daemonset.updateStrategy | indent 4 }} diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/templates/deployment.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/deployment.yaml new file mode 100644 index 000000000..7885efe86 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/deployment.yaml @@ -0,0 +1,35 @@ +{{- if .Values.fakeEventGenerator.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "falco.fullname" . }}-event-generator + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "falco.fullname" . }}-event-generator + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +spec: + replicas: {{ .Values.fakeEventGenerator.replicas }} + selector: + matchLabels: + app: {{ template "falco.fullname" . }}-event-generator + template: + metadata: + labels: + app: {{ template "falco.fullname" . }}-event-generator +{{- with .Values.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ template "falco.serviceAccountName" .}} + containers: + - name: {{ template "falco.fullname" . }}-event-generator + securityContext: + privileged: false + image: falcosecurity/event-generator:latest +{{- with .Values.fakeEventGenerator.args }} + args: +{{ toYaml . | indent 10 }} +{{- end }} +{{- end }} 
diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/templates/podsecuritypolicy.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/podsecuritypolicy.yaml new file mode 100644 index 000000000..c31f3f8e2 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/podsecuritypolicy.yaml @@ -0,0 +1,52 @@ +{{- if .Values.podSecurityPolicy.create}} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "falco.fullname" . }} + labels: + app: {{ template "falco.fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +spec: + privileged: true + hostNetwork: true + allowedCapabilities: ['*'] + fsGroup: + rule: RunAsAny + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + volumes: ['*'] +{{- end }} +{{- if (and .Values.podSecurityPolicy.create .Values.fakeEventGenerator.enabled) }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: event-generator-{{ template "falco.fullname" . }} + labels: + app: {{ template "falco.fullname" . }}-event-generator + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +spec: + privileged: false + hostNetwork: false + readOnlyRootFilesystem: true + requiredDropCapabilities: + - ALL + fsGroup: + rule: RunAsAny + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + volumes: [] +{{- end }} diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/templates/secret-certs.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/secret-certs.yaml new file mode 100644 index 000000000..70b1a6b8a --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/secret-certs.yaml 
@@ -0,0 +1,21 @@ +{{- if and (not .Values.certs.existingSecret) (or .Values.falco.webserver.sslEnabled (and .Values.falco.grpc.enabled (not .Values.falco.grpc.unixSocketPath))) }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "falco.fullname" . }}-certs + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "falco.fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +type: Opaque +data: + {{ $key := .Values.certs.server.key }} + server.key: {{ $key | b64enc | quote }} + {{ $crt := .Values.certs.server.crt }} + server.crt: {{ $crt | b64enc | quote }} + server.pem: {{ print $key $crt | b64enc | quote }} + ca.crt: {{ .Values.certs.ca.crt | b64enc | quote }} +{{- end }} diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/templates/securitycontextconstraints.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/securitycontextconstraints.yaml new file mode 100644 index 000000000..86e77f9f0 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/securitycontextconstraints.yaml 
@@ -0,0 +1,46 @@ +{{- if and .Values.scc.create (.Capabilities.APIVersions.Has "security.openshift.io/v1") }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + annotations: + kubernetes.io/description: | + This provides the minimum requirements Falco to run in Openshift. + name: {{ template "falco.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "falco.fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +allowHostDirVolumePlugin: true +allowHostIPC: false +allowHostNetwork: true +allowHostPID: true +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: true +allowedCapabilities: [] +allowedUnsafeSysctls: [] +defaultAddCapabilities: [] +fsGroup: + type: RunAsAny +groups: [] +priority: 0 +readOnlyRootFilesystem: false +requiredDropCapabilities: [] +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +seccompProfiles: +- '*' +supplementalGroups: + type: RunAsAny +users: +- system:serviceaccount:{{ .Release.Namespace }}:{{ template "falco.serviceAccountName" .}} +volumes: +- hostPath +- emptyDir +- secret +- configMap +{{- end }} diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/templates/service.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/service.yaml new file mode 100644 index 000000000..2d38d32b3 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/service.yaml 
@@ -0,0 +1,44 @@ +{{- if .Values.auditLog.enabled }} +kind: Service +apiVersion: v1 +metadata: + name: {{ template "falco.fullname" .}} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "falco.fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +spec: + {{- if .Values.falco.webserver.nodePort }} + type: NodePort + {{- end }} + selector: + app: {{ template "falco.fullname" .}} + ports: + - protocol: TCP + port: {{ .Values.falco.webserver.listenPort }} + {{- with .Values.falco.webserver.nodePort }} + nodePort: {{ . }} + {{- end }} +{{- end }} +{{- if and .Values.falco.grpc.enabled (not .Values.falco.grpc.unixSocketPath)}} +--- +kind: Service +apiVersion: v1 +metadata: + name: {{ template "falco.fullname" .}}-grpc + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "falco.fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +spec: + clusterIP: None + selector: + app: {{ template "falco.fullname" .}} + ports: + - protocol: TCP + port: {{ .Values.falco.grpc.listenPort }} +{{- end }} \ No newline at end of file diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/templates/serviceaccount.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/serviceaccount.yaml new file mode 100644 index 000000000..a11106e71 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/templates/serviceaccount.yaml 
@@ -0,0 +1,16 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "falco.serviceAccountName" .}} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "falco.fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" + {{- if .Values.serviceAccount.annotations }} + annotations: +{{ toYaml .Values.serviceAccount.annotations | indent 4 }} + {{- end }} +{{- end }} diff --git a/charts/sumologic/sumologic/2.17.0/charts/falco/values.yaml b/charts/sumologic/sumologic/2.17.0/charts/falco/values.yaml new file mode 100644 index 000000000..050e3a992 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/falco/values.yaml 
@@ -0,0 +1,455 @@ +# Default values for Falco. + +image: + registry: docker.io + repository: falcosecurity/falco + tag: 0.31.1 + pullPolicy: IfNotPresent + pullSecrets: [] + +docker: + enabled: true + socket: /var/run/docker.sock + +containerd: + enabled: true + socket: /run/containerd/containerd.sock + +crio: + enabled: true + socket: /run/crio/crio.sock + +kubernetesSupport: + # Enables Kubernetes meta data collection via a connection to the Kubernetes API server. + enabled: true + # The apiAuth value is to provide the authentication method Falco should use to connect to the Kubernetes API. + # The argument's documentation from Falco is provided here for reference: + # + # | :[:], --k8s-api-cert | :[:] + # Use the provided files names to authenticate user and (optionally) verify the K8S API server identity. + # Each entry must specify full (absolute, or relative to the current directory) path to the respective file. + # Private key password is optional (needed only if key is password protected). + # CA certificate is optional. For all files, only PEM file format is supported. + # Specifying CA certificate only is obsoleted - when single entry is provided + # for this option, it will be interpreted as the name of a file containing bearer token. + # Note that the format of this command-line option prohibits use of files whose names contain + # ':' or '#' characters in the file name. + apiAuth: /var/run/secrets/kubernetes.io/serviceaccount/token + apiUrl: "https://$(KUBERNETES_SERVICE_HOST)" + # If true, only the current node (on which Falco is running) will be considered when requesting metadata of pods + # to the API server. Disabling this option may have a performance penalty on large clusters. + enableNodeFilter: true + +resources: + # Although resources needed are subjective on the actual workload we provide + # a sane defaults ones. 
If you have more questions or concerns, please refer + # to #falco slack channel for more info about it + requests: + cpu: 100m + memory: 512Mi + limits: + cpu: 1000m + memory: 1024Mi + +extraArgs: [] +nodeSelector: {} +affinity: {} + +rbac: + # Create and use rbac resources + create: true + +podSecurityPolicy: + # Create a podSecurityPolicy + create: false + +serviceAccount: + # Create and use serviceAccount resources + create: true + # Use this value as serviceAccountName + name: + annotations: {} + +fakeEventGenerator: + enabled: false + args: + - run + - --loop + - ^syscall + replicas: 1 + +daemonset: + # Perform rolling updates by default in the DaemonSet agent + # ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + updateStrategy: + # You can also customize maxUnavailable or minReadySeconds if you + # need it + type: RollingUpdate + + ## Extra environment variables that will be pass onto deployment pods + env: {} + + ## Add aditional pod annotations on pods created by DaemonSet + podAnnotations: {} + +# Additional labels to add to the pods: +# podLabels: +# key: value +podLabels: {} + +# If is behind a proxy you can set the proxy server +proxy: + httpProxy: + httpsProxy: + noProxy: + +# Set daemonset timezone +timezone: + +# Set daemonset priorityClassName +priorityClassName: + +ebpf: + # Enable eBPF support for Falco + enabled: false + path: + + settings: + # Needed to enable eBPF JIT at runtime for performance reasons. + # Can be skipped if eBPF JIT is enabled from outside the container + hostNetwork: true + +leastPrivileged: + # Constrain Falco with capabilities instead of running a privileged container. + # This option is only supported with the eBPF driver and a kernel >= 5.8. + # Ensure the eBPF driver is enabled (i.e., setting the `ebpf.enabled` option to true). 
+ enabled: false + +auditLog: + # true here activates the K8s Audit Log feature for Falco + enabled: false + + dynamicBackend: + # true here configures an AuditSink who will receive the K8s audit logs + enabled: false + # define if auditsink client config should point to a fixed url, not the + # default webserver service + url: "" + +falco: + # The location of the rules file(s). This can contain one or more paths to + # separate rules files. + rulesFile: + - /etc/falco/falco_rules.yaml + - /etc/falco/falco_rules.local.yaml + - /etc/falco/k8s_audit_rules.yaml + # - /etc/falco/aws_cloudtrail_rules.yaml + - /etc/falco/rules.d + # - /etc/falco/rules.optional.d + + plugins: + - name: cloudtrail + library_path: libcloudtrail.so + init_config: "" + open_params: "" + - name: json + library_path: libjson.so + init_config: "" + + # Setting this list to empty ensures that the above plugins are *not* + # loaded and enabled by default. If you want to use the above plugins, + # set a meaningful init_config/open_params for the cloudtrail plugin + # and then change this to: + # load_plugins: [cloudtrail, json] + loadPlugins: [] + + # If true, the times displayed in log messages and output messages + # will be in ISO 8601. By default, times are displayed in the local + # time zone, as governed by /etc/localtime. + timeFormatISO8601: false + + # Whether to output events in json or text + jsonOutput: false + + # When using json output, whether or not to include the "output" property + # itself (e.g. "File below a known binary directory opened for writing + # (user=root ....") in the json output. + jsonIncludeOutputProperty: true + + # When using json output, whether or not to include the "tags" property + # itself in the json output. If set to true, outputs caused by rules + # with no tags will have a "tags" field set to an empty array. If set to + # false, the "tags" field will not be included in the json output at all. 
+ jsonIncludeTagsProperty: true + + # Send information logs to stderr and/or syslog Note these are *not* security + # notification logs! These are just Falco lifecycle (and possibly error) logs. + logStderr: true + logSyslog: true + + # Minimum log level to include in logs. Note: these levels are + # separate from the priority field of rules. This refers only to the + # log level of Falco's internal logging. Can be one of "emergency", + # "alert", "critical", "error", "warning", "notice", "info", "debug". + logLevel: info + + # Minimum rule priority level to load and run. All rules having a + # priority more severe than this level will be loaded/run. Can be one + # of "emergency", "alert", "critical", "error", "warning", "notice", + # "informational", "debug". + priority: debug + + # Whether or not output to any of the output channels below is + # buffered. + bufferedOutputs: false + + # Falco uses a shared buffer between the kernel and userspace to pass + # system call information. When Falco detects that this buffer is + # full and system calls have been dropped, it can take one or more of + # the following actions: + # - ignore: do nothing (default when list of actions is empty) + # - log: log a DEBUG message noting that the buffer was full + # - alert: emit a Falco alert noting that the buffer was full + # - exit: exit Falco with a non-zero rc + # + # Notice it is not possible to ignore and log/alert messages at the same time. + # + # The rate at which log/alert messages are emitted is governed by a + # token bucket. The rate corresponds to one message every 30 seconds + # with a burst of one message (by default). + # + # The messages are emitted when the percentage of dropped system calls + # with respect the number of events in the last second + # is greater than the given threshold (a double in the range [0, 1]). + # + # For debugging/testing it is possible to simulate the drops using + # the `simulate_drops: true`. In this case the threshold does not apply. 
+ syscallEventDrops: + threshold: .1 + actions: + - log + - alert + rate: .03333 + maxBurst: 1 + + # Falco uses a shared buffer between the kernel and userspace to receive + # the events (eg., system call information) in userspace. + # + # Anyways, the underlying libraries can also timeout for various reasons. + # For example, there could have been issues while reading an event. + # Or the particular event needs to be skipped. + # Normally, it's very unlikely that Falco does not receive events consecutively. + # + # Falco is able to detect such uncommon situation. + # + # Here you can configure the maximum number of consecutive timeouts without an event + # after which you want Falco to alert. + # By default this value is set to 1000 consecutive timeouts without an event at all. + # How this value maps to a time interval depends on the CPU frequency. + syscallEventTimeouts: + maxConsecutives: 1000 + + # Falco continuously monitors outputs performance. When an output channel does not allow + # to deliver an alert within a given deadline, an error is reported indicating + # which output is blocking notifications. + # The timeout error will be reported to the log according to the above log_* settings. + # Note that the notification will not be discarded from the output queue; thus, + # output channels may indefinitely remain blocked. + # An output timeout error indeed indicate a misconfiguration issue or I/O problems + # that cannot be recovered by Falco and should be fixed by the user. + # + # The "output_timeout" value specifies the duration in milliseconds to wait before + # considering the deadline exceed. + # + # With a 2000ms default, the notification consumer can block the Falco output + # for up to 2 seconds without reaching the timeout. + + output_timeout: 2000 + + # A throttling mechanism implemented as a token bucket limits the + # rate of Falco notifications. 
This throttling is controlled by the following configuration + # options: + # - rate: the number of tokens (i.e. right to send a notification) + # gained per second. Defaults to 1. + # - max_burst: the maximum number of tokens outstanding. Defaults to 1000. + # + # With these defaults, Falco could send up to 1000 notifications after + # an initial quiet period, and then up to 1 notification per second + # afterward. It would gain the full burst back after 1000 seconds of + # no activity. + outputs: + rate: 1 + maxBurst: 1000 + + # Where security notifications should go. + # Multiple outputs can be enabled. + syslogOutput: + enabled: true + + # If keep_alive is set to true, the file will be opened once and + # continuously written to, with each output message on its own + # line. If keep_alive is set to false, the file will be re-opened + # for each output message. + # + # Also, the file will be closed and reopened if Falco is signaled with + # SIGUSR1. + fileOutput: + enabled: false + keepAlive: false + filename: ./events.txt + + stdoutOutput: + enabled: true + + # Falco contains an embedded webserver that can be used to accept K8s + # Audit Events. These config options control the behavior of that + # webserver. (By default, the webserver is enabled). 
+ webserver: + enabled: true + listenPort: 8765 + nodePort: false + k8sAuditEndpoint: /k8s-audit + k8sHealthzEndpoint: /healthz + sslEnabled: false + sslCertificate: /etc/falco/certs/server.pem + + livenessProbe: + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 15 + + readinessProbe: + initialDelaySeconds: 30 + timeoutSeconds: 5 + periodSeconds: 15 + + # Possible additional things you might want to do with program output: + # - send to a slack webhook: + # program: "\"jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX\"" + # - logging (alternate method than syslog): + # program: logger -t falco-test + # - send over a network connection: + # program: nc host.example.com 80 + + # If keep_alive is set to true, the program will be started once and + # continuously written to, with each output message on its own + # line. If keep_alive is set to false, the program will be re-spawned + # for each output message. + # + # Also, the program will be closed and reopened if Falco is signaled with + # SIGUSR1. + programOutput: + enabled: false + keepAlive: false + program: mail -s "Falco Notification" someone@example.com + # program: | + # jq 'if .priority == "Emergency" or .priority == "Critical" or .priority == "Error" then + # { attachments: [{ text: .output, color: "danger" }]} + # elif .priority == "Warning" or .priority == "Notice" then + # { attachments: [{ text: .output, color: "warning" }]} + # elif .priority == "Informational" then + # { attachments: [{ text: .output, color: "good" }]} + # else + # { attachments: [{ text: .output }]} + # end' | curl -d @- -X POST https://hooks.slack.com/services/xxxxxxxxx/xxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxx + + httpOutput: + enabled: false + # When set, this will override an auto-generated URL which matches the falcosidekick Service. + # When including Falco inside a parent helm chart, you must set this since the auto-generated URL won't match (#280). 
+ url: "" + userAgent: "falcosecurity/falco" + + # Falco supports running a gRPC server with two main binding types + # 1. Over the network with mandatory mutual TLS authentication (mTLS) + # 2. Over a local unix socket with no authentication + # By default, the gRPC server is disabled, with no enabled services (see grpc_output) + # please comment/uncomment and change accordingly the options below to configure it. + # Important note: if Falco has any troubles creating the gRPC server + # this information will be logged, however the main Falco daemon will not be stopped. + # gRPC server over network with (mandatory) mutual TLS configuration. + # This gRPC server is secure by default so you need to generate certificates and update their paths here. + # By default the gRPC server is off. + # You can configure the address to bind and expose it. + # By modifying the threadiness configuration you can fine-tune the number of threads (and context) it will use. + grpc: + enabled: false + threadiness: 0 + + # gRPC unix socket with no authentication + unixSocketPath: "unix:///var/run/falco/falco.sock" + + # gRPC over the network (mTLS) / required when unixSocketPath is empty + listenPort: 5060 + privateKey: "/etc/falco/certs/server.key" + certChain: "/etc/falco/certs/server.crt" + rootCerts: "/etc/falco/certs/ca.crt" + + # gRPC output service. + # By default it is off. + # By enabling this all the output events will be kept in memory until you read them with a gRPC client. + # Make sure to have a consumer for them or leave this disabled. + grpcOutput: + enabled: false + + # Container orchestrator metadata fetching params + metadataDownload: + maxMb: 100 + chunkWaitUs: 1000 + watchFreqSec: 1 + +customRules: + {} + # Although Falco comes with a nice default rule set for detecting weird + # behavior in containers, our users are going to customize the run-time + # security rule sets or policies for the specific container images and + # applications they run. 
This feature can be handled in this section. + # + # Example: + # + # rules-traefik.yaml: |- + # [ rule body ] + +# certificates used by webserver and grpc server +# paste certificate content or use helm with --set-file +# or use existing secret containing key, crt, ca as well as pem bundle +certs: + existingSecret: "" + server: + key: "" + crt: "" + ca: + crt: "" + +# Allow Falco to run on Kubernetes 1.6 masters. +tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + +scc: + # true here enabled creation of Security Context Constraints in Openshift + create: true + +# Add initContainers to Falco pod +extraInitContainers: [] + +# Add extra volumes to Falco daemonset +extraVolumes: [] +# - name: optional-rules-volume +# configMap: +# name: falco-rules-optional +# optional: true +# items: +# - key: falco_rules.optional.yaml +# path: falco_rules.optional.yaml + +# Add extra volumeMounts to Falco container in Falco daemonset +extraVolumeMounts: [] +# - mountPath: /etc/falco/rules.optional.d +# name: optional-rules-volume + +falcosidekick: + # enable falcosidekick deployment + enabled: false + fullfqdn: false + # for configuration values, see https://github.com/falcosecurity/charts/blob/master/falcosidekick/values.yaml diff --git a/charts/sumologic/sumologic/2.17.0/charts/fluent-bit/.helmignore b/charts/sumologic/sumologic/2.17.0/charts/fluent-bit/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/fluent-bit/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ 
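Review bot: on the falco values.yaml hunk above, the `httpOutput` block is the first thing to pin down before this subchart ships inside the sumologic parent chart: its own comment says "When including Falco inside a parent helm chart, you must set this since the auto-generated URL won't match (#280)", yet `url: ""` is left empty, so the parent values need to set `falco.falco.httpOutput.url` whenever `httpOutput.enabled` or `falcosidekick.enabled` is switched on, otherwise alerts go to a Service name that does not exist. Second, the privilege defaults are the loosest combination available: `ebpf.enabled: false` plus `leastPrivileged.enabled: false` runs the DaemonSet as a privileged container with the kernel-module driver, and `docker`, `containerd` and `crio` are all `enabled: true`, so all three runtime sockets are mounted into that container regardless of which runtime the node actually uses; the parent chart should override the two unused runtimes to `false` and, on kernels >= 5.8 as the in-file comment states, consider `ebpf.enabled: true` with `leastPrivileged.enabled: true`. Third, `webserver.enabled: true` with `sslEnabled: false` leaves the `/k8s-audit` ingestion endpoint listening in plaintext on 8765 even though `auditLog.enabled: false`; either supply certificates through `certs` and set `sslEnabled: true`, or disable the webserver after checking whether the liveness/readiness probes depend on the `/healthz` endpoint. Two smaller points: `output_timeout: 2000` is the only snake_case key in an otherwise camelCase file (`syscallEventDrops`, `bufferedOutputs`, `jsonOutput`), so confirm the template reads `.Values.falco.output_timeout` or rename it for consistency; and the `tolerations` comment "Allow Falco to run on Kubernetes 1.6 masters" is stale, since clusters that taint control-plane nodes with `node-role.kubernetes.io/control-plane` rather than `node-role.kubernetes.io/master` will not schedule Falco on those nodes unless a second toleration is added.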
diff --git a/charts/sumologic/sumologic/2.17.0/charts/fluent-bit/Chart.yaml b/charts/sumologic/sumologic/2.17.0/charts/fluent-bit/Chart.yaml new file mode 100644 index 000000000..94951e37a --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/fluent-bit/Chart.yaml @@ -0,0 +1,27 @@ +annotations: + artifacthub.io/changes: | + - kind: changed + description: "Update fluent-bit image to 1.9.4." +apiVersion: v1 +appVersion: 1.9.4 +description: Fast and lightweight log processor and forwarder or Linux, OSX and BSD + family operating systems. +home: https://fluentbit.io/ +icon: https://fluentbit.io/assets/img/logo1-default.png +keywords: +- logging +- fluent-bit +- fluentd +maintainers: +- email: eduardo@calyptia.com + name: edsiper +- email: naseem@transit.app + name: naseemkullah +- email: towmeykaw@gmail.com + name: Towmeykaw +- email: steve.hipwell@gmail.com + name: stevehipwell +name: fluent-bit +sources: +- https://github.com/fluent/fluent-bit/ +version: 0.20.2 diff --git a/charts/sumologic/sumologic/2.17.0/charts/fluent-bit/README.md b/charts/sumologic/sumologic/2.17.0/charts/fluent-bit/README.md new file mode 100644 index 000000000..bf95f3c9f --- /dev/null +++ b/charts/sumologic/sumologic/2.17.0/charts/fluent-bit/README.md 
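Review bot: the `description` in the fluent-bit Chart.yaml hunk above carries a typo, "forwarder or Linux, OSX and BSD" should read "forwarder for Linux, OSX and BSD". Since this directory is a vendored copy of the upstream fluent-bit chart at the `version: 0.20.2` pinned here, fix it upstream and re-vendor rather than hand-editing this copy, so the vendored files stay identical to the published release.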
@@ -0,0 +1,57 @@ +# Fluent Bit Helm chart + +[Fluent Bit](https://fluentbit.io) is a fast and lightweight log processor and forwarder or Linux, OSX and BSD family operating systems. + +## Installation + +To add the `fluent` helm repo, run: + +```sh +helm repo add fluent https://fluent.github.io/helm-charts +``` + +To install a release named `fluent-bit`, run: + +```sh +helm install fluent-bit fluent/fluent-bit +``` + +## Chart values + +```sh +helm show values fluent/fluent-bit +``` + +## Using Lua scripts +Fluent Bit allows us to build filter to modify the incoming records using custom [Lua scripts.](https://docs.fluentbit.io/manual/pipeline/filters/lua) + +### How to use Lua scripts with this Chart + +First, you should add your Lua scripts to `luaScripts` in values.yaml, for example: + +```yaml +luaScripts: + filter_example.lua: | + function filter_name(tag, timestamp, record) + -- put your lua code here. + end +``` + +After that, the Lua scripts will be ready to be used as filters. So next step is to add your Fluent bit [filter](https://docs.fluentbit.io/manual/concepts/data-pipeline/filter) to `config.filters` in values.yaml, for example: + +```yaml +config: + filters: | + [FILTER] + Name lua + Match + script /fluent-bit/scripts/filter_example.lua + call filter_name +``` +Under the hood, the chart will: +- Create a configmap using `luaScripts`. +- Add a volumeMounts for each Lua scripts using the path `/fluent-bit/scripts/
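Review bot: the `[FILTER]` example in the Lua section of this README hunk shows `Match` with no pattern after it as rendered here; confirm the file actually reads `Match *` (or a specific tag), because a filter whose match pattern is missing will not be applied to the intended records, and a reader copying the snippet verbatim will get a silently inert Lua filter. The intro also repeats the "forwarder or Linux" typo from Chart.yaml, and the Lua section has grammar slips ("allows us to build filter", "add a volumeMounts for each Lua scripts"). The hunk is cut off mid-sentence at "/fluent-bit/scripts/" in this view, so the remainder of the README cannot be reviewed from here. As with Chart.yaml, prefer fixing these upstream and re-vendoring over editing the copied file.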