Kubernetes Audit Events
Motivation
To enable Kubernetes audit events in cloud environments
Feature
How do we enable Kubernetes audit events in clouds like AWS, Azure and GCP?
Hello,
A few months ago, we introduced plugins to extend the number of inputs for Falco. We have already prepared a plugin to replace the current implementation for audit logs, and the plugins for managed k8s will follow in the next weeks.
Hi, I am working with falco-1.19.0. Once I have enabled the k8saudit plugin, I see the error below, and I do not see this plugin available with the version mentioned in the drivers folder. Can someone upload the file?
```
[SUCCESS] Cleaning phase correctly terminated.
================ Cleaning phase ================
- Looking for a falco module locally (kernel 4.18.0-1.2007201736.el7_7.emrs.altmvl.x86_64)
- Trying to download a prebuilt falco module from https://download.falco.org/driver/39ae7d40496793cf3d3e7890c9bbdc202263836b/falco_centos_4.18.0-1.2007201736.el7_7.emrs.altmvl.x86_64_1.ko
curl: (22) The requested URL returned error: 404
Unable to find a prebuilt falco module
- Trying to dkms install falco module with GCC /usr/bin/gcc DIRECTIVE: MAKE="'/tmp/falco-dkms-make'"
```
I'm getting the following error when I try to enable auditlog
```
2022-06-13T19:32:30.575962573Z
- Setting up /usr/src links from host
- Running falco-driver-loader for: falco version=0.32.0, driver version=39ae7d40496793cf3d3e7890c9bbdc202263836b
- Running falco-driver-loader with: driver=bpf, compile=yes, download=yes
- Mounting debugfs
- Trying to download a prebuilt eBPF probe from https://download.falco.org/driver/39ae7d40496793cf3d3e7890c9bbdc202263836b/falco_amazonlinux2_5.4.156-83.273.amzn2.x86_64_1.o
- Skipping compilation, eBPF probe is already present in /root/.falco/falco_amazonlinux2_5.4.156-83.273.amzn2.x86_64_1.o
- eBPF probe located in /root/.falco/falco_amazonlinux2_5.4.156-83.273.amzn2.x86_64_1.o
- Success: eBPF probe symlinked to /root/.falco/falco-bpf.o
Mon Jun 13 19:35:15 2022: Falco version 0.32.0 (driver version 39ae7d40496793cf3d3e7890c9bbdc202263836b)
Mon Jun 13 19:35:15 2022: Falco initialized with configuration file /etc/falco/falco.yaml
Mon Jun 13 19:35:15 2022: Loading plugin (k8saudit) from file /usr/share/falco/plugins/libk8saudit.so
Mon Jun 13 19:35:15 2022: Loading rules from file /etc/falco/falco_rules.yaml:
Mon Jun 13 19:35:15 2022: Loading rules from file /etc/falco/falco_rules.local.yaml:
Mon Jun 13 19:35:16 2022: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
Error: Could not load rules file /etc/falco/k8s_audit_rules.yaml: 1 errors:
Rule Disallowed K8s User: error filter_check called with nonexistent field jevt.value[/stage]
```
```yaml
- rule: Disallowed K8s User
  desc: Detect any k8s operation by users outside of an allowed set of users.
  condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users) and not ka.user.name in (eks_allowed_k8s_users)
  output: K8s Operation performed by user not in allowed list of users (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
```
```yaml
# In a local/user rules file, you could override this macro to
# explicitly enumerate the container images that you want to run in
# your environment. In this main falco rules file, there isn't any way
# to know all the containers that can run, so any container is
# allowed, by using the always_true macro. In the overridden macro, the condition
# would look something like (ka.req.pod.containers.image.repository in (my-repo/my-image))
```
@eric-engberg Can you add your configurations (i.e. values.yaml) when you enable audit logs?
https://gist.github.com/eric-engberg/899e8d19de0c400c5ec4223dece6aad3
@eric-engberg I ran into the same issue. The problem was solved after I enabled the json plugin too.
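The field the error names, `jevt.value[/stage]`, is supplied by the json plugin while the `ka.*` fields come from k8saudit, so the shipped k8s_audit_rules.yaml only loads when both plugins are enabled. As an added illustration (not a config from this issue, the gist or the chart), here is the plugin section of /etc/falco/falco.yaml with the incomplete setting beside the working one; the library file names and the open_params listener address are assumptions:

```yaml
# Added example, not from the issue thread. Plugin section of /etc/falco/falco.yaml.
# k8s_audit_rules.yaml uses two field families:
#   ka.*            -> extracted by the k8saudit plugin
#   jevt.value[..]  -> extracted by the json plugin
# With only k8saudit loaded, jevt.* is undefined and rule loading fails with
# "filter_check called with nonexistent field jevt.value[/stage]".

# --- incomplete: only the event-source plugin is loaded ---
# plugins:
#   - name: k8saudit
#     library_path: libk8saudit.so
#     open_params: "http://:9765/k8s-audit"
# load_plugins: [k8saudit]

# --- working: the json field-extractor plugin is loaded as well ---
plugins:
  - name: k8saudit
    library_path: libk8saudit.so          # resolved under /usr/share/falco/plugins (assumed)
    init_config: ""
    open_params: "http://:9765/k8s-audit" # assumed address of the audit webhook listener
  - name: json
    library_path: libjson.so              # assumed file name of the json plugin
    init_config: ""
load_plugins: [k8saudit, json]

rules_file:
  - /etc/falco/falco_rules.yaml
  - /etc/falco/falco_rules.local.yaml
  - /etc/falco/k8s_audit_rules.yaml
```

After restarting Falco, the "Loading rules from file /etc/falco/k8s_audit_rules.yaml" step should complete without the nonexistent-field error.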
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle rotten
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Provide feedback via https://github.com/falcosecurity/community.
/close
@poiana: Closing this issue.