
rules of k8saudit-eks plugin use lists defined in falco_rules.yaml, not possible to overwrite

Open jtl-novatec opened this issue 1 year ago • 5 comments

Describe the bug

When I looked at the k8s_audit_rules.yaml of my falco deployment (uses the k8saudit-eks plugin), I noticed that there are rules that use variables which aren't defined anywhere. For example:

  • falco_privileged_images -> only exists inside falco_rules.yaml
  • falco_sensitive_mount_images -> doesn't get defined anywhere (there is only a comment about it in falco_rules.yaml)

The rules_file example of the plugin's documentation suggests that you don't mount falco_rules.yaml in the deployment. Therefore, users cannot specify an overwrite to append items to that list.

Expected behaviour

The following commit seems to be related to this problem as it tries to introduce / rename lists from falco_ to k8s_audit_. The current version of the rules files already addresses this problem (see). However, it looks like the k8saudit-eks plugin hasn't been updated accordingly.

Environment

Kubernetes via Helm Chart falco-4.3.0

jtl-novatec avatar Apr 19 '24 13:04 jtl-novatec
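The report above describes rules whose conditions name lists that no loaded rules file defines. Added here as an illustration (not code from the issue, the Falco project or the k8saudit plugins) is a small checker that walks a set of parsed rules files, collects every `list` and `macro` defined anywhere, and reports rules or macros whose conditions reference a bare name that is never defined. The rules data is a constructed stand-in for k8s_audit_rules.yaml (it only borrows the two list names from the report, `falco_privileged_images` and `falco_sensitive_mount_images`); the documents are given as already-parsed Python structures in the shape `yaml.safe_load` would produce, and the tokenizer assumes string literals in conditions are quoted. It also shows the mitigation a deployment that does not mount falco_rules.yaml needs: a local override file that defines the missing lists.

```python
"""Flag Falco rule/macro conditions that reference lists or macros no loaded
rules file defines. Constructed example; not Falco's own rules loader."""
import re

# Words that may appear bare in a Falco condition without being a list/macro.
CONDITION_KEYWORDS = {
    "and", "or", "not", "in", "intersects", "pmatch", "exists", "contains",
    "icontains", "startswith", "endswith", "glob", "regex", "true", "false",
}

STRING_RE = re.compile(r'"[^"]*"|\'[^\']*\'')      # quoted literals
BRACKET_RE = re.compile(r"\[[^\]]*\]")               # jevt.value[/stage] indexes
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")    # fields, keywords, names


def referenced_names(condition):
    """Return the bare identifiers a condition refers to: macros and lists.
    Dotted tokens are field accesses (ka.*, container.*) and are skipped."""
    text = BRACKET_RE.sub(" ", STRING_RE.sub(" ", condition))
    names = set()
    for tok in IDENT_RE.findall(text):
        if "." in tok or tok.lower() in CONDITION_KEYWORDS:
            continue
        names.add(tok)
    return names


def undefined_references(documents):
    """documents: parsed rules files, each a list of top-level items.
    Returns {rule_or_macro_name: [undefined names...]} across all files,
    so a list defined in a later override file counts as defined."""
    lists, macros, rules = set(), {}, {}
    for doc in documents:
        for item in doc:
            if "list" in item:
                lists.add(item["list"])
            elif "macro" in item:
                macros[item["macro"]] = item["condition"]
            elif "rule" in item:
                rules[item["rule"]] = item["condition"]
    defined = lists | set(macros)
    missing = {}
    for name, cond in list(macros.items()) + list(rules.items()):
        unresolved = referenced_names(cond) - defined
        if unresolved:
            missing[name] = sorted(unresolved)
    return missing


# Constructed stand-in for k8s_audit_rules.yaml: two rules name lists that
# this file never defines (only the list names are taken from the report).
K8S_AUDIT_RULES = [
    {"required_engine_version": 15},
    {"macro": "kevt", "condition": 'jevt.value[/stage] in ("ResponseComplete")'},
    {"macro": "pod", "condition": 'ka.target.resource = "pods" and not ka.target.subresource exists'},
    {"macro": "kcreate", "condition": 'ka.verb = "create"'},
    {"macro": "sensitive_vol_mount",
     "condition": 'ka.req.pod.volumes.hostpath intersects ("/proc", "/var/run/docker.sock")'},
    {"rule": "Create Privileged Pod",
     "desc": "Detect an attempt to start a pod with a privileged container",
     "condition": ("kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) "
                   "and not ka.req.pod.containers.image.repository in (falco_privileged_images)"),
     "output": "Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name)",
     "priority": "WARNING"},
    {"rule": "Create Sensitive Mount Pod",
     "desc": "Detect an attempt to start a pod with a volume from a sensitive host directory",
     "condition": ("kevt and pod and kcreate and sensitive_vol_mount "
                   "and not ka.req.pod.containers.image.repository in (falco_sensitive_mount_images)"),
     "output": "Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name)",
     "priority": "WARNING"},
]

# Constructed local override file: defines the two lists so the k8saudit rules
# resolve without mounting falco_rules.yaml. Image names are placeholders.
LOCAL_OVERRIDES = [
    {"list": "falco_privileged_images", "items": ["docker.io/example/privileged-agent"]},
    {"list": "falco_sensitive_mount_images", "items": ["docker.io/example/node-exporter"]},
]


if __name__ == "__main__":
    print("without override:", undefined_references([K8S_AUDIT_RULES]))
    print("with override:   ", undefined_references([K8S_AUDIT_RULES, LOCAL_OVERRIDES]))
```

Running the checker over only the audit rules reports both rules with their missing list; adding the override document to the set of loaded files clears the report. Because Falco resolves names across every file it loads, the override only needs to define the lists, not copy the rules.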

Hopefully #468 fixes this as well, as this seems to be related to the standard k8saudit rules.

sboschman avatar Apr 22 '24 07:04 sboschman

https://github.com/falcosecurity/plugins/blob/4494313fc7a2d0272f5f865da0734b84303f4a2e/plugins/k8saudit-eks/pkg/k8sauditeks/k8sauditeks.go#L66

The EKS audit plugin has a similar version property, does this have to be bumped as well?

jtl-novatec avatar Apr 22 '24 08:04 jtl-novatec

I don't think so, as the k8saudit-eks plugin itself defines no rules. It uses the default k8saudit rules (from the k8saudit plugin).

falcosecurity	k8saudit              	plugin   	ghcr.io 	falcosecurity/plugins/plugin/k8saudit
falcosecurity	k8saudit-eks          	plugin   	ghcr.io 	falcosecurity/plugins/plugin/k8saudit-eks
falcosecurity	k8saudit-gke          	plugin   	ghcr.io 	falcosecurity/plugins/plugin/k8saudit-gke
falcosecurity	k8saudit-gke-rules    	rulesfile	ghcr.io 	falcosecurity/plugins/ruleset/k8saudit-gke
falcosecurity	k8saudit-rules        	rulesfile	ghcr.io 	falcosecurity/plugins/ruleset/k8saudit

sboschman avatar Apr 22 '24 08:04 sboschman

Exactly, the k8saudit-eks plugin relies on the k8saudit-rules. By installing the latest version, it should be ok thanks to @sboschman.

Issif avatar Apr 24 '24 17:04 Issif

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Jul 23 '24 22:07 poiana

can we close this issue? thanks

Issif avatar Aug 20 '24 14:08 Issif

yes

jtl-novatec avatar Aug 21 '24 07:08 jtl-novatec