- rule: Write below binary dir
  desc: an attempt to write to any file below a set of binary directories
  condition: >
    bin_dir and open_write
  output: >
    File below a known binary directory opened for writing
    (user=%user.name command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2])
  priority: ERROR
  tags: [filesystem]

In this case the rule fires whenever something tries to open a file under bin_dir with write access. Note that bin_dir is defined elsewhere (as a macro) and corresponds to /bin, /sbin, /usr/bin and /usr/sbin.

HOW TO MONITOR?

# Falco log
11:46:38.977124899: Error File below a known binary directory opened for writing (user=root command=touch /usr/bin/you_are_shock file=/usr/bin/you_are_shock parent=sudo pcmdline=sudo touch /usr/bin/you_are_shock gparent=bash)

This is how the detection is reported.
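To make the rule's semantics concrete, here is an added Python model of the `bin_dir and open_write` condition. It is example code written for this page, not Falco's implementation: it assumes bin_dir matches the file's parent directory against the four directories listed above, and open_write on the access mode passed to open(2). The sample events are constructed; the first one reproduces the `touch` test from the slide.

```python
import os
from dataclasses import dataclass
from typing import Optional

# Directories the slide says the bin_dir macro covers. Matching on the file's
# parent directory is an assumption of this model, not Falco's own code.
BIN_DIRS = frozenset({"/bin", "/sbin", "/usr/bin", "/usr/sbin"})

# Access-mode mask of open(2); fall back to the Linux value if the platform lacks it.
O_ACCMODE = getattr(os, "O_ACCMODE", 3)


@dataclass(frozen=True)
class OpenEvent:
    """Minimal model of an open() syscall event with the fields the rule prints."""
    user: str      # %user.name
    cmdline: str   # %proc.cmdline
    path: str      # %fd.name
    flags: int     # flags argument of open(2)
    parent: str    # %proc.pname


def is_open_write(flags: int) -> bool:
    """open_write macro: the descriptor was opened for writing (O_WRONLY or
    O_RDWR). O_CREAT on its own does not count."""
    return (flags & O_ACCMODE) in (os.O_WRONLY, os.O_RDWR)


def is_bin_dir(path: str) -> bool:
    """bin_dir macro: the file's parent directory is one of BIN_DIRS.
    The path is normalised first so that /usr/bin/../bin/x still counts."""
    return os.path.dirname(os.path.normpath(path)) in BIN_DIRS


def write_below_binary_dir(ev: OpenEvent) -> Optional[str]:
    """Evaluate `condition: bin_dir and open_write`. Returns the alert text in
    the rule's output format when the rule fires, otherwise None."""
    if is_bin_dir(ev.path) and is_open_write(ev.flags):
        return ("File below a known binary directory opened for writing "
                f"(user={ev.user} command={ev.cmdline} file={ev.path} parent={ev.parent})")
    return None


# Constructed sample events (not real captures).
SAMPLE_EVENTS = [
    OpenEvent("root", "touch /usr/bin/you_are_shock", "/usr/bin/you_are_shock",
              os.O_WRONLY | os.O_CREAT, "sudo"),                              # the slide's test
    OpenEvent("alice", "cat /usr/bin/ls", "/usr/bin/ls", os.O_RDONLY, "bash"),  # read only: no alert
    OpenEvent("alice", "vi /tmp/notes", "/tmp/notes", os.O_RDWR, "bash"),       # not a bin dir
    OpenEvent("root", "cp x /usr/bin/../bin/evil", "/usr/bin/../bin/evil",
              os.O_RDWR, "bash"),                                              # traversal normalised
    OpenEvent("root", "sh", "/usr/bin/sub/x", os.O_WRONLY, "bash"),           # parent is /usr/bin/sub
]


def fired_files(events=SAMPLE_EVENTS):
    """Return the %fd.name of every event for which the rule fires."""
    return [ev.path for ev in events if write_below_binary_dir(ev) is not None]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.path, "->", write_below_binary_dir(ev))
```

The last sample event shows a caveat of matching on the parent directory: a file in a nested subdirectory such as /usr/bin/sub/x is not caught by this model, so anyone relying on the rule should check how their own bin_dir macro is written.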
K8S AUDIT LOGGING

apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn't match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods", "deployments"]
...

--audit-policy-file=/etc/falco/audit-policy.yaml

After that, all that remains is to fire the audit log. When the "demo" user runs kubectl get deployment, the notification looks like this:

10:20:20.540762112: Warning K8s Operation performed by user not in allowed list of users (user=demo target=<NA>/deployments verb=list uri=/apis/extensions/v1beta1/namespaces/default/deployments?limit=500 resp=200)

See? Easy, right?
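The two alert lines on these slides (the syscall-rule alert from the Falco log and the K8s audit alert above) are what an alerting pipeline or SIEM has to consume. Below is an added Python parser for Falco's text output, written for this page and not part of Falco. It assumes the `<time>: <Priority> <message> (key=value ...)` layout shown on the slides; the priority order is Falco's standard list, and the sample lines are copied from the slides. The field parser deals with the two awkward cases visible there: values containing spaces (command lines) and values containing `=` (the query string in the URI).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Falco's priority names, most severe first (used to filter events by severity).
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]

# "<time>: <Priority> <message> (<key>=<value> ...)" as printed on the slides.
_LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+): (?P<prio>\w+) (?P<msg>.*?) \((?P<fields>.*)\)$")
# A value runs until the next " key=" token or the end of the string, so values
# containing spaces (command lines) or "=" (query strings) survive intact.
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


@dataclass
class FalcoEvent:
    time: str
    priority: str
    message: str
    fields: Dict[str, str] = field(default_factory=dict)


def parse_falco_line(line: str) -> FalcoEvent:
    """Parse one line of Falco's text output into its parts."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Falco output line: {line!r}")
    fields = dict(_FIELD_RE.findall(m.group("fields")))
    return FalcoEvent(m.group("time"), m.group("prio"), m.group("msg"), fields)


def at_least(events: List[FalcoEvent], priority: str) -> List[FalcoEvent]:
    """Keep events whose priority is `priority` or more severe."""
    cutoff = PRIORITIES.index(priority)
    return [e for e in events if PRIORITIES.index(e.priority) <= cutoff]


# The two lines shown on the slides (the syscall rule and the K8s audit rule).
SAMPLE_LINES = [
    "11:46:38.977124899: Error File below a known binary directory opened for writing "
    "(user=root command=touch /usr/bin/you_are_shock file=/usr/bin/you_are_shock "
    "parent=sudo pcmdline=sudo touch /usr/bin/you_are_shock gparent=bash)",
    "10:20:20.540762112: Warning K8s Operation performed by user not in allowed list of users "
    "(user=demo target=<NA>/deployments verb=list "
    "uri=/apis/extensions/v1beta1/namespaces/default/deployments?limit=500 resp=200)",
]


def parse_samples() -> List[FalcoEvent]:
    """Parse the slide's sample lines."""
    return [parse_falco_line(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for ev in parse_samples():
        print(ev.priority, ev.message, ev.fields)
```

With the fields split out, routing becomes a dictionary lookup: for the syscall alert `fields["file"]` and `fields["gparent"]` identify what was written and who launched the writer, and for the audit alert `fields["user"]` and `fields["verb"]` say which identity performed which API operation.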