From 4998f57d81a799a883cab05f9cfb796473a9e6f0 Mon Sep 17 00:00:00 2001
From: auricom
Date: Sat, 24 Apr 2021 01:56:42 +0200
Subject: [PATCH] feat: add falco-security
---
 .../falco-exporter/helm-release.yaml | 27 +++++++
 .../falco-exporter/kustomization.yaml | 4 +
 .../apps/falco-system/falco/helm-release.yaml | 76 +++++++++++++++++++
 .../falco-system/falco/kustomization.yaml | 4 +
 cluster/apps/falco-system/kustomization.yaml | 5 ++
 cluster/apps/kustomization.yaml | 1 +
 cluster/core/namespaces/falco-system.yaml | 5 ++
 cluster/core/namespaces/kustomization.yaml | 1 +
 8 files changed, 123 insertions(+)
 create mode 100644 cluster/apps/falco-system/falco-exporter/helm-release.yaml
 create mode 100644 cluster/apps/falco-system/falco-exporter/kustomization.yaml
 create mode 100644 cluster/apps/falco-system/falco/helm-release.yaml
 create mode 100644 cluster/apps/falco-system/falco/kustomization.yaml
 create mode 100644 cluster/apps/falco-system/kustomization.yaml
diff --git a/cluster/apps/falco-system/falco-exporter/helm-release.yaml b/cluster/apps/falco-system/falco-exporter/helm-release.yaml
new file mode 100644
index 000000000..63b46aee0
--- /dev/null
+++ b/cluster/apps/falco-system/falco-exporter/helm-release.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: falco-exporter
+ namespace: falco-system
+spec:
+ interval: 5m
+ chart:
+ spec:
+ # renovate: registryUrl=https://falcosecurity.github.io/charts
+ chart: falco-exporter
+ version: 0.5.1
+ sourceRef:
+ kind: HelmRepository
+ name: falco-security-charts
+ namespace: flux-system
+ interval: 5m
+ values:
+ serviceMonitor:
+ enabled: true
+ grafanaDashboard:
+ enabled: true
+ namespace: falco-system
+ tolerations:
+ - effect: NoSchedule
+ operator: Exists
diff --git a/cluster/apps/falco-system/falco-exporter/kustomization.yaml b/cluster/apps/falco-system/falco-exporter/kustomization.yaml
new file mode 100644
index 000000000..db69d0013
--- /dev/null
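Review bot: The falco-exporter HelmRelease declares no `dependsOn` on the `falco` HelmRelease in the same namespace, so Flux is free to reconcile the exporter first; since the exporter (as far as I recall) consumes Falco's gRPC output through a node-local socket, its pods will restart until the falco DaemonSet is up on each node. Ordering the two releases is two lines under `spec`: `dependsOn:` / `  - name: falco`. Both releases also reference a `HelmRepository` named `falco-security-charts` in `flux-system` that this patch does not create, so it presumably exists already — worth confirming before merge, as a missing source leaves both HelmReleases stuck in a not-ready state. `grafanaDashboard.namespace: falco-system` assumes the Grafana sidecar watches all namespaces; a short comment such as `# dashboard ConfigMap is created here; Grafana's sidecar must watch this namespace` would save the next reader a trip to the chart.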
+++ b/cluster/apps/falco-system/falco-exporter/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- helm-release.yaml
\ No newline at end of file
diff --git a/cluster/apps/falco-system/falco/helm-release.yaml b/cluster/apps/falco-system/falco/helm-release.yaml
new file mode 100644
index 000000000..727cfe714
--- /dev/null
+++ b/cluster/apps/falco-system/falco/helm-release.yaml
@@ -0,0 +1,76 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: falco
+ namespace: falco-system
+spec:
+ interval: 5m
+ chart:
+ spec:
+ # renovate: registryUrl=https://falcosecurity.github.io/charts
+ chart: falco
+ version: 1.10.0
+ sourceRef:
+ kind: HelmRepository
+ name: falco-security-charts
+ namespace: flux-system
+ interval: 5m
+ values:
+ timezone: "Europe/Paris"
+ containerd:
+ enabled: true
+ socket: /var/run/k3s/containerd/containerd.sock
+ docker:
+ enabled: false
+ ebpf:
+ enabled: true
+ settings:
+ hostNetwork: true
+ falco:
+ grpc:
+ enabled: true
+ grpcOutput:
+ enabled: true
+ tolerations:
+ - effect: NoSchedule
+ operator: Exists
+ # https://securityhub.dev/
+ customRules:
+ rules-admin-activities.yaml: |-
+ - rule: Detect su or sudo
+ desc: detect sudo activities
+ condition:
+ spawned_process and proc.name in (sudo, su)
+ output: >
+ Detected sudo or su privilege escalation activity (user=%user.name command=%proc.cmdline)
+ priority: WARNING
+ tags: [process]
+ - rule: Package Management Launched
+ desc: detect package management launched
+ condition: >
+ spawned_process and user.name != "_apt" and package_mgmt_procs and not package_mgmt_ancestor_procs
+ output: >
+ Package management process launched in container (user=%user.name
+ command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
+ priority: ERROR
+ tags: [process]
+ rules-ssh-connections.yaml: |-
+ - rule: Inbound SSH Connection
+ desc: Detect Inbound SSH Connection
+ condition: >
+ ((evt.type in (accept,listen) and evt.dir=<) or
+ (evt.type in (recvfrom,recvmsg))) and ssh_port
+ output: >
+ Inbound SSH connection (user=%user.name client_ip=%fd.cip client_port=%fd.cport server_ip=%fd.sip)
+ priority: WARNING
+ tags: [network]
+ - rule: Outbound SSH Connection
+ desc: Detect Outbound SSH Connection
+ condition: >
+ ((evt.type = connect and evt.dir=<) or
+ (evt.type
in (sendto,sendmsg))) and ssh_port
+ output: >
+ Outbound SSH connection (user=%user.name server_ip=%fd.sip server_port=%fd.sport client_ip=%fd.cip)
+ priority: WARNING
+ tags: [network]
\ No newline at end of file
diff --git a/cluster/apps/falco-system/falco/kustomization.yaml b/cluster/apps/falco-system/falco/kustomization.yaml
new file mode 100644
index 000000000..db69d0013
--- /dev/null
+++ b/cluster/apps/falco-system/falco/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- helm-release.yaml
\ No newline at end of file
diff --git a/cluster/apps/falco-system/kustomization.yaml b/cluster/apps/falco-system/kustomization.yaml
new file mode 100644
index 000000000..33c239819
--- /dev/null
+++ b/cluster/apps/falco-system/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- falco
+- falco-exporter
\ No newline at end of file
diff --git a/cluster/apps/kustomization.yaml b/cluster/apps/kustomization.yaml
index 8a880cd9d..05e765206 100644
--- a/cluster/apps/kustomization.yaml
+++ b/cluster/apps/kustomization.yaml
@@ -3,6 +3,7 @@ kind: Kustomization
 resources:
 - data
 - development
+ - falco-system
 - home
 - kasten-io
 - media
diff --git a/cluster/core/namespaces/falco-system.yaml b/cluster/core/namespaces/falco-system.yaml
index e69de29bb..1d5d00dad 100644
--- a/cluster/core/namespaces/falco-system.yaml
+++ b/cluster/core/namespaces/falco-system.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: falco-system
diff --git a/cluster/core/namespaces/kustomization.yaml b/cluster/core/namespaces/kustomization.yaml
index b97d7ef4b..83ea24b96 100644
--- a/cluster/core/namespaces/kustomization.yaml
+++ b/cluster/core/namespaces/kustomization.yaml
@@ -5,6 +5,7 @@ resources:
 - data.yaml
 - default.yaml
 - development.yaml
+ - falco-system.yaml
 - flux-system.yaml
 - home.yaml
 - kasten-io.yaml
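Review bot: The `Package Management Launched` rule's output says "in container" and prints `%container.id`/`%container.name`/`%container.image.*`, but its condition carries no `container` predicate, so on this node-wide DaemonSet it also fires at ERROR priority for host-level apt/yum runs (node upgrades, operator shells) with those fields rendered as `<NA>`; either add the predicate — `spawned_process and container and user.name != "_apt" and package_mgmt_procs and not package_mgmt_ancestor_procs` — or reword the output so the alert is not misread as a container escape. The two SSH rules also match every `recvfrom`/`recvmsg` and `sendto`/`sendmsg` on a port-22 socket with no direction or process filter, so a single interactive session re-emits the WARNING on each syscall; keeping only the `accept`/`connect` exit branch (`evt.dir=<`) gives one alert per connection, which is what the `desc` lines promise. All four rules depend on macros from the bundled default ruleset (`spawned_process`, `package_mgmt_procs`, `package_mgmt_ancestor_procs`, `ssh_port`); in my experience Falco refuses to start when a custom rules file references an undefined macro, so re-validate the rules after each Renovate bump of `version: 1.10.0`. Finally, `ebpf.settings.hostNetwork: true` deserves an inline comment stating why the sensor needs the host network namespace, since a reader cannot tell from this file whether the eBPF probe requires it or it was copied from the chart defaults.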