feat: add falco-security

cluster/apps/falco-system/falco-exporter/helm-release.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: falco-exporter
+  namespace: falco-system
+spec:
+  interval: 5m
+  chart:
+    spec:
+      # renovate: registryUrl=https://falcosecurity.github.io/charts
+      chart: falco-exporter
+      version: 0.5.1
+      sourceRef:
+        kind: HelmRepository
+        name: falco-security-charts
+        namespace: flux-system
+      interval: 5m
+  values:
+    serviceMonitor:
+      enabled: true
+    grafanaDashboard:
+      enabled: true
+      namespace: falco-system
+    tolerations:
+    - effect: NoSchedule
+      operator: Exists

cluster/apps/falco-system/falco-exporter/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- helm-release.yaml

cluster/apps/falco-system/falco/helm-release.yaml

@@ -0,0 +1,76 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: falco
+  namespace: falco-system
+spec:
+  interval: 5m
+  chart:
+    spec:
+      # renovate: registryUrl=https://falcosecurity.github.io/charts
+      chart: falco
+      version: 1.10.0
+      sourceRef:
+        kind: HelmRepository
+        name: falco-security-charts
+        namespace: flux-system
+      interval: 5m
+  values:
+    timezone: "Europe/Paris"
+    containerd:
+      enabled: true
+      socket: /var/run/k3s/containerd/containerd.sock
+    docker:
+      enabled: false
+    ebpf:
+      enabled: true
+      settings:
+        hostNetwork: true
+    falco:
+      grpc:
+        enabled: true
+      grpcOutput:
+        enabled: true
+    tolerations:
+    - effect: NoSchedule
+      operator: Exists
+    # https://securityhub.dev/
+    customRules:
+      rules-admin-activities.yaml: |-
+        - rule: Detect su or sudo
+          desc: detect sudo activities
+          condition:
+            spawned_process and proc.name in (sudo, su)
+          output: >
+            Detected sudo or su privilege escalation activity (user=%user.name command=%proc.cmdline)
+          priority: WARNING
+          tags: [process]
+        - rule: Package Management Launched
+          desc: detect package management launched
+          condition: >
+            spawned_process and user.name != "_apt" and package_mgmt_procs and not package_mgmt_ancestor_procs
+          output: >
+            Package management process launched in container (user=%user.name
+            command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
+          priority: ERROR
+          tags: [process]
+      rules-ssh-connections.yaml: |-
+        - rule: Inbound SSH Connection
+          desc: Detect Inbound SSH Connection
+          condition: >
+            ((evt.type in (accept,listen) and evt.dir=<) or
+              (evt.type in (recvfrom,recvmsg))) and ssh_port
+          output: >
+            Inbound SSH connection (user=%user.name client_ip=%fd.cip client_port=%fd.cport server_ip=%fd.sip)
+          priority: WARNING
+          tags: [network]
+        - rule: Outbound SSH Connection
+          desc: Detect Outbound SSH Connection
+          condition: >
+            ((evt.type = connect and evt.dir=<) or
+              (evt.type in (sendto,sendmsg))) and ssh_port
+          output: >
+            Outbound SSH connection (user=%user.name server_ip=%fd.sip server_port=%fd.sport client_ip=%fd.cip)
+          priority: WARNING
+          tags: [network]

cluster/apps/falco-system/falco/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- helm-release.yaml

cluster/apps/falco-system/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- falco
+- falco-exporter

cluster/apps/kustomization.yaml

@@ -3,6 +3,7 @@ kind: Kustomization
 resources:
   - data
   - development
+  - falco-system
   - home
   - kasten-io
   - media

cluster/core/namespaces/falco-system.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: falco-system

cluster/core/namespaces/kustomization.yaml

@@ -5,6 +5,7 @@ resources:
   - data.yaml
   - default.yaml
   - development.yaml
+  - falco-system.yaml
   - flux-system.yaml
   - home.yaml
   - kasten-io.yaml