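---
# Helmfile, step 3: deploy Falco (runtime threat detection) with Falcosidekick
# and its web UI, plus kube-prometheus-stack configured to scrape Falcosidekick
# metrics. Both releases use `atomic: true` so a failed upgrade is rolled back
# instead of leaving a half-applied release.
#
# NOTE(review): neither release pins a chart `version:`. Without a pin every
# `helmfile apply` resolves the newest chart in the index, so an upstream chart
# change (new defaults, new images, new RBAC) lands unreviewed. Pin both charts
# to a reviewed version and bump deliberately.
repositories:
  # Both indexes are fetched over HTTPS; keep it that way.
  - name: falcosecurity
    url: https://falcosecurity.github.io/charts
  - name: prometheus-community
    url: https://prometheus-community.github.io/helm-charts

releases:
  - name: falco
    namespace: falco
    chart: falcosecurity/falco
    atomic: true
    values:
      # Give the Falco container a TTY (presumably for unbuffered stdout output
      # -- confirm against the chart's values.yaml).
      - tty: true
      - falcosidekick:
          enabled: true
          webui:
            # NOTE(review): no credentials or ingress restrictions are set here,
            # so the UI runs with whatever the chart defaults to. Set explicit
            # credentials and limit access (NetworkPolicy / no public ingress)
            # before exposing it beyond the cluster -- verify against the chart.
            enabled: true
      - customRules:
          # NOTE(review): `proc.name = "busybox"` matches only when busybox is
          # invoked under that name. Containers that run it via symlinks
          # (/bin/sh -> busybox) report proc.name as "sh", so such shells would
          # presumably not trigger this rule; confirm against live events and
          # widen the match if that coverage is intended.
          custom-busybox-rule.yaml: |-
            - rule: Terminal busybox instance in container
              desc: A busybox instance was used as the entrypoint/exec point into a container with an attached terminal.
              condition: >
                spawned_process and container
                and proc.name = "busybox"
                and proc.tty != 0
                and container_entrypoint
                and not user_expected_terminal_shell_in_container_conditions
              output: >
                A BUSYBOX instance was spawned in a container with an attached terminal (user=%user.name user_loginuid=%user.loginuid %container.info
                shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline pid=%proc.pid terminal=%proc.tty container_id=%container.id image=%container.image.repository)
              priority: WARNING
              tags: [container, shell, mitre_execution, T1059]
          # Suppress "Contact K8S API Server From Container" for the Grafana
          # dashboard sidecar only. The exception is scoped on three fields at
          # once (namespace == prometheus, pod name prefix, image repository),
          # so a pod in another namespace or with a different image still alerts.
          # The image match is by repository, not tag/digest, so it does not pin
          # a specific sidecar build.
          exception_prometheus_rule.yaml: |-
            - rule: Contact K8S API Server From Container
              append: true
              exceptions:
                - name: local_prometheus_exception
                  fields: [k8s.ns.name, k8s.pod.name, container.image.repository]
                  comps: [=, startswith, in]
                  values:
                    - [prometheus, prometheus-grafana-, [quay.io/kiwigrid/k8s-sidecar]]

  - name: prometheus
    namespace: prometheus
    chart: prometheus-community/kube-prometheus-stack
    atomic: true
    values:
      - prometheus:
          prometheusSpec:
            additionalScrapeConfigs:
              # Scrape Falcosidekick's metrics endpoint in the falco namespace.
              # This is plain HTTP with no auth: acceptable for cluster-internal
              # traffic, but restrict who can reach port 2801 (NetworkPolicy)
              # rather than relying on the endpoint being unlisted.
              - job_name: 'falco'
                scrape_interval: 30s
                scrape_timeout: 10s
                metrics_path: /metrics
                scheme: http
                static_configs:
                  - targets: ['falco-falcosidekick.falco:2801']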