eks audit plugin shows events for system users.

[eric-engberg]

Describe the bug

the eks audit plugin is emitting events for "disallowed k8s user" for system users. There are rules to exclude system users but they are apparently not being honored.

User is system:node:ip-10-30-63-166.ec2.internal

How to reproduce it

Deploy falco with only the eks k8s plugin enabled using the falco 4.2.4 helm chart.

Expected behaviour

Events done by system users should be ignored.

Screenshots

Environment

• Falco version: falco-no-driver:0.37.1
• System info:

  {
  "machine": "x86_64",
  "nodename": "falco-audit-7f6dc75785-srq7t",
  "release": "6.1.77",
  "sysname": "Linux",
  "version": "#1 SMP PREEMPT_DYNAMIC Fri Feb 23 02:26:25 UTC 2024"
  }

• Cloud provider or hardware configuration: AWS EKS
• OS: Bottlerocket
• Kernel:
• Installation method: Helm

Additional context

[eric-engberg]

Anyone got any ideas here? anyone else experiencing this?

[Issif]

Hi,

This alert is totally legit, it indicates the credentials of the node are used to reached the K8s API. If you take a look at the EKS documentation, it's pretty clear: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-remediate-kubernetes.html#compromised-kubernetes-user

I guess your config is not correct for the usage of some ServiceAccount. In my own EKS cluster, the list: https://github.com/falcosecurity/plugins/blob/main/plugins/k8saudit/rules/k8s_audit_rules.yaml#L70,L71 is enough.

[eric-engberg]

This rule should prevent the alert from firing but it's not

- rule: Disallowed K8s User
  desc: Detect any k8s operation by users outside of an allowed set of users.
  condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users) and not ka.user.name in (eks_allowed_k8s_users)
  output: K8s Operation performed by user not in allowed list of users (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]

# Generally exclude users starting with "system:"
- macro: non_system_user
  condition: (not ka.user.name startswith "system:")

[Issif]

Have you try:

- rule: Disallowed K8s User
  desc: Detect any k8s operation by users outside of an allowed set of users.
  condition: kevt and not system_user and not ka.user.name in (allowed_k8s_users) and not ka.user.name in (eks_allowed_k8s_users)
  output: K8s Operation performed by user not in allowed list of users (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]

# Generally exclude users starting with "system:"
- macro: system_user
  condition: ka.user.name startswith system:

Just to be sure it's not an issue of double negation or quotes?

[eric-engberg]

I have not. These are the default rules provided from this repo though. If I get a chance I will test it but currently swamped with higher priority things right now.

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[Issif]

what's the status of this issue? can we close it? thanks

[eric-engberg]

I have not had a chance to test. I assume there is a newer version released and I should test that first. I'll take a look now i guess.

[eric-engberg]

/remove-lifecycle stale

[eric-engberg]

I think this is fixed now. Installed the latest version and I don't see disallowed system users.. I do see others though.. doesn't look like there's a way to add your own users to the list? You have to copy the whole role instead of just overriding an existing list like regular falco rules?