Falco alerts mapping - Githubissues

openrca / orca

Root Cause Analysis for Kubernetes

https://openrca.io

Apache License 2.0

88 stars 10 forks source link

Falco alerts mapping #35

Closed bzurkowski closed 4 years ago

bzurkowski commented 4 years ago

Falco provides a comprehensive set of alerting rules for Kubernetes such as:

Create Sensitive Mount Pod
Create HostNetwork Pod

Open RCA enables connecting some of these alerts to elements present in the infra graph by using a mapping file. The entries in the file are of the form:

- name: "Create Sensitive Mount Pod"
  source_mapping:
    origin: kubernetes
    kind: pod
    properties:
      name: ka.resp.name
      namespace: ka.target.namespace

The example above describes that whenever there is a Create Sensitive Mount Pod alert detected, it should be mapped to graph element of kubernetes origin and pod kind, and connected to an element with properties name and namespace with values fetched from labels in alert payload, named correspondingly ka.resp.name and ka.target.namespace.

The mapping file is not complete. There is still a significant number of alerts that Open RCA cannot recognize. The remaining alerting rules should be reviewed and integrated into the mapping.

bzurkowski commented 4 years ago

This enhancement might be partially blocked by https://github.com/openrca/orca/issues/13.

aleksandra-galara commented 4 years ago

Hi, I'd like to work on this issue, so if you can.. assign it to me! ;)

aleksandra-galara commented 4 years ago

Hi, I've created the list of Falco alerts:

[ ] Disallowed K8s User
[ ] Create Disallowed Pod
[x] Create Privileged Pod
[x] Create Sensitive Mount Pod
[ ] Create HostNetwork Pod
[ ] Create NodePort Service
[ ] Create/Modify Configmap With Private Credentials
[ ] Anonymous Request Allowed
[ ] Attach/Exec Pod
[ ] Create Disallowed Namespace
[ ] Pod Created in Kube Namespace
[ ] Service Account Created in Kube Namespace
[ ] System ClusterRole Modified/Deleted
[ ] Attach to cluster-admin Role
[ ] ClusterRole With Wildcard Created
[ ] ClusterRole With Write Privileges Created
[ ] ClusterRole With Pod Exec Created
[ ] K8s Deployment Created
[ ] K8s Deployment Deleted
[ ] K8s Service Created
[ ] K8s Service Deleted
[ ] K8s ConfigMap Created
[ ] K8s ConfigMap Deleted
[ ] K8s Namespace Created
[ ] K8s Namespace Deleted
[ ] K8s Serviceaccount Created
[ ] K8s Serviceaccount Deleted
[ ] K8s Role/Clusterrole Created
[ ] K8s Role/Clusterrole Deleted
[ ] K8s Role/Clusterrolebinding Created
[ ] K8s Role/Clusterrolebinding Deleted
[ ] All K8s Audit Events
[ ] Full K8s Administrative Access
[ ] Ingress Object without TLS Certificate Created
[ ] Untrusted Node Successfully Joined the Cluster
[ ] Untrusted Node Unsuccessfully Tried to Join the Cluster

Are there any alerts, which shouldn't be mapped? ;)

bzurkowski commented 4 years ago

It's actually easier to point out the ones that could be mapped 😄

[ ] Create Disallowed Pod
[ ] Create Privileged Pod
[ ] Create Sensitive Mount Pod
[ ] Create HostNetwork Pod
[ ] Create/Modify Configmap With Private Credentials
[ ] Attach/Exec Pod
[ ] Create Disallowed Namespace
[ ] Ingress Object without TLS Certificate Created
[ ] Untrusted Node Successfully Joined the Cluster
[ ] Untrusted Node Unsuccessfully Tried to Join the Cluster

Others, as you suggested offline, warn about creation/deletion of K8S entities. Since OpenRCA records all cluster events, we can skip them.