Issif · January 21, 2022 23:14
diff --git a/bootstrap-talon.sh b/bootstrap-talon.sh
 #!/bin/bash

 # Create custom-rules.yaml
 cat <<EOF > custom-rules.yaml
 falco:
  rulesFile:
    - /etc/falco/k8s_audit_rules.yaml
    - /etc/falco/rules.d/custom-rules.yaml
 customRules:
  custom-rules.yaml: |-
    - macro: spawned_process
      condition: evt.type = execve and evt.dir=<
    - macro: container
      condition: (container.id != host)
    - list: shell_binaries
      items: [ash, bash, csh, ksh, sh, tcsh, zsh, dash]
    - macro: shell_procs
      condition: proc.name in (shell_binaries)
    - macro: never_true
      condition: (evt.num=0)
    - macro: container_entrypoint
      condition: (not proc.pname exists or proc.pname in (runc:[0:PARENT], runc:[1:CHILD], runc, docker-runc, exe, docker-runc-cur))
    - macro: user_expected_terminal_shell_in_container_conditions
      condition: (never_true)
    - rule: Terminal shell in container
      desc: A shell was used as the entrypoint/exec point into a container with an attached terminal.
      condition: >
        spawned_process and container
        and shell_procs and proc.tty != 0
        and container_entrypoint
        and not user_expected_terminal_shell_in_container_conditions
      output: >
        A shell was spawned in a container with an attached terminal (user=%user.name user_loginuid=%user.loginuid %container.info
        shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)
      priority: Critical
      tags: [container, shell, mitre_execution]
 EOF

 # Install falco + falcosdekick + webui
 helm repo add falcosecurity https://falcosecurity.github.io/charts
 helm install falco falcosecurity/falco -f custom-rules.yaml  --set falcosidekick.enabled=true --set falcosidekick.webui.enabled=true --set falcosidekick.config.webhook.address=http://falco-talon:2803 --set kubernetesSupport.enableNodeFilter=false --create-namespace -n falco

 # Install falco-talon
 git clone git@github.com:Issif/falco-talon.git
 cd falco-talon/deployment/helm
 helm install falco-talon .  -n falco
	#!/bin/bash

	# Create custom-rules.yaml
	cat <<EOF > custom-rules.yaml
	falco:
	rulesFile:
	- /etc/falco/k8s_audit_rules.yaml
	- /etc/falco/rules.d/custom-rules.yaml
	customRules:
	custom-rules.yaml: \|-
	- macro: spawned_process
	condition: evt.type = execve and evt.dir=<
	- macro: container
	condition: (container.id != host)
	- list: shell_binaries
	items: [ash, bash, csh, ksh, sh, tcsh, zsh, dash]
	- macro: shell_procs
	condition: proc.name in (shell_binaries)
	- macro: never_true
	condition: (evt.num=0)
	- macro: container_entrypoint
	condition: (not proc.pname exists or proc.pname in (runc:[0:PARENT], runc:[1:CHILD], runc, docker-runc, exe, docker-runc-cur))
	- macro: user_expected_terminal_shell_in_container_conditions
	condition: (never_true)
	- rule: Terminal shell in container
	desc: A shell was used as the entrypoint/exec point into a container with an attached terminal.
	condition: >
	spawned_process and container
	and shell_procs and proc.tty != 0
	and container_entrypoint
	and not user_expected_terminal_shell_in_container_conditions
	output: >
	A shell was spawned in a container with an attached terminal (user=%user.name user_loginuid=%user.loginuid %container.info
	shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)
	priority: Critical
	tags: [container, shell, mitre_execution]
	EOF

	# Install falco + falcosdekick + webui
	helm repo add falcosecurity https://falcosecurity.github.io/charts
	helm install falco falcosecurity/falco -f custom-rules.yaml --set falcosidekick.enabled=true --set falcosidekick.webui.enabled=true --set falcosidekick.config.webhook.address=http://falco-talon:2803 --set kubernetesSupport.enableNodeFilter=false --create-namespace -n falco

	# Install falco-talon
	git clone git@github.com:Issif/falco-talon.git
	cd falco-talon/deployment/helm
	helm install falco-talon . -n falco
No results found