saving uncommitted changes in /etc prior to dnf run

2021-11-20 01:22:49 +02:00
parent 169425f7ea
commit 0c926bb810
37 changed files with 3 additions and 4695 deletions
--- a/.etckeeper
+++ b/.etckeeper
@@ -21,23 +21,22 @@ mkdir -p './dbus-1/session.d'
 mkdir -p './dnf/aliases.d'
 mkdir -p './dnf/modules.defaults.d'
 mkdir -p './dnf/plugins/copr.d'
 mkdir -p './egl/egl_external_platform.d'
 mkdir -p './exports.d'
 mkdir -p './fail2ban/fail2ban.d'
 mkdir -p './falco/rules.d'
 mkdir -p './firewalld/helpers'
 mkdir -p './firewalld/icmptypes'
 mkdir -p './firewalld/ipsets'
 mkdir -p './firewalld/policies'
 mkdir -p './firewalld/services'
-mkdir -p './glvnd/egl_vendor.d'
+mkdir -p './glvnd'
 mkdir -p './gnupg'
 mkdir -p './groff/site-font'
 mkdir -p './immortal'
 mkdir -p './incron.d'
 mkdir -p './java/security/security.d'
 mkdir -p './jvm'
 mkdir -p './jvm-commmon'
 mkdir -p './kernel/postinst.d'
 mkdir -p './kernel/prerm.d'
 mkdir -p './keyutils'
 mkdir -p './letsencrypt/renewal-hooks/deploy'
 mkdir -p './letsencrypt/renewal-hooks/post'
@@ -101,7 +100,6 @@ mkdir -p './systemd/system/php-fpm.service.d'
 mkdir -p './terminfo'
 mkdir -p './tuned/recommend.d'
 mkdir -p './udev/hwdb.d'
 mkdir -p './xdg/QtProject'
 maybe chmod 0755 '.'
 maybe chmod 0700 '.etckeeper'
 maybe chmod 0640 '.gitignore'
@@ -148,7 +146,6 @@ maybe chmod 0755 'X11/applnk'
 maybe chmod 0755 'X11/fontpath.d'
 maybe chmod 0755 'X11/xinit'
 maybe chmod 0755 'X11/xinit/xinitrc.d'
 maybe chmod 0755 'X11/xinit/xinitrc.d/10-qt5-check-opengl2.sh'
 maybe chmod 0755 'X11/xinit/xinitrc.d/50-systemd-user.sh'
 maybe chmod 0755 'X11/xorg.conf.d'
 maybe chmod 0600 'aide.conf'
@@ -484,11 +481,6 @@ maybe chmod 0750 'dhcp'
 maybe chmod 0644 'dhcp/dhclient.conf'
 maybe chmod 0755 'dhcp/dhclient.d'
 maybe chmod 0755 'dhcp/dhclient.d/chrony.sh'
 maybe chmod 0755 'dkms'
 maybe chmod 0644 'dkms/framework.conf'
 maybe chmod 0755 'dkms/sign_helper.sh'
 maybe chmod 0644 'dkms/template-dkms-mkrpm.spec'
 maybe chmod 0644 'dkms/template-dkms-redhat-kmod.spec'
 maybe chmod 0755 'dnf'
 maybe chmod 0755 'dnf/aliases.d'
 maybe chmod 0644 'dnf/dnf.conf'
@@ -618,8 +610,6 @@ maybe chmod 0640 'dovecot/trash.conf'
 maybe chmod 0644 'dracut.conf'
 maybe chmod 0755 'dracut.conf.d'
 maybe chmod 0644 'dracut.conf.d/40-fips.conf'
 maybe chmod 0755 'egl'
 maybe chmod 0755 'egl/egl_external_platform.d'
 maybe chmod 0644 'environment'
 maybe chmod 0755 'environment-modules'
 maybe chmod 0644 'environment-modules/initrc'
@@ -846,14 +836,6 @@ maybe chmod 0644 'fail2ban/jail.d/recidive.conf'
 maybe chmod 0640 'fail2ban/jail.local'
 maybe chmod 0644 'fail2ban/paths-common.conf'
 maybe chmod 0644 'fail2ban/paths-fedora.conf'
 maybe chmod 0755 'falco'
 maybe chmod 0644 'falco/falco.yaml'
 maybe chmod 0644 'falco/falco_rules.local.yaml'
 maybe chmod 0644 'falco/falco_rules.yaml'
 maybe chmod 0644 'falco/k8s_audit_rules.yaml'
 maybe chmod 0755 'falco/rules.available'
 maybe chmod 0644 'falco/rules.available/application_rules.yaml'
 maybe chmod 0755 'falco/rules.d'
 maybe chmod 0644 'filesystems'
 maybe chmod 0750 'firewalld'
 maybe chmod 0644 'firewalld/firewalld.conf'
@@ -884,7 +866,6 @@ maybe chmod 0644 'gdbinit.d/golang.gdb'
 maybe chmod 0755 'glances'
 maybe chmod 0644 'glances/glances.conf'
 maybe chmod 0755 'glvnd'
 maybe chmod 0755 'glvnd/egl_vendor.d'
 maybe chmod 0755 'gnupg'
 maybe chmod 0640 'grc.conf'
 maybe chmod 0640 'grc.fish'
@@ -964,7 +945,6 @@ maybe chmod 0644 'httpd/conf.modules.d/README'
 maybe chmod 0644 'httpd/conf/httpd.conf'
 maybe chmod 0644 'httpd/conf/magic'
 maybe chmod 0644 'idmapd.conf'
 maybe chmod 0755 'immortal'
 maybe chmod 0644 'incron.conf'
 maybe chmod 0755 'incron.d'
 maybe chmod 0644 'inittab'
@@ -1010,11 +990,8 @@ maybe chmod 0755 'kernel'
 maybe chmod 0755 'kernel/install.d'
 maybe chmod 0644 'kernel/install.d/20-grubby.install'
 maybe chmod 0644 'kernel/install.d/90-loaderentry.install'
 maybe chmod 0755 'kernel/install.d/dkms'
 maybe chmod 0755 'kernel/postinst.d'
 maybe chmod 0755 'kernel/postinst.d/dkms'
 maybe chmod 0755 'kernel/prerm.d'
 maybe chmod 0755 'kernel/prerm.d/dkms'
 maybe chmod 0755 'keyutils'
 maybe chmod 0644 'krb5.conf'
 maybe chmod 0755 'krb5.conf.d'
@@ -4496,8 +4473,6 @@ maybe chmod 0755 'qemu-kvm'
 maybe chmod 0755 'rc.d'
 maybe chmod 0755 'rc.d/init.d'
 maybe chmod 0644 'rc.d/init.d/README'
 maybe chmod 0755 'rc.d/init.d/bestcrypt'
 maybe chmod 0755 'rc.d/init.d/falco'
 maybe chmod 0644 'rc.d/init.d/functions'
 maybe chmod 0755 'rc.d/init.d/network'
 maybe chmod 0755 'rc.d/init.d/rundeckd'
@@ -5062,7 +5037,6 @@ maybe chmod 0644 'udev/rules.d/70-persistent-ipoib.rules'
 maybe chmod 0644 'udev/rules.d/70-snap.snapd.rules'
 maybe chmod 0644 'udev/rules.d/75-cd-aliases-generator.rules'
 maybe chmod 0644 'udev/rules.d/75-persistent-net-generator.rules'
 maybe chmod 0644 'udev/rules.d/90-bcrypt-device-permissions.rules'
 maybe chmod 0644 'udev/udev.conf'
 maybe chmod 0755 'unbound'
 maybe chmod 0644 'unbound/icannbundle.pem'
@@ -5113,12 +5087,8 @@ maybe chmod 0700 'wireguard'
 maybe chmod 0644 'wireguard/wg0.conf'
 maybe chmod 0644 'xattr.conf'
 maybe chmod 0755 'xdg'
 maybe chmod 0755 'xdg/QtProject'
 maybe chmod 0755 'xdg/autostart'
 maybe chmod 0644 'xdg/autostart/bestcrypt-panel.desktop'
 maybe chmod 0644 'xdg/autostart/snap-userd-autostart.desktop'
 maybe chmod 0755 'xdg/qtchooser'
 maybe chmod 0644 'xdg/qtchooser/5-64.conf'
 maybe chmod 0755 'xdg/systemd'
 maybe chmod 0600 'xinetd.conf'
 maybe chmod 0755 'xinetd.d'
--- a/X11/xinit/xinitrc.d/10-qt5-check-opengl2.sh
+++ b/X11/xinit/xinitrc.d/10-qt5-check-opengl2.sh
@@ -1,14 +0,0 @@
 #!/bin/bash
 if [ -z "$QT_XCB_FORCE_SOFTWARE_OPENGL" ]; then
 QT5_CHECK_OPENGL_VERSION=`LANG=C glxinfo 2> /dev/null | grep '^OpenGL version string: ' | head -n 1 | sed -e 's/^OpenGL version string: \([0-9]\).*$/\1/g'` ||:
 if [ "$QT5_CHECK_OPENGL_VERSION" == "1" ]; then
  QT_XCB_FORCE_SOFTWARE_OPENGL=1
  export QT_XCB_FORCE_SOFTWARE_OPENGL
 fi
 unset QT5_CHECK_OPENGL_VERSION
 fi
--- a/alternatives/qtchooser-5
+++ b/alternatives/qtchooser-5
@@ -1 +0,0 @@
 /etc/xdg/qtchooser/5-64.conf
--- a/alternatives/qtchooser-default
+++ b/alternatives/qtchooser-default
@@ -1 +0,0 @@
 /etc/xdg/qtchooser/5.conf
--- a/dkms/framework.conf
+++ b/dkms/framework.conf
@@ -1,32 +0,0 @@
 ## This configuration file modifies the behavior of
 ## DKMS (Dynamic Kernel Module Support) and is sourced
 ## in by DKMS every time it is run.
 ## Source Tree Location (default: /usr/src)
 # source_tree="/usr/src"
 ## DKMS Tree Location (default: /var/lib/dkms)
 # dkms_tree="/var/lib/dkms"
 ## Install Tree Location (default: /lib/modules)
 # install_tree="/lib/modules"
 ## tmp Location (default: /tmp)
 # tmp_location="/tmp"
 ## verbosity setting (verbose will be active if you set it to a non-null value)
 # verbose=""
 ## symlink kernel modules (will be active if you set it to a non-null value)
 ## This creates symlinks from the install_tree into the dkms_tree instead of
 ## copying the modules. This preserves some space on the costs of being less
 ## safe.
 # symlink_modules=""
 ## Automatic installation and upgrade for all installed kernels (if set to a
 ## non-null value)
 # autoinstall_all_kernels=""
 ## Script to sign modules during build, script is called with kernel version
 ## and module name
 # sign_tool="/etc/dkms/sign_helper.sh"
--- a/dkms/sign_helper.sh
+++ b/dkms/sign_helper.sh
@@ -1,2 +0,0 @@
 #!/bin/sh
 /lib/modules/"$1"/build/scripts/sign-file sha512 /root/dkms.key /root/dkms.der "$2"
--- a/dkms/template-dkms-mkrpm.spec
+++ b/dkms/template-dkms-mkrpm.spec
@@ -1,82 +0,0 @@
 %{?!module_name: %{error: You did not specify a module name (%%module_name)}}
 %{?!version: %{error: You did not specify a module version (%%version)}}
 %{?!kernel_versions: %{error: You did not specify kernel versions (%%kernel_version)}}
 %{?!packager: %define packager DKMS <dkms-devel@lists.us.dell.com>}
 %{?!license: %define license Unknown}
 %{?!_dkmsdir: %define _dkmsdir /var/lib/dkms}
 %{?!_srcdir: %define _srcdir %_prefix/src}
 %{?!_datarootdir: %define _datarootdir %{_datadir}}
 Summary:	%{module_name} %{version} dkms package
 Name:		%{module_name}
 Version:	%{version}
 License:	%license
 Release:	1dkms
 BuildArch:	noarch
 Group:		System/Kernel
 Requires: 	dkms >= 1.95
 BuildRequires: 	dkms
 BuildRoot: 	%{_tmppath}/%{name}-%{version}-%{release}-root/
 %description
 Kernel modules for %{module_name} %{version} in a DKMS wrapper.
 %prep
 if [ "%mktarball_line" != "none" ]; then
        /usr/sbin/dkms mktarball -m %module_name -v %version %mktarball_line --archive `basename %{module_name}-%{version}.dkms.tar.gz`
        cp -af %{_dkmsdir}/%{module_name}/%{version}/tarball/`basename %{module_name}-%{version}.dkms.tar.gz` %{module_name}-%{version}.dkms.tar.gz
 fi
 %install
 if [ "$RPM_BUILD_ROOT" != "/" ]; then
        rm -rf $RPM_BUILD_ROOT
 fi
 mkdir -p $RPM_BUILD_ROOT/%{_srcdir}
 mkdir -p $RPM_BUILD_ROOT/%{_datarootdir}/%{module_name}
 if [ -d %{_sourcedir}/%{module_name}-%{version} ]; then
        cp -Lpr %{_sourcedir}/%{module_name}-%{version} $RPM_BUILD_ROOT/%{_srcdir}
 fi
 if [ -f %{module_name}-%{version}.dkms.tar.gz ]; then
        install -m 644 %{module_name}-%{version}.dkms.tar.gz $RPM_BUILD_ROOT/%{_datarootdir}/%{module_name}
 fi
 if [ -f %{_sourcedir}/common.postinst ]; then
        install -m 755 %{_sourcedir}/common.postinst $RPM_BUILD_ROOT/%{_datarootdir}/%{module_name}/postinst
 fi
 %clean
 if [ "$RPM_BUILD_ROOT" != "/" ]; then
        rm -rf $RPM_BUILD_ROOT
 fi
 %post
 for POSTINST in %{_prefix}/lib/dkms/common.postinst %{_datarootdir}/%{module_name}/postinst; do
        if [ -f $POSTINST ]; then
                $POSTINST %{module_name} %{version} %{_datarootdir}/%{module_name}
                exit $?
        fi
        echo "WARNING: $POSTINST does not exist."
 done
 echo -e "ERROR: DKMS version is too old and %{module_name} was not"
 echo -e "built with legacy DKMS support."
 echo -e "You must either rebuild %{module_name} with legacy postinst"
 echo -e "support or upgrade DKMS to a more current version."
 exit 1
 %preun
 echo -e
 echo -e "Uninstall of %{module_name} module (version %{version}) beginning:"
 dkms remove -m %{module_name} -v %{version} --all --rpm_safe_upgrade
 exit 0
 %files
 %defattr(-,root,root)
 %{_srcdir}
 %{_datarootdir}/%{module_name}/
 %changelog
 * %(date "+%a %b %d %Y") %packager %{version}-%{release}
 - Automatic build by DKMS
--- a/dkms/template-dkms-redhat-kmod.spec
+++ b/dkms/template-dkms-redhat-kmod.spec
@@ -1,37 +0,0 @@
 %{?!module_name: %{error: You did not specify a module name (%%module_name)}}
 %{?!version: %{error: You did not specify a module version (%%version)}}
 Name:		%{module_name}
 Version:	%{version}
 Release:	1%{?dist}
 Summary:	%{module_name}-%{version} RHEL Driver Update Program package
 License:	Unknown
 Source0:	%{module_name}-%{version}.tar.bz2
 BuildRequires:	%kernel_module_package_buildreqs
 %kernel_module_package default
 %description
 %{module_name}-%{version} RHEL Driver Update package.
 %prep
 %setup
 set -- *
 mkdir source
 mv "$@" source/
 mkdir obj
 %build
 for flavor in %flavors_to_build; do
 	rm -rf obj/$flavor
 	cp -r source obj/$flavor
 	make -C %{kernel_source $flavor} M=$PWD/obj/$flavor
 done
 %install
 export INSTALL_MOD_PATH=$RPM_BUILD_ROOT
 export INSTALL_MOD_DIR=extra/%{name}
 for flavor in %flavors_to_build ; do
 	make -C %{kernel_source $flavor} modules_install \
 		M=$PWD/obj/$flavor
 done
--- a/falco/falco.yaml
+++ b/falco/falco.yaml
@@ -1,220 +0,0 @@
 #
 # Copyright (C) 2019 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 # File(s) or Directories containing Falco rules, loaded at startup.
 # The name "rules_file" is only for backwards compatibility.
 # If the entry is a file, it will be read directly. If the entry is a directory,
 # every file in that directory will be read, in alphabetical order.
 #
 # falco_rules.yaml ships with the falco package and is overridden with
 # every new software version. falco_rules.local.yaml is only created
 # if it doesn't exist. If you want to customize the set of rules, add
 # your customizations to falco_rules.local.yaml.
 #
 # The files will be read in the order presented here, so make sure if
 # you have overrides they appear in later files.
 rules_file:
  - /etc/falco/falco_rules.yaml
  - /etc/falco/falco_rules.local.yaml
  - /etc/falco/k8s_audit_rules.yaml
  - /etc/falco/rules.d
 # If true, the times displayed in log messages and output messages
 # will be in ISO 8601. By default, times are displayed in the local
 # time zone, as governed by /etc/localtime.
 time_format_iso_8601: false
 # Whether to output events in json or text
 json_output: false
 # When using json output, whether or not to include the "output" property
 # itself (e.g. "File below a known binary directory opened for writing
 # (user=root ....") in the json output.
 json_include_output_property: true
 # Send information logs to stderr and/or syslog Note these are *not* security
 # notification logs! These are just Falco lifecycle (and possibly error) logs.
 log_stderr: true
 log_syslog: true
 # Minimum log level to include in logs. Note: these levels are
 # separate from the priority field of rules. This refers only to the
 # log level of falco's internal logging. Can be one of "emergency",
 # "alert", "critical", "error", "warning", "notice", "info", "debug".
 log_level: info
 # Minimum rule priority level to load and run. All rules having a
 # priority more severe than this level will be loaded/run.  Can be one
 # of "emergency", "alert", "critical", "error", "warning", "notice",
 # "info", "debug".
 priority: debug
 # Whether or not output to any of the output channels below is
 # buffered. Defaults to false
 buffered_outputs: false
 # Falco uses a shared buffer between the kernel and userspace to pass
 # system call information. When falco detects that this buffer is
 # full and system calls have been dropped, it can take one or more of
 # the following actions:
 #   - "ignore": do nothing. If an empty list is provided, ignore is assumed.
 #   - "log": log a CRITICAL message noting that the buffer was full.
 #   - "alert": emit a falco alert noting that the buffer was full.
 #   - "exit": exit falco with a non-zero rc.
 #
 # The rate at which log/alert messages are emitted is governed by a
 # token bucket. The rate corresponds to one message every 30 seconds
 # with a burst of 10 messages.
 syscall_event_drops:
  actions:
    - log
    - alert
  rate: .03333
  max_burst: 10
 # Falco continuously monitors outputs performance. When an output channel does not allow
 # to deliver an alert within a given deadline, an error is reported indicating
 # which output is blocking notifications.
 # The timeout error will be reported to the log according to the above log_* settings.
 # Note that the notification will not be discarded from the output queue; thus,
 # output channels may indefinitely remain blocked.
 # An output timeout error indeed indicate a misconfiguration issue or I/O problems
 # that cannot be recovered by Falco and should be fixed by the user.
 #
 # The "output_timeout" value specifies the duration in milliseconds to wait before
 # considering the deadline exceed.
 #
 # With a 2000ms default, the notification consumer can block the Falco output
 # for up to 2 seconds without reaching the timeout.
 output_timeout: 2000
 # A throttling mechanism implemented as a token bucket limits the
 # rate of falco notifications. This throttling is controlled by the following configuration
 # options:
 #  - rate: the number of tokens (i.e. right to send a notification)
 #    gained per second. Defaults to 1.
 #  - max_burst: the maximum number of tokens outstanding. Defaults to 1000.
 #
 # With these defaults, falco could send up to 1000 notifications after
 # an initial quiet period, and then up to 1 notification per second
 # afterward. It would gain the full burst back after 1000 seconds of
 # no activity.
 outputs:
  rate: 1
  max_burst: 1000
 # Where security notifications should go.
 # Multiple outputs can be enabled.
 syslog_output:
  enabled: true
 # If keep_alive is set to true, the file will be opened once and
 # continuously written to, with each output message on its own
 # line. If keep_alive is set to false, the file will be re-opened
 # for each output message.
 #
 # Also, the file will be closed and reopened if falco is signaled with
 # SIGUSR1.
 file_output:
  enabled: false
  keep_alive: false
  filename: ./events.txt
 stdout_output:
  enabled: true
 # Falco contains an embedded webserver that can be used to accept K8s
 # Audit Events. These config options control the behavior of that
 # webserver. (By default, the webserver is enabled).
 #
 # The ssl_certificate is a combination SSL Certificate and corresponding
 # key contained in a single file. You can generate a key/cert as follows:
 #
 # $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
 # $ cat certificate.pem key.pem > falco.pem
 # $ sudo cp falco.pem /etc/falco/falco.pem
 webserver:
  enabled: true
  listen_port: 8765
  k8s_audit_endpoint: /k8s-audit
  ssl_enabled: false
  ssl_certificate: /etc/falco/falco.pem
 # Possible additional things you might want to do with program output:
 #   - send to a slack webhook:
 #         program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
 #   - logging (alternate method than syslog):
 #         program: logger -t falco-test
 #   - send over a network connection:
 #         program: nc host.example.com 80
 # If keep_alive is set to true, the program will be started once and
 # continuously written to, with each output message on its own
 # line. If keep_alive is set to false, the program will be re-spawned
 # for each output message.
 #
 # Also, the program will be closed and reopened if falco is signaled with
 # SIGUSR1.
 program_output:
  enabled: false
  keep_alive: false
  program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
 http_output:
  enabled: false
  url: http://some.url
 # Falco supports running a gRPC server with two main binding types
 # 1. Over the network with mandatory mutual TLS authentication (mTLS)
 # 2. Over a local unix socket with no authentication
 # By default, the gRPC server is disabled, with no enabled services (see grpc_output)
 # please comment/uncomment and change accordingly the options below to configure it.
 # Important note: if Falco has any troubles creating the gRPC server
 # this information will be logged, however the main Falco daemon will not be stopped.
 # gRPC server over network with (mandatory) mutual TLS configuration.
 # This gRPC server is secure by default so you need to generate certificates and update their paths here.
 # By default the gRPC server is off.
 # You can configure the address to bind and expose it.
 # By modifying the threadiness configuration you can fine-tune the number of threads (and context) it will use.
 # grpc:
 #   enabled: true
 #   bind_address: "0.0.0.0:5060"
 #   # when threadiness is 0, Falco sets it by automatically figuring out the number of online cores
 #   threadiness: 0
 #   private_key: "/etc/falco/certs/server.key"
 #   cert_chain: "/etc/falco/certs/server.crt"
 #   root_certs: "/etc/falco/certs/ca.crt"
 # gRPC server using an unix socket
 grpc:
  enabled: false
  bind_address: "unix:///var/run/falco.sock"
  # when threadiness is 0, Falco automatically guesses it depending on the number of online cores
  threadiness: 0
 # gRPC output service.
 # By default it is off.
 # By enabling this all the output events will be kept in memory until you read them with a gRPC client.
 # Make sure to have a consumer for them or leave this disabled.
 grpc_output:
  enabled: false
--- a/falco/falco_rules.local.yaml
+++ b/falco/falco_rules.local.yaml
@@ -1,30 +0,0 @@
 #
 # Copyright (C) 2019 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 ####################
 # Your custom rules!
 ####################
 # Add new rules, like this one
 # - rule: The program "sudo" is run in a container
 #   desc: An event will trigger every time you run sudo in a container
 #   condition: evt.type = execve and evt.dir=< and container.id != host and proc.name = sudo
 #   output: "Sudo run in container (user=%user.name %container.info parent=%proc.pname cmdline=%proc.cmdline)"
 #   priority: ERROR
 #   tags: [users, container]
 # Or override/append to any rule, macro, or list from the Default Rules
--- a/falco/falco_rules.yaml
+++ b/falco/falco_rules.yaml
--- a/falco/k8s_audit_rules.yaml
+++ b/falco/k8s_audit_rules.yaml
@@ -1,624 +0,0 @@
 #
 # Copyright (C) 2019 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - required_engine_version: 2
 # Like always_true/always_false, but works with k8s audit events
 - macro: k8s_audit_always_true
  condition: (jevt.rawtime exists)
 - macro: k8s_audit_never_true
  condition: (jevt.rawtime=0)
 # Generally only consider audit events once the response has completed
 - list: k8s_audit_stages
  items: ["ResponseComplete"]
 # Generally exclude users starting with "system:"
 - macro: non_system_user
  condition: (not ka.user.name startswith "system:")
 # This macro selects the set of Audit Events used by the below rules.
 - macro: kevt
  condition: (jevt.value[/stage] in (k8s_audit_stages))
 - macro: kevt_started
  condition: (jevt.value[/stage]=ResponseStarted)
 # If you wish to restrict activity to a specific set of users, override/append to this list.
 # users created by kops are included
 - list: vertical_pod_autoscaler_users
  items: ["vpa-recommender", "vpa-updater"]
 - list: allowed_k8s_users
  items: [
    "minikube", "minikube-user", "kubelet", "kops", "admin", "kube", "kube-proxy", "kube-apiserver-healthcheck",
    "kubernetes-admin",
    vertical_pod_autoscaler_users,
    cluster-autoscaler,
    "system:addon-manager",
    "cloud-controller-manager"
    ]
 - rule: Disallowed K8s User
  desc: Detect any k8s operation by users outside of an allowed set of users.
  condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users)
  output: K8s Operation performed by user not in allowed list of users (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
 # In a local/user rules file, you could override this macro to
 # explicitly enumerate the container images that you want to run in
 # your environment. In this main falco rules file, there isn't any way
 # to know all the containers that can run, so any container is
 # allowed, by using the always_true macro. In the overridden macro, the condition
 # would look something like (ka.req.pod.containers.image.repository in (my-repo/my-image))
 - macro: allowed_k8s_containers
  condition: (k8s_audit_always_true)
 - macro: response_successful
  condition: (ka.response.code startswith 2)
 - macro: kcreate
  condition: ka.verb=create
 - macro: kmodify
  condition: (ka.verb in (create,update,patch))
 - macro: kdelete
  condition: ka.verb=delete
 - macro: pod
  condition: ka.target.resource=pods and not ka.target.subresource exists
 - macro: pod_subresource
  condition: ka.target.resource=pods and ka.target.subresource exists
 - macro: deployment
  condition: ka.target.resource=deployments
 - macro: service
  condition: ka.target.resource=services
 - macro: configmap
  condition: ka.target.resource=configmaps
 - macro: namespace
  condition: ka.target.resource=namespaces
 - macro: serviceaccount
  condition: ka.target.resource=serviceaccounts
 - macro: clusterrole
  condition: ka.target.resource=clusterroles
 - macro: clusterrolebinding
  condition: ka.target.resource=clusterrolebindings
 - macro: role
  condition: ka.target.resource=roles
 - macro: secret
  condition: ka.target.resource=secrets
 - macro: health_endpoint
  condition: ka.uri=/healthz
 - rule: Create Disallowed Pod
  desc: >
    Detect an attempt to start a pod with a container image outside of a list of allowed images.
  condition: kevt and pod and kcreate and not allowed_k8s_containers
  output: Pod started with container not in allowed list (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
 - rule: Create Privileged Pod
  desc: >
    Detect an attempt to start a pod with a privileged container
  condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (falco_privileged_images)
  output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
 - macro: sensitive_vol_mount
  condition: >
    (ka.req.pod.volumes.hostpath intersects (/proc, /var/run/docker.sock, /, /etc, /root, /var/run/crio/crio.sock, /home/admin, /var/lib/kubelet, /var/lib/kubelet/pki, /etc/kubernetes, /etc/kubernetes/manifests))
 - rule: Create Sensitive Mount Pod
  desc: >
    Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc).
    Exceptions are made for known trusted images.
  condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.pod.containers.image.repository in (falco_sensitive_mount_images)
  output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image volumes=%jevt.value[/requestObject/spec/volumes])
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
 # Corresponds to K8s CIS Benchmark 1.7.4
 - rule: Create HostNetwork Pod
  desc: Detect an attempt to start a pod using the host network.
  condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostnetwork_images)
  output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
 - macro: user_known_node_port_service
  condition: (k8s_audit_never_true)
 - rule: Create NodePort Service
  desc: >
    Detect an attempt to start a service with a NodePort service type
  condition: kevt and service and kcreate and ka.req.service.type=NodePort and not user_known_node_port_service
  output: NodePort Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace ports=%ka.req.service.ports)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
 - macro: contains_private_credentials
  condition: >
    (ka.req.configmap.obj contains "aws_access_key_id" or
     ka.req.configmap.obj contains "aws-access-key-id" or
     ka.req.configmap.obj contains "aws_s3_access_key_id" or
     ka.req.configmap.obj contains "aws-s3-access-key-id" or
     ka.req.configmap.obj contains "password" or
     ka.req.configmap.obj contains "passphrase")
 - rule: Create/Modify Configmap With Private Credentials
  desc: >
     Detect creating/modifying a configmap containing a private credential (aws key, password, etc.)
  condition: kevt and configmap and kmodify and contains_private_credentials
  output: K8s configmap with private credential (user=%ka.user.name verb=%ka.verb configmap=%ka.req.configmap.name config=%ka.req.configmap.obj)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
 # Corresponds to K8s CIS Benchmark, 1.1.1.
 - rule: Anonymous Request Allowed
  desc: >
    Detect any request made by the anonymous user that was allowed
  condition: kevt and ka.user.name=system:anonymous and ka.auth.decision="allow" and not health_endpoint
  output: Request by anonymous user allowed (user=%ka.user.name verb=%ka.verb uri=%ka.uri reason=%ka.auth.reason))
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
 # Roughly corresponds to K8s CIS Benchmark, 1.1.12. In this case,
 # notifies an attempt to exec/attach to a privileged container.
 # Ideally, we'd add a more stringent rule that detects attaches/execs
 # to a privileged pod, but that requires the engine for k8s audit
 # events to be stateful, so it could know if a container named in an
 # attach request was created privileged or not. For now, we have a
 # less severe rule that detects attaches/execs to any pod.
 - macro: user_known_exec_pod_activities
  condition: (k8s_audit_never_true)
 - rule: Attach/Exec Pod
  desc: >
    Detect any attempt to attach/exec to a pod
  condition: kevt_started and pod_subresource and kcreate and ka.target.subresource in (exec,attach) and not user_known_exec_pod_activities
  output: Attach/Exec to pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace action=%ka.target.subresource command=%ka.uri.param[command])
  priority: NOTICE
  source: k8s_audit
  tags: [k8s]
 - macro: user_known_pod_debug_activities
  condition: (k8s_audit_never_true)
 # Only works when feature gate EphemeralContainers is enabled
 - rule: EphemeralContainers Created
  desc: >
    Detect any ephemeral container created
  condition: kevt and pod_subresource and kmodify and ka.target.subresource in (ephemeralcontainers) and not user_known_pod_debug_activities
  output: Ephemeral container is created in pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace ephemeral_container_name=%jevt.value[/requestObject/ephemeralContainers/0/name] ephemeral_container_image=%jevt.value[/requestObject/ephemeralContainers/0/image])
  priority: NOTICE
  source: k8s_audit
  tags: [k8s]
 # In a local/user rules fie, you can append to this list to add additional allowed namespaces
 - list: allowed_namespaces
  items: [kube-system, kube-public, default]
 - rule: Create Disallowed Namespace
  desc: Detect any attempt to create a namespace outside of a set of known namespaces
  condition: kevt and namespace and kcreate and not ka.target.name in (allowed_namespaces)
  output: Disallowed namespace created (user=%ka.user.name ns=%ka.target.name)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
 # Only defined for backwards compatibility. Use the more specific
 # user_allowed_kube_namespace_image_list instead.
 - list: user_trusted_image_list
  items: []
 - list: user_allowed_kube_namespace_image_list
  items: [user_trusted_image_list]
 # Only defined for backwards compatibility. Use the more specific
 # allowed_kube_namespace_image_list instead.
 - list: k8s_image_list
  items: []
 - list: allowed_kube_namespace_image_list
  items: [
    gcr.io/google-containers/prometheus-to-sd,
    gcr.io/projectcalico-org/node,
    gke.gcr.io/addon-resizer,
    gke.gcr.io/heapster,
    gke.gcr.io/gke-metadata-server,
    k8s.gcr.io/ip-masq-agent-amd64,
    k8s.gcr.io/kube-apiserver,
    gke.gcr.io/kube-proxy,
    gke.gcr.io/netd-amd64,
    k8s.gcr.io/addon-resizer
    k8s.gcr.io/prometheus-to-sd,
    k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64,
    k8s.gcr.io/k8s-dns-kube-dns-amd64,
    k8s.gcr.io/k8s-dns-sidecar-amd64,
    k8s.gcr.io/metrics-server-amd64,
    kope/kube-apiserver-healthcheck,
    k8s_image_list
    ]
 - macro: allowed_kube_namespace_pods
  condition: (ka.req.pod.containers.image.repository in (user_allowed_kube_namespace_image_list) or
              ka.req.pod.containers.image.repository in (allowed_kube_namespace_image_list))
 # Detect any new pod created in the kube-system namespace
 - rule: Pod Created in Kube Namespace
  desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces
  condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not allowed_kube_namespace_pods
  output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
 - list: user_known_sa_list
  items: []
 - macro: trusted_sa
  condition: (ka.target.name in (user_known_sa_list))
 # Detect creating a service account in the kube-system/kube-public namespace
 - rule: Service Account Created in Kube Namespace
  desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces
  condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful and not trusted_sa
  output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
 # Detect any modify/delete to any ClusterRole starting with
 # "system:". "system:coredns" is excluded as changes are expected in
 # normal operation.
 - rule: System ClusterRole Modified/Deleted
  desc: Detect any attempt to modify/delete a ClusterRole/Role starting with system
  condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and
             not ka.target.name in (system:coredns, system:managed-certificate-controller)
  output: System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name ns=%ka.target.namespace action=%ka.verb)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
 # Detect any attempt to create a ClusterRoleBinding to the cluster-admin user
 # (exapand this to any built-in cluster role that does "sensitive" things)
 - rule: Attach to cluster-admin Role
  desc: Detect any attempt to create a ClusterRoleBinding to the cluster-admin user
  condition: kevt and clusterrolebinding and kcreate and ka.req.binding.role=cluster-admin
  output: Cluster Role Binding to cluster-admin role (user=%ka.user.name subject=%ka.req.binding.subjects)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
 - rule: ClusterRole With Wildcard Created
  desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs
  condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*"))
  output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
 - macro: writable_verbs
  condition: >
    (ka.req.role.rules.verbs intersects (create, update, patch, delete, deletecollection))
 - rule: ClusterRole With Write Privileges Created
  desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions
  condition: kevt and (role or clusterrole) and kcreate and writable_verbs
  output: Created Role/ClusterRole with write privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
  priority: NOTICE
  source: k8s_audit
  tags: [k8s]
 - rule: ClusterRole With Pod Exec Created
  desc: Detect any attempt to create a Role/ClusterRole that can exec to pods
  condition: kevt and (role or clusterrole) and kcreate and ka.req.role.rules.resources intersects ("pods/exec")
  output: Created Role/ClusterRole with pod exec privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
 # The rules below this point are less discriminatory and generally
 # represent a stream of activity for a cluster. If you wish to disable
 # these events, modify the following macro.
 - macro: consider_activity_events
  condition: (k8s_audit_always_true)
 - macro: kactivity
  condition: (kevt and consider_activity_events)
 - rule: K8s Deployment Created
  desc: Detect any attempt to create a deployment
  condition: (kactivity and kcreate and deployment and response_successful)
  output: K8s Deployment Created (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
  priority: INFO
  source: k8s_audit
  tags: [k8s]
 - rule: K8s Deployment Deleted
  desc: Detect any attempt to delete a deployment
  condition: (kactivity and kdelete and deployment and response_successful)
  output: K8s Deployment Deleted (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
  priority: INFO
  source: k8s_audit
  tags: [k8s]
 - rule: K8s Service Created
  desc: Detect any attempt to create a service
  condition: (kactivity and kcreate and service and response_successful)
  output: K8s Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
  priority: INFO
  source: k8s_audit
  tags: [k8s]
 - rule: K8s Service Deleted
  desc: Detect any attempt to delete a service
  condition: (kactivity and kdelete and service and response_successful)
  output: K8s Service Deleted (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
  priority: INFO
  source: k8s_audit
  tags: [k8s]
 - rule: K8s ConfigMap Created
  desc: Detect any attempt to create a configmap
  condition: (kactivity and kcreate and configmap and response_successful)
  output: K8s ConfigMap Created (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
  priority: INFO
  source: k8s_audit
  tags: [k8s]
 - rule: K8s ConfigMap Deleted
  desc: Detect any attempt to delete a configmap
  condition: (kactivity and kdelete and configmap and response_successful)
  output: K8s ConfigMap Deleted (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
  priority: INFO
  source: k8s_audit
  tags: [k8s]
 - rule: K8s Namespace Created
  desc: Detect any attempt to create a namespace
  condition: (kactivity and kcreate and namespace and response_successful)
  output: K8s Namespace Created (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
  priority: INFO
  source: k8s_audit
  tags: [k8s]
 - rule: K8s Namespace Deleted
  desc: Detect any attempt to delete a namespace
  condition: (kactivity and non_system_user and kdelete and namespace and response_successful)
  output: K8s Namespace Deleted (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
  priority: INFO
  source: k8s_audit
  tags: [k8s]
 - rule: K8s Serviceaccount Created
  desc: Detect any attempt to create a service account
  condition: (kactivity and kcreate and serviceaccount and response_successful)
  output: K8s Serviceaccount Created (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
  priority: INFO
  source: k8s_audit
  tags: [k8s]
 - rule: K8s Serviceaccount Deleted
  desc: Detect any attempt to delete a service account
  condition: (kactivity and kdelete and serviceaccount and response_successful)
  output: K8s Serviceaccount Deleted (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
  priority: INFO
  source: k8s_audit
  tags: [k8s]
 - rule: K8s Role/Clusterrole Created
  desc: Detect any attempt to create a cluster role/role
  condition: (kactivity and kcreate and (clusterrole or role) and response_successful)
  output: K8s Cluster Role Created (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
  priority: INFO
  source: k8s_audit
  tags: [k8s]
 - rule: K8s Role/Clusterrole Deleted
  desc: Detect any attempt to delete a cluster role/role
  condition: (kactivity and kdelete and (clusterrole or role) and response_successful)
  output: K8s Cluster Role Deleted (user=%ka.user.name role=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
  priority: INFO
  source: k8s_audit
  tags: [k8s]
 - rule: K8s Role/Clusterrolebinding Created
  desc: Detect any attempt to create a clusterrolebinding
  condition: (kactivity and kcreate and clusterrolebinding and response_successful)
  output: K8s Cluster Role Binding Created (user=%ka.user.name binding=%ka.target.name subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
  priority: INFO
  source: k8s_audit
  tags: [k8s]
 - rule: K8s Role/Clusterrolebinding Deleted
  desc: Detect any attempt to delete a clusterrolebinding
  condition: (kactivity and kdelete and clusterrolebinding and response_successful)
  output: K8s Cluster Role Binding Deleted (user=%ka.user.name binding=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
  priority: INFO
  source: k8s_audit
  tags: [k8s]
 - rule: K8s Secret Created
  desc: Detect any attempt to create a secret. Service account tokens are excluded.
  condition: (kactivity and kcreate and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
  output: K8s Secret Created (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
  priority: INFO
  source: k8s_audit
  tags: [k8s]
 - rule: K8s Secret Deleted
  desc: Detect any attempt to delete a secret Service account tokens are excluded.
  condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
  output: K8s Secret Deleted (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
  priority: INFO
  source: k8s_audit
  tags: [k8s]
 # This rule generally matches all events, and as a result is disabled
 # by default. If you wish to enable these events, modify the
 # following macro.
 #  condition: (jevt.rawtime exists)
 - macro: consider_all_events
  condition: (k8s_audit_never_true)
 - macro: kall
  condition: (kevt and consider_all_events)
 - rule: All K8s Audit Events
  desc: Match all K8s Audit Events
  condition: kall
  output: K8s Audit Event received (user=%ka.user.name verb=%ka.verb uri=%ka.uri obj=%jevt.obj)
  priority: DEBUG
  source: k8s_audit
  tags: [k8s]
 # This macro disables following rule, change to k8s_audit_never_true to enable it
 - macro: allowed_full_admin_users
  condition: (k8s_audit_always_true)
 # This list includes some of the default user names for an administrator in several K8s installations
 - list: full_admin_k8s_users
  items: ["admin", "kubernetes-admin",  "kubernetes-admin@kubernetes", "kubernetes-admin@cluster.local", "minikube-user"]
 # This rules detect an operation triggered by an user name that is 
 # included in the list of those that are default administrators upon 
 # cluster creation. This may signify a permission setting too broader. 
 # As we can't check for role of the user on a general ka.* event, this 
 # may or may not be an administrator. Customize the full_admin_k8s_users 
 # list to your needs, and activate at your discrection.
 # # How to test:
 # # Execute any kubectl command connected using default cluster user, as:
 # kubectl create namespace rule-test
 - rule: Full K8s Administrative Access
  desc: Detect any k8s operation by a user name that may be an administrator with full access.
  condition: >
    kevt 
    and non_system_user 
    and ka.user.name in (full_admin_k8s_users)
    and not allowed_full_admin_users
  output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
 - macro: ingress
  condition: ka.target.resource=ingresses
 - macro: ingress_tls
  condition: (jevt.value[/requestObject/spec/tls] exists)
 # # How to test:
 # # Create an ingress.yaml file with content:
 # apiVersion: networking.k8s.io/v1beta1
 # kind: Ingress
 # metadata:
 #   name: test-ingress
 #   annotations:
 #     nginx.ingress.kubernetes.io/rewrite-target: /
 # spec:
 #   rules:
 #   - http:
 #       paths:
 #       - path: /testpath
 #         backend:
 #           serviceName: test
 #           servicePort: 80
 # # Execute: kubectl apply -f ingress.yaml
 - rule: Ingress Object without TLS Certificate Created
  desc: Detect any attempt to create an ingress without TLS certification.
  condition: >
    (kactivity and kcreate and ingress and response_successful and not ingress_tls)
  output: >
    K8s Ingress Without TLS Cert Created (user=%ka.user.name ingress=%ka.target.name
    namespace=%ka.target.namespace)
  source: k8s_audit    
  priority: WARNING
  tags: [k8s, network]
 - macro: node
  condition: ka.target.resource=nodes
 - macro: allow_all_k8s_nodes
  condition: (k8s_audit_always_true)
 - list: allowed_k8s_nodes
  items: []
 # # How to test:
 # # Create a Falco monitored cluster with Kops
 # # Increase the number of minimum nodes with:
 # kops edit ig nodes
 # kops apply --yes
 - rule: Untrusted Node Successfully Joined the Cluster
  desc: >
    Detect a node successfully joined the cluster outside of the list of allowed nodes.
  condition: >
    kevt and node 
    and kcreate 
    and response_successful 
    and not allow_all_k8s_nodes 
    and not ka.target.name in (allowed_k8s_nodes)
  output: Node not in allowed list successfully joined the cluster (user=%ka.user.name node=%ka.target.name)
  priority: ERROR
  source: k8s_audit
  tags: [k8s]
 - rule: Untrusted Node Unsuccessfully Tried to Join the Cluster
  desc: >
    Detect an unsuccessful attempt to join the cluster for a node not in the list of allowed nodes.
  condition: >
    kevt and node 
    and kcreate 
    and not response_successful 
    and not allow_all_k8s_nodes 
    and not ka.target.name in (allowed_k8s_nodes)
  output: Node not in allowed list tried unsuccessfully to join the cluster  (user=%ka.user.name node=%ka.target.name reason=%ka.response.reason)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
--- a/falco/rules.available/application_rules.yaml
+++ b/falco/rules.available/application_rules.yaml
@@ -1,188 +0,0 @@
 #
 # Copyright (C) 2019 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - required_engine_version: 2
 ################################################################
 # By default all application-related rules are disabled for
 # performance reasons. Depending on the application(s) you use,
 # uncomment the corresponding rule definitions for
 # application-specific activity monitoring.
 ################################################################
 # Elasticsearch ports
 - macro: elasticsearch_cluster_port
  condition: fd.sport=9300
 - macro: elasticsearch_api_port
  condition: fd.sport=9200
 - macro: elasticsearch_port
  condition: elasticsearch_cluster_port or elasticsearch_api_port
 # - rule: Elasticsearch unexpected network inbound traffic
 #   desc: inbound network traffic to elasticsearch on a port other than the standard ports
 #   condition: user.name = elasticsearch and inbound and not elasticsearch_port
 #   output: "Inbound network traffic to Elasticsearch on unexpected port (connection=%fd.name)"
 #   priority: WARNING
 # - rule: Elasticsearch unexpected network outbound traffic
 #   desc: outbound network traffic from elasticsearch on a port other than the standard ports
 #   condition: user.name = elasticsearch and outbound and not elasticsearch_cluster_port
 #   output: "Outbound network traffic from Elasticsearch on unexpected port (connection=%fd.name)"
 #   priority: WARNING
 # ActiveMQ ports
 - macro: activemq_cluster_port
  condition: fd.sport=61616
 - macro: activemq_web_port
  condition: fd.sport=8161
 - macro: activemq_port
  condition: activemq_web_port or activemq_cluster_port
 # - rule: Activemq unexpected network inbound traffic
 #   desc: inbound network traffic to activemq on a port other than the standard ports
 #   condition: user.name = activemq and inbound and not activemq_port
 #   output: "Inbound network traffic to ActiveMQ on unexpected port (connection=%fd.name)"
 #   priority: WARNING
 # - rule: Activemq unexpected network outbound traffic
 #   desc: outbound network traffic from activemq on a port other than the standard ports
 #   condition: user.name = activemq and outbound and not activemq_cluster_port
 #   output: "Outbound network traffic from ActiveMQ on unexpected port (connection=%fd.name)"
 #   priority: WARNING
 # Cassandra ports
 # https://docs.datastax.com/en/cassandra/2.0/cassandra/security/secureFireWall_r.html
 - macro: cassandra_thrift_client_port
  condition: fd.sport=9160
 - macro: cassandra_cql_port
  condition: fd.sport=9042
 - macro: cassandra_cluster_port
  condition: fd.sport=7000
 - macro: cassandra_ssl_cluster_port
  condition: fd.sport=7001
 - macro: cassandra_jmx_port
  condition: fd.sport=7199
 - macro: cassandra_port
  condition: >
    cassandra_thrift_client_port or
    cassandra_cql_port or cassandra_cluster_port or
    cassandra_ssl_cluster_port or cassandra_jmx_port
 # - rule: Cassandra unexpected network inbound traffic
 #   desc: inbound network traffic to cassandra on a port other than the standard ports
 #   condition: user.name = cassandra and inbound and not cassandra_port
 #   output: "Inbound network traffic to Cassandra on unexpected port (connection=%fd.name)"
 #   priority: WARNING
 # - rule: Cassandra unexpected network outbound traffic
 #   desc: outbound network traffic from cassandra on a port other than the standard ports
 #   condition: user.name = cassandra and outbound and not (cassandra_ssl_cluster_port or cassandra_cluster_port)
 #   output: "Outbound network traffic from Cassandra on unexpected port (connection=%fd.name)"
 #   priority: WARNING
 # Couchdb ports
 # https://github.com/davisp/couchdb/blob/master/etc/couchdb/local.ini
 - macro: couchdb_httpd_port
  condition: fd.sport=5984
 - macro: couchdb_httpd_ssl_port
  condition: fd.sport=6984
 # xxx can't tell what clustering ports are used. not writing rules for this
 # yet.
 # Fluentd ports
 - macro: fluentd_http_port
  condition: fd.sport=9880
 - macro: fluentd_forward_port
  condition: fd.sport=24224
 # - rule: Fluentd unexpected network inbound traffic
 #   desc: inbound network traffic to fluentd on a port other than the standard ports
 #   condition: user.name = td-agent and inbound and not (fluentd_forward_port or fluentd_http_port)
 #   output: "Inbound network traffic to Fluentd on unexpected port (connection=%fd.name)"
 #   priority: WARNING
 # - rule: Tdagent unexpected network outbound traffic
 #   desc: outbound network traffic from fluentd on a port other than the standard ports
 #   condition: user.name = td-agent and outbound and not fluentd_forward_port
 #   output: "Outbound network traffic from Fluentd on unexpected port (connection=%fd.name)"
 #   priority: WARNING
 # Gearman ports
 # http://gearman.org/protocol/
 # - rule: Gearman unexpected network outbound traffic
 #   desc: outbound network traffic from gearman on a port other than the standard ports
 #   condition: user.name = gearman and outbound and outbound and not fd.sport = 4730
 #   output: "Outbound network traffic from Gearman on unexpected port (connection=%fd.name)"
 #   priority: WARNING
 # Zookeeper
 - macro: zookeeper_port
  condition: fd.sport = 2181
 # Kafka ports
 # - rule: Kafka unexpected network inbound traffic
 #   desc: inbound network traffic to kafka on a port other than the standard ports
 #   condition: user.name = kafka and inbound and fd.sport != 9092
 #   output: "Inbound network traffic to Kafka on unexpected port (connection=%fd.name)"
 #   priority: WARNING
 # Memcached ports
 # - rule: Memcached unexpected network inbound traffic
 #   desc: inbound network traffic to memcached on a port other than the standard ports
 #   condition: user.name = memcached and inbound and fd.sport != 11211
 #   output: "Inbound network traffic to Memcached on unexpected port (connection=%fd.name)"
 #   priority: WARNING
 # - rule: Memcached unexpected network outbound traffic
 #   desc: any outbound network traffic from memcached. memcached never initiates outbound connections.
 #   condition: user.name = memcached and outbound
 #   output: "Unexpected Memcached outbound connection (connection=%fd.name)"
 #   priority: WARNING
 # MongoDB ports
 - macro: mongodb_server_port
  condition: fd.sport = 27017
 - macro: mongodb_shardserver_port
  condition: fd.sport = 27018
 - macro: mongodb_configserver_port
  condition: fd.sport = 27019
 - macro: mongodb_webserver_port
  condition: fd.sport = 28017
 # - rule: Mongodb unexpected network inbound traffic
 #   desc: inbound network traffic to mongodb on a port other than the standard ports
 #   condition: >
 #     user.name = mongodb and inbound and not (mongodb_server_port or
 #     mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port)
 #   output: "Inbound network traffic to MongoDB on unexpected port (connection=%fd.name)"
 #   priority: WARNING
 # MySQL ports
 # - rule: Mysql unexpected network inbound traffic
 #   desc: inbound network traffic to mysql on a port other than the standard ports
 #   condition: user.name = mysql and inbound and fd.sport != 3306
 #   output: "Inbound network traffic to MySQL on unexpected port (connection=%fd.name)"
 #   priority: WARNING
 # - rule: HTTP server unexpected network inbound traffic
 #   desc: inbound network traffic to a http server program on a port other than the standard ports
 #   condition: proc.name in (http_server_binaries) and inbound and fd.sport != 80 and fd.sport != 443
 #   output: "Inbound network traffic to HTTP Server on unexpected port (connection=%fd.name)"
 #   priority: WARNING
--- a/kernel/install.d/dkms
+++ b/kernel/install.d/dkms
@@ -1,9 +0,0 @@
 #!/usr/bin/bash
 if [[ "$1" == "add" ]]; then
 	/etc/kernel/postinst.d/dkms $2
 fi
 if [[ "$1" == "remove" ]]; then
 	/etc/kernel/prerm.d/dkms $2
 fi
--- a/kernel/postinst.d/dkms
+++ b/kernel/postinst.d/dkms
@@ -1,45 +0,0 @@
 #!/bin/bash
 # We're passed the version of the kernel being installed
 inst_kern=$1
 uname_s=$(uname -s)
 _get_kernel_dir() {
    KVER=$1
    case ${uname_s} in
       Linux)          DIR="/lib/modules/$KVER/build" ;;
       GNU/kFreeBSD)   DIR="/usr/src/kfreebsd-headers-$KVER/sys" ;;
    esac
    echo $DIR
 }
 _check_kernel_dir() {
    DIR=$(_get_kernel_dir $1)
    case ${uname_s} in
       Linux)          test -e $DIR/include ;;
       GNU/kFreeBSD)   test -e $DIR/kern && test -e $DIR/conf/kmod.mk ;;
       *)              return 1 ;;
    esac
    return $?
 }
 case "${uname_s}" in
    Linux)
        header_pkg="linux-headers-$inst_kern"
        kernel="Linux"
    ;;
    GNU/kFreeBSD)
        header_pkg="kfreebsd-headers-$inst_kern"
        kernel="kFreeBSD"
    ;;
 esac
 if [ -x /usr/lib/dkms/dkms_autoinstaller ]; then
    exec /usr/lib/dkms/dkms_autoinstaller start $inst_kern
 fi
 if ! _check_kernel_dir $inst_kern ; then
    echo "dkms: WARNING: $kernel headers are missing, which may explain the above failures." >&2
    echo "      please install the $header_pkg package to fix this." >&2
 fi
--- a/kernel/prerm.d/dkms
+++ b/kernel/prerm.d/dkms
@@ -1,30 +0,0 @@
 #!/bin/bash
 # We're passed the version of the kernel being removed
 inst_kern=$1
 # This is applied from make_initrd function in dkms command, which
 # creates the possible initrd backup file.
 remove_initrd_backup() {
 	for initrd in "initrd-$1.img" "initramfs-$1.img" "initrd.img-$1" "initrd-$1"; do
 		rm -fv /boot/"${initrd}".old-dkms >&2
 	done
 }
 if [ -x /usr/sbin/dkms ]; then
 while read line; do
   name=`echo "$line" | awk '{print $1}' | sed 's/,$//'`
   vers=`echo "$line" | awk '{print $2}' | sed 's/,$//'`
   arch=`echo "$line" | awk '{print $4}' | sed 's/:$//'`
   echo "dkms: removing: $name $vers ($inst_kern) ($arch)" >&2
   dkms remove -m $name -v $vers -k $inst_kern -a $arch
 done < <(dkms status -k $inst_kern 2>/dev/null | grep ": installed")
 fi
 remove_initrd_backup "$inst_kern"
 rmdir --ignore-fail-on-non-empty \
 	"/lib/modules/$inst_kern/updates/dkms" \
 	"/lib/modules/$inst_kern/updates" 2>/dev/null
 exit 0
--- a/rc.d/init.d/bestcrypt
+++ b/rc.d/init.d/bestcrypt
@@ -1,93 +0,0 @@
 #!/bin/sh
 # Copyright 2010-2016 Jetico Inc. Oy
 # All rights reserved.
 # chkconfig: 345 99 01
 # description: BestCrypt for Linux
 #
 ### BEGIN INIT INFO
 # Provides: bestcrypt
 # Required-Start: dkms
 # Required-Stop:
 # Default-Start: 2 3 4 5
 # Default-Stop: 0 1 6
 # Short-Description: BestCrypt for Linux
 # Description: BestCrypt for Linux
 ### END INIT INFO
 KERNEL_VERSION=`uname -r|sed 's/\(.\..\).*/\1/'`
 case "$1" in
  start)
 	echo "Starting BestCrypt..."
 	rm -rf /dev/bcrypt?* 2>/dev/null
 	depmod -a
    modprobe bestcrypt
    modprobe bc_blowfish
 	modprobe bc_des
 	modprobe bc_gost
 	modprobe bc_camellia
 	modprobe bc_twofish
 	modprobe bc_bf448
 	modprobe bc_bf128
 	modprobe bc_3des
 	modprobe bc_idea
 	modprobe bc_rijn
 	modprobe bc_cast
 	modprobe bc_serpent
 	modprobe bc_rc6
 #modprobe bc_noop
    echo "Started."
 	;;
  stop)
    echo "Stopping BestCrypt..."
    if bctool is_guard_on ; then
        echo "on" > "$HOME"/.config/Jetico/guard_status
    else
        echo "off" > "$HOME"/.config/Jetico/guard_status
    fi
 	bctool umountall
 	for i in `lsmod | egrep "^\"?bc_.*\"?" | awk '{print $1}' `; do
        rmmod $i;
    done
    rmmod bestcrypt
    echo "Stopped."
 	;;
  status)
 	if [ -f /sys/class/misc/bestcrypt ] ; then
        echo "BestCrypt driver is loaded. List of loaded algorithms:\n"
 	    ls /sys/class/misc/bectcrypt/plugins
 	else
 		echo "SysFS entry unavailable, possibly driver is not running."
 	fi
    if bctool is_guard_on ; then
      echo "BestCrypt container file guard is on"
    fi
 	;;
  restart)
 	$0 stop
 	$0 start
 	;;
  *)
 	echo "Usage: $0 {start|stop|restart|status}"
 	exit 1
 esac
 exit 0
--- a/rc.d/init.d/falco
+++ b/rc.d/init.d/falco
@@ -1,127 +0,0 @@
 #!/bin/sh
 #
 # Copyright (C) 2019 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 #
 # falco syscall monitoring agent
 #
 # chkconfig:   2345 55 45
 # description: Falco syscall monitoring agent
 #
 ### BEGIN INIT INFO
 # Provides:
 # Required-Start:
 # Required-Stop:
 # Should-Start:
 # Should-Stop:
 # Default-Start:
 # Default-Stop:
 # Short-Description:
 # Description:
 ### END INIT INFO
 # Source function library.
 . /etc/rc.d/init.d/functions
 exec="/usr/bin/falco"
 prog="falco"
 # config="<path to major config file>"
 [ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
 lockfile=/var/lock/subsys/$prog
 pidfile="/var/run/falco.pid"
 start() {
    [ -x $exec ] || exit 5
    # [ -f $config ] || exit 6
    echo -n $"Starting $prog: "
    daemon $exec --daemon --pidfile=$pidfile
    if [ ! -d /sys/module/falco ]; then
        /sbin/modprobe falco || return $?
    fi
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
 }
 stop() {
    echo -n $"Stopping $prog: "
    killproc -p $pidfile
    retval=$?
    echo
    /sbin/rmmod falco
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
 }
 restart() {
    stop
    start
 }
 reload() {
    restart
 }
 force_reload() {
    restart
 }
 rh_status() {
    status -p $pidfile $prog
 }
 rh_status_q() {
    rh_status >/dev/null 2>&1
 }
 case "$1" in
    start)
        rh_status_q && exit 0
        $1
        ;;
    stop)
        rh_status_q || exit 0
        $1
        ;;
    restart)
        $1
        ;;
    reload)
        rh_status_q || exit 7
        $1
        ;;
    force-reload)
        force_reload
        ;;
    status)
        rh_status
        ;;
    condrestart|try-restart)
        rh_status_q || exit 0
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
        exit 2
 esac
 exit $?
--- a/rc.d/rc0.d/K01bestcrypt
+++ b/rc.d/rc0.d/K01bestcrypt
@@ -1 +0,0 @@
 ../init.d/bestcrypt
--- a/rc.d/rc0.d/K45falco
+++ b/rc.d/rc0.d/K45falco
@@ -1 +0,0 @@
 ../init.d/falco
--- a/rc.d/rc1.d/K01bestcrypt
+++ b/rc.d/rc1.d/K01bestcrypt
@@ -1 +0,0 @@
 ../init.d/bestcrypt
--- a/rc.d/rc1.d/K45falco
+++ b/rc.d/rc1.d/K45falco
@@ -1 +0,0 @@
 ../init.d/falco
--- a/rc.d/rc2.d/K45falco
+++ b/rc.d/rc2.d/K45falco
@@ -1 +0,0 @@
 ../init.d/falco
--- a/rc.d/rc2.d/S99bestcrypt
+++ b/rc.d/rc2.d/S99bestcrypt
@@ -1 +0,0 @@
 ../init.d/bestcrypt
--- a/rc.d/rc3.d/K45falco
+++ b/rc.d/rc3.d/K45falco
@@ -1 +0,0 @@
 ../init.d/falco
--- a/rc.d/rc3.d/S99bestcrypt
+++ b/rc.d/rc3.d/S99bestcrypt
@@ -1 +0,0 @@
 ../init.d/bestcrypt
--- a/rc.d/rc4.d/K45falco
+++ b/rc.d/rc4.d/K45falco
@@ -1 +0,0 @@
 ../init.d/falco
--- a/rc.d/rc4.d/S99bestcrypt
+++ b/rc.d/rc4.d/S99bestcrypt
@@ -1 +0,0 @@
 ../init.d/bestcrypt
--- a/rc.d/rc5.d/K45falco
+++ b/rc.d/rc5.d/K45falco
@@ -1 +0,0 @@
 ../init.d/falco
--- a/rc.d/rc5.d/S99bestcrypt
+++ b/rc.d/rc5.d/S99bestcrypt
@@ -1 +0,0 @@
 ../init.d/bestcrypt
--- a/rc.d/rc6.d/K01bestcrypt
+++ b/rc.d/rc6.d/K01bestcrypt
@@ -1 +0,0 @@
 ../init.d/bestcrypt
--- a/rc.d/rc6.d/K45falco
+++ b/rc.d/rc6.d/K45falco
@@ -1 +0,0 @@
 ../init.d/falco
--- a/udev/rules.d/90-bcrypt-device-permissions.rules
+++ b/udev/rules.d/90-bcrypt-device-permissions.rules
@@ -1,2 +0,0 @@
 KERNEL=="bcrypt*", MODE="0666", ENV{UDISKS_PRESENTATION_NOPOLICY}="1"
 KERNEL=="bestcrypt", MODE="0755"
--- a/xdg/autostart/bestcrypt-panel.desktop
+++ b/xdg/autostart/bestcrypt-panel.desktop
@@ -1,10 +0,0 @@
 [Desktop Entry]
 Version=1.0
 Name=BestCrypt Control Panel
 Comment=Create or mount encrypted containers.
 Icon=application-x-bestcrypt
 Exec=/usr/bin/bestcrypt-panel --minimized
 Terminal=false
 Type=Application
 Categories=Utility
 MimeType=application/x-bestcrypt-container
--- a/xdg/qtchooser/5-64.conf
+++ b/xdg/qtchooser/5-64.conf
@@ -1,2 +0,0 @@
 /usr/lib64/qt5/bin
 /usr
--- a/xdg/qtchooser/5.conf
+++ b/xdg/qtchooser/5.conf
@@ -1 +0,0 @@
 /etc/alternatives/qtchooser-5
--- a/xdg/qtchooser/default.conf
+++ b/xdg/qtchooser/default.conf
@@ -1 +0,0 @@
 /etc/alternatives/qtchooser-default
		`@@ -1,2 +0,0 @@`
			`#!/bin/sh`
			`/lib/modules/"$1"/build/scripts/sign-file sha512 /root/dkms.key /root/dkms.der "$2"`
		`@@ -1,2 +0,0 @@`
			`KERNEL=="bcrypt*", MODE="0666", ENV{UDISKS_PRESENTATION_NOPOLICY}="1"`
			`KERNEL=="bestcrypt", MODE="0755"`