saving uncommitted changes in /etc prior to dnf run
36
.etckeeper
36
.etckeeper
@@ -21,23 +21,22 @@ mkdir -p './dbus-1/session.d'
|
||||
mkdir -p './dnf/aliases.d'
|
||||
mkdir -p './dnf/modules.defaults.d'
|
||||
mkdir -p './dnf/plugins/copr.d'
|
||||
mkdir -p './egl/egl_external_platform.d'
|
||||
mkdir -p './exports.d'
|
||||
mkdir -p './fail2ban/fail2ban.d'
|
||||
mkdir -p './falco/rules.d'
|
||||
mkdir -p './firewalld/helpers'
|
||||
mkdir -p './firewalld/icmptypes'
|
||||
mkdir -p './firewalld/ipsets'
|
||||
mkdir -p './firewalld/policies'
|
||||
mkdir -p './firewalld/services'
|
||||
mkdir -p './glvnd/egl_vendor.d'
|
||||
mkdir -p './glvnd'
|
||||
mkdir -p './gnupg'
|
||||
mkdir -p './groff/site-font'
|
||||
mkdir -p './immortal'
|
||||
mkdir -p './incron.d'
|
||||
mkdir -p './java/security/security.d'
|
||||
mkdir -p './jvm'
|
||||
mkdir -p './jvm-commmon'
|
||||
mkdir -p './kernel/postinst.d'
|
||||
mkdir -p './kernel/prerm.d'
|
||||
mkdir -p './keyutils'
|
||||
mkdir -p './letsencrypt/renewal-hooks/deploy'
|
||||
mkdir -p './letsencrypt/renewal-hooks/post'
|
||||
@@ -101,7 +100,6 @@ mkdir -p './systemd/system/php-fpm.service.d'
|
||||
mkdir -p './terminfo'
|
||||
mkdir -p './tuned/recommend.d'
|
||||
mkdir -p './udev/hwdb.d'
|
||||
mkdir -p './xdg/QtProject'
|
||||
maybe chmod 0755 '.'
|
||||
maybe chmod 0700 '.etckeeper'
|
||||
maybe chmod 0640 '.gitignore'
|
||||
@@ -148,7 +146,6 @@ maybe chmod 0755 'X11/applnk'
|
||||
maybe chmod 0755 'X11/fontpath.d'
|
||||
maybe chmod 0755 'X11/xinit'
|
||||
maybe chmod 0755 'X11/xinit/xinitrc.d'
|
||||
maybe chmod 0755 'X11/xinit/xinitrc.d/10-qt5-check-opengl2.sh'
|
||||
maybe chmod 0755 'X11/xinit/xinitrc.d/50-systemd-user.sh'
|
||||
maybe chmod 0755 'X11/xorg.conf.d'
|
||||
maybe chmod 0600 'aide.conf'
|
||||
@@ -484,11 +481,6 @@ maybe chmod 0750 'dhcp'
|
||||
maybe chmod 0644 'dhcp/dhclient.conf'
|
||||
maybe chmod 0755 'dhcp/dhclient.d'
|
||||
maybe chmod 0755 'dhcp/dhclient.d/chrony.sh'
|
||||
maybe chmod 0755 'dkms'
|
||||
maybe chmod 0644 'dkms/framework.conf'
|
||||
maybe chmod 0755 'dkms/sign_helper.sh'
|
||||
maybe chmod 0644 'dkms/template-dkms-mkrpm.spec'
|
||||
maybe chmod 0644 'dkms/template-dkms-redhat-kmod.spec'
|
||||
maybe chmod 0755 'dnf'
|
||||
maybe chmod 0755 'dnf/aliases.d'
|
||||
maybe chmod 0644 'dnf/dnf.conf'
|
||||
@@ -618,8 +610,6 @@ maybe chmod 0640 'dovecot/trash.conf'
|
||||
maybe chmod 0644 'dracut.conf'
|
||||
maybe chmod 0755 'dracut.conf.d'
|
||||
maybe chmod 0644 'dracut.conf.d/40-fips.conf'
|
||||
maybe chmod 0755 'egl'
|
||||
maybe chmod 0755 'egl/egl_external_platform.d'
|
||||
maybe chmod 0644 'environment'
|
||||
maybe chmod 0755 'environment-modules'
|
||||
maybe chmod 0644 'environment-modules/initrc'
|
||||
@@ -846,14 +836,6 @@ maybe chmod 0644 'fail2ban/jail.d/recidive.conf'
|
||||
maybe chmod 0640 'fail2ban/jail.local'
|
||||
maybe chmod 0644 'fail2ban/paths-common.conf'
|
||||
maybe chmod 0644 'fail2ban/paths-fedora.conf'
|
||||
maybe chmod 0755 'falco'
|
||||
maybe chmod 0644 'falco/falco.yaml'
|
||||
maybe chmod 0644 'falco/falco_rules.local.yaml'
|
||||
maybe chmod 0644 'falco/falco_rules.yaml'
|
||||
maybe chmod 0644 'falco/k8s_audit_rules.yaml'
|
||||
maybe chmod 0755 'falco/rules.available'
|
||||
maybe chmod 0644 'falco/rules.available/application_rules.yaml'
|
||||
maybe chmod 0755 'falco/rules.d'
|
||||
maybe chmod 0644 'filesystems'
|
||||
maybe chmod 0750 'firewalld'
|
||||
maybe chmod 0644 'firewalld/firewalld.conf'
|
||||
@@ -884,7 +866,6 @@ maybe chmod 0644 'gdbinit.d/golang.gdb'
|
||||
maybe chmod 0755 'glances'
|
||||
maybe chmod 0644 'glances/glances.conf'
|
||||
maybe chmod 0755 'glvnd'
|
||||
maybe chmod 0755 'glvnd/egl_vendor.d'
|
||||
maybe chmod 0755 'gnupg'
|
||||
maybe chmod 0640 'grc.conf'
|
||||
maybe chmod 0640 'grc.fish'
|
||||
@@ -964,7 +945,6 @@ maybe chmod 0644 'httpd/conf.modules.d/README'
|
||||
maybe chmod 0644 'httpd/conf/httpd.conf'
|
||||
maybe chmod 0644 'httpd/conf/magic'
|
||||
maybe chmod 0644 'idmapd.conf'
|
||||
maybe chmod 0755 'immortal'
|
||||
maybe chmod 0644 'incron.conf'
|
||||
maybe chmod 0755 'incron.d'
|
||||
maybe chmod 0644 'inittab'
|
||||
@@ -1010,11 +990,8 @@ maybe chmod 0755 'kernel'
|
||||
maybe chmod 0755 'kernel/install.d'
|
||||
maybe chmod 0644 'kernel/install.d/20-grubby.install'
|
||||
maybe chmod 0644 'kernel/install.d/90-loaderentry.install'
|
||||
maybe chmod 0755 'kernel/install.d/dkms'
|
||||
maybe chmod 0755 'kernel/postinst.d'
|
||||
maybe chmod 0755 'kernel/postinst.d/dkms'
|
||||
maybe chmod 0755 'kernel/prerm.d'
|
||||
maybe chmod 0755 'kernel/prerm.d/dkms'
|
||||
maybe chmod 0755 'keyutils'
|
||||
maybe chmod 0644 'krb5.conf'
|
||||
maybe chmod 0755 'krb5.conf.d'
|
||||
@@ -4496,8 +4473,6 @@ maybe chmod 0755 'qemu-kvm'
|
||||
maybe chmod 0755 'rc.d'
|
||||
maybe chmod 0755 'rc.d/init.d'
|
||||
maybe chmod 0644 'rc.d/init.d/README'
|
||||
maybe chmod 0755 'rc.d/init.d/bestcrypt'
|
||||
maybe chmod 0755 'rc.d/init.d/falco'
|
||||
maybe chmod 0644 'rc.d/init.d/functions'
|
||||
maybe chmod 0755 'rc.d/init.d/network'
|
||||
maybe chmod 0755 'rc.d/init.d/rundeckd'
|
||||
@@ -5062,7 +5037,6 @@ maybe chmod 0644 'udev/rules.d/70-persistent-ipoib.rules'
|
||||
maybe chmod 0644 'udev/rules.d/70-snap.snapd.rules'
|
||||
maybe chmod 0644 'udev/rules.d/75-cd-aliases-generator.rules'
|
||||
maybe chmod 0644 'udev/rules.d/75-persistent-net-generator.rules'
|
||||
maybe chmod 0644 'udev/rules.d/90-bcrypt-device-permissions.rules'
|
||||
maybe chmod 0644 'udev/udev.conf'
|
||||
maybe chmod 0755 'unbound'
|
||||
maybe chmod 0644 'unbound/icannbundle.pem'
|
||||
@@ -5113,12 +5087,8 @@ maybe chmod 0700 'wireguard'
|
||||
maybe chmod 0644 'wireguard/wg0.conf'
|
||||
maybe chmod 0644 'xattr.conf'
|
||||
maybe chmod 0755 'xdg'
|
||||
maybe chmod 0755 'xdg/QtProject'
|
||||
maybe chmod 0755 'xdg/autostart'
|
||||
maybe chmod 0644 'xdg/autostart/bestcrypt-panel.desktop'
|
||||
maybe chmod 0644 'xdg/autostart/snap-userd-autostart.desktop'
|
||||
maybe chmod 0755 'xdg/qtchooser'
|
||||
maybe chmod 0644 'xdg/qtchooser/5-64.conf'
|
||||
maybe chmod 0755 'xdg/systemd'
|
||||
maybe chmod 0600 'xinetd.conf'
|
||||
maybe chmod 0755 'xinetd.d'
|
||||
|
||||
@@ -1,14 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
if [ -z "$QT_XCB_FORCE_SOFTWARE_OPENGL" ]; then
|
||||
|
||||
QT5_CHECK_OPENGL_VERSION=`LANG=C glxinfo 2> /dev/null | grep '^OpenGL version string: ' | head -n 1 | sed -e 's/^OpenGL version string: \([0-9]\).*$/\1/g'` ||:
|
||||
|
||||
if [ "$QT5_CHECK_OPENGL_VERSION" == "1" ]; then
|
||||
QT_XCB_FORCE_SOFTWARE_OPENGL=1
|
||||
export QT_XCB_FORCE_SOFTWARE_OPENGL
|
||||
fi
|
||||
|
||||
unset QT5_CHECK_OPENGL_VERSION
|
||||
|
||||
fi
|
||||
@@ -1 +0,0 @@
|
||||
/etc/xdg/qtchooser/5-64.conf
|
||||
@@ -1 +0,0 @@
|
||||
/etc/xdg/qtchooser/5.conf
|
||||
@@ -1,32 +0,0 @@
|
||||
## This configuration file modifies the behavior of
|
||||
## DKMS (Dynamic Kernel Module Support) and is sourced
|
||||
## in by DKMS every time it is run.
|
||||
|
||||
## Source Tree Location (default: /usr/src)
|
||||
# source_tree="/usr/src"
|
||||
|
||||
## DKMS Tree Location (default: /var/lib/dkms)
|
||||
# dkms_tree="/var/lib/dkms"
|
||||
|
||||
## Install Tree Location (default: /lib/modules)
|
||||
# install_tree="/lib/modules"
|
||||
|
||||
## tmp Location (default: /tmp)
|
||||
# tmp_location="/tmp"
|
||||
|
||||
## verbosity setting (verbose will be active if you set it to a non-null value)
|
||||
# verbose=""
|
||||
|
||||
## symlink kernel modules (will be active if you set it to a non-null value)
|
||||
## This creates symlinks from the install_tree into the dkms_tree instead of
|
||||
## copying the modules. This preserves some space on the costs of being less
|
||||
## safe.
|
||||
# symlink_modules=""
|
||||
|
||||
## Automatic installation and upgrade for all installed kernels (if set to a
|
||||
## non-null value)
|
||||
# autoinstall_all_kernels=""
|
||||
|
||||
## Script to sign modules during build, script is called with kernel version
|
||||
## and module name
|
||||
# sign_tool="/etc/dkms/sign_helper.sh"
|
||||
@@ -1,2 +0,0 @@
|
||||
#!/bin/sh
|
||||
/lib/modules/"$1"/build/scripts/sign-file sha512 /root/dkms.key /root/dkms.der "$2"
|
||||
@@ -1,82 +0,0 @@
|
||||
%{?!module_name: %{error: You did not specify a module name (%%module_name)}}
|
||||
%{?!version: %{error: You did not specify a module version (%%version)}}
|
||||
%{?!kernel_versions: %{error: You did not specify kernel versions (%%kernel_version)}}
|
||||
%{?!packager: %define packager DKMS <dkms-devel@lists.us.dell.com>}
|
||||
%{?!license: %define license Unknown}
|
||||
%{?!_dkmsdir: %define _dkmsdir /var/lib/dkms}
|
||||
%{?!_srcdir: %define _srcdir %_prefix/src}
|
||||
%{?!_datarootdir: %define _datarootdir %{_datadir}}
|
||||
|
||||
Summary: %{module_name} %{version} dkms package
|
||||
Name: %{module_name}
|
||||
Version: %{version}
|
||||
License: %license
|
||||
Release: 1dkms
|
||||
BuildArch: noarch
|
||||
Group: System/Kernel
|
||||
Requires: dkms >= 1.95
|
||||
BuildRequires: dkms
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root/
|
||||
|
||||
%description
|
||||
Kernel modules for %{module_name} %{version} in a DKMS wrapper.
|
||||
|
||||
%prep
|
||||
if [ "%mktarball_line" != "none" ]; then
|
||||
/usr/sbin/dkms mktarball -m %module_name -v %version %mktarball_line --archive `basename %{module_name}-%{version}.dkms.tar.gz`
|
||||
cp -af %{_dkmsdir}/%{module_name}/%{version}/tarball/`basename %{module_name}-%{version}.dkms.tar.gz` %{module_name}-%{version}.dkms.tar.gz
|
||||
fi
|
||||
|
||||
%install
|
||||
if [ "$RPM_BUILD_ROOT" != "/" ]; then
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
fi
|
||||
mkdir -p $RPM_BUILD_ROOT/%{_srcdir}
|
||||
mkdir -p $RPM_BUILD_ROOT/%{_datarootdir}/%{module_name}
|
||||
|
||||
if [ -d %{_sourcedir}/%{module_name}-%{version} ]; then
|
||||
cp -Lpr %{_sourcedir}/%{module_name}-%{version} $RPM_BUILD_ROOT/%{_srcdir}
|
||||
fi
|
||||
|
||||
if [ -f %{module_name}-%{version}.dkms.tar.gz ]; then
|
||||
install -m 644 %{module_name}-%{version}.dkms.tar.gz $RPM_BUILD_ROOT/%{_datarootdir}/%{module_name}
|
||||
fi
|
||||
|
||||
if [ -f %{_sourcedir}/common.postinst ]; then
|
||||
install -m 755 %{_sourcedir}/common.postinst $RPM_BUILD_ROOT/%{_datarootdir}/%{module_name}/postinst
|
||||
fi
|
||||
|
||||
%clean
|
||||
if [ "$RPM_BUILD_ROOT" != "/" ]; then
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
fi
|
||||
|
||||
%post
|
||||
for POSTINST in %{_prefix}/lib/dkms/common.postinst %{_datarootdir}/%{module_name}/postinst; do
|
||||
if [ -f $POSTINST ]; then
|
||||
$POSTINST %{module_name} %{version} %{_datarootdir}/%{module_name}
|
||||
exit $?
|
||||
fi
|
||||
echo "WARNING: $POSTINST does not exist."
|
||||
done
|
||||
echo -e "ERROR: DKMS version is too old and %{module_name} was not"
|
||||
echo -e "built with legacy DKMS support."
|
||||
echo -e "You must either rebuild %{module_name} with legacy postinst"
|
||||
echo -e "support or upgrade DKMS to a more current version."
|
||||
exit 1
|
||||
|
||||
%preun
|
||||
echo -e
|
||||
echo -e "Uninstall of %{module_name} module (version %{version}) beginning:"
|
||||
dkms remove -m %{module_name} -v %{version} --all --rpm_safe_upgrade
|
||||
exit 0
|
||||
|
||||
%files
|
||||
%defattr(-,root,root)
|
||||
%{_srcdir}
|
||||
%{_datarootdir}/%{module_name}/
|
||||
|
||||
%changelog
|
||||
* %(date "+%a %b %d %Y") %packager %{version}-%{release}
|
||||
- Automatic build by DKMS
|
||||
|
||||
@@ -1,37 +0,0 @@
|
||||
%{?!module_name: %{error: You did not specify a module name (%%module_name)}}
|
||||
%{?!version: %{error: You did not specify a module version (%%version)}}
|
||||
Name: %{module_name}
|
||||
Version: %{version}
|
||||
Release: 1%{?dist}
|
||||
Summary: %{module_name}-%{version} RHEL Driver Update Program package
|
||||
|
||||
License: Unknown
|
||||
Source0: %{module_name}-%{version}.tar.bz2
|
||||
BuildRequires: %kernel_module_package_buildreqs
|
||||
|
||||
%kernel_module_package default
|
||||
|
||||
%description
|
||||
%{module_name}-%{version} RHEL Driver Update package.
|
||||
|
||||
%prep
|
||||
%setup
|
||||
set -- *
|
||||
mkdir source
|
||||
mv "$@" source/
|
||||
mkdir obj
|
||||
|
||||
%build
|
||||
for flavor in %flavors_to_build; do
|
||||
rm -rf obj/$flavor
|
||||
cp -r source obj/$flavor
|
||||
make -C %{kernel_source $flavor} M=$PWD/obj/$flavor
|
||||
done
|
||||
|
||||
%install
|
||||
export INSTALL_MOD_PATH=$RPM_BUILD_ROOT
|
||||
export INSTALL_MOD_DIR=extra/%{name}
|
||||
for flavor in %flavors_to_build ; do
|
||||
make -C %{kernel_source $flavor} modules_install \
|
||||
M=$PWD/obj/$flavor
|
||||
done
|
||||
220
falco/falco.yaml
220
falco/falco.yaml
@@ -1,220 +0,0 @@
|
||||
#
|
||||
# Copyright (C) 2019 The Falco Authors.
|
||||
#
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
# File(s) or Directories containing Falco rules, loaded at startup.
|
||||
# The name "rules_file" is only for backwards compatibility.
|
||||
# If the entry is a file, it will be read directly. If the entry is a directory,
|
||||
# every file in that directory will be read, in alphabetical order.
|
||||
#
|
||||
# falco_rules.yaml ships with the falco package and is overridden with
|
||||
# every new software version. falco_rules.local.yaml is only created
|
||||
# if it doesn't exist. If you want to customize the set of rules, add
|
||||
# your customizations to falco_rules.local.yaml.
|
||||
#
|
||||
# The files will be read in the order presented here, so make sure if
|
||||
# you have overrides they appear in later files.
|
||||
rules_file:
|
||||
- /etc/falco/falco_rules.yaml
|
||||
- /etc/falco/falco_rules.local.yaml
|
||||
- /etc/falco/k8s_audit_rules.yaml
|
||||
- /etc/falco/rules.d
|
||||
|
||||
# If true, the times displayed in log messages and output messages
|
||||
# will be in ISO 8601. By default, times are displayed in the local
|
||||
# time zone, as governed by /etc/localtime.
|
||||
time_format_iso_8601: false
|
||||
|
||||
# Whether to output events in json or text
|
||||
json_output: false
|
||||
|
||||
# When using json output, whether or not to include the "output" property
|
||||
# itself (e.g. "File below a known binary directory opened for writing
|
||||
# (user=root ....") in the json output.
|
||||
json_include_output_property: true
|
||||
|
||||
# Send information logs to stderr and/or syslog Note these are *not* security
|
||||
# notification logs! These are just Falco lifecycle (and possibly error) logs.
|
||||
log_stderr: true
|
||||
log_syslog: true
|
||||
|
||||
# Minimum log level to include in logs. Note: these levels are
|
||||
# separate from the priority field of rules. This refers only to the
|
||||
# log level of falco's internal logging. Can be one of "emergency",
|
||||
# "alert", "critical", "error", "warning", "notice", "info", "debug".
|
||||
log_level: info
|
||||
|
||||
# Minimum rule priority level to load and run. All rules having a
|
||||
# priority more severe than this level will be loaded/run. Can be one
|
||||
# of "emergency", "alert", "critical", "error", "warning", "notice",
|
||||
# "info", "debug".
|
||||
priority: debug
|
||||
|
||||
# Whether or not output to any of the output channels below is
|
||||
# buffered. Defaults to false
|
||||
buffered_outputs: false
|
||||
|
||||
# Falco uses a shared buffer between the kernel and userspace to pass
|
||||
# system call information. When falco detects that this buffer is
|
||||
# full and system calls have been dropped, it can take one or more of
|
||||
# the following actions:
|
||||
# - "ignore": do nothing. If an empty list is provided, ignore is assumed.
|
||||
# - "log": log a CRITICAL message noting that the buffer was full.
|
||||
# - "alert": emit a falco alert noting that the buffer was full.
|
||||
# - "exit": exit falco with a non-zero rc.
|
||||
#
|
||||
# The rate at which log/alert messages are emitted is governed by a
|
||||
# token bucket. The rate corresponds to one message every 30 seconds
|
||||
# with a burst of 10 messages.
|
||||
|
||||
syscall_event_drops:
|
||||
actions:
|
||||
- log
|
||||
- alert
|
||||
rate: .03333
|
||||
max_burst: 10
|
||||
|
||||
# Falco continuously monitors outputs performance. When an output channel does not allow
|
||||
# to deliver an alert within a given deadline, an error is reported indicating
|
||||
# which output is blocking notifications.
|
||||
# The timeout error will be reported to the log according to the above log_* settings.
|
||||
# Note that the notification will not be discarded from the output queue; thus,
|
||||
# output channels may indefinitely remain blocked.
|
||||
# An output timeout error indeed indicate a misconfiguration issue or I/O problems
|
||||
# that cannot be recovered by Falco and should be fixed by the user.
|
||||
#
|
||||
# The "output_timeout" value specifies the duration in milliseconds to wait before
|
||||
# considering the deadline exceed.
|
||||
#
|
||||
# With a 2000ms default, the notification consumer can block the Falco output
|
||||
# for up to 2 seconds without reaching the timeout.
|
||||
|
||||
output_timeout: 2000
|
||||
|
||||
# A throttling mechanism implemented as a token bucket limits the
|
||||
# rate of falco notifications. This throttling is controlled by the following configuration
|
||||
# options:
|
||||
# - rate: the number of tokens (i.e. right to send a notification)
|
||||
# gained per second. Defaults to 1.
|
||||
# - max_burst: the maximum number of tokens outstanding. Defaults to 1000.
|
||||
#
|
||||
# With these defaults, falco could send up to 1000 notifications after
|
||||
# an initial quiet period, and then up to 1 notification per second
|
||||
# afterward. It would gain the full burst back after 1000 seconds of
|
||||
# no activity.
|
||||
|
||||
outputs:
|
||||
rate: 1
|
||||
max_burst: 1000
|
||||
|
||||
# Where security notifications should go.
|
||||
# Multiple outputs can be enabled.
|
||||
|
||||
syslog_output:
|
||||
enabled: true
|
||||
|
||||
# If keep_alive is set to true, the file will be opened once and
|
||||
# continuously written to, with each output message on its own
|
||||
# line. If keep_alive is set to false, the file will be re-opened
|
||||
# for each output message.
|
||||
#
|
||||
# Also, the file will be closed and reopened if falco is signaled with
|
||||
# SIGUSR1.
|
||||
|
||||
file_output:
|
||||
enabled: false
|
||||
keep_alive: false
|
||||
filename: ./events.txt
|
||||
|
||||
stdout_output:
|
||||
enabled: true
|
||||
|
||||
# Falco contains an embedded webserver that can be used to accept K8s
|
||||
# Audit Events. These config options control the behavior of that
|
||||
# webserver. (By default, the webserver is enabled).
|
||||
#
|
||||
# The ssl_certificate is a combination SSL Certificate and corresponding
|
||||
# key contained in a single file. You can generate a key/cert as follows:
|
||||
#
|
||||
# $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
|
||||
# $ cat certificate.pem key.pem > falco.pem
|
||||
# $ sudo cp falco.pem /etc/falco/falco.pem
|
||||
|
||||
webserver:
|
||||
enabled: true
|
||||
listen_port: 8765
|
||||
k8s_audit_endpoint: /k8s-audit
|
||||
ssl_enabled: false
|
||||
ssl_certificate: /etc/falco/falco.pem
|
||||
|
||||
# Possible additional things you might want to do with program output:
|
||||
# - send to a slack webhook:
|
||||
# program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
|
||||
# - logging (alternate method than syslog):
|
||||
# program: logger -t falco-test
|
||||
# - send over a network connection:
|
||||
# program: nc host.example.com 80
|
||||
|
||||
# If keep_alive is set to true, the program will be started once and
|
||||
# continuously written to, with each output message on its own
|
||||
# line. If keep_alive is set to false, the program will be re-spawned
|
||||
# for each output message.
|
||||
#
|
||||
# Also, the program will be closed and reopened if falco is signaled with
|
||||
# SIGUSR1.
|
||||
program_output:
|
||||
enabled: false
|
||||
keep_alive: false
|
||||
program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
|
||||
|
||||
http_output:
|
||||
enabled: false
|
||||
url: http://some.url
|
||||
|
||||
# Falco supports running a gRPC server with two main binding types
|
||||
# 1. Over the network with mandatory mutual TLS authentication (mTLS)
|
||||
# 2. Over a local unix socket with no authentication
|
||||
# By default, the gRPC server is disabled, with no enabled services (see grpc_output)
|
||||
# please comment/uncomment and change accordingly the options below to configure it.
|
||||
# Important note: if Falco has any troubles creating the gRPC server
|
||||
# this information will be logged, however the main Falco daemon will not be stopped.
|
||||
# gRPC server over network with (mandatory) mutual TLS configuration.
|
||||
# This gRPC server is secure by default so you need to generate certificates and update their paths here.
|
||||
# By default the gRPC server is off.
|
||||
# You can configure the address to bind and expose it.
|
||||
# By modifying the threadiness configuration you can fine-tune the number of threads (and context) it will use.
|
||||
# grpc:
|
||||
# enabled: true
|
||||
# bind_address: "0.0.0.0:5060"
|
||||
# # when threadiness is 0, Falco sets it by automatically figuring out the number of online cores
|
||||
# threadiness: 0
|
||||
# private_key: "/etc/falco/certs/server.key"
|
||||
# cert_chain: "/etc/falco/certs/server.crt"
|
||||
# root_certs: "/etc/falco/certs/ca.crt"
|
||||
|
||||
# gRPC server using an unix socket
|
||||
grpc:
|
||||
enabled: false
|
||||
bind_address: "unix:///var/run/falco.sock"
|
||||
# when threadiness is 0, Falco automatically guesses it depending on the number of online cores
|
||||
threadiness: 0
|
||||
|
||||
# gRPC output service.
|
||||
# By default it is off.
|
||||
# By enabling this all the output events will be kept in memory until you read them with a gRPC client.
|
||||
# Make sure to have a consumer for them or leave this disabled.
|
||||
grpc_output:
|
||||
enabled: false
|
||||
@@ -1,30 +0,0 @@
|
||||
#
|
||||
# Copyright (C) 2019 The Falco Authors.
|
||||
#
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
####################
|
||||
# Your custom rules!
|
||||
####################
|
||||
|
||||
# Add new rules, like this one
|
||||
# - rule: The program "sudo" is run in a container
|
||||
# desc: An event will trigger every time you run sudo in a container
|
||||
# condition: evt.type = execve and evt.dir=< and container.id != host and proc.name = sudo
|
||||
# output: "Sudo run in container (user=%user.name %container.info parent=%proc.pname cmdline=%proc.cmdline)"
|
||||
# priority: ERROR
|
||||
# tags: [users, container]
|
||||
|
||||
# Or override/append to any rule, macro, or list from the Default Rules
|
||||
@@ -1,624 +0,0 @@
|
||||
#
|
||||
# Copyright (C) 2019 The Falco Authors.
|
||||
#
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
- required_engine_version: 2
|
||||
|
||||
# Like always_true/always_false, but works with k8s audit events
|
||||
- macro: k8s_audit_always_true
|
||||
condition: (jevt.rawtime exists)
|
||||
|
||||
- macro: k8s_audit_never_true
|
||||
condition: (jevt.rawtime=0)
|
||||
|
||||
# Generally only consider audit events once the response has completed
|
||||
- list: k8s_audit_stages
|
||||
items: ["ResponseComplete"]
|
||||
|
||||
# Generally exclude users starting with "system:"
|
||||
- macro: non_system_user
|
||||
condition: (not ka.user.name startswith "system:")
|
||||
|
||||
# This macro selects the set of Audit Events used by the below rules.
|
||||
- macro: kevt
|
||||
condition: (jevt.value[/stage] in (k8s_audit_stages))
|
||||
|
||||
- macro: kevt_started
|
||||
condition: (jevt.value[/stage]=ResponseStarted)
|
||||
|
||||
# If you wish to restrict activity to a specific set of users, override/append to this list.
|
||||
# users created by kops are included
|
||||
- list: vertical_pod_autoscaler_users
|
||||
items: ["vpa-recommender", "vpa-updater"]
|
||||
|
||||
- list: allowed_k8s_users
|
||||
items: [
|
||||
"minikube", "minikube-user", "kubelet", "kops", "admin", "kube", "kube-proxy", "kube-apiserver-healthcheck",
|
||||
"kubernetes-admin",
|
||||
vertical_pod_autoscaler_users,
|
||||
cluster-autoscaler,
|
||||
"system:addon-manager",
|
||||
"cloud-controller-manager"
|
||||
]
|
||||
|
||||
- rule: Disallowed K8s User
|
||||
desc: Detect any k8s operation by users outside of an allowed set of users.
|
||||
condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users)
|
||||
output: K8s Operation performed by user not in allowed list of users (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
|
||||
priority: WARNING
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
# In a local/user rules file, you could override this macro to
|
||||
# explicitly enumerate the container images that you want to run in
|
||||
# your environment. In this main falco rules file, there isn't any way
|
||||
# to know all the containers that can run, so any container is
|
||||
# allowed, by using the always_true macro. In the overridden macro, the condition
|
||||
# would look something like (ka.req.pod.containers.image.repository in (my-repo/my-image))
|
||||
- macro: allowed_k8s_containers
|
||||
condition: (k8s_audit_always_true)
|
||||
|
||||
- macro: response_successful
|
||||
condition: (ka.response.code startswith 2)
|
||||
|
||||
- macro: kcreate
|
||||
condition: ka.verb=create
|
||||
|
||||
- macro: kmodify
|
||||
condition: (ka.verb in (create,update,patch))
|
||||
|
||||
- macro: kdelete
|
||||
condition: ka.verb=delete
|
||||
|
||||
- macro: pod
|
||||
condition: ka.target.resource=pods and not ka.target.subresource exists
|
||||
|
||||
- macro: pod_subresource
|
||||
condition: ka.target.resource=pods and ka.target.subresource exists
|
||||
|
||||
- macro: deployment
|
||||
condition: ka.target.resource=deployments
|
||||
|
||||
- macro: service
|
||||
condition: ka.target.resource=services
|
||||
|
||||
- macro: configmap
|
||||
condition: ka.target.resource=configmaps
|
||||
|
||||
- macro: namespace
|
||||
condition: ka.target.resource=namespaces
|
||||
|
||||
- macro: serviceaccount
|
||||
condition: ka.target.resource=serviceaccounts
|
||||
|
||||
- macro: clusterrole
|
||||
condition: ka.target.resource=clusterroles
|
||||
|
||||
- macro: clusterrolebinding
|
||||
condition: ka.target.resource=clusterrolebindings
|
||||
|
||||
- macro: role
|
||||
condition: ka.target.resource=roles
|
||||
|
||||
- macro: secret
|
||||
condition: ka.target.resource=secrets
|
||||
|
||||
- macro: health_endpoint
|
||||
condition: ka.uri=/healthz
|
||||
|
||||
- rule: Create Disallowed Pod
|
||||
desc: >
|
||||
Detect an attempt to start a pod with a container image outside of a list of allowed images.
|
||||
condition: kevt and pod and kcreate and not allowed_k8s_containers
|
||||
output: Pod started with container not in allowed list (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
|
||||
priority: WARNING
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- rule: Create Privileged Pod
|
||||
desc: >
|
||||
Detect an attempt to start a pod with a privileged container
|
||||
condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (falco_privileged_images)
|
||||
output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
|
||||
priority: WARNING
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- macro: sensitive_vol_mount
|
||||
condition: >
|
||||
(ka.req.pod.volumes.hostpath intersects (/proc, /var/run/docker.sock, /, /etc, /root, /var/run/crio/crio.sock, /home/admin, /var/lib/kubelet, /var/lib/kubelet/pki, /etc/kubernetes, /etc/kubernetes/manifests))
|
||||
|
||||
- rule: Create Sensitive Mount Pod
|
||||
desc: >
|
||||
Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc).
|
||||
Exceptions are made for known trusted images.
|
||||
condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.pod.containers.image.repository in (falco_sensitive_mount_images)
|
||||
output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image volumes=%jevt.value[/requestObject/spec/volumes])
|
||||
priority: WARNING
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
# Corresponds to K8s CIS Benchmark 1.7.4
|
||||
- rule: Create HostNetwork Pod
|
||||
desc: Detect an attempt to start a pod using the host network.
|
||||
condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostnetwork_images)
|
||||
output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
|
||||
priority: WARNING
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- macro: user_known_node_port_service
|
||||
condition: (k8s_audit_never_true)
|
||||
|
||||
- rule: Create NodePort Service
|
||||
desc: >
|
||||
Detect an attempt to start a service with a NodePort service type
|
||||
condition: kevt and service and kcreate and ka.req.service.type=NodePort and not user_known_node_port_service
|
||||
output: NodePort Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace ports=%ka.req.service.ports)
|
||||
priority: WARNING
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- macro: contains_private_credentials
|
||||
condition: >
|
||||
(ka.req.configmap.obj contains "aws_access_key_id" or
|
||||
ka.req.configmap.obj contains "aws-access-key-id" or
|
||||
ka.req.configmap.obj contains "aws_s3_access_key_id" or
|
||||
ka.req.configmap.obj contains "aws-s3-access-key-id" or
|
||||
ka.req.configmap.obj contains "password" or
|
||||
ka.req.configmap.obj contains "passphrase")
|
||||
|
||||
- rule: Create/Modify Configmap With Private Credentials
|
||||
desc: >
|
||||
Detect creating/modifying a configmap containing a private credential (aws key, password, etc.)
|
||||
condition: kevt and configmap and kmodify and contains_private_credentials
|
||||
output: K8s configmap with private credential (user=%ka.user.name verb=%ka.verb configmap=%ka.req.configmap.name config=%ka.req.configmap.obj)
|
||||
priority: WARNING
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
# Corresponds to K8s CIS Benchmark, 1.1.1.
|
||||
- rule: Anonymous Request Allowed
|
||||
desc: >
|
||||
Detect any request made by the anonymous user that was allowed
|
||||
condition: kevt and ka.user.name=system:anonymous and ka.auth.decision="allow" and not health_endpoint
|
||||
output: Request by anonymous user allowed (user=%ka.user.name verb=%ka.verb uri=%ka.uri reason=%ka.auth.reason))
|
||||
priority: WARNING
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
# Roughly corresponds to K8s CIS Benchmark, 1.1.12. In this case,
|
||||
# notifies an attempt to exec/attach to a privileged container.
|
||||
|
||||
# Ideally, we'd add a more stringent rule that detects attaches/execs
|
||||
# to a privileged pod, but that requires the engine for k8s audit
|
||||
# events to be stateful, so it could know if a container named in an
|
||||
# attach request was created privileged or not. For now, we have a
|
||||
# less severe rule that detects attaches/execs to any pod.
|
||||
|
||||
- macro: user_known_exec_pod_activities
|
||||
condition: (k8s_audit_never_true)
|
||||
|
||||
- rule: Attach/Exec Pod
|
||||
desc: >
|
||||
Detect any attempt to attach/exec to a pod
|
||||
condition: kevt_started and pod_subresource and kcreate and ka.target.subresource in (exec,attach) and not user_known_exec_pod_activities
|
||||
output: Attach/Exec to pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace action=%ka.target.subresource command=%ka.uri.param[command])
|
||||
priority: NOTICE
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- macro: user_known_pod_debug_activities
|
||||
condition: (k8s_audit_never_true)
|
||||
|
||||
# Only works when feature gate EphemeralContainers is enabled
|
||||
- rule: EphemeralContainers Created
|
||||
desc: >
|
||||
Detect any ephemeral container created
|
||||
condition: kevt and pod_subresource and kmodify and ka.target.subresource in (ephemeralcontainers) and not user_known_pod_debug_activities
|
||||
output: Ephemeral container is created in pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace ephemeral_container_name=%jevt.value[/requestObject/ephemeralContainers/0/name] ephemeral_container_image=%jevt.value[/requestObject/ephemeralContainers/0/image])
|
||||
priority: NOTICE
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
# In a local/user rules fie, you can append to this list to add additional allowed namespaces
|
||||
- list: allowed_namespaces
|
||||
items: [kube-system, kube-public, default]
|
||||
|
||||
- rule: Create Disallowed Namespace
|
||||
desc: Detect any attempt to create a namespace outside of a set of known namespaces
|
||||
condition: kevt and namespace and kcreate and not ka.target.name in (allowed_namespaces)
|
||||
output: Disallowed namespace created (user=%ka.user.name ns=%ka.target.name)
|
||||
priority: WARNING
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
# Only defined for backwards compatibility. Use the more specific
|
||||
# user_allowed_kube_namespace_image_list instead.
|
||||
- list: user_trusted_image_list
|
||||
items: []
|
||||
|
||||
- list: user_allowed_kube_namespace_image_list
|
||||
items: [user_trusted_image_list]
|
||||
|
||||
# Only defined for backwards compatibility. Use the more specific
|
||||
# allowed_kube_namespace_image_list instead.
|
||||
- list: k8s_image_list
|
||||
items: []
|
||||
|
||||
- list: allowed_kube_namespace_image_list
|
||||
items: [
|
||||
gcr.io/google-containers/prometheus-to-sd,
|
||||
gcr.io/projectcalico-org/node,
|
||||
gke.gcr.io/addon-resizer,
|
||||
gke.gcr.io/heapster,
|
||||
gke.gcr.io/gke-metadata-server,
|
||||
k8s.gcr.io/ip-masq-agent-amd64,
|
||||
k8s.gcr.io/kube-apiserver,
|
||||
gke.gcr.io/kube-proxy,
|
||||
gke.gcr.io/netd-amd64,
|
||||
k8s.gcr.io/addon-resizer
|
||||
k8s.gcr.io/prometheus-to-sd,
|
||||
k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64,
|
||||
k8s.gcr.io/k8s-dns-kube-dns-amd64,
|
||||
k8s.gcr.io/k8s-dns-sidecar-amd64,
|
||||
k8s.gcr.io/metrics-server-amd64,
|
||||
kope/kube-apiserver-healthcheck,
|
||||
k8s_image_list
|
||||
]
|
||||
|
||||
- macro: allowed_kube_namespace_pods
|
||||
condition: (ka.req.pod.containers.image.repository in (user_allowed_kube_namespace_image_list) or
|
||||
ka.req.pod.containers.image.repository in (allowed_kube_namespace_image_list))
|
||||
|
||||
# Detect any new pod created in the kube-system namespace
|
||||
- rule: Pod Created in Kube Namespace
|
||||
desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces
|
||||
condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not allowed_kube_namespace_pods
|
||||
output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
|
||||
priority: WARNING
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- list: user_known_sa_list
|
||||
items: []
|
||||
|
||||
- macro: trusted_sa
|
||||
condition: (ka.target.name in (user_known_sa_list))
|
||||
|
||||
# Detect creating a service account in the kube-system/kube-public namespace
|
||||
- rule: Service Account Created in Kube Namespace
|
||||
desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces
|
||||
condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful and not trusted_sa
|
||||
output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace)
|
||||
priority: WARNING
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
# Detect any modify/delete to any ClusterRole starting with
|
||||
# "system:". "system:coredns" is excluded as changes are expected in
|
||||
# normal operation.
|
||||
- rule: System ClusterRole Modified/Deleted
|
||||
desc: Detect any attempt to modify/delete a ClusterRole/Role starting with system
|
||||
condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and
|
||||
not ka.target.name in (system:coredns, system:managed-certificate-controller)
|
||||
output: System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name ns=%ka.target.namespace action=%ka.verb)
|
||||
priority: WARNING
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
# Detect any attempt to create a ClusterRoleBinding to the cluster-admin user
|
||||
# (exapand this to any built-in cluster role that does "sensitive" things)
|
||||
- rule: Attach to cluster-admin Role
|
||||
desc: Detect any attempt to create a ClusterRoleBinding to the cluster-admin user
|
||||
condition: kevt and clusterrolebinding and kcreate and ka.req.binding.role=cluster-admin
|
||||
output: Cluster Role Binding to cluster-admin role (user=%ka.user.name subject=%ka.req.binding.subjects)
|
||||
priority: WARNING
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- rule: ClusterRole With Wildcard Created
|
||||
desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs
|
||||
condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*"))
|
||||
output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
|
||||
priority: WARNING
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- macro: writable_verbs
|
||||
condition: >
|
||||
(ka.req.role.rules.verbs intersects (create, update, patch, delete, deletecollection))
|
||||
|
||||
- rule: ClusterRole With Write Privileges Created
|
||||
desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions
|
||||
condition: kevt and (role or clusterrole) and kcreate and writable_verbs
|
||||
output: Created Role/ClusterRole with write privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
|
||||
priority: NOTICE
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- rule: ClusterRole With Pod Exec Created
|
||||
desc: Detect any attempt to create a Role/ClusterRole that can exec to pods
|
||||
condition: kevt and (role or clusterrole) and kcreate and ka.req.role.rules.resources intersects ("pods/exec")
|
||||
output: Created Role/ClusterRole with pod exec privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
|
||||
priority: WARNING
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
# The rules below this point are less discriminatory and generally
|
||||
# represent a stream of activity for a cluster. If you wish to disable
|
||||
# these events, modify the following macro.
|
||||
- macro: consider_activity_events
|
||||
condition: (k8s_audit_always_true)
|
||||
|
||||
- macro: kactivity
|
||||
condition: (kevt and consider_activity_events)
|
||||
|
||||
- rule: K8s Deployment Created
|
||||
desc: Detect any attempt to create a deployment
|
||||
condition: (kactivity and kcreate and deployment and response_successful)
|
||||
output: K8s Deployment Created (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||
priority: INFO
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- rule: K8s Deployment Deleted
|
||||
desc: Detect any attempt to delete a deployment
|
||||
condition: (kactivity and kdelete and deployment and response_successful)
|
||||
output: K8s Deployment Deleted (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||
priority: INFO
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- rule: K8s Service Created
|
||||
desc: Detect any attempt to create a service
|
||||
condition: (kactivity and kcreate and service and response_successful)
|
||||
output: K8s Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||
priority: INFO
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- rule: K8s Service Deleted
|
||||
desc: Detect any attempt to delete a service
|
||||
condition: (kactivity and kdelete and service and response_successful)
|
||||
output: K8s Service Deleted (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||
priority: INFO
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- rule: K8s ConfigMap Created
|
||||
desc: Detect any attempt to create a configmap
|
||||
condition: (kactivity and kcreate and configmap and response_successful)
|
||||
output: K8s ConfigMap Created (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||
priority: INFO
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- rule: K8s ConfigMap Deleted
|
||||
desc: Detect any attempt to delete a configmap
|
||||
condition: (kactivity and kdelete and configmap and response_successful)
|
||||
output: K8s ConfigMap Deleted (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||
priority: INFO
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- rule: K8s Namespace Created
|
||||
desc: Detect any attempt to create a namespace
|
||||
condition: (kactivity and kcreate and namespace and response_successful)
|
||||
output: K8s Namespace Created (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||
priority: INFO
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- rule: K8s Namespace Deleted
|
||||
desc: Detect any attempt to delete a namespace
|
||||
condition: (kactivity and non_system_user and kdelete and namespace and response_successful)
|
||||
output: K8s Namespace Deleted (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||
priority: INFO
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- rule: K8s Serviceaccount Created
|
||||
desc: Detect any attempt to create a service account
|
||||
condition: (kactivity and kcreate and serviceaccount and response_successful)
|
||||
output: K8s Serviceaccount Created (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||
priority: INFO
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- rule: K8s Serviceaccount Deleted
|
||||
desc: Detect any attempt to delete a service account
|
||||
condition: (kactivity and kdelete and serviceaccount and response_successful)
|
||||
output: K8s Serviceaccount Deleted (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||
priority: INFO
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- rule: K8s Role/Clusterrole Created
|
||||
desc: Detect any attempt to create a cluster role/role
|
||||
condition: (kactivity and kcreate and (clusterrole or role) and response_successful)
|
||||
output: K8s Cluster Role Created (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||
priority: INFO
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- rule: K8s Role/Clusterrole Deleted
|
||||
desc: Detect any attempt to delete a cluster role/role
|
||||
condition: (kactivity and kdelete and (clusterrole or role) and response_successful)
|
||||
output: K8s Cluster Role Deleted (user=%ka.user.name role=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||
priority: INFO
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- rule: K8s Role/Clusterrolebinding Created
|
||||
desc: Detect any attempt to create a clusterrolebinding
|
||||
condition: (kactivity and kcreate and clusterrolebinding and response_successful)
|
||||
output: K8s Cluster Role Binding Created (user=%ka.user.name binding=%ka.target.name subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||
priority: INFO
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- rule: K8s Role/Clusterrolebinding Deleted
|
||||
desc: Detect any attempt to delete a clusterrolebinding
|
||||
condition: (kactivity and kdelete and clusterrolebinding and response_successful)
|
||||
output: K8s Cluster Role Binding Deleted (user=%ka.user.name binding=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||
priority: INFO
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- rule: K8s Secret Created
|
||||
desc: Detect any attempt to create a secret. Service account tokens are excluded.
|
||||
condition: (kactivity and kcreate and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
|
||||
output: K8s Secret Created (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||
priority: INFO
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- rule: K8s Secret Deleted
|
||||
desc: Detect any attempt to delete a secret Service account tokens are excluded.
|
||||
condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
|
||||
output: K8s Secret Deleted (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||
priority: INFO
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
# This rule generally matches all events, and as a result is disabled
|
||||
# by default. If you wish to enable these events, modify the
|
||||
# following macro.
|
||||
# condition: (jevt.rawtime exists)
|
||||
- macro: consider_all_events
|
||||
condition: (k8s_audit_never_true)
|
||||
|
||||
- macro: kall
|
||||
condition: (kevt and consider_all_events)
|
||||
|
||||
- rule: All K8s Audit Events
|
||||
desc: Match all K8s Audit Events
|
||||
condition: kall
|
||||
output: K8s Audit Event received (user=%ka.user.name verb=%ka.verb uri=%ka.uri obj=%jevt.obj)
|
||||
priority: DEBUG
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
|
||||
# This macro disables following rule, change to k8s_audit_never_true to enable it
|
||||
- macro: allowed_full_admin_users
|
||||
condition: (k8s_audit_always_true)
|
||||
|
||||
# This list includes some of the default user names for an administrator in several K8s installations
|
||||
- list: full_admin_k8s_users
|
||||
items: ["admin", "kubernetes-admin", "kubernetes-admin@kubernetes", "kubernetes-admin@cluster.local", "minikube-user"]
|
||||
|
||||
# This rules detect an operation triggered by an user name that is
|
||||
# included in the list of those that are default administrators upon
|
||||
# cluster creation. This may signify a permission setting too broader.
|
||||
# As we can't check for role of the user on a general ka.* event, this
|
||||
# may or may not be an administrator. Customize the full_admin_k8s_users
|
||||
# list to your needs, and activate at your discrection.
|
||||
|
||||
# # How to test:
|
||||
# # Execute any kubectl command connected using default cluster user, as:
|
||||
# kubectl create namespace rule-test
|
||||
|
||||
- rule: Full K8s Administrative Access
|
||||
desc: Detect any k8s operation by a user name that may be an administrator with full access.
|
||||
condition: >
|
||||
kevt
|
||||
and non_system_user
|
||||
and ka.user.name in (full_admin_k8s_users)
|
||||
and not allowed_full_admin_users
|
||||
output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
|
||||
priority: WARNING
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- macro: ingress
|
||||
condition: ka.target.resource=ingresses
|
||||
|
||||
- macro: ingress_tls
|
||||
condition: (jevt.value[/requestObject/spec/tls] exists)
|
||||
|
||||
# # How to test:
|
||||
# # Create an ingress.yaml file with content:
|
||||
# apiVersion: networking.k8s.io/v1beta1
|
||||
# kind: Ingress
|
||||
# metadata:
|
||||
# name: test-ingress
|
||||
# annotations:
|
||||
# nginx.ingress.kubernetes.io/rewrite-target: /
|
||||
# spec:
|
||||
# rules:
|
||||
# - http:
|
||||
# paths:
|
||||
# - path: /testpath
|
||||
# backend:
|
||||
# serviceName: test
|
||||
# servicePort: 80
|
||||
# # Execute: kubectl apply -f ingress.yaml
|
||||
|
||||
- rule: Ingress Object without TLS Certificate Created
|
||||
desc: Detect any attempt to create an ingress without TLS certification.
|
||||
condition: >
|
||||
(kactivity and kcreate and ingress and response_successful and not ingress_tls)
|
||||
output: >
|
||||
K8s Ingress Without TLS Cert Created (user=%ka.user.name ingress=%ka.target.name
|
||||
namespace=%ka.target.namespace)
|
||||
source: k8s_audit
|
||||
priority: WARNING
|
||||
tags: [k8s, network]
|
||||
|
||||
- macro: node
|
||||
condition: ka.target.resource=nodes
|
||||
|
||||
- macro: allow_all_k8s_nodes
|
||||
condition: (k8s_audit_always_true)
|
||||
|
||||
- list: allowed_k8s_nodes
|
||||
items: []
|
||||
|
||||
# # How to test:
|
||||
# # Create a Falco monitored cluster with Kops
|
||||
# # Increase the number of minimum nodes with:
|
||||
# kops edit ig nodes
|
||||
# kops apply --yes
|
||||
|
||||
- rule: Untrusted Node Successfully Joined the Cluster
|
||||
desc: >
|
||||
Detect a node successfully joined the cluster outside of the list of allowed nodes.
|
||||
condition: >
|
||||
kevt and node
|
||||
and kcreate
|
||||
and response_successful
|
||||
and not allow_all_k8s_nodes
|
||||
and not ka.target.name in (allowed_k8s_nodes)
|
||||
output: Node not in allowed list successfully joined the cluster (user=%ka.user.name node=%ka.target.name)
|
||||
priority: ERROR
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- rule: Untrusted Node Unsuccessfully Tried to Join the Cluster
|
||||
desc: >
|
||||
Detect an unsuccessful attempt to join the cluster for a node not in the list of allowed nodes.
|
||||
condition: >
|
||||
kevt and node
|
||||
and kcreate
|
||||
and not response_successful
|
||||
and not allow_all_k8s_nodes
|
||||
and not ka.target.name in (allowed_k8s_nodes)
|
||||
output: Node not in allowed list tried unsuccessfully to join the cluster (user=%ka.user.name node=%ka.target.name reason=%ka.response.reason)
|
||||
priority: WARNING
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
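--- a/UNKNOWN_PATH_falco_application_rules_yaml
+++ /dev/null
@@ -1,188 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-- required_engine_version: 2
-
-################################################################
-# By default all application-related rules are disabled for
-# performance reasons. Depending on the application(s) you use,
-# uncomment the corresponding rule definitions for
-# application-specific activity monitoring.
-################################################################
-
-# Elasticsearch ports
-- macro: elasticsearch_cluster_port
-condition: fd.sport=9300
-- macro: elasticsearch_api_port
-condition: fd.sport=9200
-- macro: elasticsearch_port
-condition: elasticsearch_cluster_port or elasticsearch_api_port
-
-# - rule: Elasticsearch unexpected network inbound traffic
-# desc: inbound network traffic to elasticsearch on a port other than the standard ports
-# condition: user.name = elasticsearch and inbound and not elasticsearch_port
-# output: "Inbound network traffic to Elasticsearch on unexpected port (connection=%fd.name)"
-# priority: WARNING
-
-# - rule: Elasticsearch unexpected network outbound traffic
-# desc: outbound network traffic from elasticsearch on a port other than the standard ports
-# condition: user.name = elasticsearch and outbound and not elasticsearch_cluster_port
-# output: "Outbound network traffic from Elasticsearch on unexpected port (connection=%fd.name)"
-# priority: WARNING
-
-
-# ActiveMQ ports
-- macro: activemq_cluster_port
-condition: fd.sport=61616
-- macro: activemq_web_port
-condition: fd.sport=8161
-- macro: activemq_port
-condition: activemq_web_port or activemq_cluster_port
-
-# - rule: Activemq unexpected network inbound traffic
-# desc: inbound network traffic to activemq on a port other than the standard ports
-# condition: user.name = activemq and inbound and not activemq_port
-# output: "Inbound network traffic to ActiveMQ on unexpected port (connection=%fd.name)"
-# priority: WARNING
-
-# - rule: Activemq unexpected network outbound traffic
-# desc: outbound network traffic from activemq on a port other than the standard ports
-# condition: user.name = activemq and outbound and not activemq_cluster_port
-# output: "Outbound network traffic from ActiveMQ on unexpected port (connection=%fd.name)"
-# priority: WARNING
-
-
-# Cassandra ports
-# https://docs.datastax.com/en/cassandra/2.0/cassandra/security/secureFireWall_r.html
-- macro: cassandra_thrift_client_port
-condition: fd.sport=9160
-- macro: cassandra_cql_port
-condition: fd.sport=9042
-- macro: cassandra_cluster_port
-condition: fd.sport=7000
-- macro: cassandra_ssl_cluster_port
-condition: fd.sport=7001
-- macro: cassandra_jmx_port
-condition: fd.sport=7199
-- macro: cassandra_port
-condition: >
-cassandra_thrift_client_port or
-cassandra_cql_port or cassandra_cluster_port or
-cassandra_ssl_cluster_port or cassandra_jmx_port
-
-# - rule: Cassandra unexpected network inbound traffic
-# desc: inbound network traffic to cassandra on a port other than the standard ports
-# condition: user.name = cassandra and inbound and not cassandra_port
-# output: "Inbound network traffic to Cassandra on unexpected port (connection=%fd.name)"
-# priority: WARNING
-
-# - rule: Cassandra unexpected network outbound traffic
-# desc: outbound network traffic from cassandra on a port other than the standard ports
-# condition: user.name = cassandra and outbound and not (cassandra_ssl_cluster_port or cassandra_cluster_port)
-# output: "Outbound network traffic from Cassandra on unexpected port (connection=%fd.name)"
-# priority: WARNING
-
-# Couchdb ports
-# https://github.com/davisp/couchdb/blob/master/etc/couchdb/local.ini
-- macro: couchdb_httpd_port
-condition: fd.sport=5984
-- macro: couchdb_httpd_ssl_port
-condition: fd.sport=6984
-# xxx can't tell what clustering ports are used. not writing rules for this
-# yet.
-
-# Fluentd ports
-- macro: fluentd_http_port
-condition: fd.sport=9880
-- macro: fluentd_forward_port
-condition: fd.sport=24224
-
-# - rule: Fluentd unexpected network inbound traffic
-# desc: inbound network traffic to fluentd on a port other than the standard ports
-# condition: user.name = td-agent and inbound and not (fluentd_forward_port or fluentd_http_port)
-# output: "Inbound network traffic to Fluentd on unexpected port (connection=%fd.name)"
-# priority: WARNING
-
-# - rule: Tdagent unexpected network outbound traffic
-# desc: outbound network traffic from fluentd on a port other than the standard ports
-# condition: user.name = td-agent and outbound and not fluentd_forward_port
-# output: "Outbound network traffic from Fluentd on unexpected port (connection=%fd.name)"
-# priority: WARNING
-
-# Gearman ports
-# http://gearman.org/protocol/
-# - rule: Gearman unexpected network outbound traffic
-# desc: outbound network traffic from gearman on a port other than the standard ports
-# condition: user.name = gearman and outbound and outbound and not fd.sport = 4730
-# output: "Outbound network traffic from Gearman on unexpected port (connection=%fd.name)"
-# priority: WARNING
-
-# Zookeeper
-- macro: zookeeper_port
-condition: fd.sport = 2181
-
-# Kafka ports
-# - rule: Kafka unexpected network inbound traffic
-# desc: inbound network traffic to kafka on a port other than the standard ports
-# condition: user.name = kafka and inbound and fd.sport != 9092
-# output: "Inbound network traffic to Kafka on unexpected port (connection=%fd.name)"
-# priority: WARNING
-
-# Memcached ports
-# - rule: Memcached unexpected network inbound traffic
-# desc: inbound network traffic to memcached on a port other than the standard ports
-# condition: user.name = memcached and inbound and fd.sport != 11211
-# output: "Inbound network traffic to Memcached on unexpected port (connection=%fd.name)"
-# priority: WARNING
-
-# - rule: Memcached unexpected network outbound traffic
-# desc: any outbound network traffic from memcached. memcached never initiates outbound connections.
-# condition: user.name = memcached and outbound
-# output: "Unexpected Memcached outbound connection (connection=%fd.name)"
-# priority: WARNING
-
-
-# MongoDB ports
-- macro: mongodb_server_port
-condition: fd.sport = 27017
-- macro: mongodb_shardserver_port
-condition: fd.sport = 27018
-- macro: mongodb_configserver_port
-condition: fd.sport = 27019
-- macro: mongodb_webserver_port
-condition: fd.sport = 28017
-
-# - rule: Mongodb unexpected network inbound traffic
-# desc: inbound network traffic to mongodb on a port other than the standard ports
-# condition: >
-# user.name = mongodb and inbound and not (mongodb_server_port or
-# mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port)
-# output: "Inbound network traffic to MongoDB on unexpected port (connection=%fd.name)"
-# priority: WARNING
-
-# MySQL ports
-# - rule: Mysql unexpected network inbound traffic
-# desc: inbound network traffic to mysql on a port other than the standard ports
-# condition: user.name = mysql and inbound and fd.sport != 3306
-# output: "Inbound network traffic to MySQL on unexpected port (connection=%fd.name)"
-# priority: WARNING
-
-# - rule: HTTP server unexpected network inbound traffic
-# desc: inbound network traffic to a http server program on a port other than the standard ports
-# condition: proc.name in (http_server_binaries) and inbound and fd.sport != 80 and fd.sport != 443
-# output: "Inbound network traffic to HTTP Server on unexpected port (connection=%fd.name)"
-# priority: WARNING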
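--- a/UNKNOWN_PATH_dkms_kernel_install_hook
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/usr/bin/bash
-
-if [[ "$1" == "add" ]]; then
-/etc/kernel/postinst.d/dkms $2
-fi
-
-if [[ "$1" == "remove" ]]; then
-/etc/kernel/prerm.d/dkms $2
-fi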
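--- a/UNKNOWN_PATH_probably_kernel_postinst.d_dkms
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/bash
-
-# We're passed the version of the kernel being installed
-inst_kern=$1
-
-uname_s=$(uname -s)
-
-_get_kernel_dir() {
-KVER=$1
-case ${uname_s} in
-Linux) DIR="/lib/modules/$KVER/build" ;;
-GNU/kFreeBSD) DIR="/usr/src/kfreebsd-headers-$KVER/sys" ;;
-esac
-echo $DIR
-}
-
-_check_kernel_dir() {
-DIR=$(_get_kernel_dir $1)
-case ${uname_s} in
-Linux) test -e $DIR/include ;;
-GNU/kFreeBSD) test -e $DIR/kern && test -e $DIR/conf/kmod.mk ;;
-*) return 1 ;;
-esac
-return $?
-}
-
-case "${uname_s}" in
-Linux)
-header_pkg="linux-headers-$inst_kern"
-kernel="Linux"
-;;
-GNU/kFreeBSD)
-header_pkg="kfreebsd-headers-$inst_kern"
-kernel="kFreeBSD"
-;;
-esac
-
-if [ -x /usr/lib/dkms/dkms_autoinstaller ]; then
-exec /usr/lib/dkms/dkms_autoinstaller start $inst_kern
-fi
-
-if ! _check_kernel_dir $inst_kern ; then
-echo "dkms: WARNING: $kernel headers are missing, which may explain the above failures." >&2
-echo " please install the $header_pkg package to fix this." >&2
-fi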
@@ -1,30 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
# We're passed the version of the kernel being removed
|
||||
inst_kern=$1
|
||||
|
||||
# This is applied from make_initrd function in dkms command, which
|
||||
# creates the possible initrd backup file.
|
||||
remove_initrd_backup() {
|
||||
for initrd in "initrd-$1.img" "initramfs-$1.img" "initrd.img-$1" "initrd-$1"; do
|
||||
rm -fv /boot/"${initrd}".old-dkms >&2
|
||||
done
|
||||
}
|
||||
|
||||
if [ -x /usr/sbin/dkms ]; then
|
||||
while read line; do
|
||||
name=`echo "$line" | awk '{print $1}' | sed 's/,$//'`
|
||||
vers=`echo "$line" | awk '{print $2}' | sed 's/,$//'`
|
||||
arch=`echo "$line" | awk '{print $4}' | sed 's/:$//'`
|
||||
echo "dkms: removing: $name $vers ($inst_kern) ($arch)" >&2
|
||||
dkms remove -m $name -v $vers -k $inst_kern -a $arch
|
||||
done < <(dkms status -k $inst_kern 2>/dev/null | grep ": installed")
|
||||
fi
|
||||
|
||||
remove_initrd_backup "$inst_kern"
|
||||
|
||||
rmdir --ignore-fail-on-non-empty \
|
||||
"/lib/modules/$inst_kern/updates/dkms" \
|
||||
"/lib/modules/$inst_kern/updates" 2>/dev/null
|
||||
|
||||
exit 0
|
||||
@@ -1,93 +0,0 @@
|
||||
#!/bin/sh
|
||||
# Copyright 2010-2016 Jetico Inc. Oy
|
||||
# All rights reserved.
|
||||
|
||||
# chkconfig: 345 99 01
|
||||
# description: BestCrypt for Linux
|
||||
#
|
||||
### BEGIN INIT INFO
|
||||
# Provides: bestcrypt
|
||||
# Required-Start: dkms
|
||||
# Required-Stop:
|
||||
# Default-Start: 2 3 4 5
|
||||
# Default-Stop: 0 1 6
|
||||
# Short-Description: BestCrypt for Linux
|
||||
# Description: BestCrypt for Linux
|
||||
### END INIT INFO
|
||||
|
||||
|
||||
KERNEL_VERSION=`uname -r|sed 's/\(.\..\).*/\1/'`
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
echo "Starting BestCrypt..."
|
||||
rm -rf /dev/bcrypt?* 2>/dev/null
|
||||
|
||||
depmod -a
|
||||
|
||||
modprobe bestcrypt
|
||||
modprobe bc_blowfish
|
||||
modprobe bc_des
|
||||
modprobe bc_gost
|
||||
modprobe bc_camellia
|
||||
modprobe bc_twofish
|
||||
modprobe bc_bf448
|
||||
modprobe bc_bf128
|
||||
modprobe bc_3des
|
||||
modprobe bc_idea
|
||||
modprobe bc_rijn
|
||||
modprobe bc_cast
|
||||
modprobe bc_serpent
|
||||
modprobe bc_rc6
|
||||
|
||||
#modprobe bc_noop
|
||||
|
||||
echo "Started."
|
||||
;;
|
||||
|
||||
stop)
|
||||
echo "Stopping BestCrypt..."
|
||||
|
||||
if bctool is_guard_on ; then
|
||||
echo "on" > "$HOME"/.config/Jetico/guard_status
|
||||
else
|
||||
echo "off" > "$HOME"/.config/Jetico/guard_status
|
||||
fi
|
||||
|
||||
bctool umountall
|
||||
|
||||
for i in `lsmod | egrep "^\"?bc_.*\"?" | awk '{print $1}' `; do
|
||||
rmmod $i;
|
||||
done
|
||||
|
||||
rmmod bestcrypt
|
||||
|
||||
echo "Stopped."
|
||||
;;
|
||||
|
||||
status)
|
||||
if [ -f /sys/class/misc/bestcrypt ] ; then
|
||||
echo "BestCrypt driver is loaded. List of loaded algorithms:\n"
|
||||
ls /sys/class/misc/bectcrypt/plugins
|
||||
else
|
||||
echo "SysFS entry unavailable, possibly driver is not running."
|
||||
fi
|
||||
|
||||
if bctool is_guard_on ; then
|
||||
echo "BestCrypt container file guard is on"
|
||||
fi
|
||||
|
||||
;;
|
||||
|
||||
restart)
|
||||
$0 stop
|
||||
$0 start
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "Usage: $0 {start|stop|restart|status}"
|
||||
exit 1
|
||||
esac
|
||||
|
||||
exit 0
|
||||
|
||||
@@ -1,127 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Copyright (C) 2019 The Falco Authors.
|
||||
#
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
#
|
||||
# falco syscall monitoring agent
|
||||
#
|
||||
# chkconfig: 2345 55 45
|
||||
# description: Falco syscall monitoring agent
|
||||
#
|
||||
|
||||
### BEGIN INIT INFO
|
||||
# Provides:
|
||||
# Required-Start:
|
||||
# Required-Stop:
|
||||
# Should-Start:
|
||||
# Should-Stop:
|
||||
# Default-Start:
|
||||
# Default-Stop:
|
||||
# Short-Description:
|
||||
# Description:
|
||||
### END INIT INFO
|
||||
|
||||
# Source function library.
|
||||
. /etc/rc.d/init.d/functions
|
||||
|
||||
exec="/usr/bin/falco"
|
||||
prog="falco"
|
||||
# config="<path to major config file>"
|
||||
|
||||
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
|
||||
|
||||
lockfile=/var/lock/subsys/$prog
|
||||
pidfile="/var/run/falco.pid"
|
||||
|
||||
start() {
|
||||
[ -x $exec ] || exit 5
|
||||
# [ -f $config ] || exit 6
|
||||
echo -n $"Starting $prog: "
|
||||
daemon $exec --daemon --pidfile=$pidfile
|
||||
if [ ! -d /sys/module/falco ]; then
|
||||
/sbin/modprobe falco || return $?
|
||||
fi
|
||||
retval=$?
|
||||
echo
|
||||
[ $retval -eq 0 ] && touch $lockfile
|
||||
return $retval
|
||||
}
|
||||
|
||||
stop() {
|
||||
echo -n $"Stopping $prog: "
|
||||
killproc -p $pidfile
|
||||
retval=$?
|
||||
echo
|
||||
/sbin/rmmod falco
|
||||
[ $retval -eq 0 ] && rm -f $lockfile
|
||||
return $retval
|
||||
}
|
||||
|
||||
restart() {
|
||||
stop
|
||||
start
|
||||
}
|
||||
|
||||
reload() {
|
||||
restart
|
||||
}
|
||||
|
||||
force_reload() {
|
||||
restart
|
||||
}
|
||||
|
||||
rh_status() {
|
||||
status -p $pidfile $prog
|
||||
}
|
||||
|
||||
rh_status_q() {
|
||||
rh_status >/dev/null 2>&1
|
||||
}
|
||||
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
rh_status_q && exit 0
|
||||
$1
|
||||
;;
|
||||
stop)
|
||||
rh_status_q || exit 0
|
||||
$1
|
||||
;;
|
||||
restart)
|
||||
$1
|
||||
;;
|
||||
reload)
|
||||
rh_status_q || exit 7
|
||||
$1
|
||||
;;
|
||||
force-reload)
|
||||
force_reload
|
||||
;;
|
||||
status)
|
||||
rh_status
|
||||
;;
|
||||
condrestart|try-restart)
|
||||
rh_status_q || exit 0
|
||||
restart
|
||||
;;
|
||||
*)
|
||||
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
|
||||
exit 2
|
||||
esac
|
||||
exit $?
|
||||
@@ -1 +0,0 @@
|
||||
../init.d/bestcrypt
|
||||
@@ -1 +0,0 @@
|
||||
../init.d/falco
|
||||
@@ -1 +0,0 @@
|
||||
../init.d/bestcrypt
|
||||
@@ -1 +0,0 @@
|
||||
../init.d/falco
|
||||
@@ -1 +0,0 @@
|
||||
../init.d/falco
|
||||
@@ -1 +0,0 @@
|
||||
../init.d/bestcrypt
|
||||
@@ -1 +0,0 @@
|
||||
../init.d/falco
|
||||
@@ -1 +0,0 @@
|
||||
../init.d/bestcrypt
|
||||
@@ -1 +0,0 @@
|
||||
../init.d/falco
|
||||
@@ -1 +0,0 @@
|
||||
../init.d/bestcrypt
|
||||
@@ -1 +0,0 @@
|
||||
../init.d/falco
|
||||
@@ -1 +0,0 @@
|
||||
../init.d/bestcrypt
|
||||
@@ -1 +0,0 @@
|
||||
../init.d/bestcrypt
|
||||
@@ -1 +0,0 @@
|
||||
../init.d/falco
|
||||
@@ -1,2 +0,0 @@
|
||||
KERNEL=="bcrypt*", MODE="0666", ENV{UDISKS_PRESENTATION_NOPOLICY}="1"
|
||||
KERNEL=="bestcrypt", MODE="0755"
|
||||
@@ -1,10 +0,0 @@
|
||||
[Desktop Entry]
|
||||
Version=1.0
|
||||
Name=BestCrypt Control Panel
|
||||
Comment=Create or mount encrypted containers.
|
||||
Icon=application-x-bestcrypt
|
||||
Exec=/usr/bin/bestcrypt-panel --minimized
|
||||
Terminal=false
|
||||
Type=Application
|
||||
Categories=Utility
|
||||
MimeType=application/x-bestcrypt-container
|
||||
@@ -1,2 +0,0 @@
|
||||
/usr/lib64/qt5/bin
|
||||
/usr
|
||||
@@ -1 +0,0 @@
|
||||
/etc/alternatives/qtchooser-5
|
||||
@@ -1 +0,0 @@
|
||||
/etc/alternatives/qtchooser-default
|
||||