Thomas Labarussias (Issif)
{
  "annotations": {
    "list": [
      {
        "builtIn": 1,
        "datasource": {
          "type": "grafana",
          "uid": "-- Grafana --"
        },
        "enable": true,
{
  "hostname": "falco-6vmwl",
  "output": "15:26:08.771336620: Notice Ingress remote file copy tool launched in container (user=sonarqube user_loginuid=-1 command=wget --no-proxy --quiet -O /dev/null --timeout=1 --header=X-Sonar-Passcode: define_it http://10.X.Y.Z:9000/api/system/liveness pid=73098 parent_process=sh container_id=e5824e25f127 container_name=sonarqube image=docker.io/library/sonarqube:10.1.0-community exe_flags=0) k8s.ns=sonarqube k8s.pod=sonarqube-sonarqube-0 container=e5824e25f127",
  "priority": "Notice",
  "rule": "Launch Ingress Remote File Copy Tools in Container",
  "source": "syscall",
  "tags": [
    "TA0011",
    "container",
    "mitre_command_and_control",
- rule: Launch Ingress Remote File Copy Tools in Container
  desc: >
    Detect ingress remote file copy tools (such as curl or wget) launched inside containers. This rule can be
    considered a valuable auditing tool, but it has the potential to generate notable noise and requires careful
    profiling before full operationalization.
  condition: >
    spawned_process
    and container
    and (ingress_remote_file_copy_procs or curl_download)
    and not user_known_ingress_remote_file_copy_activities

Talos

cat << EOF > patch.yaml
cluster:
  proxy:
    disabled: true
  network:
    cni:
      name: none
@Issif
Issif / install_falco_and_co.md
Last active April 8, 2024 14:47
Install Falco + Falcosidekick + UI + Talon
  • Install Falco Talon
git clone https://github.com/falco-talon/falco-talon.git
cd falco-talon/deployment/helm
cat <<EOF > rules.yaml
- action: Terminate Pod
  actionner: kubernetes:terminate

Cluster A - Falco + Falcosidekick

helm install falco falcosecurity/falco -n falco \
--set falcosidekick.enabled=true \
--set falcosidekick.customfields="cluster.name:A" \
--set falcosidekick.config.webhook.address="http://<falcosidekick.cluster-c>" \
--create-namespace

Cluster B - Falco + Falcosidekick

@Issif
Issif / main.go
Last active February 26, 2024 14:01
package main

import (
	"fmt"
	"log"
	"sync"
	"time"

	"github.com/nats-io/nats.go"
@Issif
Issif / procedure.md
Last active October 16, 2023 14:38
Monitor audit-logs with Falco in a Kind cluster
  • Create the audit-policy.yaml.
cat << EOF > audit-policy.yaml
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:

author: "Issif"
date: 2021-06-17T12:00:00+02:00
title: "FinOps"
description: "What I learned from my FinOps experience"
categories: ["cloud", "finops"]

featured: "falcosidekick-feature.png"
featuredalt: "falcosidekick feature"

customRules:
  override-k8saudit.yaml: |-
    - list: allowed_k8s_users
      append: true
      items: [eks:cloud-controller-manager, eks:vpc-resource-controller, eks:az-poller]
    - macro: live_endpoint
      append: true
      condition: or ka.uri="/readyz?exclude=kms-provider-0" or ka.uri="/livez?exclude=kms-provider-0"
falco: