rule(k8s): secret get detection for both successful and unsuccessful attempts

[Dentrax]

Signed-off-by: Furkan [email protected]

Success case: (ERROR)

{"priority":"Error","rule":"K8s Secret Get Successfully","source":"k8s_audit","tags":["k8s"],"time":"2022-03-19T20:00:07.793262080Z", "output_fields": {"jevt.time":"20:00:07.793262080","ka.auth.decision":"allow","ka.auth.reason":"","ka.response.code":"200","ka.target.name":"falco-token-xdkwt","ka.target.namespace":"security","ka.user.name":"kubernetes-admin"}}

Fail case: (WARNING):

1. Get developer token from kube-system

DEVELOPER_TOKEN=$(kubectl get secrets -n kube-system $(kubectl get serviceaccounts developer -n kube-system -o json \
  | jq -r '.secrets[0].name') -o json \
  | jq -r '.data.token' \
  | base64 -D)

2. Edit your kubeconfig:

users:
- name: developer
  user:
    token: $DEVELOPER_TOKEN

3. Test:

$ KUBECONFIG=1poc.yaml k get secrets falco-token-xdkwt

Error from server (Forbidden): secrets "falco-token-xdkwt" is forbidden: User "system:serviceaccount:kube-system:developer" cannot get resource "secrets" in API group "" in the namespace "security"

{"priority":"Warning","rule":"K8s Secret Get Unsuccessfully Tried","source":"k8s_audit","tags":["k8s"],"time":"2022-03-19T20:41:16.571718912Z", "output_fields": {"jevt.time":"20:41:16.571718912","ka.auth.decision":"forbid","ka.auth.reason":"","ka.response.code":"403","ka.target.name":"falco-token-xdkwt","ka.target.namespace":"security","ka.user.name":"system:serviceaccount:kube-system:developer"}}

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

If contributing rules or changes to rules, please make sure to also uncomment one of the following line:

/kind rule-update

/kind rule-create

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area build

/area engine

/area rules

/area tests

/area proposals

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

I don't add non_system_user condition because in general practice, cluster admins deploys cluster role (i.e., with restricted role) into kube-system namespace. Which would ended up false-negative. I think we should remove this condition in both secret create and delete rules.

Does this PR introduce a user-facing change?:

NONE

rule(k8s: secret): detect `get` attempts for both successful and unsuccessful attempts

[poiana]

Welcome @Dentrax! It looks like this is your first PR to falcosecurity/falco 🎉

[jasondellaluce]

/milestone 0.32.0

[Kaizhe]

@Dentrax , thank you for your contribution. There are already audit like k8s Falco rules. We need to be careful not to turn Falco into a k8s auditing tool.

[poiana]

LGTM label has been added.

Git tree hash: 79a51c94156764c8a7fd7998e3604427deec575b

[leogr]

/approve

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Dentrax, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• rules/OWNERS [leogr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment