PERF(falco): optimize falco rules

- Add sidekick memory limit
- Add macros to exclude trivy, postgres, minio, vault from rules
- Disable Container Drift Detection (too noisy)
- Remove /etc/passwd from sensitive file access (normal lookups)
- Add 256Mi memory limit to falcosidekick (was using 1.1GB)
2026-01-02 23:00:23 +09:00
parent 8d46ae9e49
commit 1a551b47ca


@@ -45,12 +45,32 @@ falco:
customRules: customRules:
custom-rules.yaml: |- custom-rules.yaml: |-
# Custom Falco Rules for your cluster # Custom Falco Rules for your cluster
# Optimized to reduce noise from trivy, postgres, minio, vault, etc.
# Macro for known safe processes
- macro: known_safe_processes
condition: >
proc.name in (sh, bash, node, python, java, nginx, postgres,
trivy, minio, vault, containerd-shim, runc,
pidof, cat, ls, grep, find, head, tail,
kubectl, helm, git, curl, wget)
# Macro for known safe container images
- macro: known_safe_images
condition: >
(container.image.repository contains "trivy" or
container.image.repository contains "aquasec" or
container.image.repository contains "postgres" or
container.image.repository contains "minio" or
container.image.repository contains "vault" or
container.image.repository contains "falco")
- rule: Unauthorized Process in Container - rule: Unauthorized Process in Container
desc: Detect unexpected processes in containers desc: Detect unexpected processes in containers
condition: > condition: >
spawned_process and container and spawned_process and container and
not proc.name in (sh, bash, node, python, java, nginx, postgres) not known_safe_processes and
not known_safe_images
output: > output: >
Unauthorized process started in container Unauthorized process started in container
(user=%user.name command=%proc.cmdline container=%container.name image=%container.image.repository) (user=%user.name command=%proc.cmdline container=%container.name image=%container.image.repository)
@@ -58,27 +78,22 @@ customRules:
tags: [container, process] tags: [container, process]
- rule: Sensitive File Access - rule: Sensitive File Access
desc: Detect access to sensitive files desc: Detect access to sensitive files (excluding /etc/passwd for normal lookups)
condition: > condition: >
open_read and container and open_read and container and
fd.name in (/etc/shadow, /etc/passwd, /root/.ssh/id_rsa, /root/.ssh/authorized_keys) fd.name in (/etc/shadow, /root/.ssh/id_rsa, /root/.ssh/authorized_keys) and
not known_safe_images
output: > output: >
Sensitive file accessed Sensitive file accessed
(user=%user.name file=%fd.name container=%container.name image=%container.image.repository) (user=%user.name file=%fd.name container=%container.name image=%container.image.repository)
priority: CRITICAL priority: CRITICAL
tags: [file, security] tags: [file, security]
- rule: Container Drift Detection # Disabled: Too noisy, causes excessive events
desc: Detect file modifications in containers # - rule: Container Drift Detection
condition: > # desc: Detect file modifications in containers
container and # condition: ...
open_write and # Reason: trivy, postgres, minio constantly write files
not proc.name in (apt, yum, dnf, apk, npm, pip)
output: >
File modified in container
(user=%user.name file=%fd.name proc=%proc.name container=%container.name)
priority: WARNING
tags: [container, drift]
# Enable Prometheus metrics # Enable Prometheus metrics
metrics: metrics:
@@ -99,6 +114,13 @@ falcosidekick:
fullfqdn: false fullfqdn: false
replicaCount: 1 replicaCount: 1
resources:
requests:
cpu: 10m
memory: 64Mi
limits:
memory: 256Mi # Prevent memory leak from accumulating events
config: config:
# Output to stdout/logs # Output to stdout/logs
debug: false debug: false
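Review bot: The `known_safe_images` macro added in the first hunk matches with `container.image.repository contains "vault"` (and likewise for trivy, aquasec, postgres, minio, falco), so the exclusion applies to any image whose repository path merely contains one of those words, not only the workloads it was written for; because both `Unauthorized Process in Container` and, in the second hunk, the CRITICAL `Sensitive File Access` rule are gated on `not known_safe_images`, a read of `/etc/shadow` or `/root/.ssh/id_rsa` from any such container is no longer reported at all. Prefer exact repository matches, e.g. `container.image.repository in ("<registry>/postgres", "<registry>/vault")` with the paths actually deployed filled in, and apply the image exclusion to the process rule only, narrowing the file rule to the specific process that legitimately reads those paths rather than the whole image. The `known_safe_processes` list also now allowlists `sh`, `bash`, `curl`, `wget`, `kubectl`, `helm` and `git` in every container, which covers most of what the process rule existed to catch; a comment above the macro noting that `proc.name` is self-reported by the process and that this list is meant to be combined with a per-image or per-namespace condition would at least document the trade-off. The `custom-rules.yaml` block scalar these rules live in begins before the first hunk.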