Module lifecycle stage: General Availability
The module has requirements for installation

Built-in Audit Rules

Summary

| Rule set | Rule | Description | Priority | Source | Tags |
|---|---|---|---|---|---|
| fstec | Launch Package Management Process in container | Detects execution of package management processes (apt/yum/dnf/apk, etc.) inside a container. Often indicates container drift, runtime tool installation, or post-compromise activity. | Error | | fstec, container_drift |
| fstec | Drop and execute new binary in container | Detects execution of a binary in a container that is not part of the base image (overlayfs upper-layer executable). Typical “drop & execute” behavior after gaining a foothold in a container. | Critical | | fstec, container_drift |
| fstec | Container drift detected (chmod) | Detects chmod operations inside a container that result in an executable (execute bits) being created/enabled. May indicate container drift or preparation of a malicious tool for execution. | Error | | fstec, container_drift |
| fstec | Container drift detected (open+create) | Detects creation of an executable file inside a container via open/create followed by execution. Common in container drift scenarios or when downloading and running malicious binaries. | Error | | fstec, container_drift |
| fstec | Modify binary dirs | Detects rename/remove operations under standard binary directories (/bin, /sbin, /usr/bin, /usr/sbin) inside a container. May indicate system utility tampering or attempts to hide traces. | Error | | fstec, container_drift |
| fstec | K8s Pod created | Detects successful Kubernetes Pod creation from audit logs. Useful for tracking new workloads and investigating unexpected launches. | Informational | K8sAudit | fstec, container_drift |
| fstec | K8s Pod deleted | Detects successful Kubernetes Pod deletion from audit logs. Useful for spotting sabotage, cover-up attempts, and incident analysis. | Informational | K8sAudit | fstec, container_drift |
| fstec | ServiceAccount created in a system namespace | Detects ServiceAccount creation in system namespaces (kube-system/kube-public/default or d8-*). Can indicate an attempt to establish persistence and gain additional privileges. | Warning | K8sAudit | fstec, rbac_drift |
| fstec | Attach to cluster-admin Role | Detects creation of a ClusterRoleBinding that grants the cluster-admin role. This is a critical action providing full administrative access to the cluster. | Warning | K8sAudit | fstec, rbac_drift |
| fstec | ClusterRole with wildcard created | Detects creation of a Role/ClusterRole with wildcard resources or verbs ("*") in RBAC rules. Such roles greatly expand privileges and often indicate misconfiguration or privilege escalation. | Warning | K8sAudit | fstec, rbac_drift |
| fstec | Attach/Exec Pod | Detects attempts to exec/attach to a Pod (exec/attach subresources) from audit logs. May indicate interactive container access and manual runtime actions. | Notice | K8sAudit | fstec, container_image_access |
| fstec | EphemeralContainers created | Detects adding ephemeral containers to a Pod. Ephemeral containers are often used for debugging but can also be abused for stealthy access. | Notice | K8sAudit | fstec, container_image_access |
| fstec | ClusterRole with write privileges created | Detects creation of a Role/ClusterRole with write privileges (create/update/patch/delete). Such roles can modify cluster objects and may be used for escalation or unauthorized changes. | Notice | K8sAudit | fstec, rbac_drift |
| fstec | ClusterRole with Pod Exec created | Detects creation of a Role/ClusterRole granting access to pods/exec. Exec access allows running commands in containers and often implies high control over workloads. | Warning | K8sAudit | fstec, rbac_drift |
| fstec | System ClusterRole modified/deleted | Detects modification or deletion of system Role/ClusterRole objects (system:*), with some allowed exceptions. May indicate an attempt to disrupt cluster operation or weaken security. | Warning | K8sAudit | fstec, rbac_drift |
| fstec | K8s ServiceAccount created | Detects ServiceAccount creation outside system namespaces. Can be normal for apps but is also used to prepare access and later grant RBAC privileges. | Notice | K8sAudit | fstec, rbac_drift |
| fstec | K8s ModuleConfig modified | Detects modifications to ModuleConfig objects from audit logs. ModuleConfig changes can affect component behavior and security settings and should be monitored. | Notice | K8sAudit | fstec, rbac_drift |
| fstec | K8s ServiceAccount deleted | Detects ServiceAccount deletion from audit logs. May indicate access artifact cleanup or changes in application/service configuration. | Notice | K8sAudit | fstec, rbac_drift |
| fstec | K8s Role/ClusterRole created | Detects Role/ClusterRole creation from audit logs. Used to monitor RBAC changes and spot unexpected privilege expansion. | Notice | K8sAudit | fstec, rbac_drift |
| fstec | K8s Role/ClusterRole deleted | Detects Role/ClusterRole deletion from audit logs. May indicate cover-up attempts, rollback of access configuration, or disruptive changes. | Notice | K8sAudit | fstec, rbac_drift |
| fstec | K8s ClusterRoleBinding created | Detects ClusterRoleBinding creation from audit logs. ClusterRoleBindings change cluster-wide permission assignments and can be a privilege escalation vector. | Notice | K8sAudit | fstec, rbac_drift |
| fstec | K8s ClusterRoleBinding deleted | Detects ClusterRoleBinding deletion from audit logs. May cause loss of access or be used to hide unauthorized bindings. | Notice | K8sAudit | fstec, rbac_drift |
| fstec | Read below containerd images dir | Detects reading files under containerd directories related to CRI container data. May indicate attempts to extract container/image information or unusual runtime data access. | Notice | | fstec, container_image_access |
| fstec | Write below containerd images dir | Detects writes/modifications under containerd directories. May indicate runtime data tampering, drift, or supply-chain related attacks targeting container data. | Error | | fstec, container_image_drift |
| fstec | Container tag is not @sha256 | Detects Pod creation in a system namespace using an image not pinned by digest (@sha256:). Using mutable tags weakens integrity controls and increases the risk of image substitution. | Notice | K8sAudit | fstec, integrity_control |
| fstec | Inbound SSH Connection | Detects inbound SSH connections to port 22 on the host. Can be legitimate administration, but is also a common initial access vector and should be investigated. | Notice | | fstec, auth_attempts |
| fstec | Unauthorized request to Kubernetes API | Detects Kubernetes API requests resulting in HTTP 401 (Unauthorized) in audit logs (excluding common health/version endpoints). May indicate token guessing, misconfigured clients, or attacker activity. | Warning | K8sAudit | fstec, auth_attempts |
| fstec | Security Reports Created | Detects creation of security report resources (configauditreports/vulnerabilityreports). May indicate a scan run, new vulnerability findings, or security-related container activity. | Notice | K8sAudit | fstec, security_reports |

Rule sets

fstec

Launch Package Management Process in container

Detects execution of package management processes (apt/yum/dnf/apk, etc.) inside a container. Often indicates container drift, runtime tool installation, or post-compromise activity.

  • Priority: Error
  • Tags: fstec, container_drift

Condition

spawned_process and container and user.name != "_apt" and package_mgmt_procs and not package_mgmt_ancestor_procs

Output

Package management process launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag exe_flags=%evt.arg.flags)

How to test

  • Environment: container

Commands:

apt -h

Drop and execute new binary in container

Detects execution of a binary in a container that is not part of the base image (overlayfs upper-layer executable). Typical “drop & execute” behavior after gaining a foothold in a container.

  • Priority: Critical
  • Tags: fstec, container_drift

Condition

spawned_process and container and proc.is_exe_upper_layer=true and not container.image.repository in (known_drop_and_execute_containers)

Output

Executing binary not part of base image (user=%user.name user_loginuid=%user.loginuid user_uid=%user.uid comm=%proc.cmdline exe=%proc.exe container_id=%container.id image=%container.image.repository proc.name=%proc.name proc.sname=%proc.sname proc.pname=%proc.pname proc.aname[2]=%proc.aname[2] exe_flags=%evt.arg.flags proc.exe_ino=%proc.exe_ino proc.exe_ino.ctime=%proc.exe_ino.ctime proc.exe_ino.mtime=%proc.exe_ino.mtime proc.exe_ino.ctime_duration_proc_start=%proc.exe_ino.ctime_duration_proc_start proc.exepath=%proc.exepath proc.cwd=%proc.cwd proc.tty=%proc.tty container.start_ts=%container.start_ts proc.sid=%proc.sid proc.vpgid=%proc.vpgid evt.res=%evt.res)

How to test

  • Environment: container

Commands:

echo "echo Hello, Falco!" > /tmp/test.sh
chmod +x /tmp/test.sh
/tmp/test.sh

Container drift detected (chmod)

Detects chmod operations inside a container that result in an executable (execute bits) being created/enabled. May indicate container drift or preparation of a malicious tool for execution.

  • Priority: Error
  • Tags: fstec, container_drift

Condition

chmod and container and not runc_writing_exec_fifo and not runc_writing_var_lib_docker and not kubelet_pod_volume and not image_scanner_drift and not deckhouse_controller_drift and not neuvector_container and not vault_env_injector_drift and evt.rawres>=0 and (
  (evt.arg.mode contains "S_IXUSR")
  or (evt.arg.mode contains "S_IXGRP")
  or (evt.arg.mode contains "S_IXOTH")
)

Output

Drift detected (chmod), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type container_id=%container.id image=%container.image.repository)

How to test

  • Environment: container

Commands:

echo "echo Hello, Falco!" > /tmp/test.sh
chmod +x /tmp/test.sh
/tmp/test.sh

Container drift detected (open+create)

Detects creation of an executable file inside a container via open/create followed by execution. Common in container drift scenarios or when downloading and running malicious binaries.

  • Priority: Error
  • Tags: fstec, container_drift

Condition

evt.type in (open,openat,openat2,creat) and evt.is_open_exec=true and container and not runc_writing_exec_fifo and not runc_writing_var_lib_docker and not runc_writing_var_lib_containerd and not kubelet_pod_volume and not image_scanner_drift and not deckhouse_controller_drift and not neuvector_container and not vault_env_injector_drift and evt.rawres>=0

Output

Drift detected (open+create), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type container_id=%container.id image=%container.image.repository)

How to test

  • Environment: container

Commands:

cat << 'EOF' > /tmp/drift_exec.c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
int main() {
    char path[] = "/tmp/zzz-exec";
    char *text = "#!/bin/sh\necho HACKED\n";
    /* open/creat with an executable mode is what evt.is_open_exec=true keys on */
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0755);
    if (fd < 0) {
        perror("open");
        return 1;
    }
    write(fd, text, strlen(text));
    fchmod(fd, 0755);
    /* close the write descriptor first: execv of a file still open for
       writing fails with ETXTBSY, and the point of the test is the execution */
    close(fd);
    char *const args[] = {path, NULL};
    execv(path, args);
    perror("execv");  /* only reached if the exec failed */
    return 1;
}
EOF
gcc /tmp/drift_exec.c -o /tmp/drift_exec
/tmp/drift_exec

Modify binary dirs

Detects rename/remove operations under standard binary directories (/bin, /sbin, /usr/bin, /usr/sbin) inside a container. May indicate system utility tampering or attempts to hide traces.

  • Priority: Error
  • Tags: fstec, container_drift

Condition

container and bin_dir_rename and modify and not package_mgmt_procs and evt.rawres>=0

Output

File below known binary directory renamed/removed (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid pcmdline=%proc.pcmdline operation=%evt.type file=%fd.name %evt.args container_id=%container.id image=%container.image.repository)

How to test

  • Environment: container

Commands:

touch /usr/bin/evilfile
mv /usr/bin/evilfile /usr/bin/eviltwin
rm /usr/bin/eviltwin

K8s Pod created

Detects successful Kubernetes Pod creation from audit logs. Useful for tracking new workloads and investigating unexpected launches.

  • Priority: Informational
  • Source: K8sAudit
  • Tags: fstec, container_drift

Condition

(kevt and kcreate and pod and response_successful)

Output

K8s Pod Created (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace resource=%ka.target.resource resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason sourceIP=%jevt.value[/sourceIPs] dex_name=%jevt.value[/user/extra/user-authn.deckhouse.io~1name/0] dex_provider=%jevt.value[/user/extra/user-authn.deckhouse.io~1dex-provider/0])

How to test

  • Environment: host

Commands:

kubectl run testpod --image=alpine:latest -- /bin/sh -c "while true; do sleep 3600; done"
kubectl delete pod testpod --grace-period=0

K8s Pod deleted

Detects successful Kubernetes Pod deletion from audit logs. Useful for spotting sabotage, cover-up attempts, and incident analysis.

  • Priority: Informational
  • Source: K8sAudit
  • Tags: fstec, container_drift

Condition

(kevt and kdelete and pod and response_successful)

Output

K8s Pod Deleted (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace resource=%ka.target.resource resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason sourceIP=%jevt.value[/sourceIPs] dex_name=%jevt.value[/user/extra/user-authn.deckhouse.io~1name/0] dex_provider=%jevt.value[/user/extra/user-authn.deckhouse.io~1dex-provider/0])

How to test

  • Environment: host

Commands:

kubectl run testpod --image=alpine:latest -- /bin/sh -c "while true; do sleep 3600; done"
kubectl delete pod testpod --grace-period=0

ServiceAccount created in a system namespace

Detects ServiceAccount creation in system namespaces (kube-system/kube-public/default or d8-*). Can indicate an attempt to establish persistence and gain additional privileges.

  • Priority: Warning
  • Source: K8sAudit
  • Tags: fstec, rbac_drift

Condition

kevt and serviceaccount and kcreate and system_namespace and response_successful

Output

Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name resource=%ka.target.resource ns=%ka.target.namespace sourceIP=%jevt.value[/sourceIPs] dex_name=%jevt.value[/user/extra/user-authn.deckhouse.io~1name/0] dex_provider=%jevt.value[/user/extra/user-authn.deckhouse.io~1dex-provider/0])

How to test

  • Environment: host

Commands:

kubectl -n default create serviceaccount test-sa
kubectl -n default delete serviceaccount test-sa
kubectl -n kube-public create serviceaccount test-sa2
kubectl -n kube-public delete serviceaccount test-sa2
kubectl -n kube-system create serviceaccount test-sa3
kubectl -n kube-system delete serviceaccount test-sa3
kubectl -n d8-system create serviceaccount test-sa4
kubectl -n d8-system delete serviceaccount test-sa4

Attach to cluster-admin Role

Detects creation of a ClusterRoleBinding that grants the cluster-admin role. This is a critical action providing full administrative access to the cluster.

  • Priority: Warning
  • Source: K8sAudit
  • Tags: fstec, rbac_drift

Condition

kactivity and clusterrolebinding and kcreate and ka.req.binding.role=cluster-admin

Output

Cluster Role Binding to cluster-admin role (user=%ka.user.name binding=%ka.target.name resource=%ka.target.resource subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason sourceIP=%jevt.value[/sourceIPs] dex_name=%jevt.value[/user/extra/user-authn.deckhouse.io~1name/0] dex_provider=%jevt.value[/user/extra/user-authn.deckhouse.io~1dex-provider/0])

How to test

  • Environment: host

Commands:

kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --serviceaccount=default:test
kubectl delete clusterrolebinding cluster-admin-binding

ClusterRole with wildcard created

Detects creation of a Role/ClusterRole with wildcard resources or verbs ("*") in RBAC rules. Such roles greatly expand privileges and often indicate misconfiguration or privilege escalation.

  • Priority: Warning
  • Source: K8sAudit
  • Tags: fstec, rbac_drift

Condition

kevt and (role or clusterrole) and kcreate and role_with_wildcard

Output

Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name resource=%ka.target.resource rules=%ka.req.role.rules sourceIP=%jevt.value[/sourceIPs] dex_name=%jevt.value[/user/extra/user-authn.deckhouse.io~1name/0] dex_provider=%jevt.value[/user/extra/user-authn.deckhouse.io~1dex-provider/0])

How to test

  • Environment: host

Commands:

kubectl create role test-role1 --verb=create --resource=*
kubectl delete role test-role1
kubectl create role test-role2 --verb=* --resource=pod
kubectl delete role test-role2
kubectl create role test-role3 --verb=* --resource=*
kubectl delete role test-role3

Attach/Exec Pod

Detects attempts to exec/attach to a Pod (exec/attach subresources) from audit logs. May indicate interactive container access and manual runtime actions.

  • Priority: Notice
  • Source: K8sAudit
  • Tags: fstec, container_image_access

Condition

kevt and (jevt.value[/verb] in (get,create,connect)) and (jevt.value[/requestURI] contains "/pods/") and (jevt.value[/requestURI] contains "/exec" or jevt.value[/requestURI] contains "/attach") and not (jevt.value[/impersonatedUser/username] exists and jevt.value[/impersonatedUser/username] in (exec_attach_allowed_users))

Output

Attach/Exec to pod (user=%jevt.value[/user/username] pod=%jevt.value[/objectRef/name] resource=%jevt.value[/objectRef/resource] ns=%jevt.value[/objectRef/namespace] action=%jevt.value[/objectRef/subresource] container_name=%ka.uri.param[container] command=%ka.uri.param[command] sourceIP=%jevt.value[/sourceIPs] dex_name=%jevt.value[/user/extra/user-authn.deckhouse.io~1name/0] dex_provider=%jevt.value[/user/extra/user-authn.deckhouse.io~1dex-provider/0])
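The condition above is easier to reason about when it is evaluated clause by clause on real audit events. The following added example (not the module's or Falco's own code) re-implements the Attach/Exec Pod condition in Python, including the JSON-pointer resolution that %jevt.value[...] performs (the ~1 escape in the dex_name path decodes to a "/" inside the key name), and runs it over constructed audit events. It assumes the kevt macro means "the event is an audit Event" and invents one member of the exec_attach_allowed_users list, whose real contents are not on this page.

```python
"""Re-implementation of the 'Attach/Exec Pod' condition over Kubernetes
audit events (added example, not the module's or Falco's own code).

Assumptions: the kevt macro is taken to mean "the event is an audit Event",
and the real contents of the exec_attach_allowed_users list are not on the
page, so the entry below is invented.
"""
from typing import Any, Optional

# Assumption: placeholder member of exec_attach_allowed_users.
EXEC_ATTACH_ALLOWED_USERS = {"system:serviceaccount:d8-system:debug-operator"}


def jevt_value(event: dict, pointer: str) -> Optional[Any]:
    """Resolve a JSON pointer (RFC 6901) the way %jevt.value[...] does.

    '~1' decodes to '/' and '~0' to '~', so a path such as
    /user/extra/user-authn.deckhouse.io~1name/0 reaches the key
    'user-authn.deckhouse.io/name'. Returns None when the path is absent.
    """
    node: Any = event
    tokens = [] if pointer in ("", "/") else pointer.lstrip("/").split("/")
    for raw in tokens:
        token = raw.replace("~1", "/").replace("~0", "~")
        if isinstance(node, dict):
            if token not in node:
                return None
            node = node[token]
        elif isinstance(node, list):
            if not token.isdigit() or int(token) >= len(node):
                return None
            node = node[int(token)]
        else:
            return None
    return node


def is_attach_exec(event: dict) -> bool:
    """Evaluate the rule condition clause by clause."""
    if event.get("kind") != "Event":  # stands in for the kevt macro
        return False
    if jevt_value(event, "/verb") not in ("get", "create", "connect"):
        return False
    uri = jevt_value(event, "/requestURI") or ""
    if "/pods/" not in uri or not ("/exec" in uri or "/attach" in uri):
        return False
    # Exception: impersonated users on the allow list are not reported.
    impersonated = jevt_value(event, "/impersonatedUser/username")
    if impersonated is not None and impersonated in EXEC_ATTACH_ALLOWED_USERS:
        return False
    return True


def render_output(event: dict) -> dict:
    """Collect the fields the rule's Output line reports."""
    return {
        "user": jevt_value(event, "/user/username"),
        "pod": jevt_value(event, "/objectRef/name"),
        "ns": jevt_value(event, "/objectRef/namespace"),
        "action": jevt_value(event, "/objectRef/subresource"),
        "sourceIP": jevt_value(event, "/sourceIPs"),
        "dex_name": jevt_value(event, "/user/extra/user-authn.deckhouse.io~1name/0"),
    }


def scan(events: list) -> list:
    """Return rendered alerts for every matching event."""
    return [render_output(e) for e in events if is_attach_exec(e)]


# Constructed sample audit events in the API server's audit Event shape.
SAMPLE_EVENTS = [
    {   # exec by a Dex-authenticated user: should alert
        "kind": "Event", "verb": "create",
        "requestURI": "/api/v1/namespaces/default/pods/testpod/exec?command=ls",
        "user": {"username": "admin@example.com",
                 "extra": {"user-authn.deckhouse.io/name": ["admin"]}},
        "objectRef": {"resource": "pods", "name": "testpod",
                      "namespace": "default", "subresource": "exec"},
        "sourceIPs": ["10.0.0.5"],
    },
    {   # same exec, but impersonating an allow-listed user: suppressed
        "kind": "Event", "verb": "create",
        "requestURI": "/api/v1/namespaces/default/pods/testpod/exec?command=ls",
        "user": {"username": "kubernetes-admin"},
        "impersonatedUser": {"username": "system:serviceaccount:d8-system:debug-operator"},
        "objectRef": {"resource": "pods", "name": "testpod",
                      "namespace": "default", "subresource": "exec"},
    },
    {   # reading logs touches /pods/ but not /exec or /attach: no alert
        "kind": "Event", "verb": "get",
        "requestURI": "/api/v1/namespaces/default/pods/testpod/log",
        "user": {"username": "dev"},
        "objectRef": {"resource": "pods", "name": "testpod",
                      "namespace": "default", "subresource": "log"},
    },
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("Attach/Exec to pod", alert)
```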

How to test

  • Environment: host

Commands:

kubectl run testpod --image=ubuntu:latest -- /bin/sh -c "while true; do sleep 3600; done"
kubectl create serviceaccount exec-user
kubectl create role exec-user-pod-exec --verb=get,list --resource=pods
kubectl create role exec-user-pod-exec-subresource --verb=create,get --resource=pods/exec,pods/attach
kubectl create rolebinding exec-user-pod-exec --role=exec-user-pod-exec --serviceaccount=default:exec-user
kubectl create rolebinding exec-user-pod-exec-subresource --role=exec-user-pod-exec-subresource --serviceaccount=default:exec-user
kubectl wait pod/testpod --for=condition=Ready --timeout=60s
kubectl exec testpod --as=system:serviceaccount:default:exec-user -- ls
kubectl delete rolebinding exec-user-pod-exec-subresource
kubectl delete rolebinding exec-user-pod-exec
kubectl delete role exec-user-pod-exec-subresource
kubectl delete role exec-user-pod-exec
kubectl delete serviceaccount exec-user
kubectl delete pod testpod --grace-period=0

EphemeralContainers created

Detects adding ephemeral containers to a Pod. Ephemeral containers are often used for debugging but can also be abused for stealthy access.

  • Priority: Notice
  • Source: K8sAudit
  • Tags: fstec, container_image_access

Condition

kevt and pod_subresource and kmodify and ka.target.subresource in (ephemeralcontainers)

Output

Ephemeral container is created in pod (user=%ka.user.name pod=%ka.target.name resource=%ka.target.resource ns=%ka.target.namespace ephemeral_container_name=%jevt.value[/requestObject/spec/ephemeralContainers/0/name] ephemeral_container_image=%jevt.value[/requestObject/spec/ephemeralContainers/0/image] sourceIP=%jevt.value[/sourceIPs] dex_name=%jevt.value[/user/extra/user-authn.deckhouse.io~1name/0] dex_provider=%jevt.value[/user/extra/user-authn.deckhouse.io~1dex-provider/0])

How to test

  • Environment: host

Commands:

kubectl run test --image=ubuntu:latest -- /bin/sh -c "while true; do sleep 3600; done"
kubectl wait pod/test --for=condition=Ready --timeout=60s
kubectl debug test --image=alpine --target=test
kubectl delete pod test --grace-period=0

ClusterRole with write privileges created

Detects creation of a Role/ClusterRole with write privileges (create/update/patch/delete). Such roles can modify cluster objects and may be used for escalation or unauthorized changes.

  • Priority: Notice
  • Source: K8sAudit
  • Tags: fstec, rbac_drift

Condition

kevt and (role or clusterrole) and kcreate and role_with_write_privs and not role_with_wildcard and not role_with_pod_exec

Output

Created Role/ClusterRole with write privileges (user=%ka.user.name role=%ka.target.name resource=%ka.target.resource rules=%ka.req.role.rules sourceIP=%jevt.value[/sourceIPs] dex_name=%jevt.value[/user/extra/user-authn.deckhouse.io~1name/0] dex_provider=%jevt.value[/user/extra/user-authn.deckhouse.io~1dex-provider/0])

How to test

  • Environment: host

Commands:

kubectl create role test-role --verb=create,delete --resource=pods
kubectl delete role test-role
kubectl create clusterrole test-role2 --verb=create,delete --resource=pods
kubectl delete clusterrole test-role2

ClusterRole with Pod Exec created

Detects creation of a Role/ClusterRole granting access to pods/exec. Exec access allows running commands in containers and often implies high control over workloads.

  • Priority: Warning
  • Source: K8sAudit
  • Tags: fstec, rbac_drift

Condition

kevt and (jevt.value[/stage]=ResponseComplete) and (jevt.value[/verb]=create) and (jevt.value[/objectRef/resource] in (roles,clusterroles) or jevt.value[/requestURI] contains "/roles" or jevt.value[/requestURI] contains "/clusterroles") and role_with_pod_exec and not (jevt.value[/requestObject/rules] contains "\"*\"" or jevt.value[/requestObject] contains "\"*\"") and not (jevt.value[/impersonatedUser/username] exists and jevt.value[/impersonatedUser/username] in (exec_attach_allowed_users))

Output

Created Role/ClusterRole with pod exec privileges (user=%jevt.value[/user/username] role=%jevt.value[/objectRef/name] resource=%jevt.value[/objectRef/resource] rules=%jevt.value[/requestObject/rules] sourceIP=%jevt.value[/sourceIPs] dex_name=%jevt.value[/user/extra/user-authn.deckhouse.io~1name/0] dex_provider=%jevt.value[/user/extra/user-authn.deckhouse.io~1dex-provider/0])
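The four Role/ClusterRole creation rules on this page (wildcard, pod exec, write privileges, and the generic "K8s Role/ClusterRole created") are layered through mutual exclusions in their conditions, so exactly one of them fires for a given request. The added example below (not the module's own code) makes that precedence explicit by classifying constructed audit events the way the conditions do. The macros role_with_wildcard, role_with_pod_exec and role_with_write_privs are not defined on this page, so the checks are assumptions derived from the rule descriptions, and response_successful is assumed to mean a 2xx response code.

```python
"""Classify Role/ClusterRole create audit events the way the page's RBAC
rules are layered (added example, not the module's own code).

Assumptions: role_with_wildcard = "*" among a rule's resources or verbs,
role_with_pod_exec = a rule granting the pods/exec resource,
role_with_write_privs = any of create/update/patch/delete among verbs,
response_successful = HTTP 2xx response code.
"""
from typing import Optional

WRITE_VERBS = {"create", "update", "patch", "delete"}


def rules_of(event: dict) -> list:
    """RBAC rules carried in the audit event's requestObject."""
    return (event.get("requestObject") or {}).get("rules") or []


def role_with_wildcard(event: dict) -> bool:
    return any("*" in r.get("resources", []) or "*" in r.get("verbs", [])
               for r in rules_of(event))


def role_with_pod_exec(event: dict) -> bool:
    return any("pods/exec" in r.get("resources", []) for r in rules_of(event))


def role_with_write_privs(event: dict) -> bool:
    return any(WRITE_VERBS & set(r.get("verbs", [])) for r in rules_of(event))


def is_role_create(event: dict) -> bool:
    """kevt + kcreate + (role or clusterrole)."""
    resource = (event.get("objectRef") or {}).get("resource")
    return (event.get("kind") == "Event" and event.get("verb") == "create"
            and resource in ("roles", "clusterroles"))


def response_successful(event: dict) -> bool:
    code = (event.get("responseStatus") or {}).get("code", 0)
    return 200 <= code < 300


def classify(event: dict) -> Optional[str]:
    """Name of the rule that fires, following the exclusions written into
    the conditions: the write-privileges rule excludes wildcard and pod-exec
    roles, the pod-exec rule excludes any "*" in the request, and the
    generic created rule excludes all three and requires a 2xx response."""
    if not is_role_create(event):
        return None
    if role_with_wildcard(event):
        return "ClusterRole with wildcard created"
    if role_with_pod_exec(event):
        return "ClusterRole with Pod Exec created"
    if role_with_write_privs(event):
        return "ClusterRole with write privileges created"
    if response_successful(event):
        return "K8s Role/ClusterRole created"
    return None


def make_event(resource: str, rules: list, code: int = 201) -> dict:
    """Constructed audit event for a Role/ClusterRole create request."""
    return {"kind": "Event", "verb": "create",
            "objectRef": {"resource": resource, "name": "test"},
            "requestObject": {"rules": rules},
            "responseStatus": {"code": code}}


# Constructed events mirroring the kubectl commands in the test sections.
SAMPLE_EVENTS = [
    # kubectl create role test-role1 --verb=create --resource=*
    make_event("roles", [{"resources": ["*"], "verbs": ["create"]}]),
    # kubectl create role test --verb=create --resource=pods/exec
    make_event("roles", [{"resources": ["pods/exec"], "verbs": ["create"]}]),
    # kubectl create role test-role --verb=create,delete --resource=pods
    make_event("roles", [{"resources": ["pods"], "verbs": ["create", "delete"]}]),
    # kubectl create clusterrole test2 --verb=get --resource=pods
    make_event("clusterroles", [{"resources": ["pods"], "verbs": ["get"]}]),
    # same request denied by the API server (403): no generic alert
    make_event("clusterroles", [{"resources": ["pods"], "verbs": ["get"]}], code=403),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["objectRef"]["resource"], e["requestObject"]["rules"], "->", classify(e))
```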

How to test

  • Environment: host

Commands:

kubectl create serviceaccount pod-exec-role-user
kubectl create role pod-exec-role-manager --verb=create,delete --resource=roles
kubectl create role pod-exec-role-required --verb=create --resource=pods/exec
kubectl create rolebinding pod-exec-role-manager --role=pod-exec-role-manager --serviceaccount=default:pod-exec-role-user
kubectl create rolebinding pod-exec-role-required --role=pod-exec-role-required --serviceaccount=default:pod-exec-role-user
kubectl create role test --verb=create --resource=pods/exec --as=system:serviceaccount:default:pod-exec-role-user
kubectl delete role test --as=system:serviceaccount:default:pod-exec-role-user
kubectl delete rolebinding pod-exec-role-required
kubectl delete rolebinding pod-exec-role-manager
kubectl delete role pod-exec-role-required
kubectl delete role pod-exec-role-manager
kubectl delete serviceaccount pod-exec-role-user
kubectl create serviceaccount pod-exec-clusterrole-user
kubectl create clusterrole pod-exec-clusterrole-manager --verb=create,delete --resource=clusterroles
kubectl create clusterrole pod-exec-clusterrole-required --verb=create --resource=pods/exec
kubectl create clusterrolebinding pod-exec-clusterrole-manager --clusterrole=pod-exec-clusterrole-manager --serviceaccount=default:pod-exec-clusterrole-user
kubectl create clusterrolebinding pod-exec-clusterrole-required --clusterrole=pod-exec-clusterrole-required --serviceaccount=default:pod-exec-clusterrole-user
kubectl create clusterrole test2 --verb=create --resource=pods/exec --as=system:serviceaccount:default:pod-exec-clusterrole-user
kubectl delete clusterrole test2 --as=system:serviceaccount:default:pod-exec-clusterrole-user
kubectl delete clusterrolebinding pod-exec-clusterrole-required
kubectl delete clusterrolebinding pod-exec-clusterrole-manager
kubectl delete clusterrole pod-exec-clusterrole-required
kubectl delete clusterrole pod-exec-clusterrole-manager
kubectl delete serviceaccount pod-exec-clusterrole-user

System ClusterRole modified/deleted

Detects modification or deletion of system Role/ClusterRole objects (system:*), with some allowed exceptions. May indicate an attempt to disrupt cluster operation or weaken security.

  • Priority: Warning
  • Source: K8sAudit
  • Tags: fstec, rbac_drift

Condition

kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and not ka.target.name in (system:coredns, system:managed-certificate-controller)

Output

System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name resource=%ka.target.resource action=%ka.verb sourceIP=%jevt.value[/sourceIPs] dex_name=%jevt.value[/user/extra/user-authn.deckhouse.io~1name/0] dex_provider=%jevt.value[/user/extra/user-authn.deckhouse.io~1dex-provider/0])

How to test

  • Environment: host

Commands:

kubectl -n kube-system create role system:test1 --verb=create --resource=pods
kubectl -n kube-system delete role system:test1
kubectl -n kube-system create clusterrole system:test2 --verb=create --resource=pods
kubectl -n kube-system delete clusterrole system:test2

K8s ServiceAccount created

Detects ServiceAccount creation outside system namespaces. Can be normal for apps but is also used to prepare access and later grant RBAC privileges.

  • Priority: Notice
  • Source: K8sAudit
  • Tags: fstec, rbac_drift

Condition

kactivity and kcreate and serviceaccount and not system_namespace and response_successful

Output

K8s Serviceaccount Created (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace resource=%ka.target.resource resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason sourceIP=%jevt.value[/sourceIPs] dex_name=%jevt.value[/user/extra/user-authn.deckhouse.io~1name/0] dex_provider=%jevt.value[/user/extra/user-authn.deckhouse.io~1dex-provider/0])

How to test

  • Environment: host

Commands:

kubectl get ns test || kubectl create ns test
kubectl -n test create serviceaccount test
kubectl -n test delete serviceaccount test

K8s ModuleConfig modified

Detects modifications to ModuleConfig objects from audit logs. ModuleConfig changes can affect component behavior and security settings and should be monitored.

  • Priority: Notice
  • Source: K8sAudit
  • Tags: fstec, rbac_drift

Condition

kactivity and writable_verbs and moduleconfig and response_successful

Output

K8s ModuleConfig changed (user=%ka.user.name verb=%ka.verb moduleconfig=%ka.target.name resource=%ka.target.resource ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason sourceIP=%jevt.value[/sourceIPs] dex_name=%jevt.value[/user/extra/user-authn.deckhouse.io~1name/0] dex_provider=%jevt.value[/user/extra/user-authn.deckhouse.io~1dex-provider/0])

How to test

  • Environment: host

Commands:

kubectl patch moduleconfig deckhouse --type=merge -p '{"spec":{"settings":{"allowExperimentalModules":false}}}'
kubectl patch moduleconfig deckhouse --type=merge -p '{"spec":{"settings":{"allowExperimentalModules":true}}}'

K8s ServiceAccount deleted

Detects ServiceAccount deletion from audit logs. May indicate access artifact cleanup or changes in application/service configuration.

  • Priority: Notice
  • Source: K8sAudit
  • Tags: fstec, rbac_drift

Condition

kactivity and kdelete and serviceaccount and response_successful

Output

K8s Serviceaccount Deleted (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace resource=%ka.target.resource resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason sourceIP=%jevt.value[/sourceIPs] dex_name=%jevt.value[/user/extra/user-authn.deckhouse.io~1name/0] dex_provider=%jevt.value[/user/extra/user-authn.deckhouse.io~1dex-provider/0])

How to test

  • Environment: host

Commands:

kubectl create serviceaccount deletetest
kubectl delete serviceaccount deletetest

K8s Role/ClusterRole created

Detects Role/ClusterRole creation from audit logs. Used to monitor RBAC changes and spot unexpected privilege expansion.

  • Priority: Notice
  • Source: K8sAudit
  • Tags: fstec, rbac_drift

Condition

kactivity and kcreate and (clusterrole or role) and response_successful and not role_with_wildcard and not role_with_pod_exec and not role_with_write_privs

Output

K8s Cluster Role Created (user=%ka.user.name role=%ka.target.name resource=%ka.target.resource rules=%ka.req.role.rules resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason sourceIP=%jevt.value[/sourceIPs] dex_name=%jevt.value[/user/extra/user-authn.deckhouse.io~1name/0] dex_provider=%jevt.value[/user/extra/user-authn.deckhouse.io~1dex-provider/0])

How to test

  • Environment: host

Commands:

kubectl create role test1 --verb=create --resource=pods
kubectl delete role test1
kubectl create clusterrole test2 --verb=get --resource=pods
kubectl delete clusterrole test2

K8s Role/ClusterRole deleted

Detects Role/ClusterRole deletion from audit logs. May indicate cover-up attempts, rollback of access configuration, or disruptive changes.

  • Priority: Notice
  • Source: K8sAudit
  • Tags: fstec, rbac_drift

Condition

kactivity and kdelete and (clusterrole or role) and response_successful and not (ka.target.name startswith "system:")

Output

K8s Cluster Role Deleted (user=%ka.user.name role=%ka.target.name resource=%ka.target.resource resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason sourceIP=%jevt.value[/sourceIPs] dex_name=%jevt.value[/user/extra/user-authn.deckhouse.io~1name/0] dex_provider=%jevt.value[/user/extra/user-authn.deckhouse.io~1dex-provider/0])

How to test

  • Environment: host

Commands:

kubectl create role test1 --verb=create --resource=pods
kubectl delete role test1
kubectl create clusterrole test2 --verb=create --resource=pods
kubectl delete clusterrole test2

K8s ClusterRoleBinding created

Detects ClusterRoleBinding creation from audit logs. ClusterRoleBindings change cluster-wide permission assignments and can be a privilege escalation vector.

  • Priority: Notice
  • Source: K8sAudit
  • Tags: fstec, rbac_drift

Condition

kactivity and kcreate and clusterrolebinding and response_successful and not ka.req.binding.role=cluster-admin

Output

K8s Cluster Role Binding Created (user=%ka.user.name binding=%ka.target.name resource=%ka.target.resource subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason sourceIP=%jevt.value[/sourceIPs] dex_name=%jevt.value[/user/extra/user-authn.deckhouse.io~1name/0] dex_provider=%jevt.value[/user/extra/user-authn.deckhouse.io~1dex-provider/0])

How to test

  • Environment: host

Commands:

kubectl create clusterrolebinding view-binding --clusterrole=view --serviceaccount=default:test
kubectl delete clusterrolebinding view-binding

K8s ClusterRoleBinding deleted

Detects ClusterRoleBinding deletion from audit logs. May cause loss of access or be used to hide unauthorized bindings.

  • Priority: Notice
  • Source: K8sAudit
  • Tags: fstec, rbac_drift

Condition

kactivity and kdelete and clusterrolebinding and response_successful

Output

K8s Cluster Role Binding Deleted (user=%ka.user.name binding=%ka.target.name resource=%ka.target.resource resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason sourceIP=%jevt.value[/sourceIPs] dex_name=%jevt.value[/user/extra/user-authn.deckhouse.io~1name/0] dex_provider=%jevt.value[/user/extra/user-authn.deckhouse.io~1dex-provider/0])

How to test

  • Environment: host

Commands:

kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --serviceaccount=default:test
kubectl delete clusterrolebinding cluster-admin-binding

Read below containerd images dir

Detects reading files under containerd directories related to CRI container data. May indicate attempts to extract container/image information or unusual runtime data access.

  • Priority: Notice
  • Tags: fstec, container_image_access

Condition

fd.name startswith /var/lib/containerd/io.containerd.grpc.v1.cri/containers/ and open_read and not (proc.name in (alllowd_proc_names) or proc.pname in (alllowd_proc_names))

Output

File below a known containerd directory opened for reading (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository)

How to test

  • Environment: host

Commands:

mkdir -p /var/lib/containerd/io.containerd.grpc.v1.cri/containers
echo "Hello Falco!" > /var/lib/containerd/io.containerd.grpc.v1.cri/containers/testfile
cat /var/lib/containerd/io.containerd.grpc.v1.cri/containers/testfile
rm /var/lib/containerd/io.containerd.grpc.v1.cri/containers/testfile

Write below containerd images dir

Detects writes/modifications under containerd directories. May indicate runtime data tampering, drift, or supply-chain related attacks targeting container data.

  • Priority: Error
  • Tags: fstec, container_image_drift

Condition

fd.directory startswith /var/lib/containerd and open_write and not (proc.name in (alllowd_proc_names) or proc.pname in (alllowd_proc_names))

Output

File below a known containerd directory opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository)

How to test

  • Environment: host

Commands:

mkdir -p /var/lib/containerd/io.containerd.grpc.v1.cri/containers
echo "Hello Falco!" > /var/lib/containerd/io.containerd.grpc.v1.cri/containers/testfile
cat /var/lib/containerd/io.containerd.grpc.v1.cri/containers/testfile
rm /var/lib/containerd/io.containerd.grpc.v1.cri/containers/testfile

Container tag is not @sha256

Detects Pod creation in a system namespace using an image not pinned by digest (@sha256:). Using mutable tags weakens integrity controls and increases the risk of image substitution.

  • Priority: Notice
  • Source: K8sAudit
  • Tags: fstec, integrity_control

Condition

kactivity and kcreate and pod and response_successful and system_namespace and not (ka.req.container.image contains @sha256:) and not (ka.target.namespace="d8-system" and ka.target.name startswith "deckhouse-")

Output

Not all containers are running with the sha256 sum as a tag in a system namespace, which is a potential integrity control mechanism misconfiguration (user=%ka.user.name binding=%ka.target.name resource=%ka.target.resource resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason image=%ka.req.pod.containers.image sourceIP=%jevt.value[/sourceIPs] dex_name=%jevt.value[/user/extra/user-authn.deckhouse.io~1name/0] dex_provider=%jevt.value[/user/extra/user-authn.deckhouse.io~1dex-provider/0])

How to test

  • Environment: host
  • Conditions:
    • bundle: CSE

Commands:

kubectl -n d8-system run test --image=ubuntu:latest -- /bin/sh -c "while true; do sleep 3600; done"
kubectl -n d8-system delete pod test --grace-period=0
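The "K8s ClusterRoleBinding created" and "Container tag is not @sha256" conditions above, re-implemented in Python and evaluated over constructed kube-apiserver audit events (an added example, not Deckhouse's or Falco's own code). The exact membership of the system_namespace macro and Falco's any-element semantics for `contains` on list-valued fields are assumptions.

```python
"""Added example, not Deckhouse's or Falco's own code: the 'K8s ClusterRoleBinding
created' and 'Container tag is not @sha256' conditions above re-implemented in
Python and evaluated over constructed kube-apiserver audit events."""

SYSTEM_NS = {"kube-system", "kube-public", "default"}  # assumption: approximates
SYSTEM_NS_PREFIX = "d8-"                                # the system_namespace macro

def _ok(ev):  # response_successful: a 2xx response code
    return 200 <= ev.get("responseStatus", {}).get("code", 0) < 300

def _created(ev, resource):  # kactivity and kcreate and <resource> and response_successful
    return (ev.get("verb") == "create" and _ok(ev)
            and ev.get("objectRef", {}).get("resource") == resource)

def clusterrolebinding_created(ev):
    """... and not ka.req.binding.role=cluster-admin (cluster-admin is excluded here)."""
    role = ev.get("requestObject", {}).get("roleRef", {}).get("name")
    return _created(ev, "clusterrolebindings") and role != "cluster-admin"

def pod_image_not_digest_pinned(ev):
    """... and system_namespace and not (ka.req.container.image contains @sha256:)
    and not (ka.target.namespace="d8-system" and ka.target.name startswith "deckhouse-")"""
    ref = ev.get("objectRef", {})
    ns, name = ref.get("namespace", ""), ref.get("name", "")
    if not _created(ev, "pods") or not (ns in SYSTEM_NS or ns.startswith(SYSTEM_NS_PREFIX)):
        return False
    if ns == "d8-system" and name.startswith("deckhouse-"):
        return False  # Deckhouse's own pods are carved out by the rule
    images = [c.get("image", "") for c in ev["requestObject"]["spec"]["containers"]]
    # Assumed Falco semantics: `contains` on a list-valued field is true when ANY
    # element matches, so the negated check fires only when NO image carries a digest.
    return not any("@sha256:" in img for img in images)

RULES = {"K8s ClusterRoleBinding created": clusterrolebinding_created,
         "Container tag is not @sha256": pod_image_not_digest_pinned}

def evaluate(ev):
    """Names of the rules whose condition matches one audit event."""
    return [name for name, cond in RULES.items() if cond(ev)]

# Constructed sample events carrying only the fields the conditions read.
POD_UNPINNED = {"verb": "create", "responseStatus": {"code": 201},
                "objectRef": {"resource": "pods", "namespace": "d8-system", "name": "test"},
                "requestObject": {"spec": {"containers": [{"image": "ubuntu:latest"}]}}}
POD_DECKHOUSE = {**POD_UNPINNED, "objectRef": {"resource": "pods", "namespace": "d8-system",
                                                "name": "deckhouse-7c9f"}}
CRB_VIEW = {"verb": "create", "responseStatus": {"code": 201},
            "objectRef": {"resource": "clusterrolebindings", "name": "view-binding"},
            "requestObject": {"roleRef": {"name": "view"}}}
```

Feeding POD_UNPINNED mirrors the `kubectl -n d8-system run test --image=ubuntu:latest` test command above, while POD_DECKHOUSE shows the carve-out for Deckhouse's own pods.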

Inbound SSH Connection

Detects inbound SSH connections to port 22 on the host. Can be legitimate administration, but is also a common initial access vector and should be investigated.

  • Priority: Notice
  • Tags: fstec, auth_attempts

Condition

evt.type in (accept,listen) and fd.sport=22

Output

Inbound SSH Connection (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid type=%evt.type src_ip=%fd.cip container_id=%container.id)

How to test

  • Environment: host

Commands:

rm -f ./id_ed25519*
ssh-keygen -t ed25519 -N '' -f ./id_ed25519 -q

kubectl apply -f -<<EOF
apiVersion: deckhouse.io/v1
kind: NodeUser
metadata:
  name: falco-test
spec:
  isSudoer: false
  nodeGroups:
  - '*'
  sshPublicKeys:
  - $(cat ./id_ed25519.pub)
  uid: 1224
EOF

kubectl wait nodeuser/falco-test --for=jsonpath='{.metadata.name}'=falco-test --timeout=300s
sleep 60
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null falco-test@$(kubectl get nodes -l node.deckhouse.io/deckhouse-ready=true -o json | jq -r '.items[0].status.addresses[] | select(.type=="ExternalIP") | .address') -i ./id_ed25519 "ls -la && sleep 30"
kubectl delete nodeuser/falco-test

Unauthorized request to Kubernetes API

Detects Kubernetes API requests resulting in HTTP 401 (Unauthorized) in audit logs (excluding common health/version endpoints). May indicate token guessing, misconfigured clients, or attacker activity.

  • Priority: Warning
  • Source: K8sAudit
  • Tags: fstec, auth_attempts

Condition

ka.response.code=401 and not jevt.value[/requestURI] startswith /version and not jevt.value[/requestURI] in (/healthz, /readyz, /livez)

Output

Unauthorized K8s API request detected
user=%jevt.value[/user/username]
agents=%jevt.value[/userAgent]
verb=%jevt.value[/verb]
uri=%jevt.value[/requestURI]
src_ip=%jevt.value[/sourceIPs]
dex_name=%jevt.value[/user/extra/user-authn.deckhouse.io~1name/0]
dex_provider=%jevt.value[/user/extra/user-authn.deckhouse.io~1dex-provider/0]

How to test

  • Environment: host

Commands:

curl -k https://$(kubectl -n default get svc kubernetes -o json | jq -r ".spec.clusterIP")/auth/test -H 'Authorization: Bearer TEST'

Security Reports Created

Detects creation of security report resources (configauditreports/vulnerabilityreports). May indicate a scan run, new vulnerability findings, or security-related container activity.

  • Priority: Notice
  • Source: K8sAudit
  • Tags: fstec, security_reports

Condition

kevt and kcreate and ka.target.resource in (security_reports)

Output

K8s Security Reports Created. The report may contain vulnerability information. Check the object in the cluster (user=%ka.user.name, verb=%ka.verb, ns=%ka.target.namespace, resource=%ka.target.resource, object=%ka.target.name sourceIP=%jevt.value[/sourceIPs] dex_name=%jevt.value[/user/extra/user-authn.deckhouse.io~1name/0] dex_provider=%jevt.value[/user/extra/user-authn.deckhouse.io~1dex-provider/0])