Reference Library for Kubernetes Audit Falco Threat Detection Rules

Sysdig Secure enables you to create and customize Threat Detection Rules to secure your environment. This topic provides all the fields and events that apply to Falco rules for Kubernetes Audit.

Fields

Field Class: JSON

Name	Type	Description
`json.value`	CHARBUF	Extracts a value from a JSON-encoded input. Syntax is json.value[], where is a json pointer (see https://datatracker.ietf.org/doc/html/rfc6901)
`json.obj`	CHARBUF	The full json message as a text string.
`json.rawtime`	CHARBUF	The time of the event, identical to evt.rawtime.
`jevt.value`	CHARBUF	Alias for json.value, provided for backwards compatibility.
`jevt.obj`	CHARBUF	Alias for json.obj, provided for backwards compatibility.
`jevt.rawtime`	CHARBUF	Alias for json.rawtime, provided for backwards compatibility.

Field Class: Kubernetes Audit

Name	Type	Description
`ka.auditid`	CHARBUF	The unique id of the audit event
`ka.stage`	CHARBUF	Stage of the request (e.g. RequestReceived, ResponseComplete, etc.)
`ka.auth.decision`	CHARBUF	The authorization decision
`ka.auth.reason`	CHARBUF	The authorization reason
`ka.user.name`	CHARBUF	The user name performing the request
`ka.user.groups`	LIST(CHARBUF)	The groups to which the user belongs
`ka.impuser.name`	CHARBUF	The impersonated user name
`ka.verb`	CHARBUF	The action being performed
`ka.uri`	CHARBUF	The request URI as sent from client to server
`ka.uri.param`	CHARBUF	The value of a given query parameter in the uri (e.g. when uri=/foo?key=val, ka.uri.param[key] is val).
`ka.target.name`	CHARBUF	The target object name
`ka.target.namespace`	CHARBUF	The target object namespace
`ka.target.resource`	CHARBUF	The target object resource
`ka.target.subresource`	CHARBUF	The target object subresource
`ka.req.binding.subjects`	LIST(CHARBUF)	When the request object refers to a cluster role binding, the subject (e.g. account/users) being linked by the binding
`ka.req.binding.role`	CHARBUF	When the request object refers to a cluster role binding, the role being linked by the binding
`ka.req.binding.subject.has_name`	CHARBUF	Deprecated, always returns “N/A”. Only provided for backwards compatibility
`ka.req.configmap.name`	CHARBUF	If the request object refers to a configmap, the configmap name
`ka.req.configmap.obj`	CHARBUF	If the request object refers to a configmap, the entire configmap object
`ka.req.pod.containers.image`	LIST(CHARBUF)	When the request object refers to a pod, the container’s images.
`ka.req.container.image`	CHARBUF	Deprecated by ka.req.pod.containers.image. Returns the image of the first container only
`ka.req.pod.containers.image.repository`	LIST(CHARBUF)	The same as req.container.image, but only the repository part (e.g. falcosecurity/falco).
`ka.req.container.image.repository`	CHARBUF	Deprecated by ka.req.pod.containers.image.repository. Returns the repository of the first container only
`ka.req.pod.host_ipc`	CHARBUF	When the request object refers to a pod, the value of the hostIPC flag.
`ka.req.pod.host_network`	CHARBUF	When the request object refers to a pod, the value of the hostNetwork flag.
`ka.req.container.host_network`	CHARBUF	Deprecated alias for ka.req.pod.host_network
`ka.req.pod.host_pid`	CHARBUF	When the request object refers to a pod, the value of the hostPID flag.
`ka.req.pod.containers.host_port`	LIST(CHARBUF)	When the request object refers to a pod, all container’s hostPort values.
`ka.req.pod.containers.privileged`	LIST(CHARBUF)	When the request object refers to a pod, the value of the privileged flag for all containers.
`ka.req.container.privileged`	CHARBUF	Deprecated by ka.req.pod.containers.privileged. Returns true if any container has privileged=true
`ka.req.pod.containers.allow_privilege_escalation`	LIST(CHARBUF)	When the request object refers to a pod, the value of the allowPrivilegeEscalation flag for all containers
`ka.req.pod.containers.read_only_fs`	LIST(CHARBUF)	When the request object refers to a pod, the value of the readOnlyRootFilesystem flag for all containers
`ka.req.pod.run_as_user`	CHARBUF	When the request object refers to a pod, the runAsUser uid specified in the security context for the pod. See ….containers.run_as_user for the runAsUser for individual containers
`ka.req.pod.containers.run_as_user`	LIST(CHARBUF)	When the request object refers to a pod, the runAsUser uid for all containers
`ka.req.pod.containers.eff_run_as_user`	LIST(CHARBUF)	When the request object refers to a pod, the initial uid that will be used for all containers. This combines information from both the pod and container security contexts and uses 0 if no uid is specified
`ka.req.pod.run_as_group`	CHARBUF	When the request object refers to a pod, the runAsGroup gid specified in the security context for the pod. See ….containers.run_as_group for the runAsGroup for individual containers
`ka.req.pod.containers.run_as_group`	LIST(CHARBUF)	When the request object refers to a pod, the runAsGroup gid for all containers
`ka.req.pod.containers.eff_run_as_group`	LIST(CHARBUF)	When the request object refers to a pod, the initial gid that will be used for all containers. This combines information from both the pod and container security contexts and uses 0 if no gid is specified
`ka.req.pod.containers.proc_mount`	LIST(CHARBUF)	When the request object refers to a pod, the procMount types for all containers
`ka.req.role.rules`	LIST(CHARBUF)	When the request object refers to a role/cluster role, the rules associated with the role
`ka.req.role.rules.apiGroups`	LIST(CHARBUF)	When the request object refers to a role/cluster role, the api groups associated with the role’s rules
`ka.req.role.rules.nonResourceURLs`	LIST(CHARBUF)	When the request object refers to a role/cluster role, the non resource urls associated with the role’s rules
`ka.req.role.rules.verbs`	LIST(CHARBUF)	When the request object refers to a role/cluster role, the verbs associated with the role’s rules
`ka.req.role.rules.resources`	LIST(CHARBUF)	When the request object refers to a role/cluster role, the resources associated with the role’s rules
`ka.req.pod.fs_group`	CHARBUF	When the request object refers to a pod, the fsGroup gid specified by the security context.
`ka.req.pod.supplemental_groups`	LIST(CHARBUF)	When the request object refers to a pod, the supplementalGroup gids specified by the security context.
`ka.req.pod.containers.add_capabilities`	LIST(CHARBUF)	When the request object refers to a pod, all capabilities to add when running the container.
`ka.req.service.type`	CHARBUF	When the request object refers to a service, the service type
`ka.req.service.ports`	LIST(CHARBUF)	When the request object refers to a service, the service’s ports
`ka.req.pod.volumes.hostpath`	LIST(CHARBUF)	When the request object refers to a pod, all hostPath paths specified for all volumes
`ka.req.volume.hostpath`	CHARBUF	Deprecated by ka.req.pod.volumes.hostpath. Return true if the provided (host) path prefix is used by any volume
`ka.req.pod.volumes.flexvolume_driver`	LIST(CHARBUF)	When the request object refers to a pod, all flexvolume drivers specified for all volumes
`ka.req.pod.volumes.volume_type`	LIST(CHARBUF)	When the request object refers to a pod, all volume types for all volumes
`ka.resp.name`	CHARBUF	The response object name
`ka.response.code`	CHARBUF	The response code
`ka.response.reason`	CHARBUF	The response reason (usually present only for failures)
`ka.useragent`	CHARBUF	The useragent of the client who made the request to the apiserver