Rook Falco Rules

Rook turns distributed storage systems into self-managing, self-scaling, self-healing storage services. It automates the tasks of a storage administrator: deployment, bootstrapping, configuration, provisioning, scaling, upgrading, migration, disaster recovery, monitoring, and resource management.

Unexpected spawned process Rook

Detects an unexpected process spawned in the Rook container

Allowed processes:

  • /bin/sh
  • /sbin/ldconfig.real
  • /tini
  • /usr/bin/python2.7
  • /usr/local/bin/rook
  • ceph
  • ldconfig
  • ldconfig.real
  • rook

Unexpected file read by Rook

Detects an attempt to open a file read-only at a path that is not below one of the expected path prefixes

Allowed file prefixes for readonly:

  • /

Unexpected file written by Rook

Detects an attempt to open a file read-write at a path that is not below one of the expected path prefixes

Allowed file prefixes for readwrite:

  • /dev
  • /tmp

Unexpected system calls in Rook container

Detects an unexpected system call executed in the Rook container

Allowed system calls:

  • clone
  • connect
  • dup
  • execve
  • getegid
  • geteuid
  • getgid
  • getrlimit
  • getuid
  • open
  • openat
  • pipe
  • procexit
  • sendmsg
  • socket
  • unlinkat

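The four allow-lists above are easiest to reason about as a single evaluation function run over syscall events. The following is an added example written for this page, not the project's own Falco rule YAML: it encodes the lists exactly as given above and evaluates them against a few constructed events. The Event fields (syscall, proc_name, proc_exe, path, write) are assumptions standing in for Falco's evt.type, proc.name, proc.exepath, fd.name and evt.is_open_write, and the prefix match is done on path-component boundaries, which is stricter than a plain string-prefix test.

```python
"""Re-implementation of the Rook allow-list checks (added example, not the
project's Falco rules).  Event fields are assumptions modelled on Falco's
evt.type, proc.name, proc.exepath, fd.name and evt.is_open_write."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Lists copied verbatim from the rule descriptions above.
ALLOWED_PROCESSES = {
    "/bin/sh", "/sbin/ldconfig.real", "/tini", "/usr/bin/python2.7",
    "/usr/local/bin/rook", "ceph", "ldconfig", "ldconfig.real", "rook",
}
ALLOWED_READ_PREFIXES = ("/",)
ALLOWED_WRITE_PREFIXES = ("/dev", "/tmp")
ALLOWED_SYSCALLS = {
    "clone", "connect", "dup", "execve", "getegid", "geteuid", "getgid",
    "getrlimit", "getuid", "open", "openat", "pipe", "procexit", "sendmsg",
    "socket", "unlinkat",
}

RULE_PROCESS = "Unexpected spawned process Rook"
RULE_READ = "Unexpected file read by Rook"
RULE_WRITE = "Unexpected file written by Rook"
RULE_SYSCALL = "Unexpected system calls in Rook container"


@dataclass
class Event:
    """One syscall event from the Rook container (constructed, not captured)."""
    syscall: str
    proc_name: str
    proc_exe: str = ""
    path: Optional[str] = None   # target of open/openat, if any
    write: bool = False          # True when the open requests write access


def under_prefix(path: str, prefixes: Sequence[str]) -> bool:
    """Path-component-aware prefix match: "/tmp" covers "/tmp" and "/tmp/x"
    but not "/tmpfoo".  The prefix "/" covers every absolute path."""
    for prefix in prefixes:
        if prefix == "/" or path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            return True
    return False


def evaluate(ev: Event) -> List[str]:
    """Return the names of every rule the event would trigger."""
    alerts: List[str] = []
    if ev.syscall not in ALLOWED_SYSCALLS:
        alerts.append(RULE_SYSCALL)
    # Process rule: a match on either the bare name or the full path passes,
    # since the allow-list mixes both forms.
    if ev.syscall == "execve" and ev.proc_name not in ALLOWED_PROCESSES \
            and ev.proc_exe not in ALLOWED_PROCESSES:
        alerts.append(RULE_PROCESS)
    if ev.syscall in ("open", "openat") and ev.path is not None:
        if ev.write and not under_prefix(ev.path, ALLOWED_WRITE_PREFIXES):
            alerts.append(RULE_WRITE)
        if not ev.write and not under_prefix(ev.path, ALLOWED_READ_PREFIXES):
            alerts.append(RULE_READ)
    return alerts


def summarize(events: Sequence[Event]) -> Dict[str, int]:
    """Count how often each rule fires across a batch of events."""
    counts = {RULE_PROCESS: 0, RULE_READ: 0, RULE_WRITE: 0, RULE_SYSCALL: 0}
    for ev in events:
        for rule in evaluate(ev):
            counts[rule] += 1
    return counts


# Constructed sample events: expected operator activity plus a few deviations.
SAMPLE_EVENTS = [
    Event("execve", "rook", "/usr/local/bin/rook"),
    Event("execve", "bash", "/bin/bash"),
    Event("openat", "rook", "/usr/local/bin/rook", path="/etc/ceph/ceph.conf"),
    Event("openat", "rook", "/usr/local/bin/rook", path="/etc/ceph/keyring", write=True),
    Event("openat", "rook", "/usr/local/bin/rook", path="/tmp/rook.lock", write=True),
    Event("ptrace", "rook", "/usr/local/bin/rook"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.syscall:7} {ev.proc_name:6} {ev.path or '-':22} -> {evaluate(ev)}")
    print(summarize(SAMPLE_EVENTS))
```

Running the sample shows one property worth knowing when tuning these rules: because the only read-only prefix is "/", every absolute path passes the read check and the read rule never fires; the write rule and the syscall rule do the real work.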
Rules