Description
We're seeing an issue with our current policy of installing Falco, by default, as part of our Kubernetes collection solution. We've bundled Falco as part of K8s Collection in order to provide collection of security events. However, the installation of Falco triggers the following security alert if the customer has installed our solution in an EKS cluster that is already being monitored by GuardDuty:
"falco pod is connecting to Bitcoin mining server."
The reason Falco triggers this alert is that it is trying to detect nefarious bitcoin mining within the cluster. It does so by first connecting to well-known bitcoin servers and resolving those hostnames to IPs. It then detects other processes in the cluster that are connecting to those IPs. This is Falco doing its job, but Falco's activity appears to GuardDuty as a bad actor.
Disabling the installation of Falco by default to avoid this kind of problem.
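The two-step detection the description outlines, modeled as an added example with constructed data (this is not code from this PR or from Falco, which works on syscall events rather than a connection list). The hostnames, DNS table and events are all assumptions; the point it shows is that the detector's own resolution traffic is indistinguishable from a miner's to a second monitor unless that monitor is told to exclude it.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample data (not real pools): hostnames the detector knows
# about, and the addresses they resolve to in this offline stand-in for DNS.
MINER_HOSTNAMES: List[str] = ["pool1.example-miner.invalid", "pool2.example-miner.invalid"]
DNS_TABLE: Dict[str, str] = {
    "pool1.example-miner.invalid": "203.0.113.10",
    "pool2.example-miner.invalid": "203.0.113.20",
}

# Constructed outbound-connection events as (pod name, destination IP).
EVENTS: List[Tuple[str, str]] = [
    ("falco-abc12", "203.0.113.10"),    # the detector resolving/contacting a known pool
    ("cryptominer-x", "203.0.113.20"),  # a genuine miner in the cluster
    ("api-gateway", "198.51.100.5"),    # ordinary workload traffic
]


def resolve_miner_ips(hostnames: Iterable[str], dns_table: Dict[str, str]) -> Set[str]:
    """Step 1 from the description: turn known pool hostnames into IPs."""
    return {dns_table[h] for h in hostnames if h in dns_table}


def flag_miner_connections(events: Iterable[Tuple[str, str]], miner_ips: Set[str],
                           allowed_prefixes: Tuple[str, ...] = ()) -> List[str]:
    """Step 2: report pods whose outbound connections hit a resolved pool IP.

    allowed_prefixes models the exception a second monitor (GuardDuty in the
    PR) would need so the detector's own lookups are not reported as mining.
    """
    flagged = set()
    for pod, dst in events:
        if dst not in miner_ips:
            continue
        if any(pod.startswith(p) for p in allowed_prefixes):
            continue
        flagged.add(pod)
    return sorted(flagged)


def demo() -> Tuple[List[str], List[str]]:
    """Return (what a naive monitor reports, what it reports with the detector excluded)."""
    ips = resolve_miner_ips(MINER_HOSTNAMES, DNS_TABLE)
    naive = flag_miner_connections(EVENTS, ips)
    with_exception = flag_miner_connections(EVENTS, ips, allowed_prefixes=("falco-",))
    return naive, with_exception
```

The naive pass reports the falco pod alongside the real miner, which is exactly the GuardDuty finding quoted above; the second pass shows the exclusion a monitor would need if Falco stayed installed.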
Testing performed