Rule updates 2018.01.v1 (#319)

* Remove remaining fbash references. No longer relevant after all the installer rules were removed. * Detect contacting EC2 metadata svc from containers Add a rule that detects attempts to contact the ec2 metadata service from containers. By default, the rule does not trigger unless a list of explicitly allowed containers is provided. * Detect contacting K8S API Server from container New rule "Contact K8S API Server From Container" looks for connections to the K8s API Server. The ip/port for the K8s API Server is in the macro k8s_api_server and contains an ip/port that's not likely to occur in practice, so the rule is effectively disabled by default.
2025-08-01 06:29:47 +00:00 · 2018-01-25 16:06:15 -08:00 · 2018-01-25 16:06:15 -08:00 · 1564e87177
commit 1564e87177
parent 070a67d069
1 changed files with 48 additions and 5 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -819,7 +819,7 @@

 - rule: Write below etc
  desc: an attempt to write to any file below /etc
-  condition: write_etc_common and not proc.sname=fbash
+  condition: write_etc_common
  output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name name=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])"
  priority: ERROR
  tags: [filesystem]
@ -1003,7 +1003,7 @@

 - list: known_shell_spawn_binaries
  items: [
-    sshd, sudo, su, tmux, screen, emacs, systemd, login, flock, fbash,
+    sshd, sudo, su, tmux, screen, emacs, systemd, login, flock,
    nginx, monit, supervisord, dragent, aws, awslogs, initdb, docker-compose,
    configure, awk, falco, fail2ban-server, fleetctl,
    logrotate, ansible, less, adduser, pycompile, py3compile,
@ -1451,9 +1451,52 @@
  priority: ERROR
  tags: [filesystem]

-# It'd be nice if we could warn when processes in a fbash session try
-# to download from any nonstandard location? This is probably blocked
-# on https://github.com/draios/falco/issues/88 though.
+
+# In a local/user rules file, you could override this macro to
+# explicitly enumerate the container images that you want to allow
+# access to EC2 metadata. In this main falco rules file, there isn't
+# any way to know all the containers that should have access, so any
+# container is alllowed, by repeating the "container" macro. In the
+# overridden macro, the condition would look something like
+# (container.image startswith vendor/container-1 or container.image
+# startswith vendor/container-2 or ...)
+- macro: ec2_metadata_containers
+  condition: container
+
+# On EC2 instances, 169.254.169.254 is a special IP used to fetch
+# metadata about the instance. It may be desirable to prevent access
+# to this IP from containers.
+- rule: Contact EC2 Instance Metadata Service From Container
+  desc: Detect attempts to contact the EC2 Instance Metadata Service from a container
+  condition: outbound and fd.sip="169.254.169.254" and container and not ec2_metadata_containers
+  output: Outbound connection to EC2 instance metadata service (command=%proc.cmdline connection=%fd.name %container.info image=%container.image)
+  priority: NOTICE
+  tags: [network, aws, container]
+
+# In a local/user rules file, you should override this macro with the
+# IP address of your k8s api server. The IP 1.2.3.4 is a placeholder
+# IP that is not likely to be seen in practice.
+- macro: k8s_api_server
+  condition: (fd.sip="1.2.3.4" and fd.sport=8080)
+
+# In a local/user rules file, list the container images that are
+# allowed to contact the K8s API Server from within a container. This
+# might cover cases where the K8s infrastructure itself is running
+# within a container.
+- macro: k8s_containers
+  condition: >
+    (container.image startswith gcr.io/google_containers/hyperkube-amd64 or
+     container.image startswith gcr.io/google_containers/kube2sky or
+     container.image startswith sysdig/agent or
+     container.image startswith sysdig/falco or
+     container.image startswith sysdig/sysdig)
+
+- rule: Contact K8S API Server From Container
+  desc: Detect attempts to contact the K8S API Server from a container
+  condition: outbound and k8s_api_server and container and not k8s_containers
+  output: Unexpected connection to K8s API Server from container (command=%proc.cmdline %container.info image=%container.image connection=%fd.name)
+  priority: NOTICE
+  tags: [network, k8s, container]

 ###########################
 # Application-Related Rules