Rule updates vdec2 (#315)

* Additional rpm writers, root directories

salt-minion can also touch the rpm database, and some node packages
write below /root/.config/configstore.

* Add smbd as a protected shell spawner.

It's a server-like program.

* Also handle .ash_history

default shell for alpine linux

* Add exceptions for veritas

Let many veritas programs write below /etc/vx.

Let one veritas-related perl script read sensitive files.

* Allow postgres to run wal-e

https://github.com/wal-e/wal-e, archiving program for postgres.

* Let consul (agent) run addl scripts

Also let consul (agent, but the distinction is in the command line args)
to run nc in addition to curl. Also rename the macro.

* Let postgres setuid to itself

Let postgres setuid to itself. Seen by archiving programs like wal-e.

* Also allow consul to run alert check scripts

"sh -c /bin/consul-alerts watch checks --alert-addr 0.0.0.0:9000 ..."

* Add additional privileged containers.

Openshift's logging support containers generally run privileged.

* Let addl progs write below /etc/lvm

Add lvcreate as a program that can write below /etc/lvm and rename the
macro to lvprogs_writing_lvm_archive.

* Let glide write below root

https://glide.sh/, package management for go.

* Let sosreport read sensitive files.

* Let scom server read sensitive files.

Microsoft System Center Operations Manager (SCOM).

* Let kube-router run privileged.

https://github.com/cloudnativelabs/kube-router

* Let needrestart_binaries spawns shells

Was included in prior version of shell rules, adding back.

* Let splunk spawn shells below /opt/splunkforwarder

* Add yum-cron as a rpm binary

* Add a different way to run denyhosts.

Strange that the program is denyhosts.py but observed in actual
environments.

* Let nrpe setuid to nagios.

* Also let postgres run wal-e wrt shells

Previously added as an exception for db program spawned process, need to
add as an exception for run shell untrusted.

* Remove installer shell-related rules

They aren't used that often and removing them cleans up space for new
rules we want to add soon.

rules/falco_rules.yaml

@@ -183,10 +183,10 @@
 # interpreted by the filter expression.
 - list: rpm_binaries
   items: [dnf, rpm, rpmkey, yum, '"75-system-updat"', rhsmcertd-worke, subscription-ma,
-          repoquery, rpmkeys, rpmq]
+          repoquery, rpmkeys, rpmq, yum-cron]
 
 - macro: rpm_procs
-  condition: proc.name in (rpm_binaries)
+  condition: proc.name in (rpm_binaries) or proc.name in (salt-minion)
 
 - list: deb_binaries
   items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, apt, apt-get, aptitude,
@@ -389,9 +389,10 @@
 
 - macro: parent_python_running_denyhosts
   condition: >
+    (proc.cmdline startswith "denyhosts.py /usr/bin/denyhosts.py" or
      (proc.pname=python and
      (proc.pcmdline contains /usr/sbin/denyhosts or
-     proc.pcmdline contains /usr/local/bin/denyhosts.py))
+      proc.pcmdline contains /usr/local/bin/denyhosts.py)))
 
 - macro: parent_python_running_sdchecks
   condition: >
@@ -587,6 +588,9 @@
 - macro: python_mesos_marathon_scripting
   condition: (proc.pcmdline startswith "python3 /marathon-lb/marathon_lb.py")
 
+- macro: splunk_running_forwarder
+  condition: (proc.pname=splunkd and proc.cmdline startswith "sh -c /opt/splunkforwarder")
+
 - macro: parent_running_datastax
   condition: ((proc.pname=java and proc.pcmdline contains "-jar datastax-agent") or
               (proc.pcmdline startswith "nodetool /opt/dse/bin/"))
@@ -612,8 +616,8 @@
 - macro: htpasswd_writing_passwd
   condition: (proc.name=htpasswd and fd.name=/etc/nginx/.htpasswd)
 
-- macro: dmeventd_writing_lvm_archive
+- macro: lvprogs_writing_lvm_archive
-  condition: (proc.name=dmeventd and (fd.name startswith /etc/lvm/archive or
+  condition: (proc.name in (dmeventd,lvcreate) and (fd.name startswith /etc/lvm/archive or
                                       fd.name startswith /etc/lvm/backup))
 - macro: ovsdb_writing_openvswitch
   condition: (proc.name=ovsdb-server and fd.directory=/etc/openvswitch)
@@ -637,6 +641,18 @@
 - macro: countly_writing_nginx_conf
   condition: (proc.cmdline startswith "nodejs /opt/countly/bin" and fd.name startswith /etc/nginx)
 
+- list: veritas_binaries
+  items: [vxconfigd, sfcache, vxclustadm, vxdctl, vxprint, vxdmpadm, vxdisk, vxdg, vxassist, vxtune]
+
+- macro: veritas_driver_script
+  condition: (proc.cmdline startswith "perl /opt/VRTSsfmh/bin/mh_driver.pl")
+
+- macro: veritas_progs
+  condition: (proc.name in (veritas_binaries) or veritas_driver_script)
+
+- macro: veritas_writing_config
+  condition: (veritas_progs and fd.name startswith /etc/vx)
+
 - macro: exe_running_docker_save
   condition: (container and proc.cmdline startswith "exe /var/lib/docker" and proc.pname in (dockerd, docker))
 
@@ -783,7 +799,7 @@
     and not supervise_writing_status
     and not pki_realm_writing_realms
     and not htpasswd_writing_passwd
-    and not dmeventd_writing_lvm_archive
+    and not lvprogs_writing_lvm_archive
     and not ovsdb_writing_openvswitch
     and not datadog_writing_conf
     and not curl_writing_pki_db
@@ -802,14 +818,14 @@
     and not countly_writing_nginx_conf
 
 - rule: Write below etc
-  desc: an attempt to write to any file below /etc, not in a pipe installer session
+  desc: an attempt to write to any file below /etc
   condition: write_etc_common and not proc.sname=fbash
   output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name name=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])"
   priority: ERROR
   tags: [filesystem]
 
 - list: known_root_files
-  items: [/root/.monit.state, /root/.auth_tokens, /root/.bash_history, /root/.aws/credentials,
+  items: [/root/.monit.state, /root/.auth_tokens, /root/.bash_history, /root/.ash_history, /root/.aws/credentials,
           /root/.viminfo.tmp, /root/.lesshst, /root/.bzr.log, /root/.gitconfig.lock]
 
 - list: known_root_directories
@@ -823,11 +839,13 @@
               or fd.name startswith /root/.ivy2
               or fd.name startswith /root/.config/Cypress
               or fd.name startswith /root/.config/pulse
+              or fd.name startswith /root/.config/configstore
               or fd.name startswith /root/jenkins/workspace
               or fd.name startswith /root/.jenkins
               or fd.name startswith /root/.cache
               or fd.name startswith /root/.sbt
               or fd.name startswith /root/.java
+              or fd.name startswith /root/.glide
               or fd.name startswith /root/.sonar)
 
 - rule: Write below root
@@ -842,16 +860,6 @@
   priority: ERROR
   tags: [filesystem]
 
-# Within a fbash session, the severity is lowered to INFO
-- rule: Write below etc in installer
-  desc: an attempt to write to any file below /etc, in a pipe installer session
-  condition: write_etc_common and proc.sname=fbash
-  output: >
-    File below /etc opened for writing (user=%user.name command=%proc.cmdline
-    file=%fd.name) within pipe installer session
-  priority: INFO
-  tags: [filesystem]
-
 - macro: cmp_cp_by_passwd
   condition: proc.name in (cmp, cp) and proc.pname in (passwd, run-parts)
 
@@ -871,7 +879,8 @@
   items: [
     iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd,
     vsftpd, systemd, mysql_install_d, psql, screen, debconf-show, sa-update,
-    pam-auth-update, /usr/sbin/spamd, polkit-agent-he, lsattr, file
+    pam-auth-update, /usr/sbin/spamd, polkit-agent-he, lsattr, file, sosreport,
+    scxcimservera
     ]
 
 # Add conditions to this macro (probably in a separate file,
@@ -904,6 +913,7 @@
     and not run_by_chef
     and not user_read_sensitive_file_conditions
     and not perl_running_plesk
+    and not veritas_driver_script
   output: >
     Sensitive file opened for reading by non-trusted program (user=%user.name name=%proc.name
     command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
@@ -918,11 +928,18 @@
   priority: ERROR
   tags: [filesystem, software_mgmt]
 
+- macro: postgres_running_wal_e
+  condition: (proc.pname=postgres and proc.cmdline startswith "sh -c envdir /etc/wal-e.d/env /usr/local/bin/wal-e")
+
 - rule: DB program spawned process
   desc: >
     a database-server related program spawned a new process other than itself.
     This shouldn\'t occur and is a follow on from some SQL injection attacks.
-  condition: proc.pname in (db_server_binaries) and spawned_process and not proc.name in (db_server_binaries)
+  condition: >
+    proc.pname in (db_server_binaries)
+    and spawned_process
+    and not proc.name in (db_server_binaries)
+    and not postgres_running_wal_e
   output: >
     Database-related program spawned process other than itself (user=%user.name
     program=%proc.cmdline parent=%proc.pname)
@@ -1014,7 +1031,7 @@
 - list: protected_shell_spawning_binaries
   items: [
     http_server_binaries, db_server_binaries, nosql_server_binaries, mail_binaries,
-    fluentd, flanneld, splunkd, consul, runsv
+    fluentd, flanneld, splunkd, consul, smbd, runsv
     ]
 
 - macro: parent_java_running_zookeeper
@@ -1050,8 +1067,11 @@
 - macro: nginx_starting_nginx
   condition: (proc.pname=nginx and proc.cmdline contains "/usr/sbin/nginx -c /etc/nginx/nginx.conf")
 
-- macro: consul_running_curl
+- macro: consul_running_net_scripts
-  condition: (proc.pname=consul and proc.cmdline startswith "sh -c curl")
+  condition: (proc.pname=consul and (proc.cmdline startswith "sh -c curl" or proc.cmdline startswith "sh -c nc"))
+
+- macro: consul_running_alert_checks
+  condition: (proc.pname=consul and proc.cmdline startswith "sh -c /bin/consul-alerts")
 
 - macro: serf_script
   condition: (proc.cmdline startswith "sh -c serf")
@@ -1084,18 +1104,22 @@
     and proc.pname exists
     and protected_shell_spawner
     and not proc.pname in (shell_binaries, gitlab_binaries, cron_binaries, user_known_shell_spawn_binaries,
+                           needrestart_binaries,
                            erl_child_setup, exechealthz,
                            PM2, PassengerWatchd, c_rehash, svlogd, logrotate, hhvm, serf,
                            lb-controller, nvidia-installe, runsv, statsite)
     and not proc.cmdline in (known_shell_spawn_cmdlines)
     and not proc.aname in (unicorn_launche)
-    and not consul_running_curl
+    and not consul_running_net_scripts
+    and not consul_running_alert_checks
     and not nginx_starting_nginx
     and not run_by_package_mgmt_binaries
     and not serf_script
     and not check_process_status
     and not run_by_foreman
     and not python_mesos_marathon_scripting
+    and not splunk_running_forwarder
+    and not postgres_running_wal_e
     and not user_shell_container_exclusions
   output: >
     Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname
@@ -1114,7 +1138,10 @@
               container.image startswith quay.io/coreos/flannel or
               container.image startswith gcr.io/google_containers/kube-proxy or
               container.image startswith calico/node or
-              container.image startswith rook/toolbox)
+              container.image startswith rook/toolbox or
+              container.image startswith registry.access.redhat.com/openshift3/logging-fluentd or
+              container.image startswith registry.access.redhat.com/openshift3/logging-elasticsearch or
+              container.image startswith cloudnativelabs/kube-router)
 
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to specify additional containers that are
@@ -1350,7 +1377,11 @@
               (user.name=postfix and evt.arg.uid=postfix) or
               (user.name=pki-agent and evt.arg.uid=pki-agent) or
               (user.name=pki-acme and evt.arg.uid=pki-acme) or
-              (user.name=nfsnobody and evt.arg.uid=nfsnobody))
+              (user.name=nfsnobody and evt.arg.uid=nfsnobody) or
+              (user.name=postgres and evt.arg.uid=postgres))
+
+- macro: nrpe_becoming_nagios
+  condition: (proc.name=nrpe and evt.arg.uid=nagios)
 
 # In containers, the user name might be for a uid that exists in the
 # container but not on the host. (See
@@ -1371,6 +1402,7 @@
     and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
                           nomachine_binaries)
     and not java_running_sdjagent
+    and not nrpe_becoming_nagios
   output: >
     Unexpected setuid call by non-sudo, non-root program (user=%user.name cur_uid=%user.uid parent=%proc.pname
     command=%proc.cmdline uid=%evt.arg.uid)
@@ -1419,54 +1451,10 @@
   priority: ERROR
   tags: [filesystem]
 
-# fbash is a small shell script that runs bash, and is suitable for use in curl <curl> | fbash installers.
-- rule: Installer bash starts network server
-  desc: an attempt by a program in a pipe installer session to start listening for network connections
-  condition: evt.type=listen and proc.sname=fbash
-  output: "Unexpected listen call by a process in a fbash session (command=%proc.cmdline)"
-  priority: NOTICE
-  tags: [network]
-
-- rule: Installer bash starts session
-  desc: an attempt by a program in a pipe installer session to start a new session
-  condition: evt.type=setsid and proc.sname=fbash
-  output: "Unexpected setsid call by a process in fbash session (command=%proc.cmdline)"
-  priority: NOTICE
-  tags: [process]
-
-- rule: Installer bash non https connection
-  desc: an attempt by a program in a pipe installer session to make an outgoing connection on a non-http(s) port
-  condition: proc.sname=fbash and outbound and not fd.sport in (80, 443, 53)
-  output: >
-    Outbound connection on non-http(s) port by a process in a fbash session
-    (command=%proc.cmdline connection=%fd.name)
-  priority: NOTICE
-  tags: [network]
-
 # It'd be nice if we could warn when processes in a fbash session try
 # to download from any nonstandard location? This is probably blocked
 # on https://github.com/draios/falco/issues/88 though.
 
-# Notice when processes try to run chkconfig/systemctl.... to install a service.
-# Note: this is not a WARNING, as you'd expect some service management
-# as a part of doing the installation.
-- rule: Installer bash manages service
-  desc: an attempt by a program in a pipe installer session to manage a system service (systemd/chkconfig)
-  condition: evt.type=execve and proc.name in (chkconfig, systemctl) and proc.sname=fbash
-  output: "Service management program run by process in a fbash session (command=%proc.cmdline)"
-  priority: INFO
-  tags: [software_mgmt]
-
-# Notice when processes try to run any package management binary within a fbash session.
-# Note: this is not a WARNING, as you'd expect some package management
-# as a part of doing the installation
-- rule: Installer bash runs pkgmgmt program
-  desc: an attempt by a program in a pipe installer session to run a package management binary
-  condition: evt.type=execve and package_mgmt_procs and proc.sname=fbash
-  output: "Package management program run by process in a fbash session (command=%proc.cmdline)"
-  priority: INFO
-  tags: [software_mgmt]
-
 ###########################
 # Application-Related Rules
 ###########################