github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-31 22:16:49 +00:00
Code Issues Projects Releases Wiki Activity

merge add-names-descriptions

Browse Source
This commit is contained in:
Loris Degioanni 2016-05-15 10:07:43 -07:00
commit 21eb418878
2 changed files with 23 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
README.md
View File

@ -264,10 +264,24 @@ Or instead you can try using some of the simpler rules files in `rules`. Or to g
Create a file with some [Falco rules](Rule-syntax-and-design). For example:
```
write: (syscall.type=write and fd.typechar=f) or syscall.type=mkdir or syscall.type=creat or syscall.type=rename
interactive: proc.pname = bash or proc.pname = sshd
write and interactive and fd.name contains sysdig
write and interactive and fd.name contains .txt
- macro: open_write
condition: >
(evt.type=open or evt.type=openat) and
fd.typechar='f' and
(evt.arg.flags contains O_WRONLY or
evt.arg.flags contains O_RDWR or
evt.arg.flags contains O_CREAT or
evt.arg.flags contains O_TRUNC)
- macro: bin_dir
condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
- rule: write_binary_dir
desc: an attempt to write to any file below a set of binary directories
condition: evt.dir = > and open_write and bin_dir
output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
priority: WARNING
```
And you will see an output event for any interactive process that touches a file with "sysdig" or ".txt" in its name!

7
rules/falco_rules.yaml
View File

@ -106,6 +106,9 @@
- macro: server_binaries
condition: http_server_binaries or db_server_binaries or docker_binaries or proc.name in (sshd)
- macro: package_mgmt_binaries
condition: proc.name in (dpkg, rpm)
# A canonical set of processes that run other programs with different
# privileges or as a different user.
- macro: userexec_binaries
@ -196,13 +199,13 @@
- rule: modify_binary_dirs
desc: an attempt to modify any file below a set of binary directories.
condition: modify and bin_dir_rename
condition: modify and bin_dir_rename and not package_mgmt_binaries
output: "File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline operation=%evt.type file=%fd.name %evt.args)"
priority: WARNING
- rule: mkdir_binary_dirs
desc: an attempt to create a directory below a set of binary directories.
condition: mkdir and bin_dir_mkdir
condition: mkdir and bin_dir_mkdir and not package_mgmt_binaries
output: "Directory below known binary directory created (user=%user.name command=%proc.cmdline directory=%evt.arg.path)"
priority: WARNING