From 0a9a85d1da0f190fe023cae606539014f538f7c7 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Sat, 14 May 2016 21:51:55 -0700 Subject: [PATCH 1/2] Also update README example to reflect new format. Include full macros and rule for write_binary_dir. --- README.md | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index de389426..57d0b943 100644 --- a/README.md +++ b/README.md @@ -264,10 +264,24 @@ Or instead you can try using some of the simpler rules files in `rules`. Or to g Create a file with some [Falco rules](Rule-syntax-and-design). For example: ``` -write: (syscall.type=write and fd.typechar=f) or syscall.type=mkdir or syscall.type=creat or syscall.type=rename -interactive: proc.pname = bash or proc.pname = sshd -write and interactive and fd.name contains sysdig -write and interactive and fd.name contains .txt +- macro: open_write + condition: > + (evt.type=open or evt.type=openat) and + fd.typechar='f' and + (evt.arg.flags contains O_WRONLY or + evt.arg.flags contains O_RDWR or + evt.arg.flags contains O_CREAT or + evt.arg.flags contains O_TRUNC) + +- macro: bin_dir + condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) + +- rule: write_binary_dir + desc: an attempt to write to any file below a set of binary directories + condition: evt.dir = > and open_write and bin_dir + output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)" + priority: WARNING + ``` And you will see an output event for any interactive process that touches a file with "sysdig" or ".txt" in its name! From 7436bc095231dce765509e292c3b1a047622db1a Mon Sep 17 00:00:00 2001 
From: Mark Stemm Date: Sat, 14 May 2016 21:57:57 -0700 Subject: [PATCH 2/2] Allow package mgmt binaries to work in bin dirs. A new macro package_mgmt_binaries includes dpkg and rpm. Those programs are allowed to create directories and modify files below binary directories. I'm not adding them to other trusted sets for now, though. --- rules/falco_rules.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 0589e82f..d0e69762 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -106,6 +106,9 @@ - macro: server_binaries condition: http_server_binaries or db_server_binaries or docker_binaries or proc.name in (sshd) +- macro: package_mgmt_binaries + condition: proc.name in (dpkg, rpm) + # A canonical set of processes that run other programs with different # privileges or as a different user. - macro: userexec_binaries @@ -196,13 +199,13 @@ - rule: modify_binary_dirs desc: an attempt to modify any file below a set of binary directories. - condition: modify and bin_dir_rename + condition: modify and bin_dir_rename and not package_mgmt_binaries output: "File below known binary directory renamed/removed (%user.name %proc.name %evt.type %evt.args %fd.name)" priority: WARNING - rule: mkdir_binary_dirs desc: an attempt to create a directory below a set of binary directories. - condition: mkdir and bin_dir_mkdir + condition: mkdir and bin_dir_mkdir and not package_mgmt_binaries output: "Directory below known binary directory created (%user.name %proc.name %evt.type %evt.args %fd.name)" priority: WARNING
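Review bot: The new `package_mgmt_binaries` macro exempts processes on `proc.name` alone, so any process whose name is dpkg or rpm satisfies it regardless of where its executable lives or what started it, and the hunk does not record that trade-off next to the macro. Since hunk 2 immediately turns this macro into a carve-out from two detection rules, I would add a comment above it: `# Matched on process name only; any process named dpkg/rpm satisfies this exemption.` If the field set available here allows it, also anchoring on the parent process (the README example on this page uses `proc.pname`) would narrow the exemption, but I cannot confirm from this hunk which fields the rule engine exposes.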
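Review bot: The `desc` lines of `modify_binary_dirs` and `mkdir_binary_dirs` still describe the rules as catching any modification or directory creation below binary directories, although the changed `condition` lines now exclude `package_mgmt_binaries`; an operator reading the rule after a dpkg/rpm write produced no event has nothing telling them why. I would update both descriptions, e.g. `desc: an attempt to modify any file below a set of binary directories (package managers excluded).` and the matching wording for the mkdir rule. Note that `and not package_mgmt_binaries` drops the event entirely rather than lowering its priority, so package-manager activity in those directories leaves no record from these two rules; that appears intended per the commit message, but a one-line comment on each condition stating it would make the gap explicit.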