From 23e3e99162b5e47d8f1ec4b550ef6c51b817c833 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Thu, 8 Sep 2016 16:20:30 -0700
Subject: [PATCH] New rules related to containers.

New rule 'File Open by Privileged Container' triggers when a container that is running privileged opens a file.

New rule 'Sensitive Mount by Container' triggers when a container that has a sensitive mount opens a file. Currently, a sensitive mount is a mount of /proc.

This depends on https://github.com/draios/sysdig/pull/655.
---
 rules/falco_rules.yaml | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index bea8769d..8747fe01 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -265,7 +265,7 @@
 - rule: Change thread namespace
   desc: an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns.
   condition: evt.type = setns and not proc.name in (docker_binaries, sysdig, dragent, nsenter)
-  output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline container=%container.id)"
+  output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline container=%container.name (id=%container.id))"
   priority: WARNING
 
 - rule: Run shell untrusted
@@ -274,6 +274,24 @@
   output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
   priority: WARNING
 
+- macro: trusted_containers
+  condition: (container.image startswith sysdig/agent or container.image startswith sysdig/falco or container.image startswith sysdig/sysdig)
+
+- rule: File Open by Privileged Container
+  desc: Any open by a privileged container. Exceptions are made for known trusted images.
+  condition: (open_read or open_write) and container and container.privileged=true and not trusted_containers
+  output: File opened for read/write by non-privileged container (user=%user.name command=%proc.cmdline container=%container.name (id=%container.id) file=%fd.name)
+  priority: WARNING
+
+- macro: sensitive_mount
+  condition: (container.mount.dest[/proc*] != "N/A")
+
+- rule: Sensitive Mount by Container
+  desc: Any open by a container that has a mount from a sensitive host directory (i.e. /proc). Exceptions are made for known trusted images.
+  condition: (open_read or open_write) and container and sensitive_mount and not trusted_containers
+  output: File opened for read/write by container mounting sensitive directory (user=%user.name command=%proc.cmdline container=%container.name (id=%container.id) file=%fd.name)
+  priority: WARNING
+
 # Anything run interactively by root
 # - condition: evt.type != switch and user.name = root and proc.name != sshd and interactive
 # output: "Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
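Review bot: The output string of the new 'File Open by Privileged Container' rule says `non-privileged container`, but its condition requires `container.privileged=true`, so every alert this rule emits describes the opposite of what it matched; the line should read `output: File opened for read/write by privileged container (user=%user.name command=%proc.cmdline container=%container.name (id=%container.id) file=%fd.name)`. The `trusted_containers` exception is a prefix match on `container.image`, so any image whose name begins with `sysdig/agent`, `sysdig/falco` or `sysdig/sysdig` is exempted from both new rules on the strength of its name alone; a comment above the macro such as `# Trust is by image name prefix only; tighten to exact image names where they are known` would make that boundary explicit for whoever tunes this later. Likewise `sensitive_mount` covers only `/proc*` (a glob that also admits names such as `/procfoo`), as the commit message states, and a one-line comment recording that scope next to the macro would help the next person who extends it. As a point of style, the surrounding rules quote their `output:` values while the two new rules leave them as plain scalars; quoting them keeps the file consistent.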