github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-13 14:34:33 +00:00
Code Issues Projects Releases Wiki Activity

New rules related to containers.

Browse Source 
New rule 'File Open by Privileged Container' triggers when a container
that is running privileged opens a file.

New rule 'Sensitive Mount by Container' triggers when a container that
has a sensitive mount opens a file. Currently, a sensitive mount is a
mount of /proc.

This depends on https://github.com/draios/sysdig/pull/655.
This commit is contained in:
Mark Stemm 2016-09-08 16:20:30 -07:00
parent f632fa62b0
commit 23e3e99162
1 changed files with 19 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
rules/falco_rules.yaml
View File

@ -265,7 +265,7 @@
- rule: Change thread namespace - rule: Change thread namespace
desc: an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns. desc: an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns.
condition: evt.type = setns and not proc.name in (docker_binaries, sysdig, dragent, nsenter) condition: evt.type = setns and not proc.name in (docker_binaries, sysdig, dragent, nsenter)
output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline container=%container.id)" output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline container=%container.name (id=%container.id))"
priority: WARNING priority: WARNING
- rule: Run shell untrusted - rule: Run shell untrusted
@ -274,6 +274,24 @@
output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)" output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
priority: WARNING priority: WARNING
- macro: trusted_containers
condition: (container.image startswith sysdig/agent or container.image startswith sysdig/falco or container.image startswith sysdig/sysdig)
- rule: File Open by Privileged Container
desc: Any open by a privileged container. Exceptions are made for known trusted images.
condition: (open_read or open_write) and container and container.privileged=true and not trusted_containers
output: File opened for read/write by non-privileged container (user=%user.name command=%proc.cmdline container=%container.name (id=%container.id) file=%fd.name)
priority: WARNING
- macro: sensitive_mount
condition: (container.mount.dest[/proc*] != "N/A")
- rule: Sensitive Mount by Container
desc: Any open by a container that has a mount from a sensitive host directory (i.e. /proc). Exceptions are made for known trusted images.
condition: (open_read or open_write) and container and sensitive_mount and not trusted_containers
output: File opened for read/write by container mounting sensitive directory (user=%user.name command=%proc.cmdline container=%container.name (id=%container.id) file=%fd.name)
priority: WARNING
# Anything run interactively by root # Anything run interactively by root
# - condition: evt.type != switch and user.name = root and proc.name != sshd and interactive # - condition: evt.type != switch and user.name = root and proc.name != sshd and interactive
# output: "Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)" # output: "Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"