From 29b597dd9cafc495bc6032c771b2d547cfa6bcd0 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 9 Jan 2019 12:27:46 -0800
Subject: [PATCH] Improved inbound/outbound macros (#470)

* Improved inbound/outbound macros

Improved versions of inbound/outbound macros that add coverage for recvfrom/recvmsg, sendto/sendmsg and also ignore non-blocking syscalls in a different way.

* Let nginx-ingress-c(ontroller) write to /etc/nginx

Process truncated due to comm limit.

Also fix some parentheses for another write_etc_common macro.

* Let calico setns also.

* Let prometheus-conf write its config

Let prometheus-conf write its config below /etc/prometheus.

* Let openshift oc write to /etc/origin/node
---
 rules/falco_rules.yaml | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 78dbf135..901e9b01 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -268,14 +268,18 @@
 # Network
 - macro: inbound
   condition: >
-    (((evt.type in (accept,listen) and evt.dir=<)) or
+    (((evt.type in (accept,listen) and evt.dir=<) or
+     (evt.type in (recvfrom,recvmsg) and evt.dir=< and
+      fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
     (fd.typechar = 4 or fd.typechar = 6) and
     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
     (evt.rawres >= 0 or evt.res = EINPROGRESS))
 
 - macro: outbound
   condition: >
-    (((evt.type = connect and evt.dir=<)) or
+    (((evt.type = connect and evt.dir=<) or
+     (evt.type in (sendto,sendmsg) and evt.dir=< and
+      fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
     (fd.typechar = 4 or fd.typechar = 6) and
     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
     (evt.rawres >= 0 or evt.res = EINPROGRESS))
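Review bot: The new recvfrom/recvmsg and sendto/sendmsg clauses in `inbound` and `outbound` carry three non-obvious predicates (`fd.l4proto != tcp`, `fd.connected=false`, `fd.name_changed=true`) with no comment, and nothing in the file says why only name changes are counted. As I read it, an unconnected datagram socket is reported only when its peer tuple changes, so repeated datagrams to or from one unchanged peer are reported once; that is presumably meant to limit noise, but it also means these macros do not see sustained traffic to a single peer, which should be stated. Suggest a comment above `inbound`, with a parallel one above `outbound`: `# For non-TCP sockets, a recvfrom/recvmsg on an unconnected fd counts as inbound only when it changes the fd's peer (fd.name_changed), so a stream of datagrams from one peer is reported once`. The `evt.res = EINPROGRESS` alternative in the shared tail is a connect() result and never applies to the datagram clauses; harmless, but worth a word so nobody reads it as covering a non-blocking recv, which fails with EAGAIN and is already excluded by `evt.rawres >= 0`.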
@@ -634,7 +638,7 @@
   condition: (veritas_progs and (fd.name startswith /etc/vx or fd.name startswith /etc/opt/VRTS or fd.name startswith /etc/vom))
 
 - macro: nginx_writing_conf
-  condition: (proc.name=nginx and fd.name startswith /etc/nginx)
+  condition: (proc.name in (nginx,nginx-ingress-c) and fd.name startswith /etc/nginx)
 
 - macro: nginx_writing_certs
   condition: >
@@ -845,12 +849,18 @@
   condition: (proc.aname[2] in (dpkg-reconfigur, dpkg-preconfigu))
 
 - macro: ufw_writing_conf
-  condition: proc.name=ufw and fd.directory=/etc/ufw
+  condition: (proc.name=ufw and fd.directory=/etc/ufw)
 
 - macro: calico_writing_conf
   condition: >
     (proc.name = calico-node and fd.name startswith /etc/calico)
-
+
+- macro: prometheus_conf_writing_conf
+  condition: (proc.name=prometheus-conf and fd.directory=/etc/prometheus/config_out)
+
+- macro: openshift_writing_conf
+  condition: (proc.name=oc and fd.name=/etc/origin/node/node.kubeconfig)
+
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
 # programs writing below specific directories below
@@ -954,6 +964,8 @@
     and not istio_writing_conf
     and not ufw_writing_conf
     and not calico_writing_conf
+    and not prometheus_conf_writing_conf
+    and not openshift_writing_conf
 
 - rule: Write below etc
   desc: an attempt to write to any file below /etc
@@ -1164,7 +1176,7 @@
     as a part of creating a container) by calling setns.
   condition: >
     evt.type = setns
-    and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, sysdig, nsenter)
+    and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, sysdig, nsenter, calico)
     and not proc.name in (user_known_change_thread_namespace_binaries)
     and not proc.name startswith "runc:"
     and not proc.pname in (sysdigcloud_binaries)
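Review bot: `nginx-ingress-c` in the new `proc.name in (nginx,nginx-ingress-c)` is a truncated name, but the rules file does not say so; only the commit message explains that nginx-ingress-controller is cut at the kernel comm limit (15 characters), and a reader of the file alone will take it for a typo and "fix" it. Suggest a comment on the macro: `# nginx-ingress-c is nginx-ingress-controller truncated to the kernel's 15-character comm length`. Note also that this widens an exception keyed on proc.name alone, a value a process picks for itself, so anything naming itself nginx-ingress-c may now write under /etc/nginx without a `Write below etc` alert; if the controller always runs from a known image, adding a `container.image` constraint would narrow it, though the neighbouring macros follow the same proc.name-only pattern so this may be an accepted trade-off here.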
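Review bot: `openshift_writing_conf` exempts writes to `/etc/origin/node/node.kubeconfig`, a credential file, for any process whose comm is the two-letter `oc`, and `prometheus_conf_writing_conf` uses `fd.directory=/etc/prometheus/config_out`, which is an exact match and therefore narrower than the commit message's "below /etc/prometheus" (files in subdirectories of config_out are not covered). The narrower match may well be intended; if so, a comment such as `# only the config_out directory itself, not its subdirectories` would stop a later widening to `startswith`. For the kubeconfig exemption, a comment recording why `oc` writes this file on nodes (I assume the OpenShift node bootstrap, please confirm) would help, and since the file holds node credentials, anchoring the match on the parent process or container image rather than the bare comm would make the exemption harder to borrow. The same two macros are wired into write_etc_common in the hunk at line 964 below, which needs nothing further.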
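Review bot: The `calico` added to the setns exception tuple is a different name from the `calico-node` that `calico_writing_conf` matches earlier in this file, and nothing explains the difference, so a reader may "correct" one to the other. If `calico` here is the CNI plugin binary rather than the node agent (my guess from the names, please confirm), say so on the line: `# calico is the CNI plugin, which enters pod network namespaces via setns; calico-node is the separate agent`. As with `sysdig` and `nsenter` in the same tuple, the match is on comm alone, so a process that names itself calico can now call setns without a `Change thread namespace` alert; the rule's `user_known_change_thread_namespace_binaries` list, visible on the next context line, remains the intended place for site-specific additions. The rule's definition begins before this hunk.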