Rules tweaks

This commit is contained in:
Henri DF 2016-03-08 19:02:45 +00:00
parent 7104d52466
commit 44adb46529


@ -65,6 +65,7 @@ modules: syscall.type in (delete_module, init_module)
container: container.id != host
interactive: proc.aname=sshd or proc.name=systemd-logind
syslog: fd.name = /dev/log
not_cron: proc.name != cron
# System users that should never log into a system. Consider adding your own
# service users (e.g. 'apache' or 'mysqld') here.
@ -82,7 +83,7 @@ write and bin_dir and evt.dir = > | %evt.time: Write to bin dir (%user.name %pro
write and etc_dir and evt.dir = > | %evt.time: Write to etc dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Don't read 'sensitive' files
read and not proc.name in (sudo, su) and sensitive_files | %evt.time: Read sensitive file (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
read and not proc.name in (sudo, su) and not_cron and sensitive_files | %evt.time: Read sensitive file (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Don't modify binary dirs
modify and (bin_dir_rename or bin_dir_mkdir) | %evt.time: Modify bin dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
@ -93,9 +94,6 @@ read and fd.name contains .so and not (ubuntu_so_dirs or centos_so_dirs) | outpu
# Attempts to access things that shouldn't be
evt.res = EACCES | %evt.time: EACCESS (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Let's assume this is a node running elasticsearch
inbound and fd.sockfamily = ip and not (ssh_port or elasticsearch_port) and not fd.rip="127.0.0.1" | %evt.time: bad rip (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Only sysdig and docker can call setns
syscall.type = setns and not proc.name in (docker, sysdig) | %evt.time: Unexpected setns (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
@ -128,5 +126,7 @@ evt.type=setuid and proc.name != sudo | %evt.time: unexpected setuid call by non
not proc.name in (su, sudo) and (adduser_binaries or login_binaries or passwd_binaries or shadowutils_binaries) | %evt.time: user-management binary command run (%user.name %proc.name %evt.dir %evt.type %evt.args)
# Some rootkits hide files in /dev
(evt.type = creat or evt.arg.flags contains O_CREAT) and fd.directory = /dev | %evt.time: file created in /dev (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
(evt.type = creat or evt.arg.flags contains O_CREAT) and fd.directory = /dev and fd.filename != /dev/null | %evt.time: file created in /dev (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Example: you might enable this on a node running elasticsearch (tailor to your server type)
# inbound and fd.sockfamily = ip and not (ssh_port or elasticsearch_port) and not fd.rip="127.0.0.1" | %evt.time: bad rip (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
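Review bot: The /dev/null exemption added to the `file created in /dev` rule in the last hunk compares `fd.filename` against the full path `/dev/null`; in sysdig's filter fields `fd.filename` is the basename portion of the path (here `null`) while `fd.name` carries the full path, so the new clause is always true and the exemption never takes effect — shell redirects such as `> /dev/null`, which open with O_CREAT, will still trigger the alert. If that reading of the field is right, the line should be `... and fd.directory = /dev and fd.name != /dev/null | ...`, or equivalently `fd.filename != null`. A short comment above the rule, e.g. `# /dev/null is exempted because shell redirects open it with O_CREAT`, would record why the exception exists so a later tuning pass does not drop it. Separately, the `not_cron` macro introduced in the first hunk and applied to the `Read sensitive file` rule exempts purely on `proc.name`, which is only the binary's name and not a strong identity; the comment block above the system-user macros would be a natural place to note that this is a name-based exemption and that events from a process merely named cron are no longer reported.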