From 5382aa4e3bb5c458e2c54189294e95a4a871fc17 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Mon, 26 Jun 2017 11:08:20 -0700 Subject: [PATCH 001/110] More shell spawners Add additional shell spawning command lines. Allow package management binaries in containers--lots of people seem to do it. Also allow pycompile/py3compile. I need to refactor the shell spawners to more clearly isolate shell spawners that we don't want to occur in a container from ones that can run both inside and outside of a container. --- rules/falco_rules.yaml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 1bf33415..656ac035 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -574,7 +574,11 @@ '"sh -c pgrep java && exit 0 || exit 1 "', '"sh -c uname -p 2> /dev/null"', '"sh -c echo healthy "', - '"sh -c echo alive "' + '"sh -c echo alive "', + '"sh -c getconf CLK_TCK"', + "'sh -c getconf PAGESIZE'", + "'sh -c LC_ALL=C LANG=C /sbin/ldconfig -p 2>/dev/null'", + "'sh -c stty -a 2>/dev/null'" ] - rule: Run shell in container @@ -583,10 +587,10 @@ spawned_process and container and shell_procs and proc.pname exists - and not proc.pname in (shell_binaries, make_binaries, docker_binaries, k8s_binaries, + and not proc.pname in (shell_binaries, make_binaries, docker_binaries, k8s_binaries, package_mgmt_binaries, lxd_binaries, mesos_slave_binaries, aide_wrapper_binaries, nids_binaries, monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, - erl_child_setup, ceph, PM2) + erl_child_setup, ceph, PM2, pycompile, py3compile) and not trusted_containers and not shell_spawning_containers and not proc.cmdline in (known_container_shell_spawn_cmdlines) From 414a4aaba7e128eff9c4b6f400c30ff9eb53e137 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Mon, 26 Jun 2017 11:15:17 -0700 Subject: [PATCH 002/110] Another shell command line. --- rules/falco_rules.yaml | 1 + 1 file changed, 1 insertion(+) 
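Review bot: Putting `package_mgmt_binaries` into the `proc.pname` exclusion of "Run shell in container" exempts every apt/dpkg/pip/rpm parent, and those are exactly the tools an attacker with a foothold in a container runs (a `pip install` of a hostile sdist executes its setup.py, and apt honours `-o APT::Update::Pre-Invoke=` hooks), so shells they spawn are no longer reported. `proc.pname` is only the parent's comm name, so a binary renamed to `dpkg` inherits the exemption as well. If the noise comes from maintainer scripts during image builds, scoping the exemption to the command-line shape actually observed (as the `known_container_shell_spawn_cmdlines` list already does) would be narrower than the whole list; failing that, a comment such as `# package managers: exempted wholesale, which also hides shells spawned by a hostile package` records the trade-off. The rule's remaining conditions and output lie outside this hunk.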
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 656ac035..15c6479d 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -578,6 +578,7 @@ '"sh -c getconf CLK_TCK"', "'sh -c getconf PAGESIZE'", "'sh -c LC_ALL=C LANG=C /sbin/ldconfig -p 2>/dev/null'", + "'sh -c /sbin/ldconfig -p 2>/dev/null'", "'sh -c stty -a 2>/dev/null'" ] From daedcf172f52d423867518a1df29bb200a248654 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Mon, 26 Jun 2017 13:12:56 -0700 Subject: [PATCH 003/110] Let hhvm spawn shells. http://hhvm.com/, "open-source virtual machine designed for executing programs written in Hack and PHP." --- rules/falco_rules.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 15c6479d..cbb18023 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -476,7 +476,7 @@ pyclean, py3clean, pip, pip2, ansible-playboo, man-db, init, pluto, mkinitramfs, unattended-upgr, watch, sysdig, landscape-sysin, nessusd, PM2, syslog-summary, erl_child_setup, - npm, cloud-init, toybox, ceph + npm, cloud-init, toybox, ceph, hhvm ] - rule: Run shell untrusted @@ -591,7 +591,7 @@ and not proc.pname in (shell_binaries, make_binaries, docker_binaries, k8s_binaries, package_mgmt_binaries, lxd_binaries, mesos_slave_binaries, aide_wrapper_binaries, nids_binaries, monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, - erl_child_setup, ceph, PM2, pycompile, py3compile) + erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm) and not trusted_containers and not shell_spawning_containers and not proc.cmdline in (known_container_shell_spawn_cmdlines) From 3b486fb6c6807d080ce08cff21f5fd53632ec0e3 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 27 Jun 2017 18:00:09 -0700 Subject: [PATCH 004/110] Let npm spawn shells in containers. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
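Review bot: Exempting `hhvm` as a shell parent in both "Run shell untrusted" and "Run shell in container" blinds the rules to the commonest PHP web-shell shape, since a PHP application under HHVM executes `shell_exec()`/`system()` by spawning `sh -c` from that very parent. Elsewhere in this series language runtimes are exempted through a `parent_<runtime>_running_<cmd>` macro that also checks `proc.cmdline`, and the same pattern would fit here once the benign HHVM command lines are known. At minimum the two list entries deserve a comment such as `# hhvm: exempted by name only; this also hides PHP web shells running under HHVM`. Both rules' conditions continue beyond these hunks.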
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index cbb18023..375fa390 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -591,7 +591,7 @@ and not proc.pname in (shell_binaries, make_binaries, docker_binaries, k8s_binaries, package_mgmt_binaries, lxd_binaries, mesos_slave_binaries, aide_wrapper_binaries, nids_binaries, monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, - erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm) + erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm) and not trusted_containers and not shell_spawning_containers and not proc.cmdline in (known_container_shell_spawn_cmdlines) From 5d856ef97a20c8a0c3592ce5c55b471220706561 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 27 Jun 2017 18:00:29 -0700 Subject: [PATCH 005/110] Let _apt user setuid to itself. --- rules/falco_rules.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 375fa390..3dfa98a6 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -623,7 +623,8 @@ - macro: somebody_becoming_themself condition: ((user.name=nobody and evt.arg.uid=nobody) or - (user.name=www-data and evt.arg.uid=www-data)) + (user.name=www-data and evt.arg.uid=www-data) or + (user.name=_apt and evt.arg.uid=_apt)) # sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs - rule: Non sudo setuid From e6006e37872d090bcc15c4ba9641add857da7a5e Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 27 Jun 2017 18:06:36 -0700 Subject: [PATCH 006/110] Add additional dpkg binary dpkg-reconfigur(e), not to be confused with dpkg-preconfigu(re) --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 3dfa98a6..8c82cc60 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
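Review bot: Allowlisting `npm` as a shell parent in "Run shell in container" also suppresses the shell that a malicious package's `preinstall`/`postinstall` script spawns during `npm install`, which is the main execution vector for compromised npm dependencies. The benign cases visible in this series are run-script invocations (`sh -c node index.js` and similar already sit in `known_container_shell_spawn_cmdlines`), so the cmdline list may cover them without a blanket parent exemption. If `npm` stays here, a comment recording the trade-off, e.g. `# npm: also hides install-hook shells from hostile packages`, would help the next person tightening this rule. The rule's condition continues outside the hunk.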
@@ -154,7 +154,7 @@ condition: proc.name in (rpm_binaries) - list: deb_binaries - items: [dpkg, dpkg-preconfigu, apt, apt-get, aptitude, + items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, apt, apt-get, aptitude, frontend, preinst, add-apt-reposit, apt-auto-remova, apt-key, apt-listchanges, unattended-upgr ] From 7ac49a2f99c8373a3787f5d3b803268d7fc038a5 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 28 Jun 2017 11:38:14 -0700 Subject: [PATCH 007/110] Also allow sysdig agent to setuid. It was already allowed to change namespaces. --- rules/falco_rules.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 8c82cc60..ccb7c5e4 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -636,6 +636,7 @@ not user.name=root and not somebody_becoming_themself and not proc.name in (userexec_binaries, mail_binaries, docker_binaries, sshd, dbus-daemon-lau, ping, ping6, critical-stack-) + and not java_running_sdjagent output: > Unexpected setuid call by non-sudo, non-root program (user=%user.name parent=%proc.pname command=%proc.cmdline uid=%evt.arg.uid) From 68d29fc906a9a74218acb314abeb95bbd28f7017 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 5 Jul 2017 14:08:05 -0700 Subject: [PATCH 008/110] Add shell management programs. add-shell and remove-shell are programs that remove shells from /etc/shells. They are allowed to write to files below /etc. --- rules/falco_rules.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index ccb7c5e4..122842dc 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -74,6 +74,9 @@ - list: shell_binaries items: [bash, csh, ksh, sh, tcsh, zsh, dash] +- list: shell_mgmt_binaries + items: [add-shell, remove-shell] + - macro: shell_procs condition: proc.name in (shell_binaries) 
@@ -332,7 +335,7 @@ etc_dir and evt.dir = < and open_write and not proc.name in (passwd_binaries, shadowutils_binaries, sysdigcloud_binaries, package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries, - dev_creation_binaries, + dev_creation_binaries, shell_mgmt_binaries, ldconfig.real, ldconfig, confd, gpg, insserv, apparmor_parser, update-mime, tzdata.config, tzdata.postinst, systemd-machine, debconf-show, rollerd, bind9.postinst, sv, From 09e1caf4bb7f192e7f7e7b68e565d8617bdd6d64 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 5 Jul 2017 14:09:04 -0700 Subject: [PATCH 009/110] add mesos-executor as a mesos binary. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 122842dc..dcb420dc 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -134,7 +134,7 @@ # Utility/etc programs known to run on mesos slaves. Truncation # intentional. - list: mesos_slave_binaries - items: [mesos-health-ch, mesos-docker-ex, mesos-agent, mesos-logrotate, mesos-fetcher] + items: [mesos-health-ch, mesos-docker-ex, mesos-agent, mesos-logrotate, mesos-fetcher, mesos-executor] - list: http_server_binaries items: [nginx, httpd, httpd-foregroun, lighttpd] From ee2c6687463a73acdb1071d022fae94b823c22b2 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 5 Jul 2017 14:09:56 -0700 Subject: [PATCH 010/110] Add systemd as a program that can write below /etc It can modify /etc/resolv.conf. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index dcb420dc..a7df6d0d 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
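Review bot: `add-shell`/`remove-shell` only need to touch `/etc/shells`, but the `shell_mgmt_binaries` exemption lets any process whose comm is one of those names write anywhere below `/etc`, and `proc.name` is the attacker's to choose. Narrowing it to the file actually written, e.g. `and not (proc.name in (shell_mgmt_binaries) and fd.name startswith /etc/shells)`, keeps the original intent (the `startswith` form covers a temporary file that is renamed into place, if that is how they write) while leaving writes to `/etc/passwd`, cron directories and the like visible. The exclusion list continues past the hunk.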
@@ -338,8 +338,8 @@ dev_creation_binaries, shell_mgmt_binaries, ldconfig.real, ldconfig, confd, gpg, insserv, apparmor_parser, update-mime, tzdata.config, tzdata.postinst, - systemd-machine, debconf-show, rollerd, bind9.postinst, sv, gen_resolvconf.) + systemd, systemd-machine, debconf-show, rollerd, bind9.postinst, sv, and not proc.pname in (sysdigcloud_binaries) and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java) and not ansible_running_python From e2be47e3c28ee406c541ab5971d41d4737e7792b Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 5 Jul 2017 14:11:11 -0700 Subject: [PATCH 011/110] Allow update-ca-certi(ficates) to write below /etc Truncation intentonal. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index a7df6d0d..6086be15 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -338,8 +338,8 @@ dev_creation_binaries, shell_mgmt_binaries, ldconfig.real, ldconfig, confd, gpg, insserv, apparmor_parser, update-mime, tzdata.config, tzdata.postinst, - gen_resolvconf.) systemd, systemd-machine, debconf-show, rollerd, bind9.postinst, sv, + gen_resolvconf., update-ca-certi) and not proc.pname in (sysdigcloud_binaries) and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java) and not ansible_running_python From d96cf4c369a347b9adcbe942575f5f3d0255606a Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 5 Jul 2017 14:12:05 -0700 Subject: [PATCH 012/110] Allow programs to write below /etc/logstash At least for some logstash configs, device files get written to below /etc/logstash instead of elsewhere like /var. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 6086be15..d962c539 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
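Review bot: Exempting the bare name `systemd` from "Write below etc" gives away one of the better masquerade detections this rule provides, because `systemd` is a stock name for miners and droppers precisely because it looks benign, and `proc.name` compares only the comm string. The stated need is `/etc/resolv.conf`, so the exemption can be scoped to that file, e.g. `and not (proc.name=systemd and fd.name startswith /etc/resolv.conf)` (the `startswith` form allows for a temporary file renamed into place). Note that in this rendering the `gen_resolvconf.)` text appears before the `+` line of the hunk, so the hunk is not shown in its original line order; the exclusion list continues beyond it.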
@@ -341,7 +341,7 @@ systemd, systemd-machine, debconf-show, rollerd, bind9.postinst, sv, gen_resolvconf., update-ca-certi) and not proc.pname in (sysdigcloud_binaries) - and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java) + and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java, /etc/logstash) and not ansible_running_python and not python_running_denyhosts From c8c0a97f64ddc5f54aa90c8577dd50bbb5f75c5d Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 5 Jul 2017 14:12:54 -0700 Subject: [PATCH 013/110] Let Xvfb setuid. X11 program. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index d962c539..56e7974f 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -638,7 +638,7 @@ evt.type=setuid and evt.dir=> and not user.name=root and not somebody_becoming_themself and not proc.name in (userexec_binaries, mail_binaries, docker_binaries, - sshd, dbus-daemon-lau, ping, ping6, critical-stack-) + sshd, dbus-daemon-lau, ping, ping6, critical-stack-, Xvfb) and not java_running_sdjagent output: > Unexpected setuid call by non-sudo, non-root program (user=%user.name parent=%proc.pname From 02645e7a2e01f3774411b88bd7b8577c4d56f7ee Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 5 Jul 2017 14:14:13 -0700 Subject: [PATCH 014/110] Be consistent about nested quotes. Use single quotes for the outer yaml-level strings, and double quote for the quoted string. --- rules/falco_rules.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 56e7974f..2cde2aa3 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
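Review bot: `fd.directory` is the immediate parent directory of the file, so the `/etc/logstash` entry exempts files written directly into that directory and not, as the commit message says, everything "below" it (`/etc/logstash/conf.d/…` would still alert). That narrower reading is the safer one, but it is worth a comment so nobody widens it by accident, e.g. `# direct children only; fd.directory does not match subdirectories`. The surrounding `and not` chain continues outside the hunk.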
@@ -579,10 +579,10 @@ '"sh -c echo healthy "', '"sh -c echo alive "', '"sh -c getconf CLK_TCK"', - "'sh -c getconf PAGESIZE'", - "'sh -c LC_ALL=C LANG=C /sbin/ldconfig -p 2>/dev/null'", - "'sh -c /sbin/ldconfig -p 2>/dev/null'", - "'sh -c stty -a 2>/dev/null'" + '"sh -c getconf PAGESIZE"', + '"sh -c LC_ALL=C LANG=C /sbin/ldconfig -p 2>/dev/null"', + '"sh -c /sbin/ldconfig -p 2>/dev/null"', + '"sh -c stty -a 2>/dev/null"', ] - rule: Run shell in container From e1293a7eca604ddec6ea30dcd97ecb15bac41df8 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 5 Jul 2017 14:14:44 -0700 Subject: [PATCH 015/110] Add some additional command lines. Dangling parentheses intentional. --- rules/falco_rules.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 2cde2aa3..f76a96be 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -583,6 +583,8 @@ '"sh -c LC_ALL=C LANG=C /sbin/ldconfig -p 2>/dev/null"', '"sh -c /sbin/ldconfig -p 2>/dev/null"', '"sh -c stty -a 2>/dev/null"', + '"sh -c node index.js)"', + '"sh -c node -e \"require(''nan'')\")"' ] - rule: Run shell in container From f6b306825952527c935d9b955e664eaadeafb518 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 5 Jul 2017 14:22:38 -0700 Subject: [PATCH 016/110] Let vpn binaries write below /etc. They will modify things like dns servers, etc. --- rules/falco_rules.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index f76a96be..026232e6 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -193,6 +193,9 @@ - list: hids_binaries items: [aide] +- list: vpn_binaries + items: [openvpn] + - list: nids_binaries items: [bro, broctl] 
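Review bot: The `'"sh -c node -e \"require(''nan'')\")"'` entry carries a literal backslash before each inner double quote into the rule string, and it is not clear from the hunk whether Falco's condition parser unescapes `\"` or whether `proc.cmdline` ever contains those backslashes, so this entry may never match while the adjacent plain entries do. It is worth confirming against a captured event and, if it does not fire, recording the cmdline exactly as Falco prints it. The dangling `)` entries are described as intentional in the commit message; a comment next to them, e.g. `# trailing ')' reproduces how the observed cmdline is rendered`, would stop someone from "fixing" them later.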
@@ -387,7 +390,7 @@ condition: > sensitive_files and open_read and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries, - cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries) + cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries, vpn_binaries) and not cmp_cp_by_passwd and not ansible_running_python and not proc.cmdline contains /usr/bin/mandb From 7ae765bfc96093ccada65f53f2f969e839a19419 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 5 Jul 2017 14:23:10 -0700 Subject: [PATCH 017/110] Include container image in shell in container rule Include the container image in the "run shell in container" rule output. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 026232e6..71e418ae 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -604,7 +604,7 @@ and not shell_spawning_containers and not proc.cmdline in (known_container_shell_spawn_cmdlines) output: > - Shell spawned in a container other than entrypoint (user=%user.name %container.info + Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline) priority: NOTICE tags: [container, shell] From 61f738826cb34f45b13b6bea2232c9211321c4bb Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 5 Jul 2017 14:24:32 -0700 Subject: [PATCH 018/110] Add additional command lines. Add additional command lines for known shells. --- rules/falco_rules.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 71e418ae..18c45f68 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
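Review bot: The commit message says vpn binaries should be allowed to write below `/etc`, but the hunk adds `vpn_binaries` to the parent exclusion of "Read sensitive file untrusted" instead, so `openvpn` is now permitted to read `/etc/shadow` and the other sensitive files while the write rule is untouched. If the intent really is DNS/resolver updates, the `proc.name` list of the "Write below etc" rule is where `vpn_binaries` belongs; if openvpn genuinely needs to read sensitive files (for example through a PAM auth plugin), the message and a comment on the list should say which file and why. The rule's condition continues past the hunk.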
@@ -587,7 +587,8 @@ '"sh -c /sbin/ldconfig -p 2>/dev/null"', '"sh -c stty -a 2>/dev/null"', '"sh -c node index.js)"', - '"sh -c node -e \"require(''nan'')\")"' + '"sh -c node -e \"require(''nan'')\")"', + '"sh -c node $NODE_DEBUG_OPTION index.js )"' ] - rule: Run shell in container From 1753d16962d088fe1846c834d4dda235cca89a07 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 5 Jul 2017 14:44:17 -0700 Subject: [PATCH 019/110] Add easy way to add to container shell cmdlines A new (empty) list user_known_container_shell_spawn_binaries allows additional files to add additional programs that are allowed to spawn shells in containers. --- rules/falco_rules.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 18c45f68..4d4be1bd 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -591,6 +591,14 @@ '"sh -c node $NODE_DEBUG_OPTION index.js )"' ] +# This list allows for easy additions to the set of commands allowed +# to run shells in containers without having to without having to copy +# and override the entire run shell in container macro. Once +# https://github.com/draios/falco/issues/255 is fixed this will be a +# bit easier, as someone could append of any of the existing lists. +- list: user_known_container_shell_spawn_binaries + items: [] + - rule: Run shell in container desc: a shell was spawned by a non-shell program in a container. Container entrypoints are excluded. condition: > @@ -599,6 +607,7 @@ and proc.pname exists and not proc.pname in (shell_binaries, make_binaries, docker_binaries, k8s_binaries, package_mgmt_binaries, lxd_binaries, mesos_slave_binaries, aide_wrapper_binaries, nids_binaries, + user_known_container_shell_spawn_binaries, monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm) and not trusted_containers From f12331338919eee14e09298140fcfcb9c7cf6f6f Mon Sep 17 00:00:00 2001 
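Review bot: The comment above `user_known_container_shell_spawn_binaries` repeats "without having to" and describes the list as holding "commands", while the rule consumes it through `proc.pname in (...)`, so it holds parent process names that any renamed binary can assume. Suggested wording: `# Parent process names (comm, not paths) allowed to spawn shells in containers. Append here from a local rules file instead of overriding the whole rule; a process can trivially take one of these names, so keep the list short.` The rule's condition continues outside the hunk.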
From: Mark Stemm Date: Wed, 5 Jul 2017 16:26:02 -0700 Subject: [PATCH 020/110] Let certbot write below etc. Let's encrypt client program. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 4d4be1bd..eca315d2 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -342,7 +342,7 @@ ldconfig.real, ldconfig, confd, gpg, insserv, apparmor_parser, update-mime, tzdata.config, tzdata.postinst, systemd, systemd-machine, debconf-show, rollerd, bind9.postinst, sv, - gen_resolvconf., update-ca-certi) + gen_resolvconf., update-ca-certi, certbot) and not proc.pname in (sysdigcloud_binaries) and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java, /etc/logstash) and not ansible_running_python From 1c645862e1e15bdf5cd8cdaa9d3b04612ca3037a Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 6 Jul 2017 17:08:18 -0700 Subject: [PATCH 021/110] Allow systemd-sysuser to write below /etc. --- rules/falco_rules.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index eca315d2..2a7b8ac3 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -341,7 +341,8 @@ dev_creation_binaries, shell_mgmt_binaries, ldconfig.real, ldconfig, confd, gpg, insserv, apparmor_parser, update-mime, tzdata.config, tzdata.postinst, - systemd, systemd-machine, debconf-show, rollerd, bind9.postinst, sv, + systemd, systemd-machine, systemd-sysuser, + debconf-show, rollerd, bind9.postinst, sv, gen_resolvconf., update-ca-certi, certbot) and not proc.pname in (sysdigcloud_binaries) and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java, /etc/logstash) From 463ade2b1d5a334ef8096968cf471e57e967f6b0 Mon Sep 17 00:00:00 2001 
From: Mark Stemm Date: Wed, 12 Jul 2017 18:25:16 -0700 Subject: [PATCH 022/110] Add 3dt as a meos program. mesos diagnostics service. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 2a7b8ac3..6e0c1efc 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -134,7 +134,7 @@ # Utility/etc programs known to run on mesos slaves. Truncation # intentional. - list: mesos_slave_binaries - items: [mesos-health-ch, mesos-docker-ex, mesos-agent, mesos-logrotate, mesos-fetcher, mesos-executor] + items: [mesos-health-ch, mesos-docker-ex, mesos-agent, mesos-logrotate, mesos-fetcher, mesos-executor, 3dt] - list: http_server_binaries items: [nginx, httpd, httpd-foregroun, lighttpd] From de3ca31b15110ddd8db4e1b49a159b8413ffc066 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 12 Jul 2017 18:25:36 -0700 Subject: [PATCH 023/110] Allow certbot to spawn shells. Part of let's encrypt. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 6e0c1efc..7e83cfac 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -483,7 +483,7 @@ pyclean, py3clean, pip, pip2, ansible-playboo, man-db, init, pluto, mkinitramfs, unattended-upgr, watch, sysdig, landscape-sysin, nessusd, PM2, syslog-summary, erl_child_setup, - npm, cloud-init, toybox, ceph, hhvm + npm, cloud-init, toybox, ceph, hhvm, certbot ] - rule: Run shell untrusted From 1221399ac5ed8f3dfd6e13db51929b7731316932 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 14 Jul 2017 09:14:16 -0700 Subject: [PATCH 024/110] Allow writes below /etc/nginx/conf.d The nginx docker hub container will write below that directory at startup. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 7e83cfac..40687ed8 100644 --- a/rules/falco_rules.yaml 
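Review bot: Exempting `certbot` as a shell parent in "Run shell untrusted" is broad, because certbot's `--pre-hook`/`--post-hook`/`--deploy-hook` options run operator-supplied commands through a shell, so a hook injected via its configuration or invocation would now execute unobserved. If the benign shell it spawns is a fixed invocation, a `parent_certbot_running_<cmd>` macro keyed on `proc.cmdline`, in the style of the other `parent_*` macros in this file, keeps the exemption to that case; otherwise a comment such as `# certbot: runs user hooks via sh; exempted wholesale` should record the trade-off. The rule's condition is outside this hunk.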
+++ b/rules/falco_rules.yaml @@ -345,7 +345,7 @@ debconf-show, rollerd, bind9.postinst, sv, gen_resolvconf., update-ca-certi, certbot) and not proc.pname in (sysdigcloud_binaries) - and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java, /etc/logstash) + and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d) and not ansible_running_python and not python_running_denyhosts From 6397c3a556c6e248af6fb21aa8e98083efc66f0c Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 21 Jul 2017 12:17:45 -0700 Subject: [PATCH 025/110] Add additional command line. --- rules/falco_rules.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 40687ed8..6e97d0c9 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -589,7 +589,8 @@ '"sh -c stty -a 2>/dev/null"', '"sh -c node index.js)"', '"sh -c node -e \"require(''nan'')\")"', - '"sh -c node $NODE_DEBUG_OPTION index.js )"' + '"sh -c node $NODE_DEBUG_OPTION index.js )"', + '"sh -c crontab -l 2"' ] # This list allows for easy additions to the set of commands allowed From b208008be1a6e7ec5b4f65d3a617b5404ff16ef5 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 26 Jul 2017 14:01:03 -0700 Subject: [PATCH 026/110] Fix parent_python_running_sdchecks It was checking the current process instead of the parent, which doesn't work when you've just done an exec. --- rules/falco_rules.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 6e97d0c9..9d4f7278 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
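Review bot: The `/etc/nginx/conf.d` exemption applies to every process on the host, not only the nginx image's entrypoint, so any process dropping an nginx config fragment into that directory is now silent, and an injected `conf.d` file is a convenient way to redirect or proxy traffic. If only the Docker Hub image needs it, scoping the exemption to the container, e.g. `and not (fd.directory=/etc/nginx/conf.d and container.image startswith nginx)` (assuming `container.image` carries the repository name), keeps it to that case. A comment naming the image would help either way; the `and not` chain continues outside the hunk.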
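Review bot: The new `sh -c crontab -l 2` entry looks like a truncated `crontab -l 2>/dev/null`, and because the list is consulted with an exact `in` match it will not fire on the full cmdline if that is what the process actually ran. Worth confirming the value was copied as the process executes it rather than as a truncated alert line; if it really is the literal command, a short comment such as `# literal, not a truncation` prevents a later "fix".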
@@ -301,8 +301,8 @@ - macro: parent_python_running_sdchecks condition: > - (proc.name in (python, python2.7) and - (proc.cmdline contains /opt/draios/bin/sdchecks)) + (proc.pname in (python, python2.7) and + (proc.pcmdline contains /opt/draios/bin/sdchecks)) - macro: parent_bro_running_python condition: (proc.pname=python and proc.cmdline contains /usr/share/broctl) From d5a107b15f8e9dc69f1ec704ae93f4c456ae11f3 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 27 Jul 2017 17:01:36 -0700 Subject: [PATCH 027/110] More beta updates, almost all shell related: - Allow several combinations of scripting programs (ruby, python, etc.) to run other build-ish commands. - Let mysql_install_d(b) spawn shells and access sensitive files. - Let qualys-cloud-ag(ent) spawn shells - Add a few additional innocuous commandlines - Let postfix setuid to itself --- rules/falco_rules.yaml | 48 ++++++++++++++++++++++++++++++++++++------ 1 file changed, 41 insertions(+), 7 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 9d4f7278..8d9e0386 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
@@ -312,6 +312,24 @@ (proc.pname=java and proc.pcmdline contains jenkins.war or proc.pcmdline contains /tmp/slave.jar) +- macro: parent_java_running_echo + condition: (proc.pname=java and proc.cmdline startswith "sh -c echo") + +- macro: parent_php_running_git + condition: (proc.pname in (php,php5-fpm) and proc.cmdline startswith "sh -c git") + +- macro: parent_ruby_running_gcc + condition: (proc.pname in (ruby,ruby2.3) and proc.cmdline startswith "sh -c gcc") + +- macro: parent_nginx_running_serf + condition: (proc.pname=nginx and proc.cmdline startswith "sh -c serf") + +- macro: parent_Xvfb_running_xkbcomp + condition: (proc.pname=Xvfb and proc.cmdline startswith 'sh -c "/usr/bin/xkbcomp"') + +- macro: mysql_image_running_healthcheck + condition: container.image=mysql and proc.cmdline="sh -c /healthcheck.sh" + # As a part of kernel upgrades, dpkg will spawn a perl script with the # name linux-image-N.N. This macro matches that. - macro: parent_linux_image_upgrade_script @@ -382,7 +400,7 @@ tags: [filesystem] - list: read_sensitive_file_binaries - items: [iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd, vsftpd, systemd] + items: [iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd, vsftpd, systemd, mysql_install_d] - rule: Read sensitive file untrusted desc: > @@ -483,7 +501,8 @@ pyclean, py3clean, pip, pip2, ansible-playboo, man-db, init, pluto, mkinitramfs, unattended-upgr, watch, sysdig, landscape-sysin, nessusd, PM2, syslog-summary, erl_child_setup, - npm, cloud-init, toybox, ceph, hhvm, certbot + npm, cloud-init, toybox, ceph, hhvm, certbot, mysql_install_d, + qualys-cloud-ag, serf ] - rule: Run shell untrusted 
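Review bot: The new `parent_java_running_echo`, `parent_php_running_git`, `parent_ruby_running_gcc` and `parent_nginx_running_serf` macros match on `proc.cmdline startswith "sh -c <word>"`, which exempts any command line that merely begins with that word, so `sh -c echo x; curl http://… | sh` from a Java parent, the usual shape of a deserialization or JNDI RCE, is no longer reported by either shell rule. Where the benign invocation is fixed, an exact `proc.cmdline=` match is safer; where its arguments vary, exclude shell metacharacters inside the macro, e.g. `and not proc.cmdline contains ";" and not proc.cmdline contains "&&" and not proc.cmdline contains "|"`. `mysql_image_running_healthcheck` keys on `container.image=mysql`, which anyone can name their image, so it is an image-name convention rather than a trust boundary and deserves a comment saying so. The macros are complete in the hunk; the rules that use them are outside it.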
@@ -501,6 +520,11 @@ and not parent_python_running_sdchecks and not parent_linux_image_upgrade_script and not parent_java_running_jenkins + and not parent_java_running_echo + and not parent_php_running_git + and not parent_ruby_running_gcc + and not parent_Xvfb_running_xkbcomp + and not parent_nginx_running_serf output: > Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline pcmdline=%proc.pcmdline) @@ -587,10 +611,13 @@ '"sh -c LC_ALL=C LANG=C /sbin/ldconfig -p 2>/dev/null"', '"sh -c /sbin/ldconfig -p 2>/dev/null"', '"sh -c stty -a 2>/dev/null"', - '"sh -c node index.js)"', + '"sh -c node index.js"', + '"sh -c node index"', + '"sh -c node ./src/start.js"', '"sh -c node -e \"require(''nan'')\")"', - '"sh -c node $NODE_DEBUG_OPTION index.js )"', - '"sh -c crontab -l 2"' + '"sh -c node $NODE_DEBUG_OPTION index.js "', + '"sh -c crontab -l 2"', + '"sh -c lsb_release -a"' ] # This list allows for easy additions to the set of commands allowed @@ -611,9 +638,15 @@ lxd_binaries, mesos_slave_binaries, aide_wrapper_binaries, nids_binaries, user_known_container_shell_spawn_binaries, monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, - erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm) + erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm, mysql_install_d, serf) and not trusted_containers and not shell_spawning_containers + and not parent_java_running_echo + and not parent_php_running_git + and not parent_ruby_running_gcc + and not parent_Xvfb_running_xkbcomp + and not mysql_image_running_healthcheck + and not parent_nginx_running_serf and not proc.cmdline in (known_container_shell_spawn_cmdlines) output: > Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image 
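Review bot: The `and not parent_*_running_*` lines are pasted verbatim into both "Run shell untrusted" and "Run shell in container", which is how the two exemption sets drift apart over time. Collecting the host-and-container exceptions in one macro, e.g. `- macro: shell_spawn_parent_exceptions` with those clauses `or`-ed together, and writing `and not shell_spawn_parent_exceptions` in both rules keeps them in one place, leaving only the container-specific `mysql_image_running_healthcheck` in the container rule. Both rules' conditions extend beyond these hunks.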
@@ -644,7 +677,8 @@ - macro: somebody_becoming_themself condition: ((user.name=nobody and evt.arg.uid=nobody) or (user.name=www-data and evt.arg.uid=www-data) or - (user.name=_apt and evt.arg.uid=_apt)) + (user.name=_apt and evt.arg.uid=_apt) or + (user.name=postfix and evt.arg.uid=postfix)) # sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs - rule: Non sudo setuid From 9883656882055fad5b25bdb80f3b5a7fa0ded3fd Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 28 Jul 2017 16:16:58 -0700 Subject: [PATCH 028/110] More shell/build related changes - Move qualys-cloud-ag to the monitoring_binaries list - Add a new list sendmail_config_binaries containing programs that can modify files. - Make parent_php_running_git a bit more generic for parent_php_running_builds and add some additional sub-commands. --- rules/falco_rules.yaml | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 8d9e0386..a0c858d7 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -200,7 +200,7 @@ items: [bro, broctl] - list: monitoring_binaries - items: [icinga2, nrpe, npcd, check_sar_perf.] + items: [icinga2, nrpe, npcd, check_sar_perf., qualys-cloud-ag] - macro: system_procs condition: proc.name in (coreutils_binaries, user_mgmt_binaries) @@ -208,6 +208,12 @@ - list: mail_binaries items: [sendmail, sendmail-msp, postfix, procmail, exim4, pickup, showq] +- list: sendmail_config_binaries + items: [ + update_conf, parse_mc, makemap_hash, newaliases, update_mk, update_tlsm4, + update_db, update_mc + ] + - list: make_binaries items: [make, gmake, cmake] 
@@ -315,8 +321,11 @@ - macro: parent_java_running_echo condition: (proc.pname=java and proc.cmdline startswith "sh -c echo") -- macro: parent_php_running_git - condition: (proc.pname in (php,php5-fpm) and proc.cmdline startswith "sh -c git") +- macro: parent_php_running_builds + condition: > + (proc.pname in (php,php5-fpm) and ( + proc.cmdline startswith "sh -c git" or + proc.cmdline startswith "sh -c date")) - macro: parent_ruby_running_gcc condition: (proc.pname in (ruby,ruby2.3) and proc.cmdline startswith "sh -c gcc") @@ -400,7 +409,10 @@ tags: [filesystem] - list: read_sensitive_file_binaries - items: [iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd, vsftpd, systemd, mysql_install_d] + items: [ + iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd, + vsftpd, systemd, mysql_install_d + ] - rule: Read sensitive file untrusted desc: > @@ -409,7 +421,8 @@ condition: > sensitive_files and open_read and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries, - cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries, vpn_binaries) + cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries, + vpn_binaries, sendmail_config_binaries) and not cmp_cp_by_passwd and not ansible_running_python and not proc.cmdline contains /usr/bin/mandb @@ -502,7 +515,7 @@ init, pluto, mkinitramfs, unattended-upgr, watch, sysdig, landscape-sysin, nessusd, PM2, syslog-summary, erl_child_setup, npm, cloud-init, toybox, ceph, hhvm, certbot, mysql_install_d, - qualys-cloud-ag, serf + serf ] - rule: Run shell untrusted @@ -521,7 +534,7 @@ and not parent_linux_image_upgrade_script and not parent_java_running_jenkins and not parent_java_running_echo - and not parent_php_running_git + and not parent_php_running_builds and not parent_ruby_running_gcc and not parent_Xvfb_running_xkbcomp and not parent_nginx_running_serf 
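Review bot: The commit message says `sendmail_config_binaries` holds programs that "modify files", but this hunk only adds the list to the parent exclusion of "Read sensitive file untrusted", so what it actually grants is unalerted reads of `/etc/shadow` and the other sensitive files. The names in the list (`update_conf`, `update_db`, `update_mk`, `parse_mc`, …) are generic enough that an unrelated or renamed process picks up the exemption, since `proc.name` compares only the comm string. If these helpers run under a known parent, restricting on `proc.pname` alongside the name keeps this from being a free pass, and a comment on the list should say which sensitive file they need and why. The rule's condition continues outside the hunk.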
@@ -642,7 +655,7 @@ and not trusted_containers and not shell_spawning_containers and not parent_java_running_echo - and not parent_php_running_git + and not parent_php_running_builds and not parent_ruby_running_gcc and not parent_Xvfb_running_xkbcomp and not mysql_image_running_healthcheck From 33974c6912917f240641cdeb2a92e52d77a7bb37 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 1 Aug 2017 18:02:23 -0700 Subject: [PATCH 029/110] More server progs - add ssmtp.postinst as a mail config program - allow runsv to write below etc - allow a2enmod to spawn shells - add additional shell cmdline --- rules/falco_rules.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index a0c858d7..c0699111 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -211,7 +211,7 @@ - list: sendmail_config_binaries items: [ update_conf, parse_mc, makemap_hash, newaliases, update_mk, update_tlsm4, - update_db, update_mc + update_db, update_mc, ssmtp.postinst ] - list: make_binaries @@ -370,7 +370,7 @@ apparmor_parser, update-mime, tzdata.config, tzdata.postinst, systemd, systemd-machine, systemd-sysuser, debconf-show, rollerd, bind9.postinst, sv, - gen_resolvconf., update-ca-certi, certbot) + gen_resolvconf., update-ca-certi, certbot, runsv) and not proc.pname in (sysdigcloud_binaries) and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d) and not ansible_running_python @@ -515,7 +515,7 @@ init, pluto, mkinitramfs, unattended-upgr, watch, sysdig, landscape-sysin, nessusd, PM2, syslog-summary, erl_child_setup, npm, cloud-init, toybox, ceph, hhvm, certbot, mysql_install_d, - serf + serf, a2enmod ] - rule: Run shell untrusted @@ -627,6 +627,7 @@ '"sh -c node index.js"', '"sh -c node index"', '"sh -c node ./src/start.js"', + '"sh -c node app.js"', '"sh -c node -e \"require(''nan'')\")"', '"sh -c node $NODE_DEBUG_OPTION index.js "', '"sh -c crontab -l 2"', 
From 2ebe9e06a8125591b3b428ba01f456e3050c1258 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 2 Aug 2017 16:07:04 -0700 Subject: [PATCH 030/110] More build-related changes + exposing more info Combine parent_php_running_builds and parent_ruby_running_gcc into a single parent_scripting_running_builds which handles the general case of some script running some make/compilation related program. Also add some build-related command line prefixes. Allow supervisor-related programs to spawn shells and access sensitive files. Allow sendmail config binaries to write below etc directly (their children already could). Add some directories related to phusion (system-as-a-container). For a few rules add parent programs in the output so it's easier to diagnose the context for an event. Let varnishd spawn shells. --- rules/falco_rules.yaml | 37 ++++++++++++++++++++----------------- 1 file changed, 20 insertions(+), 17 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index c0699111..f9b8464f 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -321,14 +321,15 @@ - macro: parent_java_running_echo condition: (proc.pname=java and proc.cmdline startswith "sh -c echo") -- macro: parent_php_running_builds +- macro: parent_scripting_running_builds condition: > - (proc.pname in (php,php5-fpm) and ( + (proc.pname in (php,php5-fpm,python,ruby,ruby2.3) and ( proc.cmdline startswith "sh -c git" or - proc.cmdline startswith "sh -c date")) - -- macro: parent_ruby_running_gcc - condition: (proc.pname in (ruby,ruby2.3) and proc.cmdline startswith "sh -c gcc") + proc.cmdline startswith "sh -c date" or + proc.cmdline startswith "sh -c /usr/bin/g++" or + proc.cmdline startswith "sh -c /usr/bin/gcc" or + proc.cmdline startswith "sh -c gcc" or + proc.cmdline startswith "sh -c if type gcc")) - macro: parent_nginx_running_serf condition: (proc.pname=nginx and proc.cmdline startswith "sh -c serf") 
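Review bot: Adding `python` to the parent list makes `parent_scripting_running_builds` exempt any Python process, not just build tooling, from `Run shell untrusted` and `Run shell in container` whenever the child command starts with one of the listed prefixes, and those are `startswith` matches so `sh -c git ...; <payload>` still passes. A Python web application executing `sh -c date; curl ...` would now be silent, whereas the previous form only trusted php and ruby parents. If the observed cases are specific Python build scripts, keying on `proc.pcmdline` (the script path) rather than the bare interpreter name, or at least exact-matching the argument-free prefixes (`proc.cmdline = "sh -c date"`), would keep the exemption narrow. A comment stating that the prefixes are deliberately loose would at least make the trade-off visible.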
@@ -366,20 +367,23 @@ and not proc.name in (passwd_binaries, shadowutils_binaries, sysdigcloud_binaries, package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries, dev_creation_binaries, shell_mgmt_binaries, + sendmail_config_binaries, ldconfig.real, ldconfig, confd, gpg, insserv, apparmor_parser, update-mime, tzdata.config, tzdata.postinst, systemd, systemd-machine, systemd-sysuser, debconf-show, rollerd, bind9.postinst, sv, gen_resolvconf., update-ca-certi, certbot, runsv) - and not proc.pname in (sysdigcloud_binaries) - and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d) + and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries) + and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, + /etc/nginx/conf.d, /etc/container_environment) + and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json) and not ansible_running_python and not python_running_denyhosts - rule: Write below etc desc: an attempt to write to any file below /etc, not in a pipe installer session condition: write_etc_common and not proc.sname=fbash - output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)" + output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name)" priority: ERROR tags: [filesystem] @@ -404,7 +408,7 @@ condition: sensitive_files and open_read and server_procs and not proc_is_new and proc.name!="sshd" output: > Sensitive file opened for reading by trusted program after startup (user=%user.name - command=%proc.cmdline file=%fd.name) + command=%proc.cmdline parent=%proc.pname file=%fd.name) priority: WARNING tags: [filesystem] 
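Review bot: `and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries)` exempts every child of a process with one of those names from the write-below-/etc check, regardless of what the child is or which file it writes, and it is a parent-name-only match. Combined with the direct `proc.name` exemption added just above, a shell or any other tool running under a process called `newaliases` can now write anywhere under /etc without an alert. If the intent is the sendmail scripts' own helper children, scoping the parent clause to the files they touch (for example `fd.name startswith /etc/mail`) or to the child names actually observed would keep it narrow — hedged, since the writers are not visible here. A comment recording why the parent-level exemption is needed would be useful either way.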
@@ -515,7 +519,7 @@ init, pluto, mkinitramfs, unattended-upgr, watch, sysdig, landscape-sysin, nessusd, PM2, syslog-summary, erl_child_setup, npm, cloud-init, toybox, ceph, hhvm, certbot, mysql_install_d, - serf, a2enmod + serf, a2enmod, runsv, supervisord, varnishd ] - rule: Run shell untrusted @@ -534,8 +538,7 @@ and not parent_linux_image_upgrade_script and not parent_java_running_jenkins and not parent_java_running_echo - and not parent_php_running_builds - and not parent_ruby_running_gcc + and not parent_scripting_running_builds and not parent_Xvfb_running_xkbcomp and not parent_nginx_running_serf output: > @@ -652,19 +655,19 @@ lxd_binaries, mesos_slave_binaries, aide_wrapper_binaries, nids_binaries, user_known_container_shell_spawn_binaries, monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, - erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm, mysql_install_d, serf) + erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm, mysql_install_d, serf, + runsv, supervisord, varnishd, crond) and not trusted_containers and not shell_spawning_containers and not parent_java_running_echo - and not parent_php_running_builds - and not parent_ruby_running_gcc + and not parent_scripting_running_builds and not parent_Xvfb_running_xkbcomp and not mysql_image_running_healthcheck and not parent_nginx_running_serf and not proc.cmdline in (known_container_shell_spawn_cmdlines) output: > Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image - shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline) + shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline) priority: NOTICE tags: [container, shell] From 0ec46feef21ed5a9bba4336cb6b615481715efa5 Mon Sep 17 00:00:00 2001 
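Review bot: `supervisord` is added to `known_shell_spawn_binaries` here, but the same list already carries `supervisord` on its first line (`nginx, monit, supervisord, dragent, ...`, outside this hunk), so the entry is a duplicate. It is harmless for matching, but it makes the list harder to audit and suggests the addition was not checked against existing entries. Drop it from the new line: `serf, a2enmod, runsv, varnishd`. The separate `supervisord` added to `Run shell in container` in this commit is fine, since that rule does not use this list.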
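Review bot: The parent list in `Run shell in container` now carries `cron` and `crond` as bare names while `Run shell untrusted` excludes cron parents via the `cron_binaries` list (which also holds `anacron`); using the list here keeps the two rules consistent and avoids drift when another cron variant is added: `... initdb, pg_ctl, awk, falco, cron_binaries,`. Separately, replacing `parent=%proc.pname` with `pcmdline=%proc.pcmdline` in the output is fine for triage, but the host-side shell rule prints both fields, so keeping `parent=` alongside `pcmdline=` would let the two outputs be searched the same way.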
From: Mark Stemm Date: Wed, 9 Aug 2017 10:09:33 -0700 Subject: [PATCH 031/110] Make setuid binaries a list Move the misc binaries that are allowed to setuid from the rule to its own list. Makes it easier to add to the list. --- rules/falco_rules.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index f9b8464f..e04b3570 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -181,6 +181,9 @@ - list: userexec_binaries items: [sudo, su] +- list: known_setuid_binaries + items: [sshd, dbus-daemon-lau, ping, ping6, critical-stack-] + - list: user_mgmt_binaries items: [login_binaries, passwd_binaries, shadowutils_binaries] @@ -705,8 +708,7 @@ condition: > evt.type=setuid and evt.dir=> and not user.name=root and not somebody_becoming_themself - and not proc.name in (userexec_binaries, mail_binaries, docker_binaries, - sshd, dbus-daemon-lau, ping, ping6, critical-stack-, Xvfb) + and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries) and not java_running_sdjagent output: > Unexpected setuid call by non-sudo, non-root program (user=%user.name parent=%proc.pname From ef9e045a40f77b951f8c7cf1c0b365cb4b8ee687 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 9 Aug 2017 10:10:41 -0700 Subject: [PATCH 032/110] Add more ancestors Add more ancestors for several rules. Sometimes shells spawn the program reading the sensitive file, etc. --- rules/falco_rules.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index e04b3570..3f2b46a7 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
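Review bot: The removed condition listed `Xvfb` among the allowed setuid callers, but the new `known_setuid_binaries` list is `[sshd, dbus-daemon-lau, ping, ping6, critical-stack-]` and `Xvfb` does not reappear in the replacement, so the commit silently changes behaviour — `Non sudo setuid` will now fire for Xvfb — while the message describes a pure move. If dropping Xvfb is intended, say so in the commit message; otherwise add it to the list: `items: [sshd, dbus-daemon-lau, ping, ping6, critical-stack-, Xvfb]`.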
@@ -411,7 +411,7 @@ condition: sensitive_files and open_read and server_procs and not proc_is_new and proc.name!="sshd" output: > Sensitive file opened for reading by trusted program after startup (user=%user.name - command=%proc.cmdline parent=%proc.pname file=%fd.name) + command=%proc.cmdline parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2] priority: WARNING tags: [filesystem] @@ -727,7 +727,7 @@ not proc.pname in (cron_binaries, systemd, run-parts) output: > User management binary command run outside of container - (user=%user.name command=%proc.cmdline parent=%proc.pname) + (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2]) priority: NOTICE tags: [host, users] From dc44655ec2bac2ee85020982e35aa832f9ae5ed1 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 9 Aug 2017 10:12:03 -0700 Subject: [PATCH 033/110] Change how we detect entrypoints. Move entrypoint detection to its own macro. Also consider something the entrypoint if its parent is runc:[0:PARENT]. There's a race where runc:[0:PARENT] exits in parallel with the root program being execd, so the parent might not exist or might have this name. --- rules/falco_rules.yaml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 3f2b46a7..9033a007 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
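Review bot: The rewritten output line prints `parent=%proc.pname` twice and drops the closing parenthesis that the removed line had after `file=%fd.name`, so the alert now reads `... file=/etc/shadow parent=x gparent=y` with an unbalanced `(`. Suggested line: `command=%proc.cmdline parent=%proc.pname file=%fd.name gparent=%proc.aname[2])`. The second hunk in this commit gets the same addition right, which is probably where this one was meant to be copied from.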
@@ -578,6 +578,17 @@ - macro: sensitive_mount condition: (container.mount.dest[/proc*] != "N/A") +# The steps libcontainer performs to set up the root program for a container are: +# - clone + exec self to a program runc:[0:PARENT] +# - clone a program runc:[1:CHILD] which sets up all the namespaces +# - clone a second program runc:[2:INIT] + exec to the root program. +# The parent of runc:[2:INIT] is runc:0:PARENT] +# As soon as 1:CHILD is created, 0:PARENT exits, so there's a race +# where at the time 2:INIT execs the root program, 0:PARENT might have +# already exited, or might still be around. So we handle both. +- macro: container_entrypoint + condition: (not proc.pname exists or proc.pname=runc:[0:PARENT]) + - rule: Launch Sensitive Mount Container desc: > Detect the initial process started by a container that has a mount from a sensitive host directory @@ -653,7 +664,7 @@ condition: > spawned_process and container and shell_procs - and proc.pname exists + and not container_entrypoint and not proc.pname in (shell_binaries, make_binaries, docker_binaries, k8s_binaries, package_mgmt_binaries, lxd_binaries, mesos_slave_binaries, aide_wrapper_binaries, nids_binaries, user_known_container_shell_spawn_binaries, From 1f008d6c39e2557cabc48cf619f64dd3a339bf70 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 11 Aug 2017 15:40:31 -0700 Subject: [PATCH 034/110] Let needrestart run shells. https://github.com/liske/needrestart --- rules/falco_rules.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 9033a007..5df23e56 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
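Review bot: `container_entrypoint` treats a process as the entrypoint when `proc.pname=runc:[0:PARENT]`, which is a name-only test; a process that sets its own comm to that string (prctl PR_SET_NAME, or exec of a file so named) would have all of its shell children classified as the entrypoint and excluded from `Run shell in container`. Name-based matching is inherent to this rule set, but this macro is a single point where the exemption is broad, so the comment should say so: `# NOTE: name-only match; a process that renames itself to runc:[0:PARENT] also satisfies this.` Also, the comment's line `The parent of runc:[2:INIT] is runc:0:PARENT]` is missing the `[` and should match the other spellings.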
@@ -279,6 +279,10 @@ - list: cron_binaries items: [anacron, cron, crond] +# https://github.com/liske/needrestart +- list: needrestart_binaries + items: [needrestart, 10-dpkg, 20-rpm, 30-pacman] + # System users that should never log into a system. Consider adding your own # service users (e.g. 'apache' or 'mysqld') here. - macro: system_users @@ -533,7 +537,7 @@ and proc.pname exists and not proc.pname in (cron_binaries, shell_binaries, make_binaries, known_shell_spawn_binaries, docker_binaries, k8s_binaries, package_mgmt_binaries, aide_wrapper_binaries, nids_binaries, - monitoring_binaries, gitlab_binaries, mesos_slave_binaries, keepalived_binaries) + monitoring_binaries, gitlab_binaries, mesos_slave_binaries, keepalived_binaries, needrestart_binaries) and not parent_ansible_running_python and not parent_bro_running_python and not parent_python_running_denyhosts @@ -668,6 +672,7 @@ and not proc.pname in (shell_binaries, make_binaries, docker_binaries, k8s_binaries, package_mgmt_binaries, lxd_binaries, mesos_slave_binaries, aide_wrapper_binaries, nids_binaries, user_known_container_shell_spawn_binaries, + needrestart_binaries, monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm, mysql_install_d, serf, runsv, supervisord, varnishd, crond) From 7ff2f6643757c39bbe3013873a6fdce7a1fc5bc2 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 11 Aug 2017 15:41:39 -0700 Subject: [PATCH 035/110] Let node running npm spawn shells. New macro parent_node_running_npm looks for node running npm. Currently only /usr/local/bin/npm, can add additional well-known paths as needed. --- rules/falco_rules.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 5df23e56..0a75338e 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
@@ -338,6 +338,9 @@ proc.cmdline startswith "sh -c gcc" or proc.cmdline startswith "sh -c if type gcc")) +- macro: parent_node_running_npm + condition: proc.pcmdline startswith "node /usr/local/bin/npm" + - macro: parent_nginx_running_serf condition: (proc.pname=nginx and proc.cmdline startswith "sh -c serf") @@ -548,6 +551,7 @@ and not parent_scripting_running_builds and not parent_Xvfb_running_xkbcomp and not parent_nginx_running_serf + and not parent_node_running_npm output: > Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline pcmdline=%proc.pcmdline) @@ -684,6 +688,7 @@ and not mysql_image_running_healthcheck and not parent_nginx_running_serf and not proc.cmdline in (known_container_shell_spawn_cmdlines) + and not parent_node_running_npm output: > Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline) From 71fee6753bb2d96fefbdcb43537e8f8e9ebb8645 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 11 Aug 2017 15:42:44 -0700 Subject: [PATCH 036/110] Let qualys write below /etc --- rules/falco_rules.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 0a75338e..152b31af 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -382,7 +382,8 @@ apparmor_parser, update-mime, tzdata.config, tzdata.postinst, systemd, systemd-machine, systemd-sysuser, debconf-show, rollerd, bind9.postinst, sv, - gen_resolvconf., update-ca-certi, certbot, runsv) + gen_resolvconf., update-ca-certi, certbot, runsv, + qualys-cloud-ag) and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries) and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment) From 84b3543cc087407b11d1f82cd857e29cab64a103 Mon Sep 17 00:00:00 2001 
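Review bot: `parent_node_running_npm` is the only macro in this group whose condition is not wrapped in parentheses (`proc.pcmdline startswith "node /usr/local/bin/npm"`), while its neighbours such as `parent_nginx_running_serf` use `(...)`; wrapping it keeps the macro safe to combine in larger `and`/`or` expressions and matches the file's style: `condition: (proc.pcmdline startswith "node /usr/local/bin/npm")`. The commit message notes that only `/usr/local/bin/npm` is covered; a one-line comment on the macro saying the same would keep that caveat next to the code.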
From: Mark Stemm Date: Fri, 11 Aug 2017 15:43:08 -0700 Subject: [PATCH 037/110] Let logrotate spawn shells in containers. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 152b31af..96120508 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -680,7 +680,7 @@ needrestart_binaries, monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm, mysql_install_d, serf, - runsv, supervisord, varnishd, crond) + runsv, supervisord, varnishd, crond, logrotate) and not trusted_containers and not shell_spawning_containers and not parent_java_running_echo From 97918814449547e6f56e4b4be7dacc19d9b26871 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 16 Aug 2017 11:06:12 -0700 Subject: [PATCH 038/110] Let mesos-slave, phusion passenger spawn shells We already covered mesos-agent, the new name for mesos-slave. --- rules/falco_rules.yaml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 96120508..53df908d 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -134,7 +134,10 @@ # Utility/etc programs known to run on mesos slaves. Truncation # intentional. - list: mesos_slave_binaries - items: [mesos-health-ch, mesos-docker-ex, mesos-agent, mesos-logrotate, mesos-fetcher, mesos-executor, 3dt] + items: [mesos-health-ch, mesos-docker-ex, mesos-agent, mesos-slave, mesos-logrotate, mesos-fetcher, mesos-executor, 3dt] + +- list: phusion_passenger_binaries + items: [PassengerAgent] - list: http_server_binaries items: [nginx, httpd, httpd-foregroun, lighttpd] 
@@ -541,7 +544,9 @@ and proc.pname exists and not proc.pname in (cron_binaries, shell_binaries, make_binaries, known_shell_spawn_binaries, docker_binaries, k8s_binaries, package_mgmt_binaries, aide_wrapper_binaries, nids_binaries, - monitoring_binaries, gitlab_binaries, mesos_slave_binaries, keepalived_binaries, needrestart_binaries) + monitoring_binaries, gitlab_binaries, mesos_slave_binaries, + keepalived_binaries, + needrestart_binaries, phusion_passenger_binaries) and not parent_ansible_running_python and not parent_bro_running_python and not parent_python_running_denyhosts @@ -678,6 +683,7 @@ lxd_binaries, mesos_slave_binaries, aide_wrapper_binaries, nids_binaries, user_known_container_shell_spawn_binaries, needrestart_binaries, + phusion_passenger_binaries, monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm, mysql_install_d, serf, runsv, supervisord, varnishd, crond, logrotate) From cb7dab61e8d309ad064befd6ddbba948aea8e9cb Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Mon, 21 Aug 2017 17:18:55 -0700 Subject: [PATCH 039/110] Let chef binaries run shells. --- rules/falco_rules.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 53df908d..9895c43f 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -139,6 +139,9 @@ - list: phusion_passenger_binaries items: [PassengerAgent] +- list: chef_binaries + items: [chef-client] + - list: http_server_binaries items: [nginx, httpd, httpd-foregroun, lighttpd] 
@@ -546,7 +549,7 @@ k8s_binaries, package_mgmt_binaries, aide_wrapper_binaries, nids_binaries, monitoring_binaries, gitlab_binaries, mesos_slave_binaries, keepalived_binaries, - needrestart_binaries, phusion_passenger_binaries) + needrestart_binaries, phusion_passenger_binaries, chef_binaries) and not parent_ansible_running_python and not parent_bro_running_python and not parent_python_running_denyhosts @@ -684,6 +687,7 @@ user_known_container_shell_spawn_binaries, needrestart_binaries, phusion_passenger_binaries, + chef_binaries, monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm, mysql_install_d, serf, runsv, supervisord, varnishd, crond, logrotate) From 12de2e4119975553319d8c3bddfe8210b291785b Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Mon, 21 Aug 2017 17:30:27 -0700 Subject: [PATCH 040/110] Make safe etc directories a list. This way it can more easily be modified/added to. --- rules/falco_rules.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 9895c43f..10fff3f3 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -377,6 +377,9 @@ priority: ERROR tags: [filesystem] +- list: safe_etc_dirs + items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment] + - macro: write_etc_common condition: > etc_dir and evt.dir = < and open_write @@ -391,8 +394,7 @@ gen_resolvconf., update-ca-certi, certbot, runsv, qualys-cloud-ag) and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries) - and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, - /etc/nginx/conf.d, /etc/container_environment) + and not fd.directory in (safe_etc_dirs) and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json) and not ansible_running_python and not python_running_denyhosts 
From 689c02666f9bca5975412e7104a32c49ded3fe59 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 22 Aug 2017 14:05:21 -0700 Subject: [PATCH 041/110] Allow innocuous user management commands Allow innocuous user management command lines like "passwd -S" (show status for account). --- rules/falco_rules.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 10fff3f3..a44d7142 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -755,10 +755,12 @@ activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded. Activity in containers is also excluded--some containers create custom users on top of a base linux distribution at startup. + Some innocuous commandlines that don't actually change anything are excluded. condition: > spawned_process and proc.name in (user_mgmt_binaries) and not proc.name in (su, sudo) and not container and - not proc.pname in (cron_binaries, systemd, run-parts) + not proc.pname in (cron_binaries, systemd, run-parts) and + not proc.cmdline startswith "passwd -S" output: > User management binary command run outside of container (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2]) From 32027049503a51c7ce08d21ecbc4a16b0021de17 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 22 Aug 2017 14:07:54 -0700 Subject: [PATCH 042/110] Add more logging on process ancestors. Try to find the root process that might be spawning shells/reading sensitive files. --- rules/falco_rules.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index a44d7142..c5e60d58 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
@@ -451,7 +451,7 @@ and not proc.cmdline contains /usr/bin/mandb output: > Sensitive file opened for reading by non-trusted program (user=%user.name name=%proc.name - command=%proc.cmdline file=%fd.name) + command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2]) priority: WARNING tags: [filesystem] @@ -763,7 +763,7 @@ not proc.cmdline startswith "passwd -S" output: > User management binary command run outside of container - (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2]) + (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3]) priority: NOTICE tags: [host, users] From e88c9ec8e34ccdf784b874aba4dde1a93bd11b6a Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 22 Aug 2017 14:15:44 -0700 Subject: [PATCH 043/110] Add more shell spawners. awslogs, authconfig --- rules/falco_rules.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index c5e60d58..7e8fe0e0 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -531,14 +531,14 @@ - list: known_shell_spawn_binaries items: [ sshd, sudo, su, tmux, screen, emacs, systemd, login, flock, fbash, - nginx, monit, supervisord, dragent, aws, initdb, docker-compose, + nginx, monit, supervisord, dragent, aws, awslogs, initdb, docker-compose, configure, awk, falco, fail2ban-server, fleetctl, logrotate, ansible, less, adduser, pycompile, py3compile, pyclean, py3clean, pip, pip2, ansible-playboo, man-db, init, pluto, mkinitramfs, unattended-upgr, watch, sysdig, landscape-sysin, nessusd, PM2, syslog-summary, erl_child_setup, npm, cloud-init, toybox, ceph, hhvm, certbot, mysql_install_d, - serf, a2enmod, runsv, supervisord, varnishd + serf, a2enmod, runsv, supervisord, varnishd, authconfig ] - rule: Run shell untrusted From fbfd540ad23beab73ed68bb667778695a8968822 Mon Sep 17 00:00:00 2001 
From: Mark Stemm Date: Tue, 22 Aug 2017 14:18:32 -0700 Subject: [PATCH 044/110] More user management exclusions. Exclude lastlog and useradd -D as they don't change anything. --- rules/falco_rules.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 7e8fe0e0..75f7bf5e 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -758,9 +758,10 @@ Some innocuous commandlines that don't actually change anything are excluded. condition: > spawned_process and proc.name in (user_mgmt_binaries) and - not proc.name in (su, sudo) and not container and + not proc.name in (su, sudo, lastlog) and not container and not proc.pname in (cron_binaries, systemd, run-parts) and - not proc.cmdline startswith "passwd -S" + not proc.cmdline startswith "passwd -S" and + not proc.cmdline startswith "useradd -D" output: > User management binary command run outside of container (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3]) From 75a44a67f94f9e0c419a403140e7d578b520c59f Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 22 Aug 2017 14:24:18 -0700 Subject: [PATCH 045/110] Use pmatch instead of fd.directory Use pmatch, which compares a file against a set of prefix paths, instead of fd.directory. This allows the directories in safe_etc_dirs to be a prefix of a file instead of just the directory containing a file. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 75f7bf5e..75d39d57 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
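Review bot: `not proc.cmdline startswith "useradd -D"` exempts more than the read-only case: `useradd -D` followed by `-b`, `-e`, `-f`, `-g` or `-s` rewrites the defaults in `/etc/default/useradd`, so `useradd -D -s /bin/bash` would also be silenced although it changes the system. Since the innocuous form takes no further arguments, an exact comparison is the right shape: `not proc.cmdline = "useradd -D"`. `passwd -S` on the previous line can stay a prefix, since it legitimately takes a user name or `-a`.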
@@ -394,7 +394,7 @@ gen_resolvconf., update-ca-certi, certbot, runsv, qualys-cloud-ag) and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries) - and not fd.directory in (safe_etc_dirs) + and not fd.name pmatch (safe_etc_dirs) and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json) and not ansible_running_python and not python_running_denyhosts From 57c1b33562d5ff00769af64bd669178c60b1889d Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 23 Aug 2017 16:31:40 -0700 Subject: [PATCH 046/110] Let /etc/locale.gen be written /etc/locale.gen isn't super critical, so let it be written. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 75d39d57..1b78a3b4 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -395,7 +395,7 @@ qualys-cloud-ag) and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries) and not fd.name pmatch (safe_etc_dirs) - and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json) + and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/local.gen) and not ansible_running_python and not python_running_denyhosts From 4efda9cb97967a9a45d23c7f187e24387ca816d7 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 23 Aug 2017 16:32:22 -0700 Subject: [PATCH 047/110] Add nomachine binaries. Add a list of nomachine binaries and let them spawn shells, setuid, and access sensitive files. --- rules/falco_rules.yaml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 1b78a3b4..1c368d38 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -205,6 +205,9 @@ - list: vpn_binaries items: [openvpn] +- list: nomachine_binaries + items: [nxexec, nxnode.bin] + - list: nids_binaries items: [bro, broctl] 
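Review bot: The added exemption names `/etc/local.gen`, but the commit message (and the conventional path the locales package writes) is `/etc/locale.gen`, so this entry never matches and `Write below etc` keeps firing for the case it was meant to silence. Fix the spelling: `and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/locale.gen)`. Pairing the program with the file (`proc.name=locales.postins and fd.name=/etc/locale.gen`) would also be narrower than exempting the file for every writer.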
@@ -445,7 +448,7 @@ sensitive_files and open_read and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries, cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries, - vpn_binaries, sendmail_config_binaries) + vpn_binaries, sendmail_config_binaries, nomachine_binaries) and not cmp_cp_by_passwd and not ansible_running_python and not proc.cmdline contains /usr/bin/mandb @@ -551,7 +554,7 @@ k8s_binaries, package_mgmt_binaries, aide_wrapper_binaries, nids_binaries, monitoring_binaries, gitlab_binaries, mesos_slave_binaries, keepalived_binaries, - needrestart_binaries, phusion_passenger_binaries, chef_binaries) + needrestart_binaries, phusion_passenger_binaries, chef_binaries, nomachine_binaries) and not parent_ansible_running_python and not parent_bro_running_python and not parent_python_running_denyhosts @@ -690,6 +693,7 @@ needrestart_binaries, phusion_passenger_binaries, chef_binaries, + nomachine_binaries, monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm, mysql_install_d, serf, runsv, supervisord, varnishd, crond, logrotate) @@ -742,7 +746,7 @@ condition: > evt.type=setuid and evt.dir=> and not user.name=root and not somebody_becoming_themself - and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries) + and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries, nomachine_binaries) and not java_running_sdjagent output: > Unexpected setuid call by non-sudo, non-root program (user=%user.name parent=%proc.pname From 8e46db05c69f786e468019bf6487d8b67d753978 Mon Sep 17 00:00:00 2001 
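Review bot: The `Non sudo setuid` condition is extended inline with `nomachine_binaries`, although an earlier commit in this series moved the ad-hoc setuid allowlist into `known_setuid_binaries` precisely so that additions go into the list rather than the rule; adding `nxexec, nxnode.bin` to that list keeps one place to audit. Beyond style, this commit exempts the same two names from four rules at once (sensitive-file reads, shell spawning on the host and in containers, and setuid), all by `proc.name` alone. Since NoMachine brokers remote logins, a short comment on the list recording that this is a full trust grant for anything bearing those names would help reviewers.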
From: Mark Stemm Date: Wed, 23 Aug 2017 16:37:38 -0700 Subject: [PATCH 048/110] More specific control of some /etc files Add more specific controls of files below /etc, allowing specific combinations of programs and files: - start-fluentd can write to /etc/fluent/fluent.conf - locales.postins can write to /etc/locale.gen --- rules/falco_rules.yaml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 1c368d38..a7bd4cfd 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -383,6 +383,12 @@ - list: safe_etc_dirs items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment] +- macro: fluentd_writing_fluentd_conf + condition: (proc.name=start-fluentd and fd.name=/etc/fluent/fluent.conf) + +- macro: locales_postinst_writing_locale_gen + condition: (proc.name=locales.postins and fd.name=/etc/locale.gen) + - macro: write_etc_common condition: > etc_dir and evt.dir = < and open_write @@ -398,9 +404,11 @@ qualys-cloud-ag) and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries) and not fd.name pmatch (safe_etc_dirs) - and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/local.gen) + and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json) and not ansible_running_python and not python_running_denyhosts + and not fluentd_writing_fluentd_conf + and not locales_postinst_writing_locale_gen - rule: Write below etc desc: an attempt to write to any file below /etc, not in a pipe installer session From aaa294abd1643f19037d30bcfb580cd271574595 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 23 Aug 2017 16:45:44 -0700 Subject: [PATCH 049/110] Add additional build-like shells This time node running git commands. --- rules/falco_rules.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index a7bd4cfd..8c0dc0f2 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -339,13 +339,14 @@ - macro: parent_scripting_running_builds condition: > - (proc.pname in (php,php5-fpm,python,ruby,ruby2.3) and ( + (proc.pname in (php,php5-fpm,python,ruby,ruby2.3,node) and ( proc.cmdline startswith "sh -c git" or proc.cmdline startswith "sh -c date" or proc.cmdline startswith "sh -c /usr/bin/g++" or proc.cmdline startswith "sh -c /usr/bin/gcc" or proc.cmdline startswith "sh -c gcc" or - proc.cmdline startswith "sh -c if type gcc")) + proc.cmdline startswith "sh -c if type gcc" or + proc.cmdline startswith "sh -c cd '/var/www/edi/';LC_ALL=en_US.UTF-8 git")) - macro: parent_node_running_npm condition: proc.pcmdline startswith "node /usr/local/bin/npm" From d21fb408d465362c21715c80425ee456e6edbc96 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 23 Aug 2017 16:46:10 -0700 Subject: [PATCH 050/110] Let locales.postins write below /etc locales.postins also writes intermediate files below /etc/, so just let it write generally. --- rules/falco_rules.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 8c0dc0f2..1e0fe70d 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -387,9 +387,6 @@ - macro: fluentd_writing_fluentd_conf condition: (proc.name=start-fluentd and fd.name=/etc/fluent/fluent.conf) -- macro: locales_postinst_writing_locale_gen - condition: (proc.name=locales.postins and fd.name=/etc/locale.gen) - - macro: write_etc_common condition: > etc_dir and evt.dir = < and open_write 
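Review bot: The new prefix `sh -c cd '/var/www/edi/';LC_ALL=en_US.UTF-8 git` hard-codes a site-specific deployment path into the shipped default rules, which no other installation will match and which advertises one operator's directory layout; the generic `sh -c git` entry already covers build use. If it must stay, the user-overridable list convention used elsewhere in this rule set (`user_known_container_shell_spawn_binaries`) is the place for it, or the command should be matched on its generic part only. Worth noting in a comment that all of these are `startswith` prefixes, so `;`-chained commands after the prefix are not inspected.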
@@ -402,14 +399,13 @@ systemd, systemd-machine, systemd-sysuser, debconf-show, rollerd, bind9.postinst, sv, gen_resolvconf., update-ca-certi, certbot, runsv, - qualys-cloud-ag) + qualys-cloud-ag, locales.postins) and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries) and not fd.name pmatch (safe_etc_dirs) and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json) and not ansible_running_python and not python_running_denyhosts and not fluentd_writing_fluentd_conf - and not locales_postinst_writing_locale_gen - rule: Write below etc desc: an attempt to write to any file below /etc, not in a pipe installer session From 608d4e234f2c46808a0e6d59aa240d7d6a5ef7fa Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 23 Aug 2017 16:50:32 -0700 Subject: [PATCH 051/110] Let tini spawn shells https://github.com/krallin/tini --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 1e0fe70d..38cd464e 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -546,7 +546,7 @@ init, pluto, mkinitramfs, unattended-upgr, watch, sysdig, landscape-sysin, nessusd, PM2, syslog-summary, erl_child_setup, npm, cloud-init, toybox, ceph, hhvm, certbot, mysql_install_d, - serf, a2enmod, runsv, supervisord, varnishd, authconfig + serf, a2enmod, runsv, supervisord, varnishd, authconfig, tini ] - rule: Run shell untrusted From ac7032552251f477d32dd5dd7aced21393b565da Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 23 Aug 2017 16:50:58 -0700 Subject: [PATCH 052/110] Add more debugging for shells Used to track down deeper chains of shells for things like ansible, chef. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 38cd464e..a95a00e5 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
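Review bot: Replacing the `locales_postinst_writing_locale_gen` macro with a bare `locales.postins` entry in the `proc.name in (...)` list drops the file constraint entirely, so the program may now write any path below /etc rather than `/etc/locale.gen` and the intermediate files the description mentions. A macro that keeps a path constraint would preserve the original intent, e.g. `condition: (proc.name=locales.postins and fd.name startswith /etc/locale)`, with the prefix adjusted to wherever the intermediate files actually land (not shown here). The same widening happens for `nomachine_binaries` in PATCH 054 and, via `proc.pname`, for `hddtemp.postins` in PATCH 069.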
@@ -573,7 +573,7 @@ and not parent_node_running_npm output: > Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname - cmdline=%proc.cmdline pcmdline=%proc.pcmdline) + cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3]) priority: DEBUG tags: [host, shell] From bf1f2cb2fd5d42b84198703b0709eed885d3fb9c Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 24 Aug 2017 08:56:26 -0700 Subject: [PATCH 053/110] Let coreos update_engine write below dev. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index a95a00e5..5f050bd3 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -194,7 +194,7 @@ items: [login_binaries, passwd_binaries, shadowutils_binaries] - list: dev_creation_binaries - items: [blkid, rename_device] + items: [blkid, rename_device, update_engine] - list: aide_wrapper_binaries items: [aide.wrapper, update-aide.con] From 6be38a323711688bd84ca0b8464e2b86ac7493cb Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 24 Aug 2017 08:57:00 -0700 Subject: [PATCH 054/110] Add more nomachine binaries. Also let nomachine binaries write below /etc. --- rules/falco_rules.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 5f050bd3..80fd7c42 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -206,7 +206,7 @@ items: [openvpn] - list: nomachine_binaries - items: [nxexec, nxnode.bin] + items: [nxexec, nxnode.bin, nxserver.bin, nxclient.bin] - list: nids_binaries items: [bro, broctl] 
@@ -399,7 +399,7 @@ systemd, systemd-machine, systemd-sysuser, debconf-show, rollerd, bind9.postinst, sv, gen_resolvconf., update-ca-certi, certbot, runsv, - qualys-cloud-ag, locales.postins) + qualys-cloud-ag, locales.postins, nomachine_binaries) and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries) and not fd.name pmatch (safe_etc_dirs) and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json) From ca9e1ebfefc1278392649f1b499b39b8b96a67f0 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 24 Aug 2017 08:57:26 -0700 Subject: [PATCH 055/110] Add x2go programs They can spawn shells in and out of containers. --- rules/falco_rules.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 80fd7c42..17876ee6 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -546,7 +546,8 @@ init, pluto, mkinitramfs, unattended-upgr, watch, sysdig, landscape-sysin, nessusd, PM2, syslog-summary, erl_child_setup, npm, cloud-init, toybox, ceph, hhvm, certbot, mysql_install_d, - serf, a2enmod, runsv, supervisord, varnishd, authconfig, tini + serf, a2enmod, runsv, supervisord, varnishd, authconfig, tini, + x2goagent ] - rule: Run shell untrusted @@ -701,7 +702,7 @@ nomachine_binaries, monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm, mysql_install_d, serf, - runsv, supervisord, varnishd, crond, logrotate) + runsv, supervisord, varnishd, crond, logrotate, x2goagent) and not trusted_containers and not shell_spawning_containers and not parent_java_running_echo From 1cdacc1494f68507bc00c8d8fe83a575e1af6fa5 Mon Sep 17 00:00:00 2001 
From: Mark Stemm Date: Thu, 24 Aug 2017 08:58:09 -0700 Subject: [PATCH 056/110] Add macro to easily augment shell rule Add a macro user_shell_container_exclusions that allows a second rules file to easily extend the shelll in container rule without overriding the entire rule. Also add an exclusion node_running_edi_dynamodb which can be used for that macro. --- rules/falco_rules.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 17876ee6..5c8bec46 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -687,6 +687,17 @@ - list: user_known_container_shell_spawn_binaries items: [] +# This macro allows for easy additions to the set of commands allowed +# to run shells in containers without having to override the entire +# rule. Its default value is an expression that always is false, which +# becomes true when the "not ..." in the rule is applied. +- macro: user_shell_container_exclusions + condition: (evt.num=0) + +# Temporarily adding as an example +- macro: node_running_edi_dynamodb + condition: proc.pname=node and proc.pcmdline contains /var/www/edi/process.js + - rule: Run shell in container desc: a shell was spawned by a non-shell program in a container. Container entrypoints are excluded. condition: > @@ -712,6 +723,8 @@ and not parent_nginx_running_serf and not proc.cmdline in (known_container_shell_spawn_cmdlines) and not parent_node_running_npm + and not user_shell_container_exclusions + and not node_running_edi_dynamodb output: > Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline) From 70e49161b1c2dc713cbabbeb98a91a6e45fb7a7f Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 24 Aug 2017 08:59:33 -0700 Subject: [PATCH 057/110] Let pkt-agent become themself. --- rules/falco_rules.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
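Review bot: `node_running_edi_dynamodb` is wired directly into the `Run shell in container` condition as `and not node_running_edi_dynamodb`, even though this commit introduces `user_shell_container_exclusions` precisely so that such exclusions can live in a separate rules file; the example therefore bypasses the mechanism it is meant to illustrate. Dropping that line from the rule and, in the override file, defining `- macro: user_shell_container_exclusions` with `condition: node_running_edi_dynamodb` would demonstrate the intended usage. The `proc.pcmdline contains /var/www/edi/process.js` test is also deployment-specific, which is a further reason to keep it out of the base rules.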
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 5c8bec46..ad6bd5cd 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -755,7 +755,8 @@ condition: ((user.name=nobody and evt.arg.uid=nobody) or (user.name=www-data and evt.arg.uid=www-data) or (user.name=_apt and evt.arg.uid=_apt) or - (user.name=postfix and evt.arg.uid=postfix)) + (user.name=postfix and evt.arg.uid=postfix) or + (user.name=pki-agent and evt.arg.uid=pki-agent)) # sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs - rule: Non sudo setuid From ac82dd4b546483cfa4d545a1cfdb21b53c974b63 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 24 Aug 2017 10:08:29 -0700 Subject: [PATCH 058/110] Let timeout run shells. --- rules/falco_rules.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index ad6bd5cd..51edfbc5 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -547,7 +547,7 @@ landscape-sysin, nessusd, PM2, syslog-summary, erl_child_setup, npm, cloud-init, toybox, ceph, hhvm, certbot, mysql_install_d, serf, a2enmod, runsv, supervisord, varnishd, authconfig, tini, - x2goagent + x2goagent, timeout ] - rule: Run shell untrusted @@ -713,7 +713,7 @@ nomachine_binaries, monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm, mysql_install_d, serf, - runsv, supervisord, varnishd, crond, logrotate, x2goagent) + runsv, supervisord, varnishd, crond, logrotate, x2goagent, timeout) and not trusted_containers and not shell_spawning_containers and not parent_java_running_echo From 64a014c356f6a15f4f8e722027abfd96edee07b3 Mon Sep 17 00:00:00 2001 
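Review bot: Adding `timeout` to the trusted-parent lists of both `Run shell untrusted` and `Run shell in container` excludes any shell whose immediate parent is `timeout`, regardless of what launched `timeout` itself; unlike most entries in these lists, `timeout` is presumably the general-purpose command wrapper rather than a specific service, so the parent check carries little information once it is allowed. Constraining on the grandparent, as `run_by_qualys` does with `proc.aname[2]`, or on the parent command line, as `parent_java_running_sbt` does with `proc.pcmdline`, would keep the exclusion tied to the workload that needs it. If that workload is not known, a comment recording what was observed launching `timeout` would at least make the entry reviewable later.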
From: Mark Stemm Date: Thu, 24 Aug 2017 10:09:12 -0700 Subject: [PATCH 059/110] Look for qualys at various places in the heirarchy Qualys seems to run a variety of shell subprocesses, at various levels. Add a macro run_by_qualys that checks at a few levels without the cost of a full proc.aname, which traverses the full parent heirarchy. --- rules/falco_rules.yaml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 51edfbc5..8b39ae22 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -360,6 +360,12 @@ - macro: mysql_image_running_healthcheck condition: container.image=mysql and proc.cmdline="sh -c /healthcheck.sh" +# Qualys seems to run a variety of shell subprocesses, at various +# levels. This checks at a few levels without the cost of a full +# proc.aname, which traverses the full parent heirarchy. +- macro: run_by_qualys + condition: (proc.pname=qualys-cloud-ag or proc.aname[2]=qualys-cloud-ag or proc.aname[3]=qualys-cloud-ag) + # As a part of kernel upgrades, dpkg will spawn a perl script with the # name linux-image-N.N. This macro matches that. - macro: parent_linux_image_upgrade_script @@ -435,7 +441,7 @@ condition: sensitive_files and open_read and server_procs and not proc_is_new and proc.name!="sshd" output: > Sensitive file opened for reading by trusted program after startup (user=%user.name - command=%proc.cmdline parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2] + command=%proc.cmdline parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2]) priority: WARNING tags: [filesystem] 
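Review bot: The second hunk fixes an unbalanced parenthesis in the `Sensitive file opened for reading by trusted program` output (`gparent=%proc.aname[2]` becomes `gparent=%proc.aname[2])`), which is unrelated to the Qualys change and not mentioned in the description; anyone tracing output-format changes would not find it under this subject. On the first hunk, `run_by_qualys` excludes everything at ancestry depths 1–3 below `qualys-cloud-ag`, so it covers whatever those subprocesses run, not only the agent's own reads; that matches the macro's comment, but the comment could say explicitly that the exclusion is by ancestry rather than by program.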
@@ -457,9 +463,10 @@ and not cmp_cp_by_passwd and not ansible_running_python and not proc.cmdline contains /usr/bin/mandb + and not run_by_qualys output: > Sensitive file opened for reading by non-trusted program (user=%user.name name=%proc.name - command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2]) + command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3]) priority: WARNING tags: [filesystem] From 4e7fcf3f88809747734831a736dbc16aa3ecc515 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 24 Aug 2017 10:22:27 -0700 Subject: [PATCH 060/110] Let java running sbt spawn shells New macro parent_java_running_sbt looks for java running sbt code (https://github.com/sbt/sbt), and use that macro to allow shells. --- rules/falco_rules.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 8b39ae22..6cc93508 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -337,6 +337,9 @@ - macro: parent_java_running_echo condition: (proc.pname=java and proc.cmdline startswith "sh -c echo") +- macro: parent_java_running_sbt + condition: (proc.pname=java and proc.pcmdline contains sbt-launch.jar) + - macro: parent_scripting_running_builds condition: > (proc.pname in (php,php5-fpm,python,ruby,ruby2.3,node) and ( @@ -579,6 +582,7 @@ and not parent_Xvfb_running_xkbcomp and not parent_nginx_running_serf and not parent_node_running_npm + and not parent_java_running_sbt output: > Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3]) From 42167e53cc8c31ce34c9f1ff3f9262f0bb73633e Mon Sep 17 00:00:00 2001 
From: Mark Stemm Date: Thu, 24 Aug 2017 10:23:31 -0700 Subject: [PATCH 061/110] Let chef write below etc. New macro run_by_chef is similar to run_by_qualys in that it looks in various places in the process heirarchy. Use that macro to allow writes below etc. Will probably add in more places soon. --- rules/falco_rules.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 6cc93508..b5361e33 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -369,6 +369,10 @@ - macro: run_by_qualys condition: (proc.pname=qualys-cloud-ag or proc.aname[2]=qualys-cloud-ag or proc.aname[3]=qualys-cloud-ag) +# Chef is similar. +- macro: run_by_chef + condition: (proc.aname[2]=chef_command_wr or proc.aname[3]=chef_command_wr) + # As a part of kernel upgrades, dpkg will spawn a perl script with the # name linux-image-N.N. This macro matches that. - macro: parent_linux_image_upgrade_script @@ -583,6 +587,7 @@ and not parent_nginx_running_serf and not parent_node_running_npm and not parent_java_running_sbt + and not run_by_chef output: > Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3]) @@ -738,7 +743,7 @@ and not node_running_edi_dynamodb output: > Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image - shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline) + shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3]) priority: NOTICE tags: [container, shell] From 46f993fa4096098cae98a9d06d33fdb6fc2ffc77 Mon Sep 17 00:00:00 2001 
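Review bot: The description says `run_by_chef` is used to allow writes below /etc, but the hunk at `@@ -583,6 +587,7 @@` adds `and not run_by_chef` to the `Run shell untrusted` rule (its output is `Shell spawned by untrusted binary`), and `write_etc_common` is not touched in this commit. Either the description or the placement is wrong: if the shell rule was intended, the subject should say so; if /etc writes were intended, the line belongs in `write_etc_common` next to `and not fluentd_writing_fluentd_conf`. The third hunk also extends the container shell output with `parent`, `gparent` and `ggparent` fields, which is unrelated to chef and unmentioned.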
From: Mark Stemm Date: Thu, 24 Aug 2017 10:25:34 -0700 Subject: [PATCH 062/110] Let fluentd write multiple files Rename fluentd_writing_fluentd_conf to fluentd_writing_conf_files and add additional files that it can modify below /etc. --- rules/falco_rules.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index b5361e33..bb1aa7cb 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -397,8 +397,8 @@ - list: safe_etc_dirs items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment] -- macro: fluentd_writing_fluentd_conf - condition: (proc.name=start-fluentd and fd.name=/etc/fluent/fluent.conf) +- macro: fluentd_writing_conf_files + condition: (proc.name=start-fluentd and fd.name in (/etc/fluent/fluent.conf, /etc/td-agent/td-agent.conf)) - macro: write_etc_common condition: > @@ -418,7 +418,7 @@ and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json) and not ansible_running_python and not python_running_denyhosts - and not fluentd_writing_fluentd_conf + and not fluentd_writing_conf_files - rule: Write below etc desc: an attempt to write to any file below /etc, not in a pipe installer session From 68cca84ba69f3ae1ea4de9d0bf020a2fd5e72e8b Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 24 Aug 2017 10:26:13 -0700 Subject: [PATCH 063/110] Also let tini spawn shells in containers. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index bb1aa7cb..108ff2df 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
@@ -729,7 +729,7 @@ nomachine_binaries, monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm, mysql_install_d, serf, - runsv, supervisord, varnishd, crond, logrotate, x2goagent, timeout) + runsv, supervisord, varnishd, crond, logrotate, x2goagent, timeout, tini) and not trusted_containers and not shell_spawning_containers and not parent_java_running_echo From 151d1e67c594db415f94005ba0ba4315bf483877 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 24 Aug 2017 14:11:01 -0700 Subject: [PATCH 064/110] Add an additional scripting-running-command combo Add an additional combination of scripting language like php/python/etc + a specific command line to parent_scripting_running_builds. --- rules/falco_rules.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 108ff2df..f46c41b5 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
@@ -340,16 +340,19 @@ - macro: parent_java_running_sbt condition: (proc.pname=java and proc.pcmdline contains sbt-launch.jar) +# The crxlsx is a bit different than the other build-like things, but +# close enough to add here rather than create a separate macro. - macro: parent_scripting_running_builds condition: > - (proc.pname in (php,php5-fpm,python,ruby,ruby2.3,node) and ( + (proc.pname in (php,php5-fpm,php-fpm7.1,python,ruby,ruby2.3,node) and ( proc.cmdline startswith "sh -c git" or proc.cmdline startswith "sh -c date" or proc.cmdline startswith "sh -c /usr/bin/g++" or proc.cmdline startswith "sh -c /usr/bin/gcc" or proc.cmdline startswith "sh -c gcc" or proc.cmdline startswith "sh -c if type gcc" or - proc.cmdline startswith "sh -c cd '/var/www/edi/';LC_ALL=en_US.UTF-8 git")) + proc.cmdline startswith "sh -c cd '/var/www/edi/';LC_ALL=en_US.UTF-8 git" or + proc.cmdline startswith "sh -c /usr/src/app/crxlsx/bin/linux/crxlsx")) - macro: parent_node_running_npm condition: proc.pcmdline startswith "node /usr/local/bin/npm" From 548790c6638d35100cf91ea98ec92e1c3e35f303 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 24 Aug 2017 14:12:18 -0700 Subject: [PATCH 065/110] Add more run by macros for h2o/Passenger Add more run_by_xxx macros for h2o/phusion passenger. Handles cases where the ancestor has a name, but the direct parent is a general scripting language like ruby/perl/etc. --- rules/falco_rules.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index f46c41b5..9e975edf 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
@@ -376,6 +376,12 @@ - macro: run_by_chef condition: (proc.aname[2]=chef_command_wr or proc.aname[3]=chef_command_wr) +- macro: run_by_h2o + condition: (proc.pname=perl and proc.aname[2]=h2o) + +- macro: run_by_passenger_agent + condition: (proc.pname=ruby and proc.aname[2]=PassengerAgent) + # As a part of kernel upgrades, dpkg will spawn a perl script with the # name linux-image-N.N. This macro matches that. - macro: parent_linux_image_upgrade_script @@ -744,6 +750,8 @@ and not parent_node_running_npm and not user_shell_container_exclusions and not node_running_edi_dynamodb + and not run_by_h2o + and not run_by_passenger_agent output: > Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3]) From b0cf038e1d1599041711c1738d921701202de2d7 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 24 Aug 2017 14:13:37 -0700 Subject: [PATCH 066/110] Another uid to same uid case. pki-acme. --- rules/falco_rules.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 9e975edf..253c7458 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -783,7 +783,8 @@ (user.name=www-data and evt.arg.uid=www-data) or (user.name=_apt and evt.arg.uid=_apt) or (user.name=postfix and evt.arg.uid=postfix) or - (user.name=pki-agent and evt.arg.uid=pki-agent)) + (user.name=pki-agent and evt.arg.uid=pki-agent) or + (user.name=pki-acme and evt.arg.uid=pki-acme)) # sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs - rule: Non sudo setuid From 6aa2373acd7d936047aabf079df280b52747d46c Mon Sep 17 00:00:00 2001 
From: Mark Stemm Date: Thu, 24 Aug 2017 14:14:11 -0700 Subject: [PATCH 067/110] More x-related shell spawners Add additional x-related shell spawning programs. --- rules/falco_rules.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 253c7458..15d32bdc 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -738,7 +738,8 @@ nomachine_binaries, monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm, mysql_install_d, serf, - runsv, supervisord, varnishd, crond, logrotate, x2goagent, timeout, tini) + runsv, supervisord, varnishd, crond, logrotate, x2goagent, timeout, tini, + xrdb, xfce4-session) and not trusted_containers and not shell_spawning_containers and not parent_java_running_echo From ee025718898dbcdf40aba2df0e33bc5f3ce9fdec Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 25 Aug 2017 07:47:53 -0700 Subject: [PATCH 068/110] Add x2go binaries as a list Moving the first program x2goagent into the list. --- rules/falco_rules.yaml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 15d32bdc..2a1cd0a2 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -208,6 +208,9 @@ - list: nomachine_binaries items: [nxexec, nxnode.bin, nxserver.bin, nxclient.bin] +- list: x2go_binaries + items: [x2gosuspend-age, x2goagent] + - list: nids_binaries items: [bro, broctl] @@ -570,7 +573,7 @@ landscape-sysin, nessusd, PM2, syslog-summary, erl_child_setup, npm, cloud-init, toybox, ceph, hhvm, certbot, mysql_install_d, serf, a2enmod, runsv, supervisord, varnishd, authconfig, tini, - x2goagent, timeout + timeout ] - rule: Run shell untrusted 
@@ -583,7 +586,8 @@ k8s_binaries, package_mgmt_binaries, aide_wrapper_binaries, nids_binaries, monitoring_binaries, gitlab_binaries, mesos_slave_binaries, keepalived_binaries, - needrestart_binaries, phusion_passenger_binaries, chef_binaries, nomachine_binaries) + needrestart_binaries, phusion_passenger_binaries, chef_binaries, nomachine_binaries, + x2go_binaries) and not parent_ansible_running_python and not parent_bro_running_python and not parent_python_running_denyhosts @@ -736,9 +740,10 @@ phusion_passenger_binaries, chef_binaries, nomachine_binaries, + x2go_binaries, monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm, mysql_install_d, serf, - runsv, supervisord, varnishd, crond, logrotate, x2goagent, timeout, tini, + runsv, supervisord, varnishd, crond, logrotate, timeout, tini, xrdb, xfce4-session) and not trusted_containers and not shell_spawning_containers From 276ab9139f053ba1f5c2a31e500097ce8652a928 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 25 Aug 2017 07:48:32 -0700 Subject: [PATCH 069/110] Let hddtemp.postins(t) write below etc. dpkg installation script --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 2a1cd0a2..fd2e7a37 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -425,7 +425,7 @@ debconf-show, rollerd, bind9.postinst, sv, gen_resolvconf., update-ca-certi, certbot, runsv, qualys-cloud-ag, locales.postins, nomachine_binaries) - and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries) + and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries, hddtemp.postins) and not fd.name pmatch (safe_etc_dirs) and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json) and not ansible_running_python From a4d3d4d7317f278a713065f87f82ab207a9fec01 Mon Sep 17 00:00:00 2001 
From: Mark Stemm Date: Fri, 25 Aug 2017 08:05:58 -0700 Subject: [PATCH 070/110] Also let docker-runc denote an entrypoint. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index fd2e7a37..14c28dec 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -644,7 +644,7 @@ # where at the time 2:INIT execs the root program, 0:PARENT might have # already exited, or might still be around. So we handle both. - macro: container_entrypoint - condition: (not proc.pname exists or proc.pname=runc:[0:PARENT]) + condition: (not proc.pname exists or proc.pname in (runc:[0:PARENT], docker-runc)) - rule: Launch Sensitive Mount Container desc: > From 3b5f959de9d0e3b96e80e1a029738e83f0fe9546 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 25 Aug 2017 08:08:02 -0700 Subject: [PATCH 071/110] Add additional node/edi command lines. --- rules/falco_rules.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 14c28dec..f29dc6e2 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -725,7 +725,9 @@ # Temporarily adding as an example - macro: node_running_edi_dynamodb - condition: proc.pname=node and proc.pcmdline contains /var/www/edi/process.js + condition: > + (proc.pname=node and (proc.pcmdline contains /var/www/edi/process.js or + proc.pcmdline contains "sh -c /var/www/edi/bin/sftp.sh")) - rule: Run shell in container desc: a shell was spawned by a non-shell program in a container. Container entrypoints are excluded. From 606af16f276b0758a87d7992217f1ef886635f20 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 25 Aug 2017 08:16:21 -0700 Subject: [PATCH 072/110] Let updatedb.findut spawn shells. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index f29dc6e2..e897ef0d 100644 
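Review bot: The new clause `proc.pcmdline contains "sh -c /var/www/edi/bin/sftp.sh"` tests the parent's command line, but the macro already requires `proc.pname=node`, so that command line would start with `node` and is unlikely to contain `sh -c ...`; the shell invocation is the child's own command line, so this probably should read `proc.cmdline contains "sh -c /var/www/edi/bin/sftp.sh"`. As written the clause is likely never true and the exclusion it was meant to add does not take effect. Please confirm against the events that motivated the change.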
--- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -573,7 +573,7 @@ landscape-sysin, nessusd, PM2, syslog-summary, erl_child_setup, npm, cloud-init, toybox, ceph, hhvm, certbot, mysql_install_d, serf, a2enmod, runsv, supervisord, varnishd, authconfig, tini, - timeout + timeout, updatedb.findut ] - rule: Run shell untrusted From 6dfdadf527dd44830d936979ab07534b43d26cbd Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 25 Aug 2017 08:16:39 -0700 Subject: [PATCH 073/110] Also let runc:[1:CHILD] count as an entrypoint. Handles cases where we lose system events and have incomplete state. --- rules/falco_rules.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index e897ef0d..6e46cb65 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -643,8 +643,11 @@ # As soon as 1:CHILD is created, 0:PARENT exits, so there's a race # where at the time 2:INIT execs the root program, 0:PARENT might have # already exited, or might still be around. So we handle both. +# We also let runc:[1:CHILD] count as the parent process, which can occur +# when we lose events and lose track of state. + - macro: container_entrypoint - condition: (not proc.pname exists or proc.pname in (runc:[0:PARENT], docker-runc)) + condition: (not proc.pname exists or proc.pname in (runc:[0:PARENT], runc:[1:CHILD], docker-runc)) - rule: Launch Sensitive Mount Container desc: > From 70d6e8de2f36b2e01b751e0687672ecdccf12e09 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 25 Aug 2017 09:25:52 -0700 Subject: [PATCH 074/110] Add more ancestors for tracking. --- rules/falco_rules.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 6e46cb65..ae0b2d50 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
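Review bot: The two new comment lines about `runc:[1:CHILD]` are separated from `- macro: container_entrypoint` by a blank line, whereas every other macro comment on this page sits directly above its macro; removing the blank line keeps the explanation attached to the definition it describes. The comment itself already states that this is a fallback for lost events, which is the right thing to record, since accepting `runc:[1:CHILD]` as a parent means `Run shell in container` stays silent for shells whose parent was recorded that way.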
@@ -435,7 +435,7 @@ - rule: Write below etc desc: an attempt to write to any file below /etc, not in a pipe installer session condition: write_etc_common and not proc.sname=fbash - output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name)" + output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name name=%proc.name)" priority: ERROR tags: [filesystem] @@ -485,7 +485,7 @@ and not run_by_qualys output: > Sensitive file opened for reading by non-trusted program (user=%user.name name=%proc.name - command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3]) + command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4]) priority: WARNING tags: [filesystem] @@ -827,7 +827,7 @@ not proc.cmdline startswith "useradd -D" output: > User management binary command run outside of container - (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3]) + (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4]) priority: NOTICE tags: [host, users] From 425196f97415c2073d13ebad89c907494d202849 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 25 Aug 2017 09:26:09 -0700 Subject: [PATCH 075/110] Let weave spawn shells. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index ae0b2d50..93cc52ac 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
@@ -749,7 +749,7 @@ monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm, mysql_install_d, serf, runsv, supervisord, varnishd, crond, logrotate, timeout, tini, - xrdb, xfce4-session) + xrdb, xfce4-session, weave) and not trusted_containers and not shell_spawning_containers and not parent_java_running_echo From d0650688d513877e874a33d9921c108a0d95b466 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 6 Sep 2017 15:42:21 -0700 Subject: [PATCH 076/110] Let mysql_ssl_rsa_s spawn shells Part of mysql ssl key generation. --- rules/falco_rules.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 93cc52ac..44f7e7d3 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -573,7 +573,7 @@ landscape-sysin, nessusd, PM2, syslog-summary, erl_child_setup, npm, cloud-init, toybox, ceph, hhvm, certbot, mysql_install_d, serf, a2enmod, runsv, supervisord, varnishd, authconfig, tini, - timeout, updatedb.findut + timeout, updatedb.findut, mysql_ssl_rsa_s ] - rule: Run shell untrusted @@ -749,7 +749,7 @@ monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm, mysql_install_d, serf, runsv, supervisord, varnishd, crond, logrotate, timeout, tini, - xrdb, xfce4-session, weave) + xrdb, xfce4-session, weave, mysql_ssl_rsa_s) and not trusted_containers and not shell_spawning_containers and not parent_java_running_echo From 7c8a85158a4ce01d68221b75c338e014070e1032 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 13 Sep 2017 17:13:11 -0700 Subject: [PATCH 077/110] Decrease terminal shell in container to debug From notice. That way the two main shell-related policies are both at debug. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 44f7e7d3..8b9fb5b0 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -766,7 +766,7 @@ output: > Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3]) - priority: NOTICE + priority: DEBUG tags: [container, shell] # sockfamily ip is to exclude certain processes (like 'groups') that communicate on unix-domain sockets From 00dd3c47c062839b983f65e6480fd8c47e4f5367 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 19 Sep 2017 16:54:48 -0700 Subject: [PATCH 078/110] Allow systemd --version as a "user mgmt binary" systemd --version might be run in some unusual containerized environments, so exclude it. --- rules/falco_rules.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 8b9fb5b0..24c47d3f 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -824,7 +824,8 @@ not proc.name in (su, sudo, lastlog) and not container and not proc.pname in (cron_binaries, systemd, run-parts) and not proc.cmdline startswith "passwd -S" and - not proc.cmdline startswith "useradd -D" + not proc.cmdline startswith "useradd -D" and + not proc.cmdline startswith "systemd --version" output: > User management binary command run outside of container (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4]) From 340ee2ece7553d93d42eb4530a35fa1bf4447d6d Mon Sep 17 00:00:00 2001 
From: Mark Stemm Date: Wed, 20 Sep 2017 18:20:35 -0700 Subject: [PATCH 079/110] Add general ability to augment write_etc_common Add a stub macro user_known_write_etc_conditions that allows easy additions to write_etc_common in a separate rules file. --- rules/falco_rules.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 24c47d3f..f606c1a4 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -412,6 +412,19 @@ - macro: fluentd_writing_conf_files condition: (proc.name=start-fluentd and fd.name in (/etc/fluent/fluent.conf, /etc/td-agent/td-agent.conf)) +# Add conditions to this macro (probably in a separate file, +# overwriting this macro) to allow for specific combinations of +# programs writing below specific directories below +# /etc. fluentd_writing_conf_files is a good example to follow, as it +# specifies both the program doing the writing as well as the specific +# files it is allowed to modify. +# +# In this file, it just takes one of the programs in the base macro +# and repeats it. + +- macro: user_known_write_etc_conditions + condition: proc.name=confd + - macro: write_etc_common condition: > etc_dir and evt.dir = < and open_write @@ -431,6 +444,7 @@ and not ansible_running_python and not python_running_denyhosts and not fluentd_writing_conf_files + and not user_known_write_etc_conditions - rule: Write below etc desc: an attempt to write to any file below /etc, not in a pipe installer session From c4c5d2f5853dcd65f98b89a7f177928dc7d8a0ed Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 20 Sep 2017 18:22:11 -0700 Subject: [PATCH 080/110] Let chef read sensitive files Add the macro run_by_chef to the set of exclusions for reading sensitive files. --- rules/falco_rules.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index f606c1a4..4c5c8b6c 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
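Review bot: The stub `user_known_write_etc_conditions` is defined as `condition: proc.name=confd`, which is only a no-op if `confd` is already in the `proc.name in (...)` list of `write_etc_common`; that list is not visible in this hunk, and the stub silently becomes a real exclusion if `confd` is ever removed from it. The `user_shell_container_exclusions` hook added in PATCH 056 uses `condition: (evt.num=0)` with a comment explaining it is always false; using the same form here, `condition: (evt.num=0)`, keeps the two user hooks consistent and removes the coupling. The explanatory comment above the macro is useful and should stay either way.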
@@ -497,6 +497,7 @@
 and not ansible_running_python
 and not proc.cmdline contains /usr/bin/mandb
 and not run_by_qualys
+ and not run_by_chef
 output: >
 Sensitive file opened for reading by non-trusted program (user=%user.name name=%proc.name command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
From e44ce9a8d3143702addffe5ed53347c2ef8f8f27 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 20 Sep 2017 18:25:11 -0700
Subject: [PATCH 081/110] Add calico/node as a trusted container.
It generally needs to run privileged.
---
 rules/falco_rules.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 4c5c8b6c..0cd22921 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -630,7 +630,8 @@
 container.image startswith sysdig/sysdig or
 container.image startswith gcr.io/google_containers/hyperkube or
 container.image startswith quay.io/coreos/flannel or
- container.image startswith gcr.io/google_containers/kube-proxy)
+ container.image startswith gcr.io/google_containers/kube-proxy or
+ container.image startswith calico/node)
 # These containers are ones that are known to spawn lots of
 # shells. Generally, they are for systems where the container is used
From a0e88417fca1050d8cfa662971c39f6a58bb30dc Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 20 Sep 2017 18:42:33 -0700
Subject: [PATCH 082/110] Add more container innocuous cmdlines
Various uname -x variants and ruby version.
---
 rules/falco_rules.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 0cd22921..ffa218f8 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
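Review bot: `container.image startswith calico/node` matches every image whose name begins with that string, with no registry or tag pinned, and `trusted_containers` is consulted by more than one rule (it appears in the `Run shell in container` condition in patch 102's context), so the exemption is wider than the one image the commit title names. If a prefix is deliberate, say so in a comment; otherwise pin at least the registry the way the flannel entry above does (`quay.io/coreos/flannel`). The macro's header lies outside the hunk.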
@@ -710,6 +710,11 @@
 '"sh -c curl http://localhost:6060/debug/vars>/dev/null "',
 '"sh -c pgrep java && exit 0 || exit 1 "',
 '"sh -c uname -p 2> /dev/null"',
+ '"sh -c uname -s 2>&1"',
+ '"sh -c uname -r 2>&1"',
+ '"sh -c uname -v 2>&1"',
+ '"sh -c uname -a 2>&1"',
+ '"sh -c ruby -v 2>&1"',
 '"sh -c echo healthy "',
 '"sh -c echo alive "',
 '"sh -c getconf CLK_TCK"',
From 09748fcbb3ca2035645e5e9b701d83c5cca29407 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Thu, 21 Sep 2017 08:25:08 -0700
Subject: [PATCH 083/110] Allow writes to /etc/motd
These files are relatively innocuous.
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index ffa218f8..9d8fb6a8 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -440,7 +440,7 @@
 qualys-cloud-ag, locales.postins, nomachine_binaries)
 and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries, hddtemp.postins)
 and not fd.name pmatch (safe_etc_dirs)
- and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json)
+ and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc)
 and not ansible_running_python
 and not python_running_denyhosts
 and not fluentd_writing_conf_files
From 2bc9d35d373de32c25d405cfaec0b9b16c8636c7 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Thu, 21 Sep 2017 08:25:35 -0700
Subject: [PATCH 084/110] Let nfsnobody become themself.
---
 rules/falco_rules.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 9d8fb6a8..0d96c832 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
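Review bot: Exempting `/etc/motd` and `/etc/motd.svc` by `fd.name` alone silences `Write below etc` for every program that writes them, whereas the pattern this file uses for allowed writes (`fluentd_writing_conf_files`, patch 079) pairs the writer with the file. Tying the path to its expected writer(s), or at least recording who writes it in a comment such as `# /etc/motd and /etc/motd.svc are rewritten by <program>; any writer is tolerated here`, keeps the exemption explainable when the alert is later tuned. The `/etc/hrmconfig` entry added to `safe_etc_dirs` in patch 101 has the same any-writer shape. write_etc_common's condition starts and ends outside this hunk.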
@@ -816,7 +816,8 @@
 (user.name=_apt and evt.arg.uid=_apt) or
 (user.name=postfix and evt.arg.uid=postfix) or
 (user.name=pki-agent and evt.arg.uid=pki-agent) or
- (user.name=pki-acme and evt.arg.uid=pki-acme))
+ (user.name=pki-acme and evt.arg.uid=pki-acme) or
+ (user.name=nfsnobody and evt.arg.uid=nfsnobody))
 # sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs
 - rule: Non sudo setuid
From fefb8ba61408055b6759e0075dee363e46b4bc92 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Thu, 21 Sep 2017 08:31:43 -0700
Subject: [PATCH 085/110] Allow puppet to run shells.
Similar model as chef/qualsys/etc.
---
 rules/falco_rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 0d96c832..ab813f3a 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -379,6 +379,9 @@
 - macro: run_by_chef
 condition: (proc.aname[2]=chef_command_wr or proc.aname[3]=chef_command_wr)
+- macro: run_by_puppet
+ condition: (proc.aname[2]=puppet or proc.aname[3]=puppet)
+
 - macro: run_by_h2o
 condition: (proc.pname=perl and proc.aname[2]=h2o)
@@ -616,6 +619,7 @@
 and not parent_node_running_npm
 and not parent_java_running_sbt
 and not run_by_chef
+ and not run_by_puppet
 output: >
 Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname
 cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3])
From 1a41eeada7f86bc0245f528188f62c2eae11f5a3 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Thu, 21 Sep 2017 08:40:52 -0700
Subject: [PATCH 086/110] Add ability to augment sensitive file reads
Similar to user_known_write_etc_conditions, add the ability to easily override sensitve file reads in a second rules file.
---
 rules/falco_rules.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index ab813f3a..6f2f01d3 100644
--- a/rules/falco_rules.yaml
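Review bot: `run_by_puppet` exempts a shell from `Run shell untrusted` whenever an ancestor two or three levels up is named `puppet`, and nothing else; `proc.aname` is a process name, so the macro trusts by name alone, unlike the neighbouring `run_by_h2o` (`proc.pname=perl and proc.aname[2]=h2o`), which pins the parent as well. A comment stating the expected ancestry would let a later reader tighten it, e.g. `# puppet -> <intermediate> -> sh; adjust the aname depth if that chain changes`. The same name-only shape recurs in `run_by_adclient` (patch 088), `run_by_centrify` (patch 093) and the deepened `run_by_qualys` (patch 105), and from patch 095 on these macros also gate write_etc_common, whose rule fires at priority ERROR. The `Run shell untrusted` condition begins outside the second hunk.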
+++ b/rules/falco_rules.yaml
@@ -487,6 +487,19 @@
 vsftpd, systemd, mysql_install_d
 ]
+# Add conditions to this macro (probably in a separate file,
+# overwriting this macro) to allow for specific combinations of
+# programs accessing sensitive files.
+# fluentd_writing_conf_files is a good example to follow, as it
+# specifies both the program doing the writing as well as the specific
+# files it is allowed to modify.
+#
+# In this file, it just takes one of the macros in the base rule
+# and repeats it.
+
+- macro: user_read_sensitive_file_conditions
+ condition: cmp_cp_by_passwd
+
 - rule: Read sensitive file untrusted
 desc: >
 an attempt to read any sensitive file (e.g. files containing user/password/authentication
@@ -501,6 +514,7 @@
 and not proc.cmdline contains /usr/bin/mandb
 and not run_by_qualys
 and not run_by_chef
+ and not user_read_sensitive_file_conditions
 output: >
 Sensitive file opened for reading by non-trusted program (user=%user.name name=%proc.name command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
From 0e009fc89a92870301ab3d41a8f5ac5f341a5fe5 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Mon, 25 Sep 2017 07:41:30 -0700
Subject: [PATCH 087/110] Let smmsp setuid.
Another sendmail binary.
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 6f2f01d3..59dd198a 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -226,7 +226,7 @@
 - list: sendmail_config_binaries
 items: [
 update_conf, parse_mc, makemap_hash, newaliases, update_mk, update_tlsm4,
- update_db, update_mc, ssmtp.postinst
+ update_db, update_mc, ssmtp.postinst, smmsp
 ]
 - list: make_binaries
From a22099c8c3c7170feee38b17861a4ae450d5d2b5 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Mon, 25 Sep 2017 07:42:53 -0700
Subject: [PATCH 088/110] Let adclient spawn shells.
It's not direct, hence the run_by_adclient macro.
---
 rules/falco_rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 59dd198a..45ba58d9 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -379,6 +379,9 @@
 - macro: run_by_chef
 condition: (proc.aname[2]=chef_command_wr or proc.aname[3]=chef_command_wr)
+- macro: run_by_adclient
+ condition: (proc.aname[2]=adclient or proc.aname[3]=adclient)
+
 - macro: run_by_puppet
 condition: (proc.aname[2]=puppet or proc.aname[3]=puppet)
@@ -634,6 +637,7 @@
 and not parent_java_running_sbt
 and not run_by_chef
 and not run_by_puppet
+ and not run_by_adclient
 output: >
 Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname
 cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3])
From 96992d7ac36e6ba91932bfc5851106ce4239b24d Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Mon, 25 Sep 2017 07:44:15 -0700
Subject: [PATCH 089/110] Add scripts possibly run by sshkit
Some general management scripts, possibly run by sshkit (need to check).
---
 rules/falco_rules.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 45ba58d9..9d199004 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -295,6 +295,10 @@
 - list: needrestart_binaries
 items: [needrestart, 10-dpkg, 20-rpm, 30-pacman]
+# Possible scripts run by sshkit
+- list: sshkit_script_binaries
+ items: [10_etc_sudoers., 10_passwd_group]
+
 # System users that should never log into a system. Consider adding your own
 # service users (e.g. 'apache' or 'mysqld') here.
 - macro: system_users
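Review bot: The new `sshkit_script_binaries` list is introduced on the strength of "possibly run by sshkit (need to check)", and one entry, `10_etc_sudoers.`, is a truncated name (the file notes elsewhere that process names are truncated at the sysdig level), so any process whose name begins that way is matched once the list is consumed by write_etc_common and the sensitive-file rule in the next span. Carry the uncertainty into the file rather than only the commit message, e.g. `# Possible scripts run by sshkit -- TODO: confirm the parent chain; names are sysdig-truncated, so 10_etc_sudoers. matches any longer name with that prefix`. The hunks that consume this list start in the next SOURCE line.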
@@ -438,6 +442,7 @@
 package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries, dev_creation_binaries, shell_mgmt_binaries, sendmail_config_binaries,
+ sshkit_script_binaries,
 ldconfig.real, ldconfig, confd, gpg, insserv, apparmor_parser, update-mime, tzdata.config, tzdata.postinst, systemd, systemd-machine, systemd-sysuser,
@@ -511,7 +516,7 @@
 sensitive_files and open_read and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries, cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries,
- vpn_binaries, sendmail_config_binaries, nomachine_binaries)
+ vpn_binaries, sendmail_config_binaries, nomachine_binaries, sshkit_script_binaries)
 and not cmp_cp_by_passwd
 and not ansible_running_python
 and not proc.cmdline contains /usr/bin/mandb
From d9cb1e2b27dffb2a21d5a8548d190a841ab93701 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Mon, 25 Sep 2017 07:51:18 -0700
Subject: [PATCH 090/110] Let adclient/certutil spawn shells/write below etc
Let adclient/certutil spawn shells and write below etc.
---
 rules/falco_rules.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 9d199004..22329ebf 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -448,7 +448,8 @@
 systemd, systemd-machine, systemd-sysuser,
 debconf-show, rollerd, bind9.postinst, sv,
 gen_resolvconf., update-ca-certi, certbot, runsv,
- qualys-cloud-ag, locales.postins, nomachine_binaries)
+ qualys-cloud-ag, locales.postins, nomachine_binaries,
+ adclient, certutil)
 and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries, hddtemp.postins)
 and not fd.name pmatch (safe_etc_dirs)
 and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc)
@@ -613,7 +614,7 @@
 landscape-sysin, nessusd, PM2, syslog-summary, erl_child_setup, npm, cloud-init, toybox, ceph, hhvm, certbot, mysql_install_d, serf, a2enmod, runsv, supervisord, varnishd, authconfig, tini,
- timeout, updatedb.findut, mysql_ssl_rsa_s
+ timeout, updatedb.findut, mysql_ssl_rsa_s, adclient
 ]
 - rule: Run shell untrusted
From cff8ca428a859dc560ef6644f8732a861f4634ac Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Mon, 25 Sep 2017 08:11:46 -0700
Subject: [PATCH 091/110] The right program was mailq not smmsp, that was the user.
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 22329ebf..de9ea68e 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -226,7 +226,7 @@
 - list: sendmail_config_binaries
 items: [
 update_conf, parse_mc, makemap_hash, newaliases, update_mk, update_tlsm4,
- update_db, update_mc, ssmtp.postinst, smmsp
+ update_db, update_mc, ssmtp.postinst, mailq
 ]
 - list: make_binaries
From cf5397f701606bc6baafb905dcc31e66f619e370 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Mon, 25 Sep 2017 08:17:54 -0700
Subject: [PATCH 092/110] Change level for sshkit binaries.
It's actually the programs spawned by sshkit scripts that modify files below /etc.
---
 rules/falco_rules.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index de9ea68e..59c81c3c 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -442,7 +442,6 @@
 package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries, dev_creation_binaries, shell_mgmt_binaries, sendmail_config_binaries,
- sshkit_script_binaries,
 ldconfig.real, ldconfig, confd, gpg, insserv, apparmor_parser, update-mime, tzdata.config, tzdata.postinst, systemd, systemd-machine, systemd-sysuser,
@@ -450,7 +449,7 @@
 gen_resolvconf., update-ca-certi, certbot, runsv,
 qualys-cloud-ag, locales.postins, nomachine_binaries,
 adclient, certutil)
- and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries, hddtemp.postins)
+ and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries, hddtemp.postins, sshkit_script_binaries)
 and not fd.name pmatch (safe_etc_dirs)
 and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc)
 and not ansible_running_python
From 59ab40d4573cc2e849906116830535fa98783ee8 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Mon, 25 Sep 2017 08:20:28 -0700
Subject: [PATCH 093/110] Let centrify spawn shells.
This is higher up than other programs.
---
 rules/falco_rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 59c81c3c..2a9b8dfa 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -386,6 +386,9 @@
 - macro: run_by_adclient
 condition: (proc.aname[2]=adclient or proc.aname[3]=adclient)
+- macro: run_by_centrify
+ condition: (proc.aname[2]=centrify or proc.aname[3]=centrify or proc.aname[4]=centrify)
+
 - macro: run_by_puppet
 condition: (proc.aname[2]=puppet or proc.aname[3]=puppet)
@@ -643,6 +646,7 @@
 and not run_by_chef
 and not run_by_puppet
 and not run_by_adclient
+ and not run_by_centrify
 output: >
 Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname
 cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3])
From 011cb2f0309012d4d096929e5a7bbbd57b5600d1 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Mon, 25 Sep 2017 08:24:48 -0700
Subject: [PATCH 094/110] Also let mailq setuid.
Simialr to showq
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 2a9b8dfa..969a1f48 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
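Review bot: Moving `sshkit_script_binaries` from `proc.name` to `proc.pname` in write_etc_common exempts every child of a process named `10_etc_sudoers.` or `10_passwd_group`, whatever the child is or writes, which is wider than the name-level exclusion it replaces and still rests on the "need to check" note from patch 089. If the scripts write known files, pairing the parent with `fd.name` or `fd.directory` in a dedicated macro, as `git_writing_nssdb` later does in patch 108, keeps the exemption narrow; at minimum the list's comment should say the match is now on the parent, e.g. `# Matched as proc.pname: children of these scripts may write below /etc`. The condition continues outside the hunk on both sides.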
@@ -221,7 +221,7 @@
 condition: proc.name in (coreutils_binaries, user_mgmt_binaries)
 - list: mail_binaries
- items: [sendmail, sendmail-msp, postfix, procmail, exim4, pickup, showq]
+ items: [sendmail, sendmail-msp, postfix, procmail, exim4, pickup, showq, mailq]
 - list: sendmail_config_binaries
 items: [
From c3c171c7e5954122c400df4edcc8017a65d43724 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Mon, 25 Sep 2017 08:36:35 -0700
Subject: [PATCH 095/110] More centrify changes.
Add crlutil as a program that can modify below etc. Let centrify programs modify below etc. Add more info for writes below etc to track etc writers through scripts. Increase the level of debugging for shells.
---
 rules/falco_rules.yaml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 969a1f48..a122c611 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -451,7 +451,7 @@
 debconf-show, rollerd, bind9.postinst, sv,
 gen_resolvconf., update-ca-certi, certbot, runsv,
 qualys-cloud-ag, locales.postins, nomachine_binaries,
- adclient, certutil)
+ adclient, certutil, crlutil)
 and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries, hddtemp.postins, sshkit_script_binaries)
 and not fd.name pmatch (safe_etc_dirs)
 and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc)
@@ -459,11 +459,12 @@
 and not python_running_denyhosts
 and not fluentd_writing_conf_files
 and not user_known_write_etc_conditions
+ and not run_by_centrify
 - rule: Write below etc
 desc: an attempt to write to any file below /etc, not in a pipe installer session
 condition: write_etc_common and not proc.sname=fbash
- output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name name=%proc.name)"
+ output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name name=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])"
 priority: ERROR
 tags: [filesystem]
@@ -649,7 +650,8 @@
 and not run_by_centrify
 output: >
 Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname
- cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3])
+ cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3]
+ gggparent=%proc.aname[4] ggggparent=%proc.aname[5])
 priority: DEBUG
 tags: [host, shell]
From 6540a856fade9b27af23cfa3c55abac691c2efa7 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Mon, 25 Sep 2017 08:45:16 -0700
Subject: [PATCH 096/110] Let adclient write below etc.
---
 rules/falco_rules.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index a122c611..a204e9fa 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -384,7 +384,7 @@
 condition: (proc.aname[2]=chef_command_wr or proc.aname[3]=chef_command_wr)
 - macro: run_by_adclient
- condition: (proc.aname[2]=adclient or proc.aname[3]=adclient)
+ condition: (proc.aname[2]=adclient or proc.aname[3]=adclient or proc.aname[4]=adclient)
 - macro: run_by_centrify
 condition: (proc.aname[2]=centrify or proc.aname[3]=centrify or proc.aname[4]=centrify)
@@ -445,6 +445,7 @@
 package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries, dev_creation_binaries, shell_mgmt_binaries, sendmail_config_binaries,
+ sshkit_script_binaries,
 ldconfig.real, ldconfig, confd, gpg, insserv, apparmor_parser, update-mime, tzdata.config, tzdata.postinst, systemd, systemd-machine, systemd-sysuser,
@@ -460,6 +461,7 @@
 and not fluentd_writing_conf_files
 and not user_known_write_etc_conditions
 and not run_by_centrify
+ and not run_by_adclient
 - rule: Write below etc
 desc: an attempt to write to any file below /etc, not in a pipe installer session
From 4f5ab79c692f4f12f9922ec4560397dd99ea99d3 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 29 Sep 2017 15:10:28 -0700
Subject: [PATCH 097/110] Add xray-rabbitmq shell spawning programs.
They have names {1234}_scheduler and need to be quoted as they start with digits.
---
 rules/falco_rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index a204e9fa..6665d5eb 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -211,6 +211,9 @@
 - list: x2go_binaries
 items: [x2gosuspend-age, x2goagent]
+- list: xray_rabbitmq_binaries
+ items: ['"1_scheduler"', '"2_scheduler"', '"3_scheduler"', '"4_scheduler"']
+
 - list: nids_binaries
 items: [bro, broctl]
@@ -802,6 +805,7 @@
 chef_binaries,
 nomachine_binaries,
 x2go_binaries,
+ xray_rabbitmq_binaries,
 monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm, mysql_install_d, serf, runsv, supervisord, varnishd, crond, logrotate, timeout, tini,
From 9504d420f069f3a42c93d98d1cba1dbcced3dfb9 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 29 Sep 2017 15:11:20 -0700
Subject: [PATCH 098/110] Add more jenkins spawners.
Jenkins spawns shells via script.sh, so allow it.
---
 rules/falco_rules.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
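Review bot: The hunk at -445 re-adds `sshkit_script_binaries` to write_etc_common's `proc.name` list, which patch 092 deliberately removed when the list was moved to `proc.pname` ("It's actually the programs spawned by sshkit scripts that modify files below /etc"); the commit title mentions only adclient and the message does not explain the re-addition, so this reads as an accidental revert from a stale working copy. Either drop that line or document why both the scripts and their children now need the exemption, e.g. `# sshkit scripts themselves also write below /etc; see patch 092 for the parent-level match`. The condition starts and ends outside the hunk.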
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 6665d5eb..122a1f6c 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -344,6 +344,9 @@
 (proc.pname=java and proc.pcmdline contains jenkins.war or proc.pcmdline contains /tmp/slave.jar)
+- macro: jenkins_script_sh
+ condition: (proc.pcmdline startswith "script.sh -xe /var/jenkins_home")
+
 - macro: parent_java_running_echo
 condition: (proc.pname=java and proc.cmdline startswith "sh -c echo")
@@ -643,6 +646,7 @@
 and not parent_python_running_sdchecks
 and not parent_linux_image_upgrade_script
 and not parent_java_running_jenkins
+ and not jenkins_script_sh
 and not parent_java_running_echo
 and not parent_scripting_running_builds
 and not parent_Xvfb_running_xkbcomp
@@ -823,6 +827,8 @@
 and not node_running_edi_dynamodb
 and not run_by_h2o
 and not run_by_passenger_agent
+ and not parent_java_running_jenkins
+ and not jenkins_script_sh
 output: >
 Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3])
From bde8d673301d9f08f117ae833cd534c83bbe894e Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 29 Sep 2017 15:12:08 -0700
Subject: [PATCH 099/110] Let psql read sensitive files.
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 122a1f6c..e684c7cd 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -504,7 +504,7 @@
 - list: read_sensitive_file_binaries
 items: [
 iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd,
- vsftpd, systemd, mysql_install_d
+ vsftpd, systemd, mysql_install_d, psql
 ]
 # Add conditions to this macro (probably in a separate file,
From 823c105f548bcc7ef436c9905ec8bda7e9bf8898 Mon Sep 17 00:00:00 2001
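Review bot: `jenkins_script_sh` matches on a parent command-line prefix alone (`proc.pcmdline startswith "script.sh -xe /var/jenkins_home"`), while the macro it is paired with, `parent_java_running_jenkins`, additionally pins `proc.pname=java`; any parent whose argv begins with that string is trusted, including in `Run shell in container`, where the third hunk adds both macros. A comment recording what actually launches script.sh (the parent's name is not visible here) would let the macro pin it as well, e.g. `# script.sh is launched by <parent>; match its name too once confirmed`. The two rule conditions touched by the later hunks begin outside their hunks.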
From: Mark Stemm
Date: Fri, 29 Sep 2017 15:12:20 -0700
Subject: [PATCH 100/110] Let systemd-udevd spawn shells
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index e684c7cd..68236a34 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -625,7 +625,7 @@
 landscape-sysin, nessusd, PM2, syslog-summary, erl_child_setup, npm, cloud-init, toybox, ceph, hhvm, certbot, mysql_install_d, serf, a2enmod, runsv, supervisord, varnishd, authconfig, tini,
- timeout, updatedb.findut, mysql_ssl_rsa_s, adclient
+ timeout, updatedb.findut, mysql_ssl_rsa_s, adclient, systemd-udevd
 ]
 - rule: Run shell untrusted
From 08afb750094edf43762ed8d2a3f76ebbb1a8824c Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 29 Sep 2017 15:34:52 -0700
Subject: [PATCH 101/110] Add /etc/hrmconfig as a safe directory.
Used by docker swarm http routing mesh.
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 68236a34..8849d1c3 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -426,7 +426,7 @@
 tags: [filesystem]
 - list: safe_etc_dirs
- items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment]
+ items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment, /etc/hrmconfig]
 - macro: fluentd_writing_conf_files
 condition: (proc.name=start-fluentd and fd.name in (/etc/fluent/fluent.conf, /etc/td-agent/td-agent.conf))
From a921012a6c017c5157070e4bd4d3ba3f3de85cea Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 4 Oct 2017 16:11:00 -0700
Subject: [PATCH 102/110] let logdna-agent spawn shells.
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 8849d1c3..ac9e9759 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -813,7 +813,7 @@
 monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm, mysql_install_d, serf, runsv, supervisord, varnishd, crond, logrotate, timeout, tini,
- xrdb, xfce4-session, weave, mysql_ssl_rsa_s)
+ xrdb, xfce4-session, weave, mysql_ssl_rsa_s, logdna-agent)
 and not trusted_containers
 and not shell_spawning_containers
 and not parent_java_running_echo
From a68d2ad769a17c43ae46b84ab244f1f19c1a8ae5 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Thu, 5 Oct 2017 08:44:13 -0700
Subject: [PATCH 103/110] Let bundle spawn shells.
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index ac9e9759..7ddb872f 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -813,7 +813,7 @@
 monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm, mysql_install_d, serf, runsv, supervisord, varnishd, crond, logrotate, timeout, tini,
- xrdb, xfce4-session, weave, mysql_ssl_rsa_s, logdna-agent)
+ xrdb, xfce4-session, weave, mysql_ssl_rsa_s, logdna-agent, bundle)
 and not trusted_containers
 and not shell_spawning_containers
 and not parent_java_running_echo
From 33a28cc17308fd83eac4722843402ec5b9837059 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Thu, 5 Oct 2017 08:54:35 -0700
Subject: [PATCH 104/110] Let node running yarn spawn shells.
---
 rules/falco_rules.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 7ddb872f..b7c48c60 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -365,7 +365,8 @@
 proc.cmdline startswith "sh -c gcc" or
 proc.cmdline startswith "sh -c if type gcc" or
 proc.cmdline startswith "sh -c cd '/var/www/edi/';LC_ALL=en_US.UTF-8 git" or
- proc.cmdline startswith "sh -c /usr/src/app/crxlsx/bin/linux/crxlsx"))
+ proc.cmdline startswith "sh -c /usr/src/app/crxlsx/bin/linux/crxlsx" or
+ proc.pcmdline="node /opt/nodejs/bin/yarn"))
 - macro: parent_node_running_npm
 condition: proc.pcmdline startswith "node /usr/local/bin/npm"
From 0d88c3020d0d123d3ba549c65cfedf1c808f0c35 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 6 Oct 2017 13:43:30 -0700
Subject: [PATCH 105/110] Let qualys perform more actions.
It can have more intermediate shells, is allowed to write to its own conf file, and can run user management binaries.
---
 rules/falco_rules.yaml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index b7c48c60..c4a2b1e5 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -384,7 +384,11 @@
 # levels. This checks at a few levels without the cost of a full
 # proc.aname, which traverses the full parent heirarchy.
 - macro: run_by_qualys
- condition: (proc.pname=qualys-cloud-ag or proc.aname[2]=qualys-cloud-ag or proc.aname[3]=qualys-cloud-ag)
+ condition: >
+ (proc.pname=qualys-cloud-ag or
+ proc.aname[2]=qualys-cloud-ag or
+ proc.aname[3]=qualys-cloud-ag or
+ proc.aname[4]=qualys-cloud-ag)
 # Chef is similar.
 - macro: run_by_chef
@@ -432,6 +436,9 @@
 - macro: fluentd_writing_conf_files
 condition: (proc.name=start-fluentd and fd.name in (/etc/fluent/fluent.conf, /etc/td-agent/td-agent.conf))
+- macro: qualys_writing_conf_files
+ condition: proc.name=qualys-cloud-ag and fd.name=/etc/qualys/cloud-agent/qagent-log.conf
+
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
 # programs writing below specific directories below
@@ -469,6 +476,7 @@
 and not user_known_write_etc_conditions
 and not run_by_centrify
 and not run_by_adclient
+ and not qualys_writing_conf_files
 - rule: Write below etc
 desc: an attempt to write to any file below /etc, not in a pipe installer session
@@ -893,7 +901,8 @@
 not proc.pname in (cron_binaries, systemd, run-parts) and
 not proc.cmdline startswith "passwd -S" and
 not proc.cmdline startswith "useradd -D" and
- not proc.cmdline startswith "systemd --version"
+ not proc.cmdline startswith "systemd --version" and
+ not run_by_qualys
 output: >
 User management binary command run outside of container (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
From 43b773e9b20320692fc38677b8b78977ed4e17fc Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Mon, 9 Oct 2017 10:34:41 -0700
Subject: [PATCH 106/110] Misc gem/ruby/bundler changes
- Let gem install software.
- Let ruby spawn shells when run by bundle.
---
 rules/falco_rules.yaml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index c4a2b1e5..a1eb0dcf 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -171,7 +171,7 @@
 # The truncated dpkg-preconfigu is intentional, process names are
 # truncated at the sysdig level.
 - list: package_mgmt_binaries
- items: [rpm_binaries, deb_binaries, update-alternat]
+ items: [rpm_binaries, deb_binaries, update-alternat, gem]
 - macro: package_mgmt_procs
 condition: proc.name in (package_mgmt_binaries)
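Review bot: `not run_by_qualys` in `User mgmt binaries` exempts every user-management command (any program in user_mgmt_binaries, any arguments) whenever an ancestor up to four levels up is named `qualys-cloud-ag`, which is far broader than the other exclusions in this condition, each of which names one non-modifying invocation (`passwd -S`, `useradd -D`, `systemd --version`). If the agent only inventories accounts, matching the specific command lines it runs keeps password and account changes under it visible; if it genuinely changes accounts, a comment should say so, e.g. `# qualys-cloud-ag runs <cmd> during inventory; any user-mgmt command under it is hidden`. The enclosing condition starts outside the hunk.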
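Review bot: Adding `gem` to `package_mgmt_binaries` places a language package manager that downloads and executes third-party code in the same bucket as the OS package managers, and that list gates more than the shell rule the commit has in mind: `package_mgmt_procs` (context here) is built from it, and `Read sensitive file untrusted` excludes `package_mgmt_binaries` by `proc.name` (visible in patch 089), so reads of sensitive files by `gem` are silenced too. A separate list for language-level installers, referenced only where the commit needs it, keeps the OS-package semantics intact; at minimum add `# gem: also exempts gem from the sensitive-file and shell rules that consume this list` beside the entry. The list definition is complete within the hunk; the rules consuming it are elsewhere.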
@@ -380,6 +380,13 @@
 - macro: mysql_image_running_healthcheck
 condition: container.image=mysql and proc.cmdline="sh -c /healthcheck.sh"
+- macro: bundle_running_ruby
+ condition: >
+ (proc.pname=ruby and (
+ proc.aname[2]=bundle or
+ proc.aname[3]=bundle or
+ proc.aname[4]=bundle))
+
 # Qualys seems to run a variety of shell subprocesses, at various
 # levels. This checks at a few levels without the cost of a full
 # proc.aname, which traverses the full parent heirarchy.
@@ -838,6 +845,7 @@
 and not run_by_passenger_agent
 and not parent_java_running_jenkins
 and not jenkins_script_sh
+ and not bundle_running_ruby
 output: >
 Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3])
From 1b591dc4f3be3151da3a66cba069424e172b5a44 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Mon, 9 Oct 2017 10:36:35 -0700
Subject: [PATCH 107/110] Misc build-related fixes
- Let yarn spawn shells
- Add several allowed commandlines
- Let configure spawn shells in containers
---
 rules/falco_rules.yaml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index a1eb0dcf..6c7d8562 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -366,7 +366,7 @@
 proc.cmdline startswith "sh -c if type gcc" or
 proc.cmdline startswith "sh -c cd '/var/www/edi/';LC_ALL=en_US.UTF-8 git" or
 proc.cmdline startswith "sh -c /usr/src/app/crxlsx/bin/linux/crxlsx" or
- proc.pcmdline="node /opt/nodejs/bin/yarn"))
+ proc.pcmdline startswith "node /opt/nodejs/bin/yarn"))
 - macro: parent_node_running_npm
 condition: proc.pcmdline startswith "node /usr/local/bin/npm"
@@ -787,7 +787,9 @@
 '"sh -c node -e \"require(''nan'')\")"',
 '"sh -c node $NODE_DEBUG_OPTION index.js "',
 '"sh -c crontab -l 2"',
- '"sh -c lsb_release -a"'
+ '"sh -c lsb_release -a"',
+ '"sh -c whoami"',
+ '"sh -c node_modules/.bin/bower-installer"'
 ]
 # This list allows for easy additions to the set of commands allowed
@@ -829,7 +831,7 @@
 monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm, mysql_install_d, serf, runsv, supervisord, varnishd, crond, logrotate, timeout, tini,
- xrdb, xfce4-session, weave, mysql_ssl_rsa_s, logdna-agent, bundle)
+ xrdb, xfce4-session, weave, mysql_ssl_rsa_s, logdna-agent, bundle, configure)
 and not trusted_containers
 and not shell_spawning_containers
 and not parent_java_running_echo
From 0fcd01f98d42f1ef54fda7d40652b65e8041745c Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Mon, 9 Oct 2017 10:37:33 -0700
Subject: [PATCH 108/110] Let git modify nssdb
Let git-remote-http modify files below the nssdb.
---
 rules/falco_rules.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 6c7d8562..c9545125 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -444,7 +444,10 @@
 condition: (proc.name=start-fluentd and fd.name in (/etc/fluent/fluent.conf, /etc/td-agent/td-agent.conf))
 - macro: qualys_writing_conf_files
- condition: proc.name=qualys-cloud-ag and fd.name=/etc/qualys/cloud-agent/qagent-log.conf
+ condition: (proc.name=qualys-cloud-ag and fd.name=/etc/qualys/cloud-agent/qagent-log.conf)
+
+- macro: git_writing_nssdb
+ condition: (proc.cmdline="git-remote-http origin" and fd.directory=/etc/pki/nssdb)
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
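Review bot: Adding `'"sh -c whoami"'` to `known_container_shell_spawn_cmdlines` exempts, by exact command line, a generic user-discovery command that build tooling runs but that an unexpected shell inside a container would issue just as readily; unlike the neighbouring entries it names no tool or path that ties it to a known workload. If a specific parent issues it, bind the exemption to that parent in a macro (as `bundle_running_ruby` in patch 106 does) rather than the global cmdline list, or record the source: `# "sh -c whoami": emitted by <parent>; prefer a parent-bound macro`. `'"sh -c node_modules/.bin/bower-installer"'` is a relative path and so matches from any working directory. The list begins outside the hunk.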
@@ -484,6 +487,7 @@ and not run_by_centrify and not run_by_adclient and not qualys_writing_conf_files + and not git_writing_nssdb - rule: Write below etc desc: an attempt to write to any file below /etc, not in a pipe installer session From 080305c7a0cc62be1082b794527e96be826987f6 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Mon, 9 Oct 2017 13:05:12 -0700 Subject: [PATCH 109/110] Adjust for new severity Shell in container is now debug level, so adjust test case to match. --- test/falco_traces.yaml.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/falco_traces.yaml.in b/test/falco_traces.yaml.in index 4fc5aa8a..10d0c84b 100644 --- a/test/falco_traces.yaml.in +++ b/test/falco_traces.yaml.in @@ -149,7 +149,7 @@ traces: !mux shell-in-container: trace_file: traces-positive/shell-in-container.scap detect: True - detect_level: NOTICE + detect_level: DEBUG detect_counts: - "Run shell in container": 1 From e1044629cb066096d65621aa908cd10d80db8a00 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Mon, 9 Oct 2017 13:15:39 -0700 Subject: [PATCH 110/110] Work around unknown users in containers wrt setuid Work around https://github.com/draios/sysdig/issues/954, which relates to not always knowing the proper user name in containers, by not running the rule when in a container and the user name is "". This won't address cases where the uid from inside the container maps to a user name outside the container that is different than the user inside the container, but it will help a bit. --- rules/falco_rules.yaml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index c9545125..8440585b 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
@@ -887,14 +887,23 @@ (user.name=pki-acme and evt.arg.uid=pki-acme) or (user.name=nfsnobody and evt.arg.uid=nfsnobody)) +# In containers, the user name might be for a uid that exists in the +# container but not on the host. (See +# https://github.com/draios/sysdig/issues/954). So in that case, allow +# a setuid. + +- macro: unknown_user_in_container + condition: (user.name="" and container) + # sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs - rule: Non sudo setuid desc: > an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody" suing to itself are also excluded, as setuid calls typically involve dropping privileges. condition: > - evt.type=setuid and evt.dir=> and - not user.name=root and not somebody_becoming_themself + evt.type=setuid and evt.dir=> + and not unknown_user_in_container + and not user.name=root and not somebody_becoming_themself and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries, nomachine_binaries) and not java_running_sdjagent output: >
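Review bot: `unknown_user_in_container` exempts every setuid call in a container whose uid has no resolvable name, including a setuid to 0, and an unresolvable uid is common in minimal images, so `Non sudo setuid` goes blind precisely in the containers where the workaround applies. Keep the escalation case visible by narrowing the macro, e.g. `condition: (user.name="" and container and not evt.arg.uid=root)`; the `somebody_becoming_themself` lines above compare `evt.arg.uid` to user names in that same form, so it should evaluate the same way (confirm before merging). The rule's `desc:` still states that only root and nobody suing to themselves are excluded; add a sentence there naming the unknown-user-in-container exemption and the sysdig issue so the gap is documented at the rule, not only at the macro. The rule's `output:` continues past this hunk.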
