github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-01 17:12:21 +00:00
Code Issues Projects Releases Wiki Activity

Add nomachine binaries.

Browse Source 
Add a list of nomachine binaries and let them spawn shells, setuid, and
access sensitive files.
This commit is contained in:
Mark Stemm 2017-08-23 16:32:22 -07:00
parent 57c1b33562
commit 4efda9cb97
1 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
rules/falco_rules.yaml
View File

@ -205,6 +205,9 @@
- list: vpn_binaries - list: vpn_binaries
items: [openvpn] items: [openvpn]
- list: nomachine_binaries
items: [nxexec, nxnode.bin]
- list: nids_binaries - list: nids_binaries
items: [bro, broctl] items: [bro, broctl]
@ -445,7 +448,7 @@
sensitive_files and open_read sensitive_files and open_read
and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries, and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries,
cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries, cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries,
vpn_binaries, sendmail_config_binaries) vpn_binaries, sendmail_config_binaries, nomachine_binaries)
and not cmp_cp_by_passwd and not cmp_cp_by_passwd
and not ansible_running_python and not ansible_running_python
and not proc.cmdline contains /usr/bin/mandb and not proc.cmdline contains /usr/bin/mandb
@ -551,7 +554,7 @@
k8s_binaries, package_mgmt_binaries, aide_wrapper_binaries, nids_binaries, k8s_binaries, package_mgmt_binaries, aide_wrapper_binaries, nids_binaries,
monitoring_binaries, gitlab_binaries, mesos_slave_binaries, monitoring_binaries, gitlab_binaries, mesos_slave_binaries,
keepalived_binaries, keepalived_binaries,
needrestart_binaries, phusion_passenger_binaries, chef_binaries) needrestart_binaries, phusion_passenger_binaries, chef_binaries, nomachine_binaries)
and not parent_ansible_running_python and not parent_ansible_running_python
and not parent_bro_running_python and not parent_bro_running_python
and not parent_python_running_denyhosts and not parent_python_running_denyhosts
@ -690,6 +693,7 @@
needrestart_binaries, needrestart_binaries,
phusion_passenger_binaries, phusion_passenger_binaries,
chef_binaries, chef_binaries,
nomachine_binaries,
monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron,
erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm, mysql_install_d, serf, erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm, mysql_install_d, serf,
runsv, supervisord, varnishd, crond, logrotate) runsv, supervisord, varnishd, crond, logrotate)
@ -742,7 +746,7 @@
condition: > condition: >
evt.type=setuid and evt.dir=> and evt.type=setuid and evt.dir=> and
not user.name=root and not somebody_becoming_themself not user.name=root and not somebody_becoming_themself
and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries) and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries, nomachine_binaries)
and not java_running_sdjagent and not java_running_sdjagent
output: > output: >
Unexpected setuid call by non-sudo, non-root program (user=%user.name parent=%proc.pname Unexpected setuid call by non-sudo, non-root program (user=%user.name parent=%proc.pname