github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-12 21:16:33 +00:00
Code Issues Projects Releases Wiki Activity

Support container event to denote container starts (#550)

Browse Source 
* Add support for container metaevent to detect container spawning

Create a new macro "container_started" to check both the old and
the new check.
Also, only look for execve exit events with vpid=1.

* Use TBB_INCLUDE_DIR for consistency w sysdig,agent

Previously it was a mix of TBB_INCLUDE and TBB_INCLUDE_DIR.

* Build using matching sysdig branch, if exists
This commit is contained in:
Mark Stemm
2019-03-08 13:23:10 -08:00
committed by GitHub
parent 3edd39e625
commit 5740186280
5 changed files with 19 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.travis.yml
View File

@@ -26,8 +26,11 @@ services:
before_install: before_install:
- sudo apt-get update - sudo apt-get update
install: install:
- export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)
- sudo apt-get install rpm linux-headers-$(uname -r) libelf-dev - sudo apt-get install rpm linux-headers-$(uname -r) libelf-dev
- git clone https://github.com/draios/sysdig.git ../sysdig - git clone https://github.com/draios/sysdig.git ../sysdig
# if available, use the branch with the same name in sysdig
- pushd ../sysdig && (git checkout "${BRANCH}" || exit 0) && echo "Using sysdig branch:" $(git rev-parse --abbrev-ref HEAD) && popd
- sudo apt-get install -y python-pip libvirt-dev jq dkms - sudo apt-get install -y python-pip libvirt-dev jq dkms
- cd .. - cd ..
- curl -Lo avocado-36.0-tar.gz https://github.com/avocado-framework/avocado/archive/36.0lts.tar.gz - curl -Lo avocado-36.0-tar.gz https://github.com/avocado-framework/avocado/archive/36.0lts.tar.gz

8
CMakeLists.txt
View File

@@ -449,10 +449,10 @@ endif()
option(USE_BUNDLED_TBB "Enable building of the bundled tbb" ${USE_BUNDLED_DEPS}) option(USE_BUNDLED_TBB "Enable building of the bundled tbb" ${USE_BUNDLED_DEPS})
if(NOT USE_BUNDLED_TBB) if(NOT USE_BUNDLED_TBB)
find_path(TBB_INCLUDE tbb.h PATH_SUFFIXES tbb) find_path(TBB_INCLUDE_DIR tbb.h PATH_SUFFIXES tbb)
find_library(TBB_LIB NAMES tbb) find_library(TBB_LIB NAMES tbb)
if(TBB_INCLUDE AND TBB_LIB) if(TBB_INCLUDE_DIR AND TBB_LIB)
message(STATUS "Found tbb: include: ${TBB_INCLUDE}, lib: ${TBB_LIB}") message(STATUS "Found tbb: include: ${TBB_INCLUDE_DIR}, lib: ${TBB_LIB}")
else() else()
message(FATAL_ERROR "Couldn't find system tbb") message(FATAL_ERROR "Couldn't find system tbb")
endif() endif()
@@ -461,7 +461,7 @@ else()
message(STATUS "Using bundled tbb in '${TBB_SRC}'") message(STATUS "Using bundled tbb in '${TBB_SRC}'")
set(TBB_INCLUDE "${TBB_SRC}/include/") set(TBB_INCLUDE_DIR "${TBB_SRC}/include/")
set(TBB_LIB "${TBB_SRC}/build/lib_release/libtbb.a") set(TBB_LIB "${TBB_SRC}/build/lib_release/libtbb.a")
ExternalProject_Add(tbb ExternalProject_Add(tbb
URL "http://s3.amazonaws.com/download.draios.com/dependencies/tbb-2018_U5.tar.gz" URL "http://s3.amazonaws.com/download.draios.com/dependencies/tbb-2018_U5.tar.gz"

18
rules/falco_rules.yaml
View File

@@ -337,6 +337,9 @@
- macro: container - macro: container
condition: container.id != host condition: container.id != host
- macro: container_started
condition: (evt.type = container or (evt.type=execve and evt.dir=< and proc.vpid=1))
- macro: interactive - macro: interactive
condition: > condition: >
((proc.aname=sshd and proc.name != sshd) or ((proc.aname=sshd and proc.name != sshd) or
@@ -1406,7 +1409,7 @@
- rule: Launch Privileged Container - rule: Launch Privileged Container
desc: Detect the initial process started in a privileged container. Exceptions are made for known trusted images. desc: Detect the initial process started in a privileged container. Exceptions are made for known trusted images.
condition: > condition: >
evt.type=execve and proc.vpid=1 and container container_started and container
and container.privileged=true and container.privileged=true
and not trusted_containers and not trusted_containers
and not user_trusted_containers and not user_trusted_containers
@@ -1446,7 +1449,7 @@
Detect the initial process started by a container that has a mount from a sensitive host directory Detect the initial process started by a container that has a mount from a sensitive host directory
(i.e. /proc). Exceptions are made for known trusted images. (i.e. /proc). Exceptions are made for known trusted images.
condition: > condition: >
evt.type=execve and proc.vpid=1 and container container_started and container
and sensitive_mount and sensitive_mount
and not trusted_containers and not trusted_containers
and not user_sensitive_mount_containers and not user_sensitive_mount_containers
@@ -1458,19 +1461,18 @@
# explicitly enumerate the container images that you want to run in # explicitly enumerate the container images that you want to run in
# your environment. In this main falco rules file, there isn't any way # your environment. In this main falco rules file, there isn't any way
# to know all the containers that can run, so any container is # to know all the containers that can run, so any container is
# alllowed, by using a filter that is guaranteed to evaluate to true # allowed, by using a filter that is guaranteed to evaluate to true.
# (the same proc.vpid=1 that's in the Launch Disallowed Container # In the overridden macro, the condition would look something like
# rule). In the overridden macro, the condition would look something # (container.image.repository = vendor/container-1 or
# like (container.image.repository = vendor/container-1 or
# container.image.repository = vendor/container-2 or ...) # container.image.repository = vendor/container-2 or ...)
- macro: allowed_containers - macro: allowed_containers
condition: (proc.vpid=1) condition: (container.id exists)
- rule: Launch Disallowed Container - rule: Launch Disallowed Container
desc: > desc: >
Detect the initial process started by a container that is not in a list of allowed containers. Detect the initial process started by a container that is not in a list of allowed containers.
condition: evt.type=execve and proc.vpid=1 and container and not allowed_containers condition: container_started and container and not allowed_containers
output: Container started and not in allowed list (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag) output: Container started and not in allowed list (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
priority: WARNING priority: WARNING
tags: [container] tags: [container]

1
userspace/engine/CMakeLists.txt
View File

@@ -22,6 +22,7 @@ include_directories("${PROJECT_BINARY_DIR}/userspace/engine")
include_directories("${LUAJIT_INCLUDE}") include_directories("${LUAJIT_INCLUDE}")
include_directories("${NJSON_INCLUDE}") include_directories("${NJSON_INCLUDE}")
include_directories("${CURL_INCLUDE_DIR}") include_directories("${CURL_INCLUDE_DIR}")
include_directories("${TBB_INCLUDE_DIR}")
add_library(falco_engine STATIC add_library(falco_engine STATIC
rules.cpp rules.cpp

1
userspace/falco/CMakeLists.txt
View File

@@ -24,6 +24,7 @@ include_directories("${PROJECT_SOURCE_DIR}/../sysdig/userspace/sysdig")
include_directories("${PROJECT_SOURCE_DIR}/userspace/engine") include_directories("${PROJECT_SOURCE_DIR}/userspace/engine")
include_directories("${PROJECT_BINARY_DIR}/userspace/falco") include_directories("${PROJECT_BINARY_DIR}/userspace/falco")
include_directories("${CURL_INCLUDE_DIR}") include_directories("${CURL_INCLUDE_DIR}")
include_directories("${TBB_INCLUDE_DIR}")
include_directories("${NJSON_INCLUDE}") include_directories("${NJSON_INCLUDE}")
include_directories("${YAMLCPP_INCLUDE_DIR}") include_directories("${YAMLCPP_INCLUDE_DIR}")
include_directories("${CIVETWEB_INCLUDE_DIR}") include_directories("${CIVETWEB_INCLUDE_DIR}")