Add initial set of Cloudtrail rules

These rules can be used when combined with the cloudtrail plugin. They're installed to /etc/falco like the other rules files. Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Co-authored-by: Loris Degioanni <loris@sysdig.com> Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2025-08-01 06:29:47 +00:00 · 2021-10-15 16:35:06 -07:00 · 2021-10-15 16:35:06 -07:00 · 69e32f7ed1
commit 69e32f7ed1
parent 38a7f7ada0
2 changed files with 446 additions and 0 deletions
--- a/rules/CMakeLists.txt
+++ b/rules/CMakeLists.txt
@ -23,6 +23,7 @@ if(NOT DEFINED FALCO_RULES_DEST_FILENAME)
  set(FALCO_LOCAL_RULES_DEST_FILENAME "falco_rules.local.yaml")
  set(FALCO_APP_RULES_DEST_FILENAME "application_rules.yaml")
  set(FALCO_K8S_AUDIT_RULES_DEST_FILENAME "k8s_audit_rules.yaml")
+  set(FALCO_AWS_CLOUDTRAIL_RULES_DEST_FILENAME "aws_cloudtrail_rules.yaml")
 endif()

 if(DEFINED FALCO_COMPONENT)
@ -59,5 +60,10 @@ else()
    DESTINATION "${FALCO_ETC_DIR}/rules.available"
    RENAME "${FALCO_APP_RULES_DEST_FILENAME}")

+  install(
+    FILES aws_cloudtrail_rules.yaml
+    DESTINATION "${FALCO_ETC_DIR}"
+    RENAME "${FALCO_AWS_CLOUDTRAIL_RULES_DEST_FILENAME}")
+
  install(DIRECTORY DESTINATION "${FALCO_ETC_DIR}/rules.d")
 endif()
--- a/rules/aws_cloudtrail_rules.yaml
+++ b/rules/aws_cloudtrail_rules.yaml
@ -0,0 +1,440 @@
+#
+# Copyright (C) 2019 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# All rules files related to plugins should require engine version 10
+- required_engine_version: 10
+
+# These rules can be read by cloudtrail plugin version 0.1.0, or
+# anything semver-compatible.
+- required_plugin_versions:
+  - name: cloudtrail
+    version: 0.1.0
+
+# Note that this rule is disabled by default. It's useful only to
+# verify that the cloudtrail plugin is sending events properly.  The
+# very broad condition evt.num > 0 only works because the rule source
+# is limited to aws_cloudtrail. This ensures that the only events that
+# are matched against the rule are from the cloudtrail plugin (or
+# a different plugin with the same source).
+- rule: All Cloudtrail Events
+  desc: Match all cloudtrail events.
+  condition:
+    evt.num > 0
+  output: Some Cloudtrail Event (evtnum=%evt.num info=%evt.plugininfo ts=%evt.time.iso8601 id=%ct.id error=%ct.error)
+  priority: DEBUG
+  tags:
+  - cloud
+  - aws
+  source: aws_cloudtrail
+  enabled: false
+
+- rule: Console Login Through Assume Role
+  desc: Detect a console login through Assume Role.
+  condition:
+    ct.name="ConsoleLogin" and not ct.error exists
+    and ct.user.identitytype="AssumedRole"
+    and json.value[/responseElements/ConsoleLogin]="Success"
+  output:
+    Detected a console login through Assume Role
+    (principal=%ct.user.principalid,
+    assumedRole=%ct.user.arn,
+    requesting IP=%ct.srcip,
+    AWS region=%ct.region)
+  priority: WARNING
+  tags:
+  - cloud
+  - aws
+  - aws_console
+  - aws_iam
+  source: aws_cloudtrail
+
+- rule: Console Login Without MFA
+  desc: Detect a console login without MFA.
+  condition:
+    ct.name="ConsoleLogin" and not ct.error exists
+    and ct.user.identitytype!="AssumedRole"
+    and json.value[/responseElements/ConsoleLogin]="Success"
+    and json.value[/additionalEventData/MFAUsed]="No"
+  output:
+    Detected a console login without MFA
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region)
+  priority: CRITICAL
+  tags:
+    - cloud
+    - aws
+    - aws_console
+    - aws_iam
+  source: aws_cloudtrail
+
+- rule: Console Root Login Without MFA
+  desc: Detect root console login without MFA.
+  condition:
+    ct.name="ConsoleLogin" and not ct.error exists
+    and json.value[/additionalEventData/MFAUsed]="No"
+    and ct.user.identitytype!="AssumedRole"
+    and json.value[/responseElements/ConsoleLogin]="Success"
+    and ct.user.identitytype="Root"
+  output:
+    Detected a root console login without MFA.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region)
+  priority: CRITICAL
+  tags:
+    - cloud
+    - aws
+    - aws_console
+    - aws_iam
+  source: aws_cloudtrail
+
+- rule: Deactivate MFA for Root User
+  desc: Detect deactivating MFA configuration for root.
+  condition:
+    ct.name="DeactivateMFADevice" and not ct.error exists
+    and ct.user.identitytype="Root"
+    and ct.request.username="AWS ROOT USER"
+  output:
+    Multi Factor Authentication configuration has been disabled for root
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     MFA serial number=%ct.request.serialnumber)
+  priority: CRITICAL
+  tags:
+    - cloud
+    - aws
+    - aws_iam
+  source: aws_cloudtrail
+
+- rule: Create AWS user
+  desc: Detect creation of a new AWS user.
+  condition:
+    ct.name="CreateUser" and not ct.error exists
+  output:
+    A new AWS user has been created
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     new user created=%ct.request.username)
+  priority: INFO
+  tags:
+    - cloud
+    - aws
+    - aws_iam
+  source: aws_cloudtrail
+
+- rule: Create Group
+  desc: Detect creation of a new user group.
+  condition:
+    ct.name="CreateGroup" and not ct.error exists
+  output:
+    A new user group has been created.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     group name=%ct.request.groupname)
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_iam
+  source: aws_cloudtrail
+
+- rule: Delete Group
+  desc: Detect deletion of a user group.
+  condition:
+    ct.name="DeleteGroup" and not ct.error exists
+  output:
+    A user group has been deleted.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     group name=%ct.request.groupname)
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_iam
+  source: aws_cloudtrail
+
+- rule: ECS Service Created
+  desc: Detect a new service is created in ECS.
+  condition:
+    ct.src="ecs.amazonaws.com" and
+    ct.name="CreateService" and
+    not ct.error exists
+  output:
+    A new service has been created in ECS
+    (requesting user=%ct.user,
+    requesting IP=%ct.srcip,
+    AWS region=%ct.region,
+    cluster=%ct.request.cluster,
+    service name=%ct.request.servicename,
+    task definition=%ct.request.taskdefinition)
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_ecs
+    - aws_fargate
+  source: aws_cloudtrail
+
+- rule: ECS Task Run or Started
+  desc: Detect a new task is started in ECS.
+  condition:
+    ct.src="ecs.amazonaws.com" and
+    (ct.name="RunTask" or ct.name="StartTask") and
+    not ct.error exists
+  output:
+    A new task has been started in ECS
+    (requesting user=%ct.user,
+    requesting IP=%ct.srcip,
+    AWS region=%ct.region,
+    cluster=%ct.request.cluster,
+    task definition=%ct.request.taskdefinition)
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_ecs
+    - aws_fargate
+  source: aws_cloudtrail
+
+- rule: Create Lambda Function
+  desc: Detect creation of a Lambda function.
+  condition:
+    ct.name="CreateFunction20150331" and not ct.error exists
+  output:
+    Lambda function has been created.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     lambda function=%ct.request.functionname)
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_lambda
+  source: aws_cloudtrail
+
+- rule: Update Lambda Function Code
+  desc: Detect updates to a Lambda function code.
+  condition:
+    ct.name="UpdateFunctionCode20150331v2" and not ct.error exists
+  output:
+    The code of a Lambda function has been updated.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     lambda function=%ct.request.functionname)
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_lambda
+  source: aws_cloudtrail
+
+- rule: Update Lambda Function Configuration
+  desc: Detect updates to a Lambda function configuration.
+  condition:
+    ct.name="UpdateFunctionConfiguration20150331v2" and not ct.error exists
+  output:
+    The configuration of a Lambda function has been updated.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     lambda function=%ct.request.functionname)
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_lambda
+  source: aws_cloudtrail
+
+- rule: Run Instances
+  desc: Detect launching of a specified number of instances.
+  condition:
+    ct.name="RunInstances" and not ct.error exists
+  output:
+    A number of instances have been launched.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     availability zone=%ct.request.availabilityzone,
+     subnet id=%ct.response.subnetid,
+     reservation id=%ct.response.reservationid)
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_ec2
+  source: aws_cloudtrail
+
+# Only instances launched on regions in this list are approved.
+- list: approved_regions
+  items:
+    - us-east-0
+
+- rule: Run Instances in Non-approved Region
+  desc: Detect launching of a specified number of instances in a non-approved region.
+  condition:
+    ct.name="RunInstances" and not ct.error exists and
+    not ct.region in (approved_regions)
+  output:
+    A number of instances have been launched in a non-approved region.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     availability zone=%ct.request.availabilityzone,
+     subnet id=%ct.response.subnetid,
+     reservation id=%ct.response.reservationid,
+     image id=%json.value[/responseElements/instancesSet/items/0/instanceId])
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_ec2
+  source: aws_cloudtrail
+
+- rule: Delete Bucket Encryption
+  desc: Detect deleting configuration to use encryption for bucket storage.
+  condition:
+    ct.name="DeleteBucketEncryption" and not ct.error exists
+  output:
+    A encryption configuration for a bucket has been deleted
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     bucket=%s3.bucket)
+  priority: CRITICAL
+  tags:
+    - cloud
+    - aws
+    - aws_s3
+  source: aws_cloudtrail
+
+- rule: Delete Bucket Public Access Block
+  desc: Detect deleting blocking public access to bucket.
+  condition:
+    ct.name="PutBucketPublicAccessBlock" and not ct.error exists and
+    json.value[/requestParameters/publicAccessBlock]="" and
+      (json.value[/requestParameters/PublicAccessBlockConfiguration/RestrictPublicBuckets]=false or
+      json.value[/requestParameters/PublicAccessBlockConfiguration/BlockPublicPolicy]=false or
+      json.value[/requestParameters/PublicAccessBlockConfiguration/BlockPublicAcls]=false or
+      json.value[/requestParameters/PublicAccessBlockConfiguration/IgnorePublicAcls]=false)
+  output:
+    A pulic access block for a bucket has been deleted
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     bucket=%s3.bucket)
+  priority: CRITICAL
+  tags:
+    - cloud
+    - aws
+    - aws_s3
+  source: aws_cloudtrail
+
+- rule: List Buckets
+  desc: Detect listing of all S3 buckets.
+  condition:
+    ct.name="ListBuckets" and not ct.error exists
+  output:
+    A list of all S3 buckets has been requested.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     host=%ct.request.host)
+  priority: WARNING
+  enabled: false
+  tags:
+    - cloud
+    - aws
+    - aws_s3
+  source: aws_cloudtrail
+
+- rule: Put Bucket ACL
+  desc: Detect setting the permissions on an existing bucket using access control lists.
+  condition:
+    ct.name="PutBucketAcl" and not ct.error exists
+  output:
+    The permissions on an existing bucket have been set using access control lists.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     bucket name=%s3.bucket)
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_s3
+  source: aws_cloudtrail
+
+- rule: Put Bucket Policy
+  desc: Detect applying an Amazon S3 bucket policy to an Amazon S3 bucket.
+  condition:
+    ct.name="PutBucketPolicy" and not ct.error exists
+  output:
+    An Amazon S3 bucket policy has been applied to an Amazon S3 bucket.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     bucket name=%s3.bucket,
+     policy=%ct.request.policy)
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_s3
+  source: aws_cloudtrail
+
+- rule: CloudTrail Trail Created
+  desc: Detect creation of a new trail.
+  condition:
+    ct.name="CreateTrail" and not ct.error exists
+  output:
+    A new trail has been created.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     trail name=%ct.request.name)
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_cloudtrail
+  source: aws_cloudtrail
+
+- rule: CloudTrail Logging Disabled
+  desc: The CloudTrail logging has been disabled, this could be potentially malicious.
+  condition:
+    ct.name="StopLogging" and not ct.error exists
+  output:
+    The CloudTrail logging has been disabled.
+    (requesting user=%ct.user,
+     requesting IP=%ct.srcip,
+     AWS region=%ct.region,
+     resource name=%ct.request.name)
+  priority: WARNING
+  tags:
+    - cloud
+    - aws
+    - aws_cloudtrail
+  source: aws_cloudtrail
+