From 33b9ef5d50b4ecc4064ffd4c99e6a1b3ef665250 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 8 Sep 2016 16:15:10 -0700 Subject: [PATCH 1/3] Include condition in compilation errors. When a macro/rule condition can't be compiled, include the condition in the error message.
---
 userspace/engine/lua/compiler.lua | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/userspace/engine/lua/compiler.lua b/userspace/engine/lua/compiler.lua
index 470b38b3..154922c9 100644
--- a/userspace/engine/lua/compiler.lua
+++ b/userspace/engine/lua/compiler.lua
@@ -273,7 +273,7 @@ function compiler.compile_macro(line, list_defs)
 local ast, error_msg = parser.parse_filter(line)
 if (error_msg) then
- print ("Compilation error: ", error_msg)
+ print ("Compilation error when compiling \""..line.."\": ", error_msg)
 error(error_msg)
 end
@@ -298,7 +298,7 @@ function compiler.compile_filter(name, source, macro_defs, list_defs)
 local ast, error_msg = parser.parse_filter(source)
 if (error_msg) then
- print ("Compilation error: ", error_msg)
+ print ("Compilation error when compiling \""..source.."\": ", error_msg)
 error(error_msg)
 end
From f632fa62b0b61203c7541c98dccc07177d2fcfea Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 8 Sep 2016 16:18:53 -0700 Subject: [PATCH 2/3] Parser changes to support new sysdig features Support "glob" as an operator and allow pathnames to be the index into bracketed selectors of fields.
---
 userspace/engine/lua/parser.lua | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/userspace/engine/lua/parser.lua b/userspace/engine/lua/parser.lua
index dd03b1d3..8292f352 100644
--- a/userspace/engine/lua/parser.lua
+++ b/userspace/engine/lua/parser.lua
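Review bot: The condition text is added only to the `print` that goes to stdout, while the `error(error_msg)` on the next line still raises the bare parser message, so whichever caller catches the error (and whatever it logs) never learns which macro or rule failed to compile; the compile_filter hunk below has the same gap. If nothing downstream matches on the exact error text, folding the context into the raised value, e.g. `error("Compilation error when compiling \""..line.."\": "..error_msg)` (and the `source` equivalent in compile_filter), carries the information to the caller and makes the separate print redundant. Both compile_macro and compile_filter begin before and continue after their hunks.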
@@ -218,14 +218,16 @@ local G = {
 idRest = alnum + P("_");
 Identifier = V"idStart" * V"idRest"^0;
 Macro = V"idStart" * V"idRest"^0 * -P".";
- FieldName = V"Identifier" * (P"." + V"Identifier")^1 * (P"[" * V"Int" * P"]")^-1;
+ Int = digit^1;
+ PathString = (alnum + S'-_/*?')^1;
+ Index = V"Int" + V"PathString";
+ FieldName = V"Identifier" * (P"." + V"Identifier")^1 * (P"[" * V"Index" * P"]")^-1;
 Name = C(V"Identifier") * -V"idRest";
 Hex = (P("0x") + P("0X")) * xdigit^1;
 Expo = S("eE") * S("+-")^-1 * digit^1;
 Float = (((digit^1 * P(".") * digit^0) + (P(".") * digit^1)) * V"Expo"^-1) + (digit^1 * V"Expo");
- Int = digit^1;
 Number = C(V"Hex" + V"Float" + V"Int") / function (n) return tonumber(n) end;
 String = (P'"' * C(((P'\\' * P(1)) + (P(1) - P'"'))^0) * P'"' + P"'" * C(((P"\\" * P(1)) + (P(1) - P"'"))^0) * P"'") / function (s) return fix_str(s) end;
@@ -243,6 +245,7 @@ local G = {
 symb(">") / ">" +
 symb("contains") / "contains" +
 symb("icontains") / "icontains" +
+ symb("glob") / "glob" +
 symb("startswith") / "startswith";
 InOp = kw("in") / "in";
 UnaryBoolOp = kw("not") / "not";
From 23e3e99162b5e47d8f1ec4b550ef6c51b817c833 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 8 Sep 2016 16:20:30 -0700 Subject: [PATCH 3/3] New rules related to containers. New rule 'File Open by Privileged Container' triggers when a container that is running privileged opens a file. New rule 'Sensitive Mount by Container' triggers when a container that has a sensitive mount opens a file. Currently, a sensitive mount is a mount of /proc. This depends on https://github.com/draios/sysdig/pull/655.
---
 rules/falco_rules.yaml | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index bea8769d..8747fe01 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
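Review bot: In `Index = V"Int" + V"PathString";` the `Int` alternative is redundant and can misparse: `alnum` already covers digits, and LPeg's `+` is an ordered choice that does not retry `PathString` once `Int` has matched, so a constructed index such as `[7proc]` consumes `7` via `Int`, then fails on `]` and the whole field fails instead of matching as a path. `PathString` also has no `.` in its character set, so a mount destination containing an extension or a dotted component cannot be written as an index, which effectively limits `container.mount.dest[...]` to paths like `/proc*`. Since neither alternative carries a capture in this hunk, writing `Index = V"PathString" + V"Int";` (or dropping `Int` from the choice) and adding `.` to the set would keep the existing integer indexes working while fixing both; `local G` starts before this hunk.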
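Review bot: The new `symb("glob") / "glob"` alternative comes with no comment on what it matches, and nothing visible in this series' parser or compiler defines the semantics (anchoring, case sensitivity, meaning of `*` and `?`); the third patch in the series suggests the evaluation happens on the sysdig side. A one-line comment above the alternative, such as `-- "glob" is passed through as-is; matching semantics are implemented by the sysdig filter engine`, would document the hand-off for the next person extending the operator list. The operator definition this hunk sits in begins before the hunk.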
@@ -265,7 +265,7 @@
 - rule: Change thread namespace
 desc: an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns.
 condition: evt.type = setns and not proc.name in (docker_binaries, sysdig, dragent, nsenter)
- output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline container=%container.id)"
+ output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline container=%container.name (id=%container.id))"
 priority: WARNING
 - rule: Run shell untrusted
@@ -274,6 +274,24 @@
 output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
 priority: WARNING
+- macro: trusted_containers
+ condition: (container.image startswith sysdig/agent or container.image startswith sysdig/falco or container.image startswith sysdig/sysdig)
+
+- rule: File Open by Privileged Container
+ desc: Any open by a privileged container. Exceptions are made for known trusted images.
+ condition: (open_read or open_write) and container and container.privileged=true and not trusted_containers
+ output: File opened for read/write by non-privileged container (user=%user.name command=%proc.cmdline container=%container.name (id=%container.id) file=%fd.name)
+ priority: WARNING
+
+- macro: sensitive_mount
+ condition: (container.mount.dest[/proc*] != "N/A")
+
+- rule: Sensitive Mount by Container
+ desc: Any open by a container that has a mount from a sensitive host directory (i.e. /proc). Exceptions are made for known trusted images.
+ condition: (open_read or open_write) and container and sensitive_mount and not trusted_containers
+ output: File opened for read/write by container mounting sensitive directory (user=%user.name command=%proc.cmdline container=%container.name (id=%container.id) file=%fd.name)
+ priority: WARNING
+
 # Anything run interactively by root
 # - condition: evt.type != switch and user.name = root and proc.name != sshd and interactive
 # output: "Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
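Review bot: The `output:` of 'File Open by Privileged Container' says "by non-privileged container" although its condition requires `container.privileged=true`, so every alert this rule emits describes the opposite of what was detected; change it to `output: "File opened for read/write by privileged container (user=%user.name command=%proc.cmdline container=%container.name (id=%container.id) file=%fd.name)"`, quoted like the neighbouring rules. The `trusted_containers` exception keys only on `container.image startswith sysdig/...`, a name chosen by whoever builds or tags the image, with no registry, tag or digest pinned, so any image whose name begins with one of those prefixes is excluded from both new rules; an exact-match list (`container.image in (...)`) or a second attribute would make the allowlist harder to satisfy by naming alone. `container.mount.dest[/proc*]` is a prefix glob, so a destination such as `/procdata` also counts as sensitive, and the macro appears to rely on the field yielding the literal string "N/A" when no mount matches, which deserves a comment like `# container.mount.dest[...] evaluates to "N/A" when no mount matches the pattern`. Both rules fire on every open_read/open_write event from a matching container rather than once per container, so expect high alert volume from a single long-running privileged container.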