github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-13 21:41:23 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #120 from draios/addl-container-rules

Browse Source 
Addl container rules
This commit is contained in:
Mark Stemm
2016-09-12 15:01:51 -05:00
committed by GitHub
parent fbcddba06a 23e3e99162
commit 6e9241a983
3 changed files with 26 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
rules/falco_rules.yaml
View File

@@ -265,7 +265,7 @@
- rule: Change thread namespace - rule: Change thread namespace
desc: an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns. desc: an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns.
condition: evt.type = setns and not proc.name in (docker_binaries, sysdig, dragent, nsenter) condition: evt.type = setns and not proc.name in (docker_binaries, sysdig, dragent, nsenter)
output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline container=%container.id)" output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline container=%container.name (id=%container.id))"
priority: WARNING priority: WARNING
- rule: Run shell untrusted - rule: Run shell untrusted
@@ -274,6 +274,24 @@
output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)" output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
priority: WARNING priority: WARNING
- macro: trusted_containers
condition: (container.image startswith sysdig/agent or container.image startswith sysdig/falco or container.image startswith sysdig/sysdig)
- rule: File Open by Privileged Container
desc: Any open by a privileged container. Exceptions are made for known trusted images.
condition: (open_read or open_write) and container and container.privileged=true and not trusted_containers
output: File opened for read/write by non-privileged container (user=%user.name command=%proc.cmdline container=%container.name (id=%container.id) file=%fd.name)
priority: WARNING
- macro: sensitive_mount
condition: (container.mount.dest[/proc*] != "N/A")
- rule: Sensitive Mount by Container
desc: Any open by a container that has a mount from a sensitive host directory (i.e. /proc). Exceptions are made for known trusted images.
condition: (open_read or open_write) and container and sensitive_mount and not trusted_containers
output: File opened for read/write by container mounting sensitive directory (user=%user.name command=%proc.cmdline container=%container.name (id=%container.id) file=%fd.name)
priority: WARNING
# Anything run interactively by root # Anything run interactively by root
# - condition: evt.type != switch and user.name = root and proc.name != sshd and interactive # - condition: evt.type != switch and user.name = root and proc.name != sshd and interactive
# output: "Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)" # output: "Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"

4
userspace/engine/lua/compiler.lua
View File

@@ -273,7 +273,7 @@ function compiler.compile_macro(line, list_defs)
local ast, error_msg = parser.parse_filter(line) local ast, error_msg = parser.parse_filter(line)
if (error_msg) then if (error_msg) then
print ("Compilation error: ", error_msg) print ("Compilation error when compiling \""..line.."\": ", error_msg)
error(error_msg) error(error_msg)
end end
@@ -298,7 +298,7 @@ function compiler.compile_filter(name, source, macro_defs, list_defs)
local ast, error_msg = parser.parse_filter(source) local ast, error_msg = parser.parse_filter(source)
if (error_msg) then if (error_msg) then
print ("Compilation error: ", error_msg) print ("Compilation error when compiling \""..source.."\": ", error_msg)
error(error_msg) error(error_msg)
end end

7
userspace/engine/lua/parser.lua
View File

@@ -218,14 +218,16 @@ local G = {
idRest = alnum + P("_"); idRest = alnum + P("_");
Identifier = V"idStart" * V"idRest"^0; Identifier = V"idStart" * V"idRest"^0;
Macro = V"idStart" * V"idRest"^0 * -P"."; Macro = V"idStart" * V"idRest"^0 * -P".";
FieldName = V"Identifier" * (P"." + V"Identifier")^1 * (P"[" * V"Int" * P"]")^-1; Int = digit^1;
PathString = (alnum + S'-_/*?')^1;
Index = V"Int" + V"PathString";
FieldName = V"Identifier" * (P"." + V"Identifier")^1 * (P"[" * V"Index" * P"]")^-1;
Name = C(V"Identifier") * -V"idRest"; Name = C(V"Identifier") * -V"idRest";
Hex = (P("0x") + P("0X")) * xdigit^1; Hex = (P("0x") + P("0X")) * xdigit^1;
Expo = S("eE") * S("+-")^-1 * digit^1; Expo = S("eE") * S("+-")^-1 * digit^1;
Float = (((digit^1 * P(".") * digit^0) + Float = (((digit^1 * P(".") * digit^0) +
(P(".") * digit^1)) * V"Expo"^-1) + (P(".") * digit^1)) * V"Expo"^-1) +
(digit^1 * V"Expo"); (digit^1 * V"Expo");
Int = digit^1;
Number = C(V"Hex" + V"Float" + V"Int") / Number = C(V"Hex" + V"Float" + V"Int") /
function (n) return tonumber(n) end; function (n) return tonumber(n) end;
String = (P'"' * C(((P'\\' * P(1)) + (P(1) - P'"'))^0) * P'"' + P"'" * C(((P"\\" * P(1)) + (P(1) - P"'"))^0) * P"'") / function (s) return fix_str(s) end; String = (P'"' * C(((P'\\' * P(1)) + (P(1) - P'"'))^0) * P'"' + P"'" * C(((P"\\" * P(1)) + (P(1) - P"'"))^0) * P"'") / function (s) return fix_str(s) end;
@@ -243,6 +245,7 @@ local G = {
symb(">") / ">" + symb(">") / ">" +
symb("contains") / "contains" + symb("contains") / "contains" +
symb("icontains") / "icontains" + symb("icontains") / "icontains" +
symb("glob") / "glob" +
symb("startswith") / "startswith"; symb("startswith") / "startswith";
InOp = kw("in") / "in"; InOp = kw("in") / "in";
UnaryBoolOp = kw("not") / "not"; UnaryBoolOp = kw("not") / "not";