From ba1c8e45069436725b46b7bf234cde2a2ed472e3 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 26 Oct 2017 09:13:41 -0700 Subject: [PATCH 01/66] Let plesk installer write apache config. --- rules/falco_rules.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index c19a0423..31aad742 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -556,6 +556,10 @@ - macro: plesk_writing_keys condition: (proc.name in (plesk_binaries) and fd.name startswith /etc/sw/keys) +- macro: plesk_install_writing_apache_conf + condition: (proc.cmdline startswith "bash -hB /usr/lib/plesk-9.0/services/webserver.apache configure" + and fd.name="/etc/apache2/apache2.conf.tmp") + - macro: networkmanager_writing_resolv_conf condition: proc.aname[2]=nm-dispatcher and fd.name=/etc/resolv.conf @@ -602,6 +606,7 @@ and not qualys_writing_conf_files and not git_writing_nssdb and not plesk_writing_keys + and not plesk_install_writing_apache_conf and not networkmanager_writing_resolv_conf and not run_by_chef and not add_shell_writing_shells_tmp From dd3a7df34666fb54b7518af94b597ac68e3da6da Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 26 Oct 2017 09:14:01 -0700 Subject: [PATCH 02/66] Let pam-auth-update/parallels inst write to /etc --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 31aad742..3c52bd7d 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
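Review bot: The new `plesk_install_writing_apache_conf` macro exempts the /etc write rule on a `proc.cmdline startswith` prefix plus the target file alone, with no process-name or ancestry check, so any process presenting that command line while opening `/etc/apache2/apache2.conf.tmp` is exempted, whereas the neighbouring `plesk_writing_keys` anchors on `proc.name in (plesk_binaries)`. If the plesk installer is the parent of that bash (worth confirming from a captured event), `condition: (proc.pname in (plesk_binaries) and proc.cmdline startswith "bash -hB /usr/lib/plesk-9.0/services/webserver.apache configure" and fd.name=/etc/apache2/apache2.conf.tmp)` keeps the exemption tied to the product. The quoted `fd.name="..."` also differs from the unquoted path style the surrounding macros use.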
@@ -593,7 +593,7 @@ debconf-show, rollerd, bind9.postinst, sv, gen_resolvconf., update-ca-certi, certbot, runsv, qualys-cloud-ag, locales.postins, nomachine_binaries, - adclient, certutil, crlutil) + adclient, certutil, crlutil, pam-auth-update, parallels_insta) and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries, hddtemp.postins, sshkit_script_binaries, locales.postins) and not fd.name pmatch (safe_etc_dirs) and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc) From d57b3fe3cf2340a47ac877649524e7d66905b581 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 26 Oct 2017 09:15:18 -0700 Subject: [PATCH 03/66] Let spamd read sensitive files. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 3c52bd7d..66c46cda 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -667,7 +667,7 @@ items: [ iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd, vsftpd, systemd, mysql_install_d, psql, screen, debconf-show, sa-update, - pam-auth-update + pam-auth-update, /usr/sbin/spamd ] # Add conditions to this macro (probably in a separate file, From b8027b5e540923f0ab1ffda03a27eeb27c7e343e Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 26 Oct 2017 09:15:36 -0700 Subject: [PATCH 04/66] Add additional shell spawn binaries --- rules/falco_rules.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 66c46cda..f7a2af84 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
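Review bot: `parallels_insta` in the changed `proc.name` list is a 15-character truncation of the real program name, but unlike the `mesos_slave_binaries` list later in this series there is no comment saying so, and this list (which lifts the /etc write rule for the whole of /etc) already mixes truncated and full names without distinction. A short comment on the list, e.g. `# 15-char names are intentional truncations of longer program names`, would stop the next reader from "fixing" them. The enclosing rule condition starts and ends outside the hunk.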
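Review bot: `/usr/sbin/spamd` is the only full path in the `read_sensitive_file_binaries` list, whose other entries are bare names and truncations such as `check-new-relea`, and the list is compared against `proc.name`; the entry only does anything if proc.name really carries the full path for spamd, which is plausible for a script that renames itself but is not shown here. Please confirm against the original event, and if the observed name was the bare form add `spamd` instead (or alongside). A comment such as `# spamd reports its script path as its name` would record why this one entry looks different.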
@@ -792,7 +792,8 @@ timeout, updatedb.findut, adclient, systemd-udevd, luajit, uwsgi, cfn-signal, apache_control_, beam.smp, paster, postfix-local, nginx_control, mailmng-service, web_statistic_e, statistics_coll, install-info, - hawkular-metric, rhsmcertd-worke, parted, amuled, fluentd + hawkular-metric, rhsmcertd-worke, parted, amuled, fluentd, x2gormforward, + parallels_insta ] - rule: Run shell untrusted @@ -1049,7 +1050,7 @@ erl_child_setup, erlexec, ceph, PM2, pycompile, py3compile, hhvm, npm, serf, runsv, supervisord, varnishd, crond, logrotate, timeout, tini, xrdb, xfce4-session, weave, logdna-agent, bundle, configure, luajit, nginx, - beam.smp, paster, postfix-local, hawkular-metric, fluentd) + beam.smp, paster, postfix-local, hawkular-metric, fluentd, x2gormforward) and not trusted_containers and not shell_spawning_containers and not parent_java_running_echo From b993683b96a876dbc8b5a36ce9019ab7b0b95235 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 26 Oct 2017 09:35:52 -0700 Subject: [PATCH 05/66] Let java running maven spawn shells --- rules/falco_rules.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index f7a2af84..5805f935 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -386,6 +386,10 @@ (proc.pname=java and proc.pcmdline contains jenkins.war or proc.pcmdline contains /tmp/slave.jar) +- macro: parent_java_running_maven + condition: > + (proc.pname=java and proc.pcmdline contains "-classpath /usr/share/maven/") + - macro: parent_cpanm_running_perl condition: (proc.pname=perl and proc.aname[2]=cpanm) @@ -1065,6 +1069,7 @@ and not run_by_h2o and not run_by_passenger_agent and not parent_java_running_jenkins + and not parent_java_running_maven and not parent_beam_running_python and not jenkins_scripts and not bundle_running_ruby From d8fdaa0d889d4049b88050e2790d25e1d36d1bf6 Mon Sep 17 00:00:00 2001 
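Review bot: `parent_java_running_maven` tests `proc.pcmdline contains "-classpath /usr/share/maven/"`, which matches that substring anywhere in the parent's arguments rather than in the classpath position, so the exemption is wider than its name suggests; `parent_java_running_appdynamics` in patch 10 has the same shape with `contains "-jar /opt/appdynamics/"`. If the launcher invocation is stable, `proc.pcmdline startswith "java -classpath /usr/share/maven/"` is tighter; if it is not, a comment quoting the observed command line would help when this macro needs tuning later. Each of these macros is referenced only from the `and not` chain of the shell rules, so narrowing it cannot break anything else in this file.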
From: Mark Stemm Date: Thu, 26 Oct 2017 09:36:07 -0700 Subject: [PATCH 06/66] Let seed_es_acl spawn shells. --- rules/falco_rules.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 5805f935..e3e4f5c3 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -497,6 +497,9 @@ (proc.pname in (rake, ruby, scl) and proc.aname[5] in (tfm-rake,tfm-ruby)) or (proc.pname=scl and proc.aname[2] in (tfm-rake,tfm-ruby))) +- macro: run_by_openshift + condition: proc.aname[2]=es_seed_acl + # As a part of kernel upgrades, dpkg will spawn a perl script with the # name linux-image-N.N. This macro matches that. - macro: parent_linux_image_upgrade_script @@ -834,6 +837,7 @@ and not run_by_centrify and not parent_dovecot_running_auth and not run_by_foreman + and not run_by_openshift and not parent_java_running_tomcat and not parent_java_running_install4j and not parent_cpanm_running_perl From 5127d51732e3d11f8d682294294899b9b45eece4 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 26 Oct 2017 09:42:36 -0700 Subject: [PATCH 07/66] Let python run es curator as a shell --- rules/falco_rules.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index e3e4f5c3..af4c2e92 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -390,6 +390,10 @@ condition: > (proc.pname=java and proc.pcmdline contains "-classpath /usr/share/maven/") +- macro: python_running_es_curator + condition: (proc.pcmdline="python -u run_cron.py" and + proc.cmdline startswith "sh -c /usr/bin/curator") + - macro: parent_cpanm_running_perl condition: (proc.pname=perl and proc.aname[2]=cpanm) @@ -1074,6 +1078,7 @@ and not run_by_passenger_agent and not parent_java_running_jenkins and not parent_java_running_maven + and not python_running_es_curator and not parent_beam_running_python and not jenkins_scripts and not bundle_running_ruby 
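Review bot: The macro added in the first hunk matches `proc.aname[2]=es_seed_acl`, while the commit subject names the program `seed_es_acl`; the two are transposed, and if the condition is the wrong one the exemption never fires and the false positive remains. Please confirm the process name from the captured event. The macro name `run_by_openshift` is also much broader than the single ancestor it checks; a comment naming which OpenShift component runs that script, e.g. `# <component> seeds Elasticsearch ACLs via es_seed_acl, which spawns shells` with the component filled in, would make the name self-explanatory.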
From 332e3ad8747e06f6b811974915162ba9c347a409 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 26 Oct 2017 11:37:12 -0700 Subject: [PATCH 08/66] Let salt-minion spawn shells --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index af4c2e92..dbf2d70f 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -804,7 +804,7 @@ luajit, uwsgi, cfn-signal, apache_control_, beam.smp, paster, postfix-local, nginx_control, mailmng-service, web_statistic_e, statistics_coll, install-info, hawkular-metric, rhsmcertd-worke, parted, amuled, fluentd, x2gormforward, - parallels_insta + parallels_insta, salt-minion ] - rule: Run shell untrusted From 87fd4aba70b2a19ad954655bd72562327422c4b0 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 26 Oct 2017 14:17:39 -0700 Subject: [PATCH 09/66] Let mesos-journald-(logger) spawn shells --- rules/falco_rules.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index dbf2d70f..36fbf673 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -138,7 +138,9 @@ # Utility/etc programs known to run on mesos slaves. Truncation # intentional. - list: mesos_slave_binaries - items: [mesos-health-ch, mesos-docker-ex, mesos-agent, mesos-slave, mesos-logrotate, mesos-fetcher, mesos-executor, 3dt] + items: [mesos-health-ch, mesos-docker-ex, mesos-agent, mesos-slave, + mesos-logrotate, mesos-fetcher, mesos-executor, 3dt, + mesos-journald-] - list: phusion_passenger_binaries items: [PassengerAgent, PassengerWatchd] From 56e07f53f21ca7e4b450749fc4f3587dc76ba6bf Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Mon, 30 Oct 2017 22:57:08 -0700 Subject: [PATCH 10/66] Let appdynamics spawn shells. It's java, so look in classpath. --- rules/falco_rules.yaml | 6 ++++++ 1 file changed, 6 insertions(+) 
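Review bot: Adding `salt-minion` to this shell-spawning exemption list silences `Run shell untrusted` for every shell the agent starts, and a configuration-management agent's purpose is to execute whatever its master sends, so this removes visibility of that whole channel rather than of one fixed false positive. If the noise comes from a specific state or scheduled job, a dedicated macro keyed on the observed `proc.cmdline` (as `python_running_es_curator` does in patch 07) keeps the rest of the agent's activity visible. At minimum a comment next to the entry recording why salt-minion is trusted here would help whoever reviews this list later.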
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 36fbf673..bdc1a01f 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -392,6 +392,10 @@ condition: > (proc.pname=java and proc.pcmdline contains "-classpath /usr/share/maven/") +- macro: parent_java_running_appdynamics + condition: > + (proc.pname=java and proc.pcmdline contains "-jar /opt/appdynamics/") + - macro: python_running_es_curator condition: (proc.pcmdline="python -u run_cron.py" and proc.cmdline startswith "sh -c /usr/bin/curator") @@ -846,6 +850,7 @@ and not run_by_openshift and not parent_java_running_tomcat and not parent_java_running_install4j + and not parent_java_running_appdynamics and not parent_cpanm_running_perl and not parent_ruby_running_discourse and not assemble_running_php @@ -1080,6 +1085,7 @@ and not run_by_passenger_agent and not parent_java_running_jenkins and not parent_java_running_maven + and not parent_java_running_appdynamics and not python_running_es_curator and not parent_beam_running_python and not jenkins_scripts From 2eda3432e96ff681b9d3a172fbe3d68e2f2a4546 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 31 Oct 2017 20:50:58 -0700 Subject: [PATCH 11/66] Let dmeventd write additional dirs --- rules/falco_rules.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index bdc1a01f..cf2fc0c6 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -543,7 +543,8 @@ condition: (proc.name=htpasswd and fd.name=/etc/nginx/.htpasswd) - macro: dmeventd_writing_lvm_archive - condition: (proc.name=dmeventd and fd.name startswith /etc/lvm/archive/) + condition: (proc.name=dmeventd and (fd.name startswith /etc/lvm/archive or + fd.name startswith /etc/lvm/backup)) ############### # General Rules From 53776b0ec6a20cd1640f50dab63297ca9b63185b Mon Sep 17 00:00:00 2001 
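Review bot: The rewritten `dmeventd_writing_lvm_archive` condition drops the trailing slash the removed line had, so `fd.name startswith /etc/lvm/archive` now also matches any sibling path that merely begins with that string (a constructed example: `/etc/lvm/archive-old`), and the new `/etc/lvm/backup` term has the same property. `(fd.name startswith /etc/lvm/archive/ or fd.name startswith /etc/lvm/backup/)` keeps the original directory-only precision. The macro name now understates what it covers; a comment such as `# covers both the archive and backup directories` would avoid surprise if it is reused elsewhere.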
From: Mark Stemm Date: Tue, 31 Oct 2017 20:51:18 -0700 Subject: [PATCH 12/66] Add additional /etc writers --- rules/falco_rules.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index cf2fc0c6..d92a4c1d 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -611,7 +611,8 @@ debconf-show, rollerd, bind9.postinst, sv, gen_resolvconf., update-ca-certi, certbot, runsv, qualys-cloud-ag, locales.postins, nomachine_binaries, - adclient, certutil, crlutil, pam-auth-update, parallels_insta) + adclient, certutil, crlutil, pam-auth-update, parallels_insta, + openshift-launc) and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries, hddtemp.postins, sshkit_script_binaries, locales.postins) and not fd.name pmatch (safe_etc_dirs) and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc) From 6078d4bd43e4b42a9889c2ccf9abc324ea0e8a42 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 31 Oct 2017 20:56:11 -0700 Subject: [PATCH 13/66] Add docker-current as a docker binary. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index d92a4c1d..4fca2ff8 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -127,7 +127,7 @@ items: [setup-backend, dragent, sdchecks] - list: docker_binaries - items: [docker, dockerd, exe, docker-compose, docker-entrypoi, docker-runc-cur] + items: [docker, dockerd, exe, docker-compose, docker-entrypoi, docker-runc-cur, docker-current] - list: k8s_binaries items: [hyperkube, skydns, kube2sky, exechealthz] From 664d8fbc1d93f89cd835702c7ab3baeacd0c0b98 Mon Sep 17 00:00:00 2001 
From: Mark Stemm Date: Fri, 3 Nov 2017 15:44:26 -0700 Subject: [PATCH 14/66] Add addl mail config binaries Add additional mail config-related binaries. Also they aren't solely sendmail-related, so make the list mail_config_binaries. --- rules/falco_rules.yaml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 4fca2ff8..dfb46bd1 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -255,10 +255,11 @@ mailmng-core, pop3-login, dovecot-lda ] -- list: sendmail_config_binaries +- list: mail_config_binaries items: [ update_conf, parse_mc, makemap_hash, newaliases, update_mk, update_tlsm4, - update_db, update_mc, ssmtp.postinst, mailq + update_db, update_mc, ssmtp.postinst, mailq, postalias, postfix.config., + postfix.config, postfix-script ] - list: make_binaries @@ -603,7 +604,7 @@ and not proc.name in (passwd_binaries, shadowutils_binaries, sysdigcloud_binaries, package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries, dev_creation_binaries, shell_mgmt_binaries, - sendmail_config_binaries, + mail_config_binaries, sshkit_script_binaries, ldconfig.real, ldconfig, confd, gpg, insserv, apparmor_parser, update-mime, tzdata.config, tzdata.postinst, @@ -613,7 +614,7 @@ qualys-cloud-ag, locales.postins, nomachine_binaries, adclient, certutil, crlutil, pam-auth-update, parallels_insta, openshift-launc) - and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries, hddtemp.postins, sshkit_script_binaries, locales.postins) + and not proc.pname in (sysdigcloud_binaries, mail_config_binaries, hddtemp.postins, sshkit_script_binaries, locales.postins) and not fd.name pmatch (safe_etc_dirs) and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc) and not ansible_running_python 
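Review bot: The rename from `sendmail_config_binaries` to `mail_config_binaries` in the first hunk is carried through the three references in this file, but comments elsewhere on this page invite users to override macros from a separate rules file, and any such file still naming `sendmail_config_binaries` may no longer resolve once this lands; the commit message should call the rename out as a compatibility note. Separately, the new item `postfix.config.` with its trailing dot sits beside the full `postfix.config` and reads like a 15-character truncation; a comment such as `# postfix.config. is a truncated name, not a typo` would save the next reader a check.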
@@ -710,7 +711,7 @@ sensitive_files and open_read and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries, cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries, - vpn_binaries, sendmail_config_binaries, nomachine_binaries, sshkit_script_binaries, + vpn_binaries, mail_config_binaries, nomachine_binaries, sshkit_script_binaries, in.proftpd, mandb) and not cmp_cp_by_passwd and not ansible_running_python From 9ed1ff5f26a58d048139601d773b834ee9c4b1c7 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 3 Nov 2017 16:00:03 -0700 Subject: [PATCH 15/66] Add additional shell spawning cmdlines/progs --- rules/falco_rules.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index dfb46bd1..57cc6bbe 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -431,6 +431,7 @@ proc.cmdline startswith "sh -c cd '/var/www/edi/';LC_ALL=en_US.UTF-8 git" or proc.cmdline startswith "sh -c /var/www/edi/bin/sftp.sh" or proc.cmdline startswith "sh -c /usr/src/app/crxlsx/bin/linux/crxlsx" or + proc.cmdline startswith "sh -c make parent" or proc.pcmdline startswith "node /opt/nodejs/bin/yarn" or proc.pcmdline startswith "node /root/.config/yarn" or proc.pcmdline startswith "node /opt/yarn/bin/yarn.js")) @@ -813,7 +814,7 @@ luajit, uwsgi, cfn-signal, apache_control_, beam.smp, paster, postfix-local, nginx_control, mailmng-service, web_statistic_e, statistics_coll, install-info, hawkular-metric, rhsmcertd-worke, parted, amuled, fluentd, x2gormforward, - parallels_insta, salt-minion + parallels_insta, salt-minion, dnsmng, update-inetd, pum_worker, awstats_buildst ] - rule: Run shell untrusted 
@@ -1005,10 +1006,12 @@ '"sh -c node index"', '"sh -c node ./src/start.js"', '"sh -c node app.js"', + '"sh -c node -e \"require(''nan'')\""', '"sh -c node -e \"require(''nan'')\")"', '"sh -c node $NODE_DEBUG_OPTION index.js "', '"sh -c crontab -l 2"', '"sh -c lsb_release -a"', + '"sh -c lsb_release -is 2>/dev/null"', '"sh -c whoami"', '"sh -c node_modules/.bin/bower-installer"', '"sh -c /bin/hostname -f 2> /dev/null"', From 3edfc6ba8e1e3b51b06fa095b53288c45b581ee8 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 3 Nov 2017 16:01:12 -0700 Subject: [PATCH 16/66] Let plesk run mktemp below /etc --- rules/falco_rules.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 57cc6bbe..ddb53513 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -580,6 +580,9 @@ condition: (proc.cmdline startswith "bash -hB /usr/lib/plesk-9.0/services/webserver.apache configure" and fd.name="/etc/apache2/apache2.conf.tmp") +- macro: plesk_running_mktemp + condition: (proc.name=mktemp and proc.aname[3] in (plesk_binaries)) + - macro: networkmanager_writing_resolv_conf condition: proc.aname[2]=nm-dispatcher and fd.name=/etc/resolv.conf @@ -628,6 +631,7 @@ and not git_writing_nssdb and not plesk_writing_keys and not plesk_install_writing_apache_conf + and not plesk_running_mktemp and not networkmanager_writing_resolv_conf and not run_by_chef and not add_shell_writing_shells_tmp From 0020b05624cba2eb91907976574ecd4f123e584b Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 3 Nov 2017 16:01:38 -0700 Subject: [PATCH 17/66] Add additional details for some rules Helps diagnose FPs. --- rules/falco_rules.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index ddb53513..dd7fee38 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
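Review bot: The added `'"sh -c node -e \"require(''nan'')\""'` entry is placed directly above the pre-existing `'"sh -c node -e \"require(''nan'')\")"'`, which differs only by a stray `)` before the closing quote and looks like the typo this line corrects; if so the old entry cannot match a real command line and should be removed in the same change rather than left beside the fixed one. Please confirm against the original event before dropping it. The enclosing list starts and ends outside the hunk.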
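Review bot: `plesk_running_mktemp` exempts every file that mktemp opens below /etc whenever a plesk binary is three levels up the ancestry, with no `fd.name` constraint, whereas the sibling plesk macros above it each pin the path (`/etc/sw/keys`, `/etc/apache2/apache2.conf.tmp`). If the temporary files land in a known directory, adding `and fd.name startswith <observed-dir>/` (placeholder for the directory seen in the event) keeps the grant to that location; if the location genuinely varies, a comment saying so would document why this exemption is wider than its neighbours.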
@@ -643,7 +643,7 @@ - rule: Write below etc desc: an attempt to write to any file below /etc, not in a pipe installer session condition: write_etc_common and not proc.sname=fbash - output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name name=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])" + output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name name=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])" priority: ERROR tags: [filesystem] @@ -1166,7 +1166,7 @@ nomachine_binaries) and not java_running_sdjagent output: > - Unexpected setuid call by non-sudo, non-root program (user=%user.name parent=%proc.pname + Unexpected setuid call by non-sudo, non-root program (user=%user.name cur_uid=%user.uid parent=%proc.pname command=%proc.cmdline uid=%evt.arg.uid) priority: NOTICE tags: [users] From 36d775100e432686e000bf867e5597250b71be54 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 3 Nov 2017 17:26:37 -0700 Subject: [PATCH 18/66] Be more tolerant of es curator procs The command line occasionally ends with a space. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index dd7fee38..ca7435e7 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -398,7 +398,7 @@ (proc.pname=java and proc.pcmdline contains "-jar /opt/appdynamics/") - macro: python_running_es_curator - condition: (proc.pcmdline="python -u run_cron.py" and + condition: (proc.pcmdline startswith "python -u run_cron.py" and proc.cmdline startswith "sh -c /usr/bin/curator") - macro: parent_cpanm_running_perl From d36df62d1e0e342f618819f89d231e3a8cd8e9fe Mon Sep 17 00:00:00 2001 
From: Mark Stemm Date: Mon, 6 Nov 2017 15:26:03 -0800 Subject: [PATCH 19/66] Add an additional yarn cmdline. --- rules/falco_rules.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index ca7435e7..1c28ab8f 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -433,6 +433,7 @@ proc.cmdline startswith "sh -c /usr/src/app/crxlsx/bin/linux/crxlsx" or proc.cmdline startswith "sh -c make parent" or proc.pcmdline startswith "node /opt/nodejs/bin/yarn" or + proc.pcmdline startswith "node /usr/local/bin/yarn" or proc.pcmdline startswith "node /root/.config/yarn" or proc.pcmdline startswith "node /opt/yarn/bin/yarn.js")) From 01459fb49ad79b69b03861ba9f5ab9da67645c15 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Mon, 6 Nov 2017 15:26:40 -0800 Subject: [PATCH 20/66] Let threatstack spawn shells Either as tsvuln or via node cmdline. --- rules/falco_rules.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 1c28ab8f..1683390c 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -466,6 +466,9 @@ - macro: node_running_bitnami condition: proc.pname=node and proc.cmdline startswith "sh -c /opt/bitnami" +- macro: node_running_threatstack + condition: proc.pcmdline startswith "node /opt/threatstack/node_modules" + # Qualys seems to run a variety of shell subprocesses, at various # levels. This checks at a few levels without the cost of a full # proc.aname, which traverses the full parent heirarchy. 
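Review bot: `node_running_threatstack` checks only `proc.pcmdline startswith "node /opt/threatstack/node_modules"`, while `node_running_bitnami` immediately above also requires `proc.pname=node`; since a command line's first word is not guaranteed to be the program name, the pname check is what ties the exemption to the node binary. For consistency and precision: `condition: (proc.pname=node and proc.pcmdline startswith "node /opt/threatstack/node_modules")`.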
@@ -819,7 +822,8 @@ luajit, uwsgi, cfn-signal, apache_control_, beam.smp, paster, postfix-local, nginx_control, mailmng-service, web_statistic_e, statistics_coll, install-info, hawkular-metric, rhsmcertd-worke, parted, amuled, fluentd, x2gormforward, - parallels_insta, salt-minion, dnsmng, update-inetd, pum_worker, awstats_buildst + parallels_insta, salt-minion, dnsmng, update-inetd, pum_worker, awstats_buildst, + tsvuln ] - rule: Run shell untrusted @@ -864,6 +868,7 @@ and not parent_ruby_running_discourse and not assemble_running_php and not node_running_bitnami + and not node_running_threatstack and not parent_python_running_localstack output: > Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname @@ -1111,6 +1116,7 @@ and not parent_ruby_running_discourse and not assemble_running_php and not node_running_bitnami + and not node_running_threatstack and not parent_python_running_localstack output: > Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image From e9e01779017d3cbb8613ccb4abe554e984ba1caa Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Mon, 6 Nov 2017 15:27:53 -0800 Subject: [PATCH 21/66] Add additional phusion cmdlines. --- rules/falco_rules.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 1683390c..6cf69ca4 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -504,7 +504,8 @@ - macro: run_by_passenger_agent condition: ((proc.pname=ruby and proc.aname[2]=PassengerAgent) or - proc.pcmdline startswith "ruby /usr/share/passenger/helper-scripts/rack-preloader.rb") + proc.pcmdline startswith "ruby /usr/share/passenger/helper-scripts/rack-preloader.rb" or + proc.pcmdline startswith "ruby /usr/local/bundle/bin/passenger") # Also handles running semi-indirectly via scl - macro: run_by_foreman From 6aae17600f4e3270d4757d977c2d15093b850fcc Mon Sep 17 00:00:00 2001 
From: Mark Stemm Date: Tue, 7 Nov 2017 09:42:15 -0800 Subject: [PATCH 22/66] Add addl ruby proc for builds. Adding ruby2.1 --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 6cf69ca4..926c86c4 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -421,7 +421,7 @@ # close enough to add here rather than create a separate macro. - macro: parent_scripting_running_builds condition: > - (proc.pname in (php,php5-fpm,php-fpm7.1,python,ruby,ruby2.3,node) and ( + (proc.pname in (php,php5-fpm,php-fpm7.1,python,ruby,ruby2.3,ruby2.1,node) and ( proc.cmdline startswith "sh -c git" or proc.cmdline startswith "sh -c date" or proc.cmdline startswith "sh -c /usr/bin/g++" or From 480ba4e0f82ff5a0db9b5467e6f8f1a613ec3e82 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 7 Nov 2017 09:43:07 -0800 Subject: [PATCH 23/66] Let duply write below /etc/duply It's a shell script that runs touch so the detection is slightly more complicated. --- rules/falco_rules.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 926c86c4..4a2d1f26 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -594,6 +594,9 @@ - macro: add_shell_writing_shells_tmp condition: (proc.name=add-shell and fd.name=/etc/shells.tmp) +- macro: duply_writing_exclude_files + condition: (proc.name=touch and proc.pcmdline startswith "bash /usr/bin/duply" and fd.name startswith "/etc/duply") + # Add conditions to this macro (probably in a separate file, # overwriting this macro) to allow for specific combinations of # programs writing below specific directories below @@ -640,6 +643,7 @@ and not networkmanager_writing_resolv_conf and not run_by_chef and not add_shell_writing_shells_tmp + and not duply_writing_exclude_files and not parent_supervise_running_multilog and not pki_realm_writing_realms and not htpasswd_writing_passwd 
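Review bot: In `duply_writing_exclude_files`, `fd.name startswith "/etc/duply"` has no trailing slash, so it matches any path beginning with that string rather than only files under the `/etc/duply` directory the subject describes; `fd.name startswith /etc/duply/` is the precise form and also drops the quotes that none of the other path prefixes in these macros use. The condition is one long line; the surrounding macros wrap long conditions with `condition: >` or parenthesised continuation lines, which will diff more cleanly when this grows.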
From 15e2d0bf7ee228ac29d0f5d4e4400f47e87e670e Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 7 Nov 2017 09:52:14 -0800 Subject: [PATCH 24/66] Add addl bitnami conditions. --- rules/falco_rules.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 4a2d1f26..11749ab9 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -464,7 +464,9 @@ proc.aname[4]=assemble)) - macro: node_running_bitnami - condition: proc.pname=node and proc.cmdline startswith "sh -c /opt/bitnami" + condition: (proc.pname=node and + (proc.cmdline startswith "sh -c /opt/bitnami" or + proc.cmdline startswith "sh -c bin/redis-server /opt/bitnami")) - macro: node_running_threatstack condition: proc.pcmdline startswith "node /opt/threatstack/node_modules" From e4443bea8edb27d5158b8207be2f935b1e9198b9 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 7 Nov 2017 10:18:56 -0800 Subject: [PATCH 25/66] Add additional make-like binaries. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 11749ab9..b75bc463 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -263,7 +263,7 @@ ] - list: make_binaries - items: [make, gmake, cmake] + items: [make, gmake, cmake, automake, autom4te, autoheader] - list: keepalived_binaries items: [keepalived] From 9ceb11a7c83d680e2d6577cfd1b489bc54ebcb87 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 7 Nov 2017 10:19:19 -0800 Subject: [PATCH 26/66] Let update-xmlcatal(og) write below /etc/xml --- rules/falco_rules.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index b75bc463..8db3cefe 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
@@ -599,6 +599,9 @@ - macro: duply_writing_exclude_files condition: (proc.name=touch and proc.pcmdline startswith "bash /usr/bin/duply" and fd.name startswith "/etc/duply") +- macro: xmlcatalog_writing_files + condition: (proc.name=update-xmlcatal and fd.directory=/etc/xml) + # Add conditions to this macro (probably in a separate file, # overwriting this macro) to allow for specific combinations of # programs writing below specific directories below @@ -646,6 +649,7 @@ and not run_by_chef and not add_shell_writing_shells_tmp and not duply_writing_exclude_files + and not xmlcatalog_writing_files and not parent_supervise_running_multilog and not pki_realm_writing_realms and not htpasswd_writing_passwd From 6bcf397a17504c9d6bf451620602b3e0c1bd9e77 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 7 Nov 2017 10:19:42 -0800 Subject: [PATCH 27/66] Let plesk weekly cron job spawn shells --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 8db3cefe..ba6b3e04 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -834,7 +834,7 @@ nginx_control, mailmng-service, web_statistic_e, statistics_coll, install-info, hawkular-metric, rhsmcertd-worke, parted, amuled, fluentd, x2gormforward, parallels_insta, salt-minion, dnsmng, update-inetd, pum_worker, awstats_buildst, - tsvuln + tsvuln, 50plesk-daily ] - rule: Run shell untrusted From 83c309a6c03313c0f9405e534cd0745c82ad881a Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 7 Nov 2017 10:57:10 -0800 Subject: [PATCH 28/66] Let subscription-ma(nager) write to rpm db. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index ba6b3e04..7267fc5e 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
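Review bot: `xmlcatalog_writing_files` uses `fd.directory=/etc/xml`, which matches only files whose immediate directory is `/etc/xml`, while the commit subject says "below /etc/xml"; if nested catalogue directories are written too the exemption will not cover them, and if the direct-children match is intended a comment stops someone widening it later. Either `fd.name startswith /etc/xml/` or a comment `# only direct children of /etc/xml, by design` resolves the ambiguity.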
@@ -178,7 +178,7 @@ # The explicit quotes are needed to avoid the - characters being # interpreted by the filter expression. - list: rpm_binaries - items: [dnf, rpm, rpmkey, yum, '"75-system-updat"', rhsmcertd-worke] + items: [dnf, rpm, rpmkey, yum, '"75-system-updat"', rhsmcertd-worke, subscription-ma] - macro: rpm_procs condition: proc.name in (rpm_binaries) From fbb5451fd9048eb44e6f3d2f92aaedb5df329867 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 7 Nov 2017 10:59:40 -0800 Subject: [PATCH 29/66] Let python running zookeeper spawn shells --- rules/falco_rules.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 7267fc5e..a31baba8 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -370,6 +370,9 @@ - macro: parent_python_running_localstack condition: (proc.pcmdline startswith "python bin/localstack") +- macro: parent_python_running_zookeeper + condition: (proc.pcmdline startswith "python /usr/local/bin/cub") + - macro: parent_python_running_denyhosts condition: > (proc.pname=python and @@ -881,6 +884,7 @@ and not node_running_bitnami and not node_running_threatstack and not parent_python_running_localstack + and not parent_python_running_zookeeper output: > Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3] @@ -1129,6 +1133,7 @@ and not node_running_bitnami and not node_running_threatstack and not parent_python_running_localstack + and not parent_python_running_zookeeper output: > Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3]) From fdb2312bcf23d8b8082cc8f02c6fd9a59904a4dc Mon Sep 17 00:00:00 2001 
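Review bot: The comment above this list says the explicit quotes are needed to stop `-` characters being interpreted by the filter expression, yet the new `subscription-ma` is added unquoted, as the existing `rhsmcertd-worke` already is; either the comment overstates the need (the leading digits of `75-system-updat` may be what matters) or the new entry needs quoting. Please confirm the rule loads and the entry matches, and adjust the comment to say which characters actually require quoting so the next addition is not guesswork.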
From: Mark Stemm Date: Tue, 7 Nov 2017 11:00:19 -0800 Subject: [PATCH 30/66] Let perl Makefile.PL spawn shells --- rules/falco_rules.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index a31baba8..495a175c 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -440,6 +440,9 @@ proc.pcmdline startswith "node /root/.config/yarn" or proc.pcmdline startswith "node /opt/yarn/bin/yarn.js")) +- macro: makefile_perl + condition: (proc.pcmdline="perl Makefile.PL") + - macro: parent_node_running_npm condition: proc.pcmdline startswith "node /usr/local/bin/npm" @@ -862,6 +865,7 @@ and not jenkins_scripts and not parent_java_running_echo and not parent_scripting_running_builds + and not makefile_perl and not parent_Xvfb_running_xkbcomp and not parent_nginx_running_serf and not parent_node_running_npm @@ -1105,6 +1109,7 @@ and not shell_spawning_containers and not parent_java_running_echo and not parent_scripting_running_builds + and not makefile_perl and not parent_Xvfb_running_xkbcomp and not mysql_image_running_healthcheck and not parent_nginx_running_serf From 82377348ce46015b92b0202d9588aef3dbb833cd Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 7 Nov 2017 11:00:43 -0800 Subject: [PATCH 31/66] Add another way to run npm This one seen on redhat installs --- rules/falco_rules.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 495a175c..15250ae3 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -444,7 +444,8 @@ condition: (proc.pcmdline="perl Makefile.PL") - macro: parent_node_running_npm - condition: proc.pcmdline startswith "node /usr/local/bin/npm" + condition: (proc.pcmdline startswith "node /usr/local/bin/npm" or + proc.pcmdline startswith "node /opt/rh/rh-nodejs6/root/usr/bin/npm") - macro: parent_nginx_running_serf condition: (proc.pname=nginx and proc.cmdline startswith "sh -c serf") 
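Review bot: The new macro `makefile_perl` breaks the `parent_<interpreter>_running_<thing>` naming used by the macros around it (`parent_node_running_npm`, `parent_python_running_zookeeper`), and its name does not say which side of the parent/child relation it tests, although the condition is on `proc.pcmdline`. `- macro: parent_perl_running_makefile` with the same condition would read consistently in the two `and not ...` chains it is added to.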
From 0867245b73a14a502937f852d937fcb73e3280d2 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 7 Nov 2017 11:01:23 -0800 Subject: [PATCH 32/66] Let yum indirectly run user mgmt binaries They run shells that run the user binaries, at various levels in the process heirarchy. --- rules/falco_rules.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 15250ae3..30047dae 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -494,6 +494,10 @@ proc.cmdline="groupadd sumologic_collector") and (proc.pname=secureFiles.sh and proc.aname[2]=java)) +- macro: run_by_yum + condition: ((proc.pname=sh and proc.aname[2]=yum) or + (proc.aname[2]=sh and proc.aname[3]=yum)) + # Chef is similar. - macro: run_by_chef condition: (proc.aname[2]=chef_command_wr or proc.aname[3]=chef_command_wr or @@ -1214,7 +1218,8 @@ not proc.cmdline startswith "useradd -D" and not proc.cmdline startswith "systemd --version" and not run_by_qualys and - not run_by_sumologic_securefiles + not run_by_sumologic_securefiles and + not run_by_yum output: > User management binary command run outside of container (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4]) From dfbe450eeb92ed04e6b1b08285fdfc15464a0646 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 7 Nov 2017 11:02:32 -0800 Subject: [PATCH 33/66] Let datastax progs spawn shells Various script-based launch points. --- rules/falco_rules.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 30047dae..389d4ed7 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
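Review bot: `run_by_yum` is the only `run_by_*` macro in this area without a comment, and the commit message's explanation (yum runs shells that in turn run the user-management binaries, at varying depths) is exactly what a reader of the rule file needs, since the two ancestor patterns look arbitrary on their own. Suggest `# yum package scriptlets run user mgmt binaries via sh, one or two levels down` above the macro. Note that the exemption covers any command under a yum-spawned shell, not only scriptlets, so the `User mgmt binary` rule loses coverage for the duration of a package install; that is probably acceptable but worth stating in the comment.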
@@ -547,6 +547,10 @@ - macro: parent_java_running_install4j condition: (proc.pname=java and proc.pcmdline contains "-classpath i4jruntime.jar") +- macro: parent_running_datastax + condition: ((proc.pname=java and proc.pcmdline contains "-jar datastax-agent") or + (proc.pcmdline startswith "nodetool /opt/dse/bin/")) + - macro: parent_dovecot_running_auth condition: (proc.pname=auth and proc.aname[2]=dovecot) @@ -886,6 +890,7 @@ and not run_by_openshift and not parent_java_running_tomcat and not parent_java_running_install4j + and not parent_running_datastax and not parent_java_running_appdynamics and not parent_cpanm_running_perl and not parent_ruby_running_discourse @@ -1137,6 +1142,7 @@ and not parent_java_running_confluence and not parent_java_running_tomcat and not parent_java_running_install4j + and not parent_running_datastax and not ics_running_java and not parent_ruby_running_discourse and not assemble_running_php From 5755e79fe9405f8288af04e67645ea96293357eb Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 7 Nov 2017 11:03:04 -0800 Subject: [PATCH 34/66] Let polkit-agent-he(lper) read sensitive files. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 389d4ed7..472d17b0 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -722,7 +722,7 @@ items: [ iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd, vsftpd, systemd, mysql_install_d, psql, screen, debconf-show, sa-update, - pam-auth-update, /usr/sbin/spamd + pam-auth-update, /usr/sbin/spamd, polkit-agent-he ] # Add conditions to this macro (probably in a separate file, From 755068386242ed4687f81349a84e345ad9eb40ca Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 7 Nov 2017 11:03:32 -0800 Subject: [PATCH 35/66] Add additional shell spawn programs. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 472d17b0..0ba8babc 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -849,7 +849,7 @@ nginx_control, mailmng-service, web_statistic_e, statistics_coll, install-info, hawkular-metric, rhsmcertd-worke, parted, amuled, fluentd, x2gormforward, parallels_insta, salt-minion, dnsmng, update-inetd, pum_worker, awstats_buildst, - tsvuln, 50plesk-daily + tsvuln, 50plesk-daily, grubby, chkconfig, dracut-install, rhnsd ] - rule: Run shell untrusted From 24fb84df60806c2bdd66a33b186c0b72a19ea994 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 7 Nov 2017 11:14:50 -0800 Subject: [PATCH 36/66] Let docker start script spawn shells --- rules/falco_rules.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 0ba8babc..9af00b35 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -373,6 +373,9 @@ - macro: parent_python_running_zookeeper condition: (proc.pcmdline startswith "python /usr/local/bin/cub") +- macro: parent_docker_start_script + condition: (proc.pcmdline="start.sh /opt/docker/conf/start.sh") + - macro: parent_python_running_denyhosts condition: > (proc.pname=python and @@ -1150,6 +1153,7 @@ and not node_running_threatstack and not parent_python_running_localstack and not parent_python_running_zookeeper + and not parent_docker_start_script output: > Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3]) From 33faa911d766580506b958be1971dfbb50f90062 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 7 Nov 2017 11:18:33 -0800 Subject: [PATCH 37/66] Add addl npm cmdlines. --- rules/falco_rules.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 9af00b35..3fef6de8 100644 
--- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -448,6 +448,7 @@ - macro: parent_node_running_npm condition: (proc.pcmdline startswith "node /usr/local/bin/npm" or + proc.pcmdline startswith "node /usr/local/nodejs/bin/npm" or proc.pcmdline startswith "node /opt/rh/rh-nodejs6/root/usr/bin/npm") - macro: parent_nginx_running_serf From 0b775fa722c2877ffef381da42f19a27985d6b8a Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 7 Nov 2017 11:19:24 -0800 Subject: [PATCH 38/66] Let java running endeca spawn shells --- rules/falco_rules.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 3fef6de8..1ff604f4 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -551,6 +551,9 @@ - macro: parent_java_running_install4j condition: (proc.pname=java and proc.pcmdline contains "-classpath i4jruntime.jar") +- macro: parent_java_running_endeca + condition: (proc.pname=java and proc.pcmdline contains "-classpath /opt/endeca/") + - macro: parent_running_datastax condition: ((proc.pname=java and proc.pcmdline contains "-jar datastax-agent") or (proc.pcmdline startswith "nodetool /opt/dse/bin/")) @@ -894,6 +897,7 @@ and not run_by_openshift and not parent_java_running_tomcat and not parent_java_running_install4j + and not parent_java_running_endeca and not parent_running_datastax and not parent_java_running_appdynamics and not parent_cpanm_running_perl From fdebfb5b6cc38acef39a9def17864dd6b9bd4a34 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 8 Nov 2017 08:05:42 -0800 Subject: [PATCH 39/66] Add N_scheduler binaries for mesos I believe these are related to the equivalent of docker exec for mesos containers, and aren't specifically related to rabbitmq. --- rules/falco_rules.yaml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 1ff604f4..b90b2efd 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
@@ -140,7 +140,8 @@ - list: mesos_slave_binaries items: [mesos-health-ch, mesos-docker-ex, mesos-agent, mesos-slave, mesos-logrotate, mesos-fetcher, mesos-executor, 3dt, - mesos-journald-] + mesos-journald-, '"1_scheduler"', '"2_scheduler"', + '"3_scheduler"', '"4_scheduler"'] - list: phusion_passenger_binaries items: [PassengerAgent, PassengerWatchd] @@ -236,9 +237,6 @@ - list: x2go_binaries items: [x2gosuspend-age, x2goagent] -- list: xray_rabbitmq_binaries - items: ['"1_scheduler"', '"2_scheduler"', '"3_scheduler"', '"4_scheduler"'] - - list: nids_binaries items: [bro, broctl] @@ -1115,7 +1113,6 @@ chef_binaries, nomachine_binaries, x2go_binaries, - xray_rabbitmq_binaries, db_mgmt_binaries, plesk_binaries, monitoring_binaries, gitlab_binaries, initdb, awk, falco, cron, From 4a0ec07235d5bfd927bb14e448290543ea0eeedc Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 8 Nov 2017 08:12:35 -0800 Subject: [PATCH 40/66] Let celeryd spawn shells Parent process name is strange with leading [ and trailing :, so quote it. --- rules/falco_rules.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index b90b2efd..ceb9d36c 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -1119,7 +1119,8 @@ erl_child_setup, erlexec, ceph, PM2, pycompile, py3compile, hhvm, npm, serf, runsv, supervisord, varnishd, crond, logrotate, timeout, tini, xrdb, xfce4-session, weave, logdna-agent, bundle, configure, luajit, nginx, - beam.smp, paster, postfix-local, hawkular-metric, fluentd, x2gormforward) + beam.smp, paster, postfix-local, hawkular-metric, fluentd, x2gormforward, + '"[celeryd:"') and not trusted_containers and not shell_spawning_containers and not parent_java_running_echo From fe283dcd76bf20353a0264714abf9074b5097644 Mon Sep 17 00:00:00 2001 
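Review bot: The `'"1_scheduler"'` … `'"4_scheduler"'` items moved into `mesos_slave_binaries` carry no comment, while the commit message says their association with mesos is only believed, not confirmed; a reader of the list cannot recover that caveat. Record it next to the items, e.g. `# N_scheduler: believed to be the mesos equivalent of docker exec (origin not confirmed)`. Because `mesos_slave_binaries` may be referenced from rules not visible in this hunk, the entries may now inherit every exception granted to that list rather than only the one `xray_rabbitmq_binaries` had in the third hunk, which is worth checking before merging.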
From: Mark Stemm Date: Wed, 8 Nov 2017 09:21:17 -0800 Subject: [PATCH 41/66] Add exceptions for /root, / writes Java running as root as well as oracle. --- rules/falco_rules.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index ceb9d36c..58f12fa5 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -686,7 +686,10 @@ items: [/root/.monit.state] - list: known_root_directories - items: [/root/.oracle_jre_usage] + items: [/root/.oracle_jre_usage, /root/.java/.userPrefs] + +- macro: known_root_conditions + condition: (fd.name startswith /root/orcexec.) - rule: Write below root desc: an attempt to write to any file directly below / or /root @@ -694,6 +697,7 @@ root_dir and evt.dir = < and open_write and not fd.name in (known_root_files) and not fd.directory in (known_root_directories) + and not known_root_conditions output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name name=%proc.name)" priority: ERROR tags: [filesystem] From ffed7ef63c7d1c64f00354f6d754b638b9cb75ed Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 8 Nov 2017 09:28:45 -0800 Subject: [PATCH 42/66] Add additional rpm binaries. --- rules/falco_rules.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 58f12fa5..6b606871 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -179,7 +179,8 @@ # The explicit quotes are needed to avoid the - characters being # interpreted by the filter expression. - list: rpm_binaries - items: [dnf, rpm, rpmkey, yum, '"75-system-updat"', rhsmcertd-worke, subscription-ma] + items: [dnf, rpm, rpmkey, yum, '"75-system-updat"', rhsmcertd-worke, subscription-ma, + repoquery, rpmkeys] - macro: rpm_procs condition: proc.name in (rpm_binaries) From e7c2068267a70bfbb8a522a7edefafc3b4c4f75e Mon Sep 17 00:00:00 2001 
From: Mark Stemm Date: Wed, 8 Nov 2017 13:13:00 -0800 Subject: [PATCH 43/66] Add addl ruby binary when run by bundle --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 6b606871..709cb933 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -461,7 +461,7 @@ - macro: bundle_running_ruby condition: > - ((proc.pname=ruby or proc.pname contains ".rb") and ( + ((proc.pname in (ruby,ruby2.1) or proc.pname contains ".rb") and ( proc.aname[2]=bundle or proc.aname[3]=bundle or proc.aname[4]=bundle)) From 27df0ad29b9ee5b989ca21b2e1cd0f654d74db89 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 8 Nov 2017 13:38:07 -0800 Subject: [PATCH 44/66] Add nagios as a monitoring binary Runs lots of shells --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 709cb933..674b8a4b 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -242,7 +242,7 @@ items: [bro, broctl] - list: monitoring_binaries - items: [icinga2, nrpe, npcd, check_sar_perf., qualys-cloud-ag, S99qualys-cloud] + items: [icinga2, nrpe, npcd, check_sar_perf., qualys-cloud-ag, S99qualys-cloud, nagios] - macro: system_procs condition: proc.name in (coreutils_binaries, user_mgmt_binaries) From c1de3dfe7accdfd77a263347d4df8ea1aede0146 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 8 Nov 2017 13:39:20 -0800 Subject: [PATCH 45/66] Let ovsdb-server write below /etc/openvswitch --- rules/falco_rules.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 674b8a4b..bf1e0cff 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
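Review bot: `proc.pname in (ruby,ruby2.1)` in `bundle_running_ruby` omits `ruby2.3`, which the sibling macro `parent_scripting_running_builds` already lists as `ruby,ruby2.3,ruby2.1` (visible as context in the patch 59 hunk), so the two macros now disagree on which ruby interpreters count. `proc.pname in (ruby,ruby2.1,ruby2.3)` keeps them consistent and avoids a second round of this change when a ruby2.3 host produces the same alert.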
@@ -575,6 +575,8 @@ - macro: dmeventd_writing_lvm_archive condition: (proc.name=dmeventd and (fd.name startswith /etc/lvm/archive or fd.name startswith /etc/lvm/backup)) +- macro: ovsdb_writing_openvswitch + condition: (proc.name=ovsdb-server and fd.directory=/etc/openvswitch) ############### # General Rules @@ -675,6 +677,7 @@ and not pki_realm_writing_realms and not htpasswd_writing_passwd and not dmeventd_writing_lvm_archive + and not ovsdb_writing_openvswitch - rule: Write below etc desc: an attempt to write to any file below /etc, not in a pipe installer session From e02135f9f01f18a53f09c7da5677f5f28314c009 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 8 Nov 2017 13:40:36 -0800 Subject: [PATCH 46/66] Let datadog write its config files --- rules/falco_rules.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index bf1e0cff..2e8efca3 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -625,6 +625,10 @@ - macro: xmlcatalog_writing_files condition: (proc.name=update-xmlcatal and fd.directory=/etc/xml) +- macro: datadog_writing_conf + condition: (proc.cmdline startswith "python /opt/datadog-agent" + and fd.name startswith "/etc/dd-agent") + # Add conditions to this macro (probably in a separate file, # overwriting this macro) to allow for specific combinations of # programs writing below specific directories below @@ -678,6 +682,7 @@ and not htpasswd_writing_passwd and not dmeventd_writing_lvm_archive and not ovsdb_writing_openvswitch + and not datadog_writing_conf - rule: Write below etc desc: an attempt to write to any file below /etc, not in a pipe installer session From 2cbff6ff709be2d86704988141db56277262f09d Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 8 Nov 2017 13:40:56 -0800 Subject: [PATCH 47/66] Add addl safe root directories --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
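Review bot: In `datadog_writing_conf`, `fd.name startswith "/etc/dd-agent"` is a plain string prefix and also matches any sibling path that begins with those characters (a hypothetical `/etc/dd-agent-old`, for instance), not only files under the directory. `fd.name startswith /etc/dd-agent/` (or `fd.directory=/etc/dd-agent` if only the top level is written) is the tighter form, and matches the style of `ovsdb_writing_openvswitch` added in the previous patch, which also uses the unquoted path form the rest of the file prefers.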
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 2e8efca3..4c34a4f8 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -695,7 +695,7 @@ items: [/root/.monit.state] - list: known_root_directories - items: [/root/.oracle_jre_usage, /root/.java/.userPrefs] + items: [/root/.oracle_jre_usage, /root/.java/.userPrefs, /root/.ssh, /root/.cache] - macro: known_root_conditions condition: (fd.name startswith /root/orcexec.) From 2467766f071392d7bb8deb5558f92bd80cfcc9af Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 8 Nov 2017 13:41:43 -0800 Subject: [PATCH 48/66] Add addl shell spawn conditions flock can spawn shells, new allowed shell cmdline. --- rules/falco_rules.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 4c34a4f8..27e5aa10 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -1058,6 +1058,7 @@ '"sh -c getconf CLK_TCK"', '"sh -c getconf PAGESIZE"', '"sh -c LC_ALL=C LANG=C /sbin/ldconfig -p 2>/dev/null"', + '"sh -c LANG=C /sbin/ldconfig -p 2>/dev/null"', '"sh -c /sbin/ldconfig -p 2>/dev/null"', '"sh -c stty -a 2>/dev/null"', '"sh -c node index.js"', @@ -1133,7 +1134,7 @@ runsv, supervisord, varnishd, crond, logrotate, timeout, tini, xrdb, xfce4-session, weave, logdna-agent, bundle, configure, luajit, nginx, beam.smp, paster, postfix-local, hawkular-metric, fluentd, x2gormforward, - '"[celeryd:"') + '"[celeryd:"', flock) and not trusted_containers and not shell_spawning_containers and not parent_java_running_echo From 85f51cf38c504772e00cc8918442ba6323ec9b89 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 8 Nov 2017 13:42:24 -0800 Subject: [PATCH 49/66] Let salt-minion read sensitive files. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 27e5aa10..2f7b5fe9 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
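Review bot: Adding `/root/.ssh` to `known_root_directories` removes that directory from the `Write below root` rule, and `/root/.ssh` is where `authorized_keys` lives, so a credential-injection write by a root-level process would no longer be reported by this rule (to the extent `root_dir`, outside the hunk, reaches that path). If a specific file was noisy, list it in `known_root_files` instead (for example `/root/.ssh/known_hosts`), or scope the exception to the writing process via `known_root_conditions` as patch 41 does for `/root/orcexec.`. A one-line comment naming the process that motivated `/root/.cache` would help the next person deciding whether to keep it.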
@@ -765,7 +765,7 @@ and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries, cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries, vpn_binaries, mail_config_binaries, nomachine_binaries, sshkit_script_binaries, - in.proftpd, mandb) + in.proftpd, mandb, salt-minion) and not cmp_cp_by_passwd and not ansible_running_python and not proc.cmdline contains /usr/bin/mandb From 8bcd0e8f0543683ce63204b02c47602e4cdc730a Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 9 Nov 2017 14:09:36 -0800 Subject: [PATCH 50/66] Add additional cron binaries. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 2f7b5fe9..63871eb9 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -324,7 +324,7 @@ condition: fd.name in (/dev/log, /run/systemd/journal/syslog) - list: cron_binaries - items: [anacron, cron, crond] + items: [anacron, cron, crond, crontab] # https://github.com/liske/needrestart - list: needrestart_binaries From 43f7ee00fb7b870ad960399cb8e9d0a90edd414f Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 9 Nov 2017 14:10:14 -0800 Subject: [PATCH 51/66] Add an additional ics script ics_status.sh --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 63871eb9..2975ce82 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -410,7 +410,7 @@ condition: (proc.pname=perl and proc.aname[2]=cpanm) - macro: ics_running_java - condition: (proc.pname=java and proc.aname[3] in (ics_start.sh,ics_stop.sh)) + condition: (proc.pname=java and proc.aname[3] in (ics_start.sh,ics_stop.sh,ics_status.sh)) - macro: jenkins_scripts condition: (proc.pcmdline startswith "script.sh -xe /var/jenkins_home" or From e3ef7a2ed487948999d2d283b7a9b63b3070b674 Mon Sep 17 00:00:00 2001 
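Review bot: `cron_binaries` is not only a parent-process allowlist: the patch 49 hunk on this same line shows it inside `not proc.name in (... cron_binaries ...)` of the sensitive-file read rule, so adding `crontab` also excepts any process named crontab from that rule. Unlike the daemons `anacron`/`cron`/`crond`, `crontab` is a user-invoked (typically setuid) tool, and the commit message does not say which rule prompted the addition. If the shell-spawn side is all that is needed, a dedicated list for crontab avoids widening the read-sensitive exception, and a comment such as `# crontab: user tool, also exempted from read-sensitive rule` should accompany it if the wider scope is intended.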
From: Mark Stemm Date: Thu, 9 Nov 2017 14:10:35 -0800 Subject: [PATCH 52/66] Be more flexible about perl Makefile.PL Allow the command line to start with that command. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 2975ce82..3c0cf030 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -443,7 +443,7 @@ proc.pcmdline startswith "node /opt/yarn/bin/yarn.js")) - macro: makefile_perl - condition: (proc.pcmdline="perl Makefile.PL") + condition: (proc.pcmdline startswith "perl Makefile.PL") - macro: parent_node_running_npm condition: (proc.pcmdline startswith "node /usr/local/bin/npm" or From 326fb2998a3034018ef6036f500bd3946520a3e6 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 9 Nov 2017 14:11:36 -0800 Subject: [PATCH 53/66] Let curl write below the pki db Seems to do these writes on redhat? --- rules/falco_rules.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 3c0cf030..5c4865c8 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -629,6 +629,9 @@ condition: (proc.cmdline startswith "python /opt/datadog-agent" and fd.name startswith "/etc/dd-agent") +- macro: curl_writing_pki_db + condition: (proc.name=curl and fd.directory=/etc/pki/nssdb) + # Add conditions to this macro (probably in a separate file, # overwriting this macro) to allow for specific combinations of # programs writing below specific directories below @@ -683,6 +686,7 @@ and not dmeventd_writing_lvm_archive and not ovsdb_writing_openvswitch and not datadog_writing_conf + and not curl_writing_pki_db - rule: Write below etc desc: an attempt to write to any file below /etc, not in a pipe installer session From 2f4b39ae6f01726636ee512a8d6b4d36df87b5cc Mon Sep 17 00:00:00 2001 
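Review bot: `curl_writing_pki_db` excepts any process whose comm is `curl` from `Write below etc` for the entire `/etc/pki/nssdb` directory, which holds the system NSS trust database, and the commit message itself marks the observed behaviour as uncertain (`Seems to do these writes on redhat?`). It would be worth confirming which files curl actually touches there and matching them by `fd.name`, the way `java_writing_conf` in patch 63 pins a single lock file, rather than by directory. Whatever is kept should carry the reason, e.g. `# curl built against NSS has been seen writing here on RHEL -- confirm which files`.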
From: Mark Stemm Date: Thu, 9 Nov 2017 14:12:41 -0800 Subject: [PATCH 54/66] Let find spawn shells --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 5c4865c8..71b94354 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -871,7 +871,7 @@ nginx_control, mailmng-service, web_statistic_e, statistics_coll, install-info, hawkular-metric, rhsmcertd-worke, parted, amuled, fluentd, x2gormforward, parallels_insta, salt-minion, dnsmng, update-inetd, pum_worker, awstats_buildst, - tsvuln, 50plesk-daily, grubby, chkconfig, dracut-install, rhnsd + tsvuln, 50plesk-daily, grubby, chkconfig, dracut-install, rhnsd, find ] - rule: Run shell untrusted From b0bc00224c1aa741f31497c89e38b485f4023235 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 9 Nov 2017 14:13:04 -0800 Subject: [PATCH 55/66] Also let terminal shells run innocuous cmdlines The terminal shell in container rule has always been less permissive than the other shell rules, mostly because we expect terminal-attached shells to be less common. However, they might run innocuous commands, especially from scripting languages like python. So allow the innocuous commands to run. --- rules/falco_rules.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 71b94354..041d5753 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -1040,6 +1040,7 @@ condition: > spawned_process and container and shell_procs and proc.tty != 0 + and not proc.cmdline in (known_shell_spawn_cmdlines) output: > A shell was spawned in a container with an attached terminal (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty) From d5869599f7fd6056536374c79bd4de8a4d02d7b6 Mon Sep 17 00:00:00 2001 
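Review bot: `find` is a general-purpose command runner (`-exec`, `-ok`), so adding it to this parent allowlist makes `Run shell untrusted` accept any shell whose parent is `find`, independent of what the shell runs; that is far broader than the single-purpose daemons next to it in the list. If a particular maintenance job raised the alert, a cmdline-scoped macro in the style of `parent_docker_start_script` keeps the exception to that job, e.g. `condition: (proc.pname=find and proc.pcmdline startswith "find <observed path>")` with the placeholder filled from the observed event. The list is shared with other rules if referenced elsewhere in the file, which is not visible from this hunk.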
From: Mark Stemm Date: Thu, 9 Nov 2017 14:16:24 -0800 Subject: [PATCH 56/66] Add additional innocuous command lines. --- rules/falco_rules.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 041d5753..bc5aa000 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -1066,6 +1066,8 @@ '"sh -c LANG=C /sbin/ldconfig -p 2>/dev/null"', '"sh -c /sbin/ldconfig -p 2>/dev/null"', '"sh -c stty -a 2>/dev/null"', + '"sh -c stty -a < /dev/tty"', + '"sh -c stty -g < /dev/tty"', '"sh -c node index.js"', '"sh -c node index"', '"sh -c node ./src/start.js"', @@ -1080,7 +1082,8 @@ '"sh -c node_modules/.bin/bower-installer"', '"sh -c /bin/hostname -f 2> /dev/null"', '"sh -c locale -a"', - '"sh -c -t -i"' + '"sh -c -t -i"', + '"sh -c openssl version"' ] - list: known_container_shell_spawn_cmdlines @@ -1093,7 +1096,8 @@ '"sh -c curl http://localhost:6060/debug/vars>/dev/null "', '"sh -c pgrep java && exit 0 || exit 1 "', '"sh -c echo healthy "', - '"sh -c echo alive "' + '"sh -c echo alive "', + '"bash /opt/docker/bin/lar"' ] # This list allows for easy additions to the set of commands allowed From b4bd11bf7045dc0491aaa8e091a901e0086661d0 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 9 Nov 2017 14:16:52 -0800 Subject: [PATCH 57/66] Let nsrun spawn shells in containers. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index bc5aa000..8be6f020 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -1143,7 +1143,7 @@ runsv, supervisord, varnishd, crond, logrotate, timeout, tini, xrdb, xfce4-session, weave, logdna-agent, bundle, configure, luajit, nginx, beam.smp, paster, postfix-local, hawkular-metric, fluentd, x2gormforward, - '"[celeryd:"', flock) + '"[celeryd:"', flock, nsrun) and not trusted_containers and not shell_spawning_containers and not parent_java_running_echo 
From a2a4cbf586f45335721ddf49a728fbfb8d53534e Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 9 Nov 2017 14:17:38 -0800 Subject: [PATCH 58/66] Let endeca spawn shells in containers also --- rules/falco_rules.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 8be6f020..b7f2bc02 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -1180,6 +1180,7 @@ and not parent_python_running_localstack and not parent_python_running_zookeeper and not parent_docker_start_script + and not parent_java_running_endeca output: > Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3]) From 060bf78ed89589894f7b2f803eda1b0532cfa87e Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 10 Nov 2017 12:05:28 -0800 Subject: [PATCH 59/66] Add conda as a scripting binary for builds conda == python packaging tool --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index b7f2bc02..435e6c9b 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -426,7 +426,7 @@ # close enough to add here rather than create a separate macro. - macro: parent_scripting_running_builds condition: > - (proc.pname in (php,php5-fpm,php-fpm7.1,python,ruby,ruby2.3,ruby2.1,node) and ( + (proc.pname in (php,php5-fpm,php-fpm7.1,python,ruby,ruby2.3,ruby2.1,node,conda) and ( proc.cmdline startswith "sh -c git" or proc.cmdline startswith "sh -c date" or proc.cmdline startswith "sh -c /usr/bin/g++" or From e51fbd65697046fd6c4192e5152c4d9eff09d828 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 10 Nov 2017 12:06:44 -0800 Subject: [PATCH 60/66] Let python/mesos health checks spawn shells --- rules/falco_rules.yaml | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 435e6c9b..53349b86 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -553,6 +553,9 @@ - macro: parent_java_running_endeca condition: (proc.pname=java and proc.pcmdline contains "-classpath /opt/endeca/") +- macro: python_mesos_healthcheck + condition: (proc.pcmdline startswith "python /mesoshealthcheck.py") + - macro: parent_running_datastax condition: ((proc.pname=java and proc.pcmdline contains "-jar datastax-agent") or (proc.pcmdline startswith "nodetool /opt/dse/bin/")) @@ -1181,6 +1184,7 @@ and not parent_python_running_zookeeper and not parent_docker_start_script and not parent_java_running_endeca + and not python_mesos_healthcheck output: > Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3]) From 109f86cd85613df2a9aecc0be1b4dddc1c84f7f8 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 10 Nov 2017 12:08:35 -0800 Subject: [PATCH 61/66] Let ruby running pups spawn shells --- rules/falco_rules.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 53349b86..a2ada9e7 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -569,6 +569,9 @@ - macro: parent_ruby_running_discourse condition: (proc.pcmdline startswith "ruby /var/www/discourse/vendor/bundle/ruby") +- macro: parent_ruby_running_pups + condition: (proc.pcmdline startswith "ruby /pups/bin/pups") + - macro: pki_realm_writing_realms condition: (proc.cmdline startswith "bash /usr/local/lib/pki/pki-realm" and fd.name startswith /etc/pki/realms) 
@@ -920,6 +923,7 @@ and not parent_java_running_appdynamics and not parent_cpanm_running_perl and not parent_ruby_running_discourse + and not parent_ruby_running_pups and not assemble_running_php and not node_running_bitnami and not node_running_threatstack @@ -1177,6 +1181,7 @@ and not parent_running_datastax and not ics_running_java and not parent_ruby_running_discourse + and not parent_ruby_running_pups and not assemble_running_php and not node_running_bitnami and not node_running_threatstack From f379e971240491661369a7d8660271842021a560 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 10 Nov 2017 12:09:37 -0800 Subject: [PATCH 62/66] Let haproxy installation write its config files The direct or parent process starts with update-haproxy- and the file is below /etc/haproxy. --- rules/falco_rules.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index a2ada9e7..b18143e6 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -638,6 +638,10 @@ - macro: curl_writing_pki_db condition: (proc.name=curl and fd.directory=/etc/pki/nssdb) +- macro: haproxy_writing_conf + condition: ((proc.name=update-haproxy- or proc.pname=update-haproxy-) + and fd.name in (/etc/openvpn/client.map, /etc/haproxy/client.map-)) + # Add conditions to this macro (probably in a separate file, # overwriting this macro) to allow for specific combinations of # programs writing below specific directories below @@ -693,6 +697,7 @@ and not ovsdb_writing_openvswitch and not datadog_writing_conf and not curl_writing_pki_db + and not haproxy_writing_conf - rule: Write below etc desc: an attempt to write to any file below /etc, not in a pipe installer session From 8dd34205a8a0d863152e2bd653e388c79dcbb1b2 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 10 Nov 2017 12:11:26 -0800 Subject: [PATCH 63/66] Let java write specific config files below /etc --- rules/falco_rules.yaml | 4 ++++ 1 file changed, 4 insertions(+) 
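Review bot: The commit message says the file is below `/etc/haproxy`, but `haproxy_writing_conf` lists `/etc/openvpn/client.map` alongside `/etc/haproxy/client.map-`, so either the openvpn entry is a copy-and-paste slip or the message is incomplete, and the macro name hides the openvpn path from anyone reading the exception list. Either drop `/etc/openvpn/client.map` or document it in place: `# update-haproxy- also rewrites the openvpn client map`. Separately, `update-haproxy-` is 15 characters, the length at which the kernel truncates a process comm, so `proc.name=update-haproxy-` matches every program whose name starts that way; that is consistent with other truncated names in this file but deserves a comment.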
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index b18143e6..3541e9b5 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -642,6 +642,9 @@ condition: ((proc.name=update-haproxy- or proc.pname=update-haproxy-) and fd.name in (/etc/openvpn/client.map, /etc/haproxy/client.map-)) +- macro: java_writing_conf + condition: (proc.name=java and fd.name=/etc/.java/.systemPrefs/.system.lock) + # Add conditions to this macro (probably in a separate file, # overwriting this macro) to allow for specific combinations of # programs writing below specific directories below @@ -698,6 +701,7 @@ and not datadog_writing_conf and not curl_writing_pki_db and not haproxy_writing_conf + and not java_writing_conf - rule: Write below etc desc: an attempt to write to any file below /etc, not in a pipe installer session From 69ede8a785374fb3d5f7f31f017ec6bdb7a88baa Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 10 Nov 2017 12:11:56 -0800 Subject: [PATCH 64/66] Let addl progs read sensitive files They only display file meta-information. --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 3541e9b5..5be2a244 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -759,7 +759,7 @@ items: [ iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd, vsftpd, systemd, mysql_install_d, psql, screen, debconf-show, sa-update, - pam-auth-update, /usr/sbin/spamd, polkit-agent-he + pam-auth-update, /usr/sbin/spamd, polkit-agent-he, lsattr, file ] # Add conditions to this macro (probably in a separate file, From 7441052b9a2f44ecab6cb32117035f35b874818a Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 10 Nov 2017 12:12:22 -0800 Subject: [PATCH 65/66] Let consul spawn shells --- rules/falco_rules.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
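Review bot: The rationale `They only display file meta-information` does not hold for `file`, which identifies a type by reading the start of the file's content, so the new `file` entry in `read_sensitive_file_binaries` excepts a tool that really does read the protected bytes; `lsattr` queries inode attributes and fits the description. If `file` is needed, a narrower exception tied to the calling context would be preferable to a bare name, and the difference should be recorded, e.g. `# file reads content for type detection; lsattr only queries attributes`.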
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 5be2a244..946f5d60 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -886,7 +886,7 @@ nginx_control, mailmng-service, web_statistic_e, statistics_coll, install-info, hawkular-metric, rhsmcertd-worke, parted, amuled, fluentd, x2gormforward, parallels_insta, salt-minion, dnsmng, update-inetd, pum_worker, awstats_buildst, - tsvuln, 50plesk-daily, grubby, chkconfig, dracut-install, rhnsd, find + tsvuln, 50plesk-daily, grubby, chkconfig, dracut-install, rhnsd, find, consul ] - rule: Run shell untrusted @@ -1159,7 +1159,7 @@ runsv, supervisord, varnishd, crond, logrotate, timeout, tini, xrdb, xfce4-session, weave, logdna-agent, bundle, configure, luajit, nginx, beam.smp, paster, postfix-local, hawkular-metric, fluentd, x2gormforward, - '"[celeryd:"', flock, nsrun) + "[celeryd:", flock, nsrun, consul) and not trusted_containers and not shell_spawning_containers and not parent_java_running_echo From 15ed651da9d6c1d9a492b8a0396e07c7b279d611 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Fri, 10 Nov 2017 12:12:39 -0800 Subject: [PATCH 66/66] Add additional spawned shells for docker --- rules/falco_rules.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 946f5d60..d859474c 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -1113,7 +1113,10 @@ '"sh -c pgrep java && exit 0 || exit 1 "', '"sh -c echo healthy "', '"sh -c echo alive "', - '"bash /opt/docker/bin/lar"' + '"bash /opt/docker/bin/lar"', + '"bash /opt/docker/bin/irs"', + '"bash /opt/docker/bin/brs"', + '"bash /opt/docker/bin/hdi"' ] # This list allows for easy additions to the set of commands allowed
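Review bot: The second hunk turns `'"[celeryd:"'` into `"[celeryd:"`, which YAML parses as a double-quoted scalar, so the value reaching the rule parser is `[celeryd:` without the inner quotes that patch 40 added on purpose (its message notes the leading `[` and trailing `:`), and the comment above `rpm_binaries` in patch 42 says such quotes are needed so special characters are not interpreted by the filter expression. Unless the unquoted form was verified to load, restore `'"[celeryd:"', flock, nsrun, consul)`.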