diff --git a/rules/base.txt b/rules/base.txt
index dbffbbc0..dc77f4fb 100644
--- a/rules/base.txt
+++ b/rules/base.txt
@@ -65,72 +65,72 @@ system_users: user.name in (bin, daemon, games, lp, mail, nobody, sshd, sync, uu ####### # Don't write to binary dirs -evt.dir = > and write and bin_dir | %evt.time: Write to bin dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +evt.dir = > and write and bin_dir | Write to bin dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Don't write to /etc -evt.dir = > and write and etc_dir | %evt.time: Write to etc dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +evt.dir = > and write and etc_dir | Write to etc dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Don't read 'sensitive' files -read and not proc.name in (sshd, sudo, su) and not_cron and sensitive_files | %evt.time: Read sensitive file (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +read and not proc.name in (sshd, sudo, su) and not_cron and sensitive_files | Read sensitive file (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Don't modify binary dirs -modify and (bin_dir_rename or bin_dir_mkdir) | %evt.time: Modify bin dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +modify and (bin_dir_rename or bin_dir_mkdir) | Modify bin dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Don't load shared objects coming from unexpected places read and fd.name contains .so and not (ubuntu_so_dirs or centos_so_dirs) | output.first_sequence(evt, "fd.filename", "shared_obj", "%evt.time: .so from unexpected dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)") # Attempts to access things that shouldn't be -evt.res = EACCES | %evt.time: EACCESS (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +evt.res = EACCES | EACCESS (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Only sysdig and docker can call setns -syscall.type = setns and not proc.name in (docker, sysdig) | %evt.time: Unexpected setns (%user.name %proc.name %evt.dir %evt.type 
%evt.args %fd.name) +syscall.type = setns and not proc.name in (docker, sysdig) | Unexpected setns (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Shells should only be run by cron or sshd -proc.name = bash and not proc.pname in (bash, sshd, cron, sudo, su, tmux) | %evt.time: Unexpected shell (%user.name %proc.name %proc.pname %evt.dir %evt.type %evt.args %fd.name) +proc.name = bash and not proc.pname in (bash, sshd, cron, sudo, su, tmux) | Unexpected shell (%user.name %proc.name %proc.pname %evt.dir %evt.type %evt.args %fd.name) # Anything run interactively by root -# evt.type != switch and user.name = root and proc.name != sshd and interactive | %evt.time: Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +# evt.type != switch and user.name = root and proc.name != sshd and interactive | Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Anything run interactively by a non-login user -system_users and interactive | %evt.time: Sytem user ran an interactive command (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +system_users and interactive | Sytem user ran an interactive command (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Chmod should only be run interactively (by a user) -syscall.type = chmod and not interactive | %evt.time: non-interactive chmod (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +syscall.type = chmod and not interactive | non-interactive chmod (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Shells in a container -container and proc.name = bash | %evt.time: shell in a container (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +container and proc.name = bash | shell in a container (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Network traffic to/from standard utils # sockfamily ip is to exclude certain processes (like 'groups') that communicate on unix-domain sockets -fd.sockfamily = 
ip and system_binaries | %evt.time: network traffic to %proc.name (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +fd.sockfamily = ip and system_binaries | network traffic to %proc.name (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # SSH errors (failed logins, disconnects, ..) -syslog and ssh_error_message and evt.dir = < | %evt.time: sshd error (%proc.name %evt.arg.data) +syslog and ssh_error_message and evt.dir = < | sshd error (%proc.name %evt.arg.data) # Non-sudo setuid -evt.type=setuid and not_cron and not proc.name in (sudo, sshd) | %evt.time: unexpected setuid call by non-sudo (%user.name %proc.name %evt.dir %evt.type %evt.args) +evt.type=setuid and not_cron and not proc.name in (sudo, sshd) | unexpected setuid call by non-sudo (%user.name %proc.name %evt.dir %evt.type %evt.args) # User management (su and sudo are ok) -not proc.name in (su, sudo) and (adduser_binaries or login_binaries or passwd_binaries or shadowutils_binaries) | %evt.time: user-management binary command run (%user.name %proc.name %evt.dir %evt.type %evt.args) +not proc.name in (su, sudo) and (adduser_binaries or login_binaries or passwd_binaries or shadowutils_binaries) | user-management binary command run (%user.name %proc.name %evt.dir %evt.type %evt.args) # Some rootkits hide files in /dev # (we may need to add additional checks against false positives, see: https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/86153) -(evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null | %evt.time: file created in /dev (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +(evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null | file created in /dev (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Elasticsearch ports elasticsearch_cluster_port: fd.sport=9300 elasticsearch_api_port: fd.sport=9200 
elasticsearch_port: elasticsearch_cluster_port or elasticsearch_api_port -user.name = elasticsearch and inbound and not elasticsearch_port | %evt.time: Unexpected Elasticsearch inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) -user.name = elasticsearch and outbound and not elasticsearch_cluster_port | %evt.time: Unexpected Elasticsearch outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = elasticsearch and inbound and not elasticsearch_port | Unexpected Elasticsearch inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = elasticsearch and outbound and not elasticsearch_cluster_port | Unexpected Elasticsearch outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # ActiveMQ ports activemq_cluster_port: fd.sport=61616 activemq_web_port: fd.sport=8161 activemq_port: activemq_web_port or activemq_cluster_port -user.name = activemq and inbound and not activemq_port | %evt.time: Unexpected ActiveMQ inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) -user.name = activemq and outbound and not activemq_cluster_port | %evt.time: Unexpected ActiveMQ outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = activemq and inbound and not activemq_port | Unexpected ActiveMQ inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = activemq and outbound and not activemq_cluster_port | Unexpected ActiveMQ outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Cassandra ports 
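Review bot: The rewritten "Sytem user ran an interactive command" line keeps its misspelling even though the whole line is replaced; `system_users and interactive | System user ran an interactive command (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)` fixes it, and the EACCES rule in the same hunk reports `EACCESS` although the errno it matches is `EACCES`. The `.so from unexpected dir` rule is the one output here that is not rewritten and still carries `%evt.time: ` inside its `output.first_sequence(...)` string; if the loader only prepends the timestamp on the plain-format path, that is correct but easy to "clean up" by mistake later. A comment on that line such as `# output functions receive the raw format string, so the timestamp is kept here` would make the asymmetry deliberate.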
@@ -142,8 +142,8 @@ cassandra_ssl_cluster_port: fd.sport=7001 cassandra_jmx_port: fd.sport=7199 cassandra_port: cassandra_thrift_client_port or cassandra_cql_port or cassandra_cluster_port or cassandra_ssl_cluster_port or cassandra_jmx_port -user.name = cassandra and inbound and not cassandra_port | %evt.time: Unexpected Cassandra inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) -user.name = cassandra and outbound and not (cassandra_ssl_cluster_port or cassandra_cluster_port) | %evt.time: Unexpected Cassandra outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = cassandra and inbound and not cassandra_port | Unexpected Cassandra inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = cassandra and outbound and not (cassandra_ssl_cluster_port or cassandra_cluster_port) | Unexpected Cassandra outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Couchbase ports # http://docs.couchbase.com/admin/admin/Install/install-networkPorts.html 
@@ -175,8 +175,8 @@ couchbase_dataexchange_port: fd.sport>=21100 and fd.sport<=21299 couchbase_internal_port: couchbase_bucket_port or couchbase_epmd_port or couchbase_dataexchange_port couchbase_port: couchbase_web_port or couchbase_api_port or couchbase_ssl_bucket_port or couchbase_internal_port or couchbase_bucket_port_ie or couchbase_client_interface_port or couchbase_incoming_ssl or couchbase_outgoing_ssl or couchbase_internal_rest_port or couchbase_internal_capi_port -user.name = couchbase and inbound and not couchbase_port | %evt.time: Unexpected Couchbase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) -user.name = couchbase and outbound and not couchbase_internal_port | %evt.time: Unexpected Couchbase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = couchbase and inbound and not couchbase_port | Unexpected Couchbase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = couchbase and outbound and not couchbase_internal_port | Unexpected Couchbase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Couchdb ports 
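Review bot: The rewritten Couchbase outbound rule still labels itself as an inbound alert, so an analyst reading the output cannot tell the two rules apart; the text after `|` should be `Unexpected Couchbase outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)`. The filter half of the line (`outbound and not couchbase_internal_port`) is fine, only the message is wrong. Since the commit replaces the whole line anyway, this is the moment to correct it.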
@@ -190,19 +190,19 @@ couchdb_httpd_ssl_port: fd.sport=6984 etcd_client_port: fd.sport=2379 etcd_peer_port: fd.sport=2380 # need to double-check which user etcd runs as -user.name = etcd and inbound and not (etcd_client_port or etcd_peer_port) | %evt.time: Unexpected Etcd inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) -user.name = etcd and outbound and not couchbase_internal_port | %evt.time: Unexpected Etcd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = etcd and inbound and not (etcd_client_port or etcd_peer_port) | Unexpected Etcd inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = etcd and outbound and not couchbase_internal_port | Unexpected Etcd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Fluentd ports fluentd_http_port: fd.sport=9880 fluentd_forward_port: fd.sport=24224 -user.name = td-agent and inbound and not (fluentd_forward_port or fluentd_http_port) | %evt.time: Unexpected Fluentd inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) -user.name = td-agent and outbound and not fluentd_forward_port | %evt.time: Unexpected Fluentd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = td-agent and inbound and not (fluentd_forward_port or fluentd_http_port) | Unexpected Fluentd inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = td-agent and outbound and not fluentd_forward_port | Unexpected Fluentd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Gearman ports # http://gearman.org/protocol/ -user.name = gearman and outbound and outbound and not fd.sport = 4730 | %evt.time: Unexpected Gearman outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = gearman and outbound and outbound and not fd.sport = 4730 | Unexpected Gearman outbound port (%user.name %proc.name %evt.dir 
%evt.type %evt.args %fd.name) # Zookeeper zookeeper_port: fd.sport = 2181 
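Review bot: The rewritten etcd outbound rule negates `couchbase_internal_port` rather than an etcd macro, so outbound connections from the etcd user to Couchbase's internal ports never alert while legitimate peer traffic on 2380 is reported; the line should read `user.name = etcd and outbound and not etcd_peer_port | Unexpected Etcd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)` (or whichever etcd port set the maintainers intend, given the `# need to double-check which user etcd runs as` note above it). The Gearman rule in the same hunk repeats `outbound and outbound`; it is harmless but reads as a leftover and should be `user.name = gearman and outbound and not fd.sport = 4730 | ...`. Both lines are rewritten by this commit, so the fix costs nothing extra.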
@@ -220,15 +220,15 @@ hbase_thrift_info_port: fd.sport = 9095 # If you're not running HBase under the 'hbase' user, adjust first expression # in each rule below -user.name = hbase and inbound and not (hbase_master_port or hbase_master_info_port or hbase_regionserver_port or hbase_regionserver_info_port or hbase_rest_port or hbase_rest_info_port or hbase_regionserver_thrift_port or hbase_thrift_info_port) | %evt.time: Unexpected HBase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) -user.name = hbase and outbound and not (zookeeper_port or hbase_master_port or hbase_regionserver_port) | %evt.time: Unexpected HBase outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = hbase and inbound and not (hbase_master_port or hbase_master_info_port or hbase_regionserver_port or hbase_regionserver_info_port or hbase_rest_port or hbase_rest_info_port or hbase_regionserver_thrift_port or hbase_thrift_info_port) | Unexpected HBase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = hbase and outbound and not (zookeeper_port or hbase_master_port or hbase_regionserver_port) | Unexpected HBase outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Kafka ports -user.name = kafka and inbound and fd.sport != 9092 | %evt.time: Unexpected Kafka inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = kafka and inbound and fd.sport != 9092 | Unexpected Kafka inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # Memcached ports -user.name = memcached and inbound and fd.sport != 11211 | %evt.time: Unexpected Memcached inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = memcached and inbound and fd.sport != 11211 | Unexpected Memcached inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # MongoDB ports mongodb_server_port: fd.sport = 27017 
@@ -236,7 +236,7 @@ mongodb_shardserver_port: fd.sport = 27018 mongodb_configserver_port: fd.sport = 27019 mongodb_webserver_port: fd.sport = 28017 -user.name = mongodb and inbound and not (mongodb_server_port or mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port) | %evt.time: Unexpected MongoDF inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = mongodb and inbound and not (mongodb_server_port or mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port) | Unexpected MongoDF inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) # MySQL ports -user.name = mysql and inbound and fd.sport != 3306 | %evt.time: Unexpected MySQL inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) +user.name = mysql and inbound and fd.sport != 3306 | Unexpected MySQL inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name) diff --git a/userspace/digwatch/lua/rule_loader.lua b/userspace/digwatch/lua/rule_loader.lua index bb5fae9d..0d930cce 100644 --- a/userspace/digwatch/lua/rule_loader.lua +++ b/userspace/digwatch/lua/rule_loader.lua @@ -5,7 +5,7 @@ --]] -local DEFAULT_OUTPUT_FORMAT = "%evt.num %evt.time %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.args" +local DEFAULT_OUTPUT_FORMAT = "%evt.time: %evt.num %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.args" local compiler = require "compiler" @@ -113,7 +113,7 @@ function set_output(output_ast) format = output_ast.value end - state.outputs[state.n_rules] = {type="format", formatter=digwatch.formatter(format)} + state.outputs[state.n_rules] = {type="format", formatter=digwatch.formatter("%evt.time: "..format)} elseif (output_ast.type == "FunctionCall") then require(output_ast.mname)
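Review bot: The rewritten MongoDB inbound rule still says `Unexpected MongoDF inbound port`; since the whole line is being replaced, the message should read `Unexpected MongoDB inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)`. Alert text is what operators search and correlate on, so a misspelled service name is more than cosmetic.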
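Review bot: The `"%evt.time: "` prefix is now hard-coded twice in rule_loader.lua — in the DEFAULT_OUTPUT_FORMAT hunk and again in the set_output hunk's concatenation `digwatch.formatter("%evt.time: "..format)` — so the two can drift apart; a single `local OUTPUT_TIME_PREFIX = "%evt.time: "` used in both places would keep them aligned. The set_output hunk leaves the `FunctionCall` branch untouched, which as far as the hunk shows means outputs produced through `output.*` functions do not receive the prefix; if that is intended, a one-line comment on the format branch such as `-- rule text no longer carries %evt.time; it is prepended here for plain-format outputs only` would document it. set_output's body starts and ends outside the hunk.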