From 9c4bfecd40cf96c8aff34c2409f56ea490d8eef7 Mon Sep 17 00:00:00 2001
From: Henri DF
Date: Wed, 2 Mar 2016 12:18:08 -0800
Subject: [PATCH] Progress on base rules

---
 rules/base.txt | 29 ++++++++++++++++-------------
 1 file changed, 16 insertions(+), 13 deletions(-)

diff --git a/rules/base.txt b/rules/base.txt
index 07c0c4fa..237d92f9 100644
--- a/rules/base.txt
+++ b/rules/base.txt
@@ -22,6 +22,9 @@ bin_dir_rename: evt.arg[1] contains /bin or evt.arg[1] contains /sbin or evt.arg
 ubuntu_so_dirs: fd.directory contains /lib/x86_64-linux-gnu or fd.directory contains /usr/lib/x86_64-linux-gnu or fd.directory contains /usr/lib/sudo
 centos_so_dirs: fd.directory contains /lib64 or fd.directory contains /user/lib64 or fd.directory contains /usr/libexec
+coreutils_binaries: proc.name in (truncate, sha1sum, numfmt, fmt, fold, uniq, cut, who, groups, csplit, sort, expand, printf, printenv, unlink, tee, chcon, stat, basename, split, nice, yes, whoami, sha224sum, hostid, users, stdbuf, base64, unexpand, cksum, od, paste, nproc, pathchk, sha256sum, wc, test, comm, arch, du, factor, sha512sum, md5sum, tr, runcon, env, dirname, tsort, join, shuf, install, logname, pinky, nohup, expr, pr, tty, timeout, tail, [, seq, sha384sum, nl, head, id, mkfifo, sum, dircolors, ptx, shred, tac, link, chroot, vdir, chown, touch, ls, dd, uname, true, pwd, date, chgrp, chmod, mktemp, cat, mknod, sync, ln, false, rm, mv, cp, echo, readlink, sleep, stty, mkdir, df, dir, rmdir, touch)
+
+
 # Network
 inbound: (syscall.type=listen and evt.dir=>) or (syscall.type=accept and evt.dir=<)
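Review bot: `touch` appears twice in the new `coreutils_binaries` list (once after `chown`, again as the last entry), so one of the two can be dropped. The macro matches on `proc.name`, which is only the executable's basename and is whatever name a process happens to run under, so it recognises a coreutil by name rather than by location; a comment next to the macro such as `# name-based match on proc.name (basename only): a heuristic, not a strict identification of the coreutils binaries` would make that limitation explicit for anyone building rules on top of it. Whether a bare `[` parses cleanly inside an `in (...)` list depends on the rule parser and is worth confirming. Separately, the adjacent context line `centos_so_dirs` appears to contain `/user/lib64` where `/usr/lib64` is presumably intended, which would make the `.so from wrong place` rule later in this patch fire for libraries loaded from the real `/usr/lib64` on CentOS.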
@@ -52,34 +55,34 @@ interactive: proc.aname=sshd
 #######
 # Don't write to binary dirs
-write and bin_dir
+write and bin_dir | Write to bin dir (%proc.name %evt.dir %evt.type %evt.args %fd.name)
 # Don't modify binary dirs
-modify and (bin_dir_rename or bin_dir_mkdir)
+modify and (bin_dir_rename or bin_dir_mkdir) | Modify bin dir (%proc.name %evt.dir %evt.type %evt.args %fd.name)
 # Don't load shared objects coming from unexpected places
-read and fd.name contains .so and not (ubuntu_so_dirs or centos_so_dirs)
+read and fd.name contains .so and not (ubuntu_so_dirs or centos_so_dirs) | .so from wrong place (%proc.name %evt.dir %evt.type %evt.args %fd.name)
 # Attempts to access things that shouldn't be
-evt.res = EACCES
-
-# Only sysdig can change namespace
-setns and proc.name != sysdig
+evt.res = EACCES | EACCESS (%proc.name %evt.dir %evt.type %evt.args %fd.name)
 # Let's assume this is a node running elasticsearch
-inbound and not (ssh_port or elasticsearch_port) and not fd.rip="127.0.0.1"
+inbound and not (ssh_port or elasticsearch_port) and not fd.rip="127.0.0.1" | bad rip (%proc.name %evt.dir %evt.type %evt.args %fd.name)
 # Only sysdig and docker can call setns
-syscall.type = setns and not proc.name in (docker, sysdig)
+syscall.type = setns and not proc.name in (docker, sysdig) | Unexpected setns (%proc.name %evt.dir %evt.type %evt.args %fd.name)
 # Shells should only be run by cron or sshd
-proc.name = bash and not proc.pname in (bash, sshd, cron)
+proc.name = bash and not proc.pname in (bash, sshd, cron) | Unexpected shell (%proc.name %evt.dir %evt.type %evt.args %fd.name)
 # Anything run by root
-user.name = root
+evt.type != switch and user.name = root and interactive | Interactive root (%proc.name %evt.dir %evt.type %evt.args %fd.name)
 # Chmod should only be run interactively (by a user)
-syscall.type = chmod and not interactive
+syscall.type = chmod and not interactive | non-interactive chmod (%proc.name %evt.dir %evt.type %evt.args %fd.name)
 # Shells in a container
-container and proc.name = bash
+container and proc.name = bash | shell in a container (%proc.name %evt.dir %evt.type %evt.args %fd.name)
+
+# Network traffic to/from standard utils
+(fd.typechar = 4 or fd.typechar=6) and coreutils_binaries | network traffic to %proc.name (%proc.name %evt.dir %evt.type %evt.args %fd.name)
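Review bot: The rewritten root rule `evt.type != switch and user.name = root and interactive | Interactive root (...)` only fires for processes descended from sshd, because the hunk header shows `interactive: proc.aname=sshd`; root activity on a local console, or under a service that is not an sshd descendant, no longer matches where the previous `user.name = root` did. If that narrowing is intended, the comment above the rule still reads `# Anything run by root` and should say so, e.g. `# Root activity in an sshd-descended session (the interactive macro does not cover local console logins)`. The same macro drives `syscall.type = chmod and not interactive`, so a chmod from a local console session will be reported as non-interactive. Also, the output label in `evt.res = EACCES | EACCESS (...)` misspells the errno it reports on; `EACCES (%proc.name %evt.dir %evt.type %evt.args %fd.name)` would match the condition. Blank context lines appear to have been collapsed out of this copy of the hunk, so the spacing between rule groups is not visible here.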