new(rule): excessively capable containers

Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Co-authored-by: Kaizhe Huang <khuang@aurora.tech>
Lorenzo Susini 2022-03-30 13:29:20 +00:00 committed by poiana
parent 3a6274ab36
commit 9fb9215dbf


@ -1815,7 +1815,7 @@
registry.access.redhat.com/sematext/agent,
registry.access.redhat.com/sematext/logagent]
# These container images are allowed to run with --privileged
# These container images are allowed to run with --privileged and full set of capabilities
- list: falco_privileged_images
items: [
docker.io/calico/node,
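Review bot: the updated comment is now the only record that `falco_privileged_images` exempts an image from the new capability check as well as from `--privileged`, and the list name no longer says so; either keep the name and extend the comment to state plainly that any image added here is trusted with CAP_SYS_ADMIN and the rest of the capability set, or split the exemption into its own list so operators who only want to allow a privileged image are not silently also allowing it to run with arbitrary capabilities.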
@ -1903,6 +1903,31 @@
priority: INFO
tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement]
# These capabilities were used in the past to escape from containers
- macro: excessively_capable_container
condition: >
(thread.cap_permitted contains CAP_SYS_ADMIN
or thread.cap_permitted contains CAP_SYS_MODULE
or thread.cap_permitted contains CAP_SYS_RAWIO
or thread.cap_permitted contains CAP_SYS_PTRACE
or thread.cap_permitted contains CAP_SYS_BOOT
or thread.cap_permitted contains CAP_SYSLOG
or thread.cap_permitted contains CAP_DAC_READ_SEARCH
or thread.cap_permitted contains CAP_NET_ADMIN
or thread.cap_permitted contains CAP_BPF)
- rule: Launch Excessively Capable Container
desc: Detect container started with a powerful set of capabilities. Exceptions are made for known trusted images.
condition: >
container_started and container
and excessively_capable_container
and not falco_privileged_containers
and not user_privileged_containers
output: Excessively capable container started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag cap_permitted=%thread.cap_permitted)
priority: INFO
tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement]
# For now, only considering a full mount of /etc as
# sensitive. Ideally, this would also consider all subdirectories
# below /etc as well, but the globbing mechanism
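Review bot: a container started with `--privileged` holds every capability listed in `excessively_capable_container`, so unless its image is on `falco_privileged_images` it will fire `Launch Excessively Capable Container` in addition to the existing privileged-container alert; if that double alert is not intended, add `and not container.privileged=true` to the rule condition, and if it is intended, say so in `desc`. Two smaller points on the same hunk: `desc` says "Exceptions are made for known trusted images" but should name the `falco_privileged_containers` and `user_privileged_containers` macros that implement the exception, and the comment above the macro should note that it matches on `thread.cap_permitted` rather than the effective set, which is deliberate (a permitted capability can be raised at any time) but surprises readers expecting the effective set.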