github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-03 15:46:33 +00:00
Code Issues Projects Releases Wiki Activity

new(rule): excessively capable containers

Browse Source 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Co-authored-by: Kaizhe Huang <khuang@aurora.tech>
This commit is contained in:
Lorenzo Susini
2022-03-30 13:29:20 +00:00
committed by poiana
parent 3a6274ab36
commit 9fb9215dbf
1 changed files with 26 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
rules/falco_rules.yaml
View File

@@ -1815,7 +1815,7 @@
registry.access.redhat.com/sematext/agent, registry.access.redhat.com/sematext/agent,
registry.access.redhat.com/sematext/logagent] registry.access.redhat.com/sematext/logagent]
# These container images are allowed to run with --privileged # These container images are allowed to run with --privileged and full set of capabilities
- list: falco_privileged_images - list: falco_privileged_images
items: [ items: [
docker.io/calico/node, docker.io/calico/node,
@@ -1903,6 +1903,31 @@
priority: INFO priority: INFO
tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement] tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement]
# These capabilities were used in the past to escape from containers
- macro: excessively_capable_container
condition: >
(thread.cap_permitted contains CAP_SYS_ADMIN
or thread.cap_permitted contains CAP_SYS_MODULE
or thread.cap_permitted contains CAP_SYS_RAWIO
or thread.cap_permitted contains CAP_SYS_PTRACE
or thread.cap_permitted contains CAP_SYS_BOOT
or thread.cap_permitted contains CAP_SYSLOG
or thread.cap_permitted contains CAP_DAC_READ_SEARCH
or thread.cap_permitted contains CAP_NET_ADMIN
or thread.cap_permitted contains CAP_BPF)
- rule: Launch Excessively Capable Container
desc: Detect container started with a powerful set of capabilities. Exceptions are made for known trusted images.
condition: >
container_started and container
and excessively_capable_container
and not falco_privileged_containers
and not user_privileged_containers
output: Excessively capable container started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag cap_permitted=%thread.cap_permitted)
priority: INFO
tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement]
# For now, only considering a full mount of /etc as # For now, only considering a full mount of /etc as
# sensitive. Ideally, this would also consider all subdirectories # sensitive. Ideally, this would also consider all subdirectories
# below /etc as well, but the globbing mechanism # below /etc as well, but the globbing mechanism