commit
a9fc4d2b09
@ -65,72 +65,72 @@ system_users: user.name in (bin, daemon, games, lp, mail, nobody, sshd, sync, uu
#######
# Don't write to binary dirs
evt.dir = > and write and bin_dir | Write to bin dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
evt.dir = > and write and bin_dir | WARNING Write to bin dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Don't write to /etc
evt.dir = > and write and etc_dir | Write to etc dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
evt.dir = > and write and etc_dir | WARNING Write to etc dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Don't read 'sensitive' files
read and not proc.name in (sshd, sudo, su) and not_cron and sensitive_files | Read sensitive file (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
read and not proc.name in (sshd, sudo, su) and not_cron and sensitive_files | WARNING Read sensitive file (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Don't modify binary dirs
modify and (bin_dir_rename or bin_dir_mkdir) | Modify bin dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
modify and (bin_dir_rename or bin_dir_mkdir) | WARNING Modify bin dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Don't load shared objects coming from unexpected places
read and fd.name contains .so and not (ubuntu_so_dirs or centos_so_dirs) | output.first_sequence(evt, "fd.filename", "shared_obj", "Loaded .so from unexpected dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)")
read and fd.name contains .so and not (ubuntu_so_dirs or centos_so_dirs) | WARNING output.first_sequence(evt, "fd.filename", "shared_obj", "Loaded .so from unexpected dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)")
# Attempts to access things that shouldn't be
evt.res = EACCES | EACCESS (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
evt.res = EACCES | INFO System call returned EACCESS (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Only sysdig and docker can call setns
syscall.type = setns and not proc.name in (docker, sysdig) | Unexpected setns (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
syscall.type = setns and not proc.name in (docker, sysdig) | WARNING Unexpected setns (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Shells should only be run by cron or sshd
proc.name = bash and not proc.pname in (bash, sshd, cron, sudo, su, tmux) | Unexpected shell (%user.name %proc.name %proc.pname %evt.dir %evt.type %evt.args %fd.name)
proc.name = bash and not proc.pname in (bash, sshd, cron, sudo, su, tmux) | WARNING Unexpected shell (%user.name %proc.name %proc.pname %evt.dir %evt.type %evt.args %fd.name)
# Anything run interactively by root
# evt.type != switch and user.name = root and proc.name != sshd and interactive | Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# evt.type != switch and user.name = root and proc.name != sshd and interactive | WARNING Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Anything run interactively by a non-login user
system_users and interactive | Sytem user ran an interactive command (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
system_users and interactive | WARNING Sytem user ran an interactive command (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Chmod should only be run interactively (by a user)
syscall.type = chmod and not interactive | non-interactive chmod (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
syscall.type = chmod and not interactive | WARNING non-interactive chmod (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Shells in a container
container and proc.name = bash | shell in a container (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
container and proc.name = bash | WARNING shell in a container (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Network traffic to/from standard utils
# sockfamily ip is to exclude certain processes (like 'groups') that communicate on unix-domain sockets
fd.sockfamily = ip and system_binaries | network traffic to %proc.name (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
fd.sockfamily = ip and system_binaries | WARNING network traffic to %proc.name (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# SSH errors (failed logins, disconnects, ..)
syslog and ssh_error_message and evt.dir = < | sshd error (%proc.name %evt.arg.data)
syslog and ssh_error_message and evt.dir = < | WARNING sshd error (%proc.name %evt.arg.data)
# Non-sudo setuid
evt.type=setuid and not_cron and not proc.name in (sudo, sshd) | unexpected setuid call by non-sudo (%user.name %proc.name %evt.dir %evt.type %evt.args)
evt.type=setuid and not_cron and not proc.name in (sudo, sshd) | WARNING unexpected setuid call by non-sudo (%user.name %proc.name %evt.dir %evt.type %evt.args)
# User management (su and sudo are ok)
not proc.name in (su, sudo) and (adduser_binaries or login_binaries or passwd_binaries or shadowutils_binaries) | user-management binary command run (%user.name %proc.name %evt.dir %evt.type %evt.args)
not proc.name in (su, sudo) and (adduser_binaries or login_binaries or passwd_binaries or shadowutils_binaries) | WARNING user-management binary command run (%user.name %proc.name %evt.dir %evt.type %evt.args)
# Some rootkits hide files in /dev
# (we may need to add additional checks against false positives, see: https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/86153)
(evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null | file created in /dev (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
(evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null | WARNING file created in /dev (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Elasticsearch ports
elasticsearch_cluster_port: fd.sport=9300
elasticsearch_api_port: fd.sport=9200
elasticsearch_port: elasticsearch_cluster_port or elasticsearch_api_port
user.name = elasticsearch and inbound and not elasticsearch_port | Unexpected Elasticsearch inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = elasticsearch and outbound and not elasticsearch_cluster_port | Unexpected Elasticsearch outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = elasticsearch and inbound and not elasticsearch_port | WARNING Unexpected Elasticsearch inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = elasticsearch and outbound and not elasticsearch_cluster_port | WARNING Unexpected Elasticsearch outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# ActiveMQ ports
activemq_cluster_port: fd.sport=61616
activemq_web_port: fd.sport=8161
activemq_port: activemq_web_port or activemq_cluster_port
user.name = activemq and inbound and not activemq_port | Unexpected ActiveMQ inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = activemq and outbound and not activemq_cluster_port | Unexpected ActiveMQ outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = activemq and inbound and not activemq_port | WARNING Unexpected ActiveMQ inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = activemq and outbound and not activemq_cluster_port | WARNING Unexpected ActiveMQ outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Cassandra ports
@ -142,8 +142,8 @@ cassandra_ssl_cluster_port: fd.sport=7001
cassandra_jmx_port: fd.sport=7199
cassandra_port: cassandra_thrift_client_port or cassandra_cql_port or cassandra_cluster_port or cassandra_ssl_cluster_port or cassandra_jmx_port
user.name = cassandra and inbound and not cassandra_port | Unexpected Cassandra inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = cassandra and outbound and not (cassandra_ssl_cluster_port or cassandra_cluster_port) | Unexpected Cassandra outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = cassandra and inbound and not cassandra_port | WARNING Unexpected Cassandra inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = cassandra and outbound and not (cassandra_ssl_cluster_port or cassandra_cluster_port) | WARNING Unexpected Cassandra outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Couchbase ports
# http://docs.couchbase.com/admin/admin/Install/install-networkPorts.html
@ -175,8 +175,8 @@ couchbase_dataexchange_port: fd.sport>=21100 and fd.sport<=21299
couchbase_internal_port: couchbase_bucket_port or couchbase_epmd_port or couchbase_dataexchange_port
couchbase_port: couchbase_web_port or couchbase_api_port or couchbase_ssl_bucket_port or couchbase_internal_port or couchbase_bucket_port_ie or couchbase_client_interface_port or couchbase_incoming_ssl or couchbase_outgoing_ssl or couchbase_internal_rest_port or couchbase_internal_capi_port
user.name = couchbase and inbound and not couchbase_port | Unexpected Couchbase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = couchbase and outbound and not couchbase_internal_port | Unexpected Couchbase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = couchbase and inbound and not couchbase_port | WARNING Unexpected Couchbase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = couchbase and outbound and not couchbase_internal_port | WARNING Unexpected Couchbase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Couchdb ports
@ -190,19 +190,19 @@ couchdb_httpd_ssl_port: fd.sport=6984
etcd_client_port: fd.sport=2379
etcd_peer_port: fd.sport=2380
# need to double-check which user etcd runs as
user.name = etcd and inbound and not (etcd_client_port or etcd_peer_port) | Unexpected Etcd inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = etcd and outbound and not couchbase_internal_port | Unexpected Etcd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = etcd and inbound and not (etcd_client_port or etcd_peer_port) | WARNING Unexpected Etcd inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = etcd and outbound and not couchbase_internal_port | WARNING Unexpected Etcd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Fluentd ports
fluentd_http_port: fd.sport=9880
fluentd_forward_port: fd.sport=24224
user.name = td-agent and inbound and not (fluentd_forward_port or fluentd_http_port) | Unexpected Fluentd inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = td-agent and outbound and not fluentd_forward_port | Unexpected Fluentd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = td-agent and inbound and not (fluentd_forward_port or fluentd_http_port) | WARNING Unexpected Fluentd inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = td-agent and outbound and not fluentd_forward_port | WARNING Unexpected Fluentd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Gearman ports
# http://gearman.org/protocol/
user.name = gearman and outbound and outbound and not fd.sport = 4730 | Unexpected Gearman outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = gearman and outbound and outbound and not fd.sport = 4730 | WARNING Unexpected Gearman outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Zookeeper
zookeeper_port: fd.sport = 2181
@ -220,15 +220,15 @@ hbase_thrift_info_port: fd.sport = 9095
# If you're not running HBase under the 'hbase' user, adjust first expression
# in each rule below
user.name = hbase and inbound and not (hbase_master_port or hbase_master_info_port or hbase_regionserver_port or hbase_regionserver_info_port or hbase_rest_port or hbase_rest_info_port or hbase_regionserver_thrift_port or hbase_thrift_info_port) | Unexpected HBase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = hbase and outbound and not (zookeeper_port or hbase_master_port or hbase_regionserver_port) | Unexpected HBase outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = hbase and inbound and not (hbase_master_port or hbase_master_info_port or hbase_regionserver_port or hbase_regionserver_info_port or hbase_rest_port or hbase_rest_info_port or hbase_regionserver_thrift_port or hbase_thrift_info_port) | WARNING Unexpected HBase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = hbase and outbound and not (zookeeper_port or hbase_master_port or hbase_regionserver_port) | WARNING Unexpected HBase outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Kafka ports
user.name = kafka and inbound and fd.sport != 9092 | Unexpected Kafka inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = kafka and inbound and fd.sport != 9092 | WARNING Unexpected Kafka inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Memcached ports
user.name = memcached and inbound and fd.sport != 11211 | Unexpected Memcached inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = memcached and inbound and fd.sport != 11211 | WARNING Unexpected Memcached inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# MongoDB ports
mongodb_server_port: fd.sport = 27017
@ -236,7 +236,7 @@ mongodb_shardserver_port: fd.sport = 27018
mongodb_configserver_port: fd.sport = 27019
mongodb_webserver_port: fd.sport = 28017
user.name = mongodb and inbound and not (mongodb_server_port or mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port) | Unexpected MongoDF inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = mongodb and inbound and not (mongodb_server_port or mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port) | WARNING Unexpected MongoDF inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# MySQL ports
user.name = mysql and inbound and fd.sport != 3306 | Unexpected MySQL inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = mysql and inbound and fd.sport != 3306 | WARNING Unexpected MySQL inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
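Review bot: The etcd outbound rule on the new side of the `@ -190,19` hunk still tests `couchbase_internal_port` rather than any etcd port, so the level-only rewrite carries a wrong macro forward: outbound etcd traffic to the peer port would be reported as unexpected while traffic to the Couchbase internal ports would be silently accepted. The intended macro is presumably `etcd_peer_port`, i.e. `user.name = etcd and outbound and not etcd_peer_port | WARNING Unexpected Etcd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)`. The same hunk repeats `outbound and outbound` in the Gearman rule, the `@ -175,8` hunk labels the Couchbase outbound rule "Unexpected Couchbase inbound port", and the `@ -236,7` hunk keeps "MongoDF"; since every output line is being rewritten for the level anyway, this is the moment to correct those strings so alerts name the right condition.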
@ -155,6 +155,18 @@ end
-- grammar
local function normalize_level(level)
valid_levels = {"emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"}
level = string.lower(level)
for i,v in ipairs(valid_levels) do
if (string.find(v, "^"..level)) then
return v
end
end
error("Invalid severity level: "..level)
end
local function filter(e)
return {type = "Filter", value=e}
end
@ -163,12 +175,12 @@ local function macro (name, filter)
return {type = "MacroDef", name = name, value = filter}
end
local function outputformat (format)
return {type = "OutputFormat", value = format}
local function outputformat (level, format)
return {type = "OutputFormat", level = normalize_level(level), value = format}
end
local function functioncall (str, mname, fname, args)
return {type = "FunctionCall", mname = mname, fname = fname, arguments = args, source = str}
local function functioncall (level, str, mname, fname, args)
return {type = "FunctionCall", level = normalize_level(level), mname = mname, fname = fname, arguments = args, source = str}
end
local function rule(filter, output)
@ -217,7 +229,7 @@ local G = {
MacroDef = (C(V"Macro") * V"Skip" * V"Colon" * (V"Filter"));
FuncArgs = symb("(") * list(V"Value", symb(",")) * symb(")");
Output = (C(V"Name" * P(".") * V"Name" * V"FuncArgs") / functioncall) + P(1)^0 / outputformat;
Output = (C(V"Identifier") * V"Skip" * C(V"Name" * P(".") * V"Name" * V"FuncArgs") / functioncall) + (C(V"Identifier") * V"Skip" * C(P(1)^0) / outputformat);
-- Terminals
Value = terminal "Number" + terminal "String" + terminal "BareString";
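Review bot: `valid_levels` in the new `normalize_level` of the `@ -155,6` hunk is assigned without `local`, so each call writes a global that luacheck would flag; it should be `local valid_levels = {"emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"}`. The match `string.find(v, "^"..level)` also interprets the level token taken from the rules file as a Lua pattern, so a token containing `.`, `%` or `[` either matches unintended names or raises "malformed pattern" instead of reaching the `Invalid severity level` error, and an empty token resolves to `emergency`; a plain prefix comparison avoids both: `if level ~= "" and string.sub(v, 1, #level) == level then`. Because the loop returns the first prefix hit, an abbreviation such as `e` silently means emergency rather than error, which deserves a comment on the loop like `-- first prefix match wins: "e" resolves to emergency, not error`. The `Output` rule in the `@ -217,7` hunk wires the captured identifier straight into this function, so any token there now goes through this path.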