From b8cdb8e46c177eb61c55aff3310a6be39f219cf7 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Thu, 5 May 2016 23:20:46 -0700
Subject: [PATCH] Modify existing rules to not use ignored syscalls.

The ignored syscalls in macros were:
- write: renamed to open_write to make its weaker resolution more apparent. Checks for open with any flag that could change a file.
- read: renamed to open_read. Checks for open with any read flag.
- sendto: I couldn't think of any way to replace this, so I simply removed it with a comment.
I kept the original read/write macros commented out with a note that they use ignored syscalls.
I have not tested these changes yet other than verifying that falco starts properly.
---
 rules/falco_rules.yaml | 41 ++++++++++++++++++++++++++++++++---------
 1 file changed, 32 insertions(+), 9 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 557f11dd..b619f171 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -3,10 +3,31 @@
 #############
 # File actions
-- macro: write
-  condition: (syscall.type=write and fd.type in (file, directory))
-- macro: read
-  condition: (syscall.type=read and evt.dir=> and fd.type in (file, directory))
+
+
+# Currently disabled as read/write are ignored syscalls. The nearly
+# similar open_write/open_read check for files being opened for
+# reading/writing.
+# - macro: write
+#   condition: (syscall.type=write and fd.type in (file, directory))
+# - macro: read
+#   condition: (syscall.type=read and evt.dir=> and fd.type in (file, directory))
+
+- macro: open_write
+  condition: >
+    (evt.type=open or evt.type=openat) and
+    fd.typechar='f' and
+    (evt.arg.flags contains O_WRONLY or
+     evt.arg.flags contains O_RDWR or
+     evt.arg.flags contains O_CREAT or
+     evt.arg.flags contains O_TRUNC)
+- macro: open_read
+  condition: >
+    (evt.type=open or evt.type=openat) and
+    fd.typechar='f' and
+    (evt.arg.flags contains O_RDONLY or
+     evt.arg.flags contains O_RDWR)
+
 - macro: rename
   condition: syscall.type = rename
 - macro: mkdir
@@ -79,8 +100,10 @@
 # Network
 - macro: inbound
   condition: (syscall.type=listen and evt.dir=>) or (syscall.type=accept and evt.dir=<)
+
+# Currently sendto is an ignored syscall, otherwise this could also check for (syscall.type=sendto and evt.dir=>)
 - macro: outbound
-  condition: ((syscall.type=connect and evt.dir=<) or (syscall.type=sendto and evt.dir=>)) and (fd.typechar=4 or fd.typechar=6)
+  condition: syscall.type=connect and evt.dir=< and (fd.typechar=4 or fd.typechar=6)
 - macro: ssh_port
   condition: fd.lport=22
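Review bot: `open_write` and `open_read` test `fd.typechar='f'` on open/openat without pinning `evt.dir`, while the rules that use them (later in this patch) add `evt.dir = >`; if the returned fd, and with it `fd.typechar`/`fd.name`, is only resolvable on the exit event, as this file already assumes for accept and connect by matching them on `evt.dir=<`, the write rules would never fire, and the commit message says nothing beyond startup has been tested. Pin the direction inside the macro so every caller agrees, e.g. `(evt.type=open or evt.type=openat) and evt.dir=< and fd.typechar='f' and`, and confirm with a test that writes under /etc before merging. A second thing to verify is `evt.arg.flags contains O_RDONLY`: O_RDONLY is the zero access mode, so whether the decoded flags string ever carries that token depends on the flag decoder, and if it does not, `open_read` only sees O_RDWR opens. A one-line comment above the macros stating which event direction they are meant to be combined with would keep the next rule author from mixing the two.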
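Review bot: The comment added above `outbound` says sendto is ignored but not what detection is lost: datagram or otherwise unconnected sockets that send via sendto() or sendmsg() without a preceding connect() no longer match the macro, so every rule built on `outbound` is blind to plain UDP senders. Make that explicit for rule authors, e.g. `# NOTE: sendto is an ignored syscall, so traffic on unconnected (e.g. UDP) sockets that never call connect() is NOT matched; only connect()-based flows are.` Also worth stating in the comment: matching connect on `evt.dir=<` with no check of its result means refused or still-in-progress connects match as well, which may be intended for an alerting macro but is not obvious from the condition.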
@@ -112,17 +135,17 @@
 #######
 # Don't write to binary dirs
-- condition: evt.dir = > and write and bin_dir
+- condition: evt.dir = > and open_write and bin_dir
   output: "Write to bin dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
   priority: WARNING
 # Don't write to /etc
-- condition: evt.dir = > and write and etc_dir
+- condition: evt.dir = > and open_write and etc_dir
   output: "Write to etc dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
   priority: WARNING
 # Don't read 'sensitive' files
-- condition: read and not proc.name in (sshd, sudo, su) and not_cron and sensitive_files
+- condition: open_read and not proc.name in (sshd, sudo, su) and not_cron and sensitive_files
   output: "Read sensitive file (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
   priority: WARNING
@@ -132,7 +155,7 @@
   priority: WARNING
 # Don't load shared objects coming from unexpected places
-- condition: read and fd.name contains .so and not (ubuntu_so_dirs or centos_so_dirs)
+- condition: open_read and fd.name contains .so and not (ubuntu_so_dirs or centos_so_dirs)
   output: "Loaded .so from unexpected dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
   priority: WARNING
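Review bot: The rewritten `Read sensitive file` condition still has no `evt.dir` guard while the two write rules above it use `evt.dir = >`, so a single open of a sensitive file can produce two alerts (enter and exit) that differ only in the `%evt.dir` field of the output. Give it the same guard as its siblings, `- condition: evt.dir = > and open_read and not proc.name in (sshd, sudo, su) and not_cron and sensitive_files`, using whichever direction the open_* macros are validated against. Separately, the `not proc.name in (sshd, sudo, su)` exclusion is keyed on the process name alone, which a reader of the protected files can satisfy by running a copy of any tool under the name `sudo`; if the filter exposes an executable-path field, keying the exclusion on that is harder to spoof and worth a comment either way. The `sensitive_files` and `not_cron` macros are defined outside this hunk.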
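Review bot: `fd.name contains .so` in the rewritten condition is an unanchored substring match, so any regular file whose path contains `.so` anywhere (`/opt/foo.source/x`, `notes.sorted`) opened for reading by any process (cp, tar, grep) fires the rule, while the output text `Loaded .so from unexpected dir` claims a library load was observed. If the filter grammar offers an anchored operator, tighten the match to the `.so` / `.so.N` suffix forms; if it does not, at least change the output to `Read .so file from unexpected dir` so the alert does not overstate the evidence. This rule also lacks the `evt.dir` guard the write rules carry, so it can fire twice per open. The `ubuntu_so_dirs` and `centos_so_dirs` macros are defined outside this hunk.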