Rule updates related to other security products
This is a rework of a PR made by @juju4 that had a bunch of additions related to running other security/monitoring products, including aide, bro, icinga2, nagios, ansible, etc. This overlapped a lot with changes I had been making to reduce noisiness, so rather than have @juju4 deal with the conflicts I took the changes and made a separate commit with the non-conflicting additions. A summary of the changes: - Add docker-compose as a docker binary. - Add showq/critical-stack as setuid binaries. - Add lxd binaries - Add some additional package management binaries. - Add support for host intrusion detection systems like aide. - Add support for network intrusion detection systems like bro. - Add support for monitoring systems like nagios, icinga2, npcd. - Other one-off additions to other lists of mail/etc programs.
This commit is contained in:
parent
511d0997da
commit
b9d0857362
@ -99,11 +99,14 @@
|
|||||||
items: [setup-backend, dragent, sdchecks]
|
items: [setup-backend, dragent, sdchecks]
|
||||||
|
|
||||||
- list: docker_binaries
|
- list: docker_binaries
|
||||||
items: [docker, dockerd, exe]
|
items: [docker, dockerd, exe, docker-compose]
|
||||||
|
|
||||||
- list: k8s_binaries
|
- list: k8s_binaries
|
||||||
items: [hyperkube, skydns, kube2sky, exechealthz]
|
items: [hyperkube, skydns, kube2sky, exechealthz]
|
||||||
|
|
||||||
|
- list: lxd_binaries
|
||||||
|
items: [lxd, lxcfs]
|
||||||
|
|
||||||
- list: http_server_binaries
|
- list: http_server_binaries
|
||||||
items: [nginx, httpd, httpd-foregroun, lighttpd]
|
items: [nginx, httpd, httpd-foregroun, lighttpd]
|
||||||
|
|
||||||
@ -118,8 +121,8 @@
|
|||||||
- list: package_mgmt_binaries
|
- list: package_mgmt_binaries
|
||||||
items: [
|
items: [
|
||||||
dpkg, dpkg-preconfigu, dnf, rpm, rpmkey, yum, frontend,
|
dpkg, dpkg-preconfigu, dnf, rpm, rpmkey, yum, frontend,
|
||||||
apt, apt-get, apt-add-reposit, apt-auto-remova, apt-key,
|
apt, apt-get, aptitude, add-apt-reposit, apt-auto-remova, apt-key,
|
||||||
preinst
|
preinst, update-alternat, unattended-upgr
|
||||||
]
|
]
|
||||||
|
|
||||||
- macro: package_mgmt_procs
|
- macro: package_mgmt_procs
|
||||||
@ -139,11 +142,26 @@
|
|||||||
- list: user_mgmt_binaries
|
- list: user_mgmt_binaries
|
||||||
items: [login_binaries, passwd_binaries, shadowutils_binaries]
|
items: [login_binaries, passwd_binaries, shadowutils_binaries]
|
||||||
|
|
||||||
|
- list: dev_creation_binaries
|
||||||
|
items: [blkid]
|
||||||
|
|
||||||
|
- list: aide_wrapper_binaries
|
||||||
|
items: [aide.wrapper, update-aide.con]
|
||||||
|
|
||||||
|
- list: hids_binaries
|
||||||
|
items: [aide]
|
||||||
|
|
||||||
|
- list: nids_binaries
|
||||||
|
items: [bro, broctl]
|
||||||
|
|
||||||
|
- list: monitoring_binaries
|
||||||
|
items: [icinga2, nrpe, npcd, check_sar_perf.]
|
||||||
|
|
||||||
- macro: system_procs
|
- macro: system_procs
|
||||||
condition: proc.name in (coreutils_binaries, user_mgmt_binaries)
|
condition: proc.name in (coreutils_binaries, user_mgmt_binaries)
|
||||||
|
|
||||||
- list: mail_binaries
|
- list: mail_binaries
|
||||||
items: [sendmail, sendmail-msp, postfix, procmail, exim4]
|
items: [sendmail, sendmail-msp, postfix, procmail, exim4, pickup, showq]
|
||||||
|
|
||||||
- macro: sensitive_files
|
- macro: sensitive_files
|
||||||
condition: fd.name startswith /etc and (fd.name in (/etc/shadow, /etc/sudoers, /etc/pam.conf) or fd.directory in (/etc/sudoers.d, /etc/pam.d))
|
condition: fd.name startswith /etc and (fd.name in (/etc/shadow, /etc/sudoers, /etc/pam.conf) or fd.directory in (/etc/sudoers.d, /etc/pam.d))
|
||||||
@ -209,6 +227,9 @@
|
|||||||
- macro: python_running_denyhosts
|
- macro: python_running_denyhosts
|
||||||
condition: proc.name=python and (proc.cmdline contains /usr/sbin/denyhosts or proc.cmdline contains /usr/local/bin/denyhosts.py)
|
condition: proc.name=python and (proc.cmdline contains /usr/sbin/denyhosts or proc.cmdline contains /usr/local/bin/denyhosts.py)
|
||||||
|
|
||||||
|
- macro: parent_bro_running_python
|
||||||
|
condition: proc.pname=python and proc.cmdline contains /usr/share/broctl
|
||||||
|
|
||||||
# As a part of kernel upgrades, dpkg will spawn a perl script with the
|
# As a part of kernel upgrades, dpkg will spawn a perl script with the
|
||||||
# name linux-image-N.N. This macro matches that.
|
# name linux-image-N.N. This macro matches that.
|
||||||
- macro: parent_linux_image_upgrade_script
|
- macro: parent_linux_image_upgrade_script
|
||||||
@ -231,7 +252,7 @@
|
|||||||
package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries,
|
package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries,
|
||||||
ldconfig.real, ldconfig, confd, gpg, insserv,
|
ldconfig.real, ldconfig, confd, gpg, insserv,
|
||||||
apparmor_parser, update-mime, tzdata.config, tzdata.postinst,
|
apparmor_parser, update-mime, tzdata.config, tzdata.postinst,
|
||||||
systemd-machine, debconf-show)
|
systemd-machine, debconf-show, rollerd, bind9.postinst)
|
||||||
and not proc.pname in (sysdigcloud_binaries)
|
and not proc.pname in (sysdigcloud_binaries)
|
||||||
and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java)
|
and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java)
|
||||||
and not ansible_running_python
|
and not ansible_running_python
|
||||||
@ -260,13 +281,13 @@
|
|||||||
priority: WARNING
|
priority: WARNING
|
||||||
|
|
||||||
- list: read_sensitive_file_binaries
|
- list: read_sensitive_file_binaries
|
||||||
items: [iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd, vsftpd]
|
items: [iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd, vsftpd, systemd]
|
||||||
|
|
||||||
- rule: Read sensitive file untrusted
|
- rule: Read sensitive file untrusted
|
||||||
desc: an attempt to read any sensitive file (e.g. files containing user/password/authentication information). Exceptions are made for known trusted programs.
|
desc: an attempt to read any sensitive file (e.g. files containing user/password/authentication information). Exceptions are made for known trusted programs.
|
||||||
condition: >
|
condition: >
|
||||||
sensitive_files and open_read
|
sensitive_files and open_read
|
||||||
and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries, cron_binaries, read_sensitive_file_binaries, shell_binaries)
|
and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries, cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries)
|
||||||
and not cmp_cp_by_passwd
|
and not cmp_cp_by_passwd
|
||||||
and not ansible_running_python
|
and not ansible_running_python
|
||||||
and not proc.cmdline contains /usr/bin/mandb
|
and not proc.cmdline contains /usr/bin/mandb
|
||||||
@ -276,7 +297,7 @@
|
|||||||
# Only let rpm-related programs write to the rpm database
|
# Only let rpm-related programs write to the rpm database
|
||||||
- rule: Write below rpm database
|
- rule: Write below rpm database
|
||||||
desc: an attempt to write to the rpm database by any non-rpm related program
|
desc: an attempt to write to the rpm database by any non-rpm related program
|
||||||
condition: fd.name startswith /var/lib/rpm and open_write and not proc.name in (dnf,rpm,rpmkey,yum)
|
condition: fd.name startswith /var/lib/rpm and open_write and not proc.name in (dnf,rpm,rpmkey,yum) and not ansible_running_python
|
||||||
output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name)"
|
output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name)"
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
|
|
||||||
@ -316,7 +337,10 @@
|
|||||||
|
|
||||||
- rule: Change thread namespace
|
- rule: Change thread namespace
|
||||||
desc: an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns.
|
desc: an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns.
|
||||||
condition: evt.type = setns and not proc.name in (docker_binaries, k8s_binaries, sysdigcloud_binaries, sysdig, nsenter) and not proc.pname in (sysdigcloud_binaries)
|
condition: >
|
||||||
|
evt.type = setns
|
||||||
|
and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, sysdig, nsenter)
|
||||||
|
and not proc.pname in (sysdigcloud_binaries)
|
||||||
output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline parent=%proc.pname %container.info)"
|
output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline parent=%proc.pname %container.info)"
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
|
|
||||||
@ -328,7 +352,7 @@
|
|||||||
logrotate, ansible, less, adduser, pycompile, py3compile,
|
logrotate, ansible, less, adduser, pycompile, py3compile,
|
||||||
pyclean, py3clean, pip, pip2, ansible-playboo, man-db,
|
pyclean, py3clean, pip, pip2, ansible-playboo, man-db,
|
||||||
init, pluto, mkinitramfs, unattended-upgr, watch, sysdig,
|
init, pluto, mkinitramfs, unattended-upgr, watch, sysdig,
|
||||||
landscape-sysin, nessusd, PM2
|
landscape-sysin, nessusd, PM2, syslog-summary
|
||||||
]
|
]
|
||||||
|
|
||||||
- rule: Run shell untrusted
|
- rule: Run shell untrusted
|
||||||
@ -337,8 +361,11 @@
|
|||||||
spawned_process and not container
|
spawned_process and not container
|
||||||
and shell_procs
|
and shell_procs
|
||||||
and proc.pname exists
|
and proc.pname exists
|
||||||
and not proc.pname in (cron_binaries, shell_binaries, known_shell_spawn_binaries, docker_binaries, k8s_binaries, package_mgmt_binaries)
|
and not proc.pname in (cron_binaries, shell_binaries, known_shell_spawn_binaries, docker_binaries,
|
||||||
|
k8s_binaries, package_mgmt_binaries, aide_wrapper_binaries, nids_binaries,
|
||||||
|
monitoring_binaries)
|
||||||
and not parent_ansible_running_python
|
and not parent_ansible_running_python
|
||||||
|
and not parent_bro_running_python
|
||||||
and not parent_linux_image_upgrade_script
|
and not parent_linux_image_upgrade_script
|
||||||
output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline pcmdline=%proc.pcmdline)"
|
output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline pcmdline=%proc.pcmdline)"
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
@ -378,7 +405,13 @@
|
|||||||
|
|
||||||
- rule: Run shell in container
|
- rule: Run shell in container
|
||||||
desc: a shell was spawned by a non-shell program in a container. Container entrypoints are excluded.
|
desc: a shell was spawned by a non-shell program in a container. Container entrypoints are excluded.
|
||||||
condition: spawned_process and container and shell_procs and proc.pname exists and not proc.pname in (shell_binaries, docker_binaries, k8s_binaries, initdb, pg_ctl, awk, apache2, falco, cron) and not trusted_containers
|
condition: >
|
||||||
|
spawned_process and container
|
||||||
|
and shell_procs
|
||||||
|
and proc.pname exists
|
||||||
|
and not proc.pname in (shell_binaries, docker_binaries, k8s_binaries, lxd_binaries, aide_wrapper_binaries, nids_binaries,
|
||||||
|
monitoring_binaries, initdb, pg_ctl, awk, apache2, falco, cron)
|
||||||
|
and not trusted_containers
|
||||||
output: "Shell spawned in a container other than entrypoint (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
|
output: "Shell spawned in a container other than entrypoint (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
|
|
||||||
@ -401,8 +434,8 @@
|
|||||||
# sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs
|
# sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs
|
||||||
- rule: Non sudo setuid
|
- rule: Non sudo setuid
|
||||||
desc: an attempt to change users by calling setuid. sudo/su are excluded. user "root" is also excluded, as setuid calls typically involve dropping privileges.
|
desc: an attempt to change users by calling setuid. sudo/su are excluded. user "root" is also excluded, as setuid calls typically involve dropping privileges.
|
||||||
condition: evt.type=setuid and evt.dir=> and not user.name=root and not proc.name in (userexec_binaries, mail_binaries, sshd, dbus-daemon-lau)
|
condition: evt.type=setuid and evt.dir=> and not user.name=root and not proc.name in (userexec_binaries, mail_binaries, sshd, dbus-daemon-lau, ping, ping6, critical-stack-)
|
||||||
output: "Unexpected setuid call by non-sudo, non-root program (user=%user.name command=%proc.cmdline uid=%evt.arg.uid)"
|
output: "Unexpected setuid call by non-sudo, non-root program (user=%user.name parent=%proc.pname command=%proc.cmdline uid=%evt.arg.uid)"
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
|
|
||||||
- rule: User mgmt binaries
|
- rule: User mgmt binaries
|
||||||
@ -417,7 +450,11 @@
|
|||||||
# (we may need to add additional checks against false positives, see: https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/86153)
|
# (we may need to add additional checks against false positives, see: https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/86153)
|
||||||
- rule: Create files below dev
|
- rule: Create files below dev
|
||||||
desc: creating any files below /dev other than known programs that manage devices. Some rootkits hide files in /dev.
|
desc: creating any files below /dev other than known programs that manage devices. Some rootkits hide files in /dev.
|
||||||
condition: fd.directory = /dev and (evt.type = creat or (evt.type = open and evt.arg.flags contains O_CREAT)) and proc.name != blkid and not fd.name in (allowed_dev_files)
|
condition: >
|
||||||
|
fd.directory = /dev and
|
||||||
|
(evt.type = creat or (evt.type = open and evt.arg.flags contains O_CREAT))
|
||||||
|
and not proc.name in (dev_creation_binaries)
|
||||||
|
and not fd.name in (allowed_dev_files)
|
||||||
output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name)"
|
output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name)"
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
|
|
||||||
|
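Review bot: In the hunk at `@ -118,8 +121,8 @@`, the package_mgmt_binaries entry `apt-add-reposit` is replaced by `add-apt-reposit` rather than kept alongside it, although the description lists package-management changes only as additions; on Ubuntu the software-properties package ships `apt-add-repository` as an alias of `add-apt-repository` (a symlink, if memory serves), so a process started through the alias would carry the old comm name, drop out of this allowlist, and alert again in every rule that excludes package_mgmt_binaries (Read sensitive file untrusted, Run shell untrusted, and the condition at `@ -231,7 +252,7 @@`). If the rename is not deliberate, keep both spellings: `apt, apt-get, aptitude, apt-add-reposit, add-apt-reposit, apt-auto-remova, apt-key,`. Separately, the new truncated names `critical-stack-`, `check_sar_perf.` and `update-aide.con` depend on proc.name being the kernel's 15-character comm value, a convention the file already relies on (`httpd-foregroun`, `dpkg-preconfigu`) but never states; a one-line comment above the first such list, e.g. `# Process names are truncated to 15 characters, matching the kernel comm field`, would keep the next editor from "correcting" them.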