From bc83ac18a03568737d0a85fa7086ac9fc0e0dfe5 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Tue, 17 Jan 2017 10:03:21 -0800
Subject: [PATCH] Allow shells spawned by ansible.

Changes to allow shells spawned by ansible. In general this is actually pretty difficult--on the remote managed machine, ansible performs actions simply by running python over ssh without any explicit ansible helper or command line. One (weak) hint is that the python scripts being run are usually under a directory with ansible in the name. So use that as the basis for a macro ansible_running_python. In turn, that macro is used as a negative condition for the run shell untrusted rule. This is a pretty fragile and easily exploited condition, so add a note to the macro saying so.
---
 rules/falco_rules.yaml | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 2234cb18..c00318ee 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -295,13 +295,21 @@
     sshd, sudo, su, tmux, screen, emacs, systemd, login, flock, fbash, nginx, monit, supervisord, dragent, aws, initdb, docker-compose, make, configure, awk, falco, fail2ban-server, apt-get, apt,
-    fleetctl, logrotate
+    fleetctl, logrotate, ansible
     ]
 
+- macro: ansible_running_python
+  condition: proc.pname=python and proc.pcmdline contains ansible
+
 - rule: Run shell untrusted
   desc: an attempt to spawn a shell by a non-shell program. Exceptions are made for trusted binaries.
-  condition: spawned_process and not container and shell_procs and proc.pname exists and not proc.pname in (cron_binaries, shell_binaries, known_shell_spawn_binaries, docker_binaries, k8s_binaries)
-  output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
+  condition: >
+    spawned_process and not container
+    and shell_procs
+    and proc.pname exists
+    and not proc.pname in (cron_binaries, shell_binaries, known_shell_spawn_binaries, docker_binaries, k8s_binaries)
+    and not ansible_running_python
+  output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline pcmdline=%proc.pcmdline)"
   priority: WARNING
 
 - macro: trusted_containers
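Review bot: The commit message promises a note on the macro warning that the condition is fragile and easily bypassed, but no such comment appears next to `- macro: ansible_running_python` in the hunk. Since any process whose parent is named python and whose parent command line merely contains the substring ansible is now silently exempted from Run shell untrusted, that caveat belongs in the rules file where operators will read it, e.g. `# NOTE: weak heuristic -- any python parent with "ansible" anywhere in its command line bypasses "Run shell untrusted"; use the pcmdline output field to triage such events.` The exact match `proc.pname=python` also looks like it would not cover interpreters reporting as python2.7 or python3, so the exemption may fail to apply on hosts where ansible runs those; worth confirming against a managed host before relying on it to quiet alerts.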