mirror of
https://github.com/falcosecurity/falco.git
synced 2025-08-31 14:20:04 +00:00
Update rules to work on demo scenarios.
Make changes to falco_rules.yaml to make sure they work on the demo scenarios without too many false positives. The specific changes are: - Add /etc/ld.so.cache as an allowed shared library to open. - Comment out the shared library check for now--there are lots of locations below /usr/lib for things like python, perl, etc and I want to get a fuller categorization first. - Add a few additional parent processes that can spawn shells, write sensitive files, and call setuid. Also allow bash shells with no parent to spawn shells. We may want to disallow this but I suspect a better place to detect is the parent-less bash shell becoming a session leader. - Add rules for fs-bash (falco-safe bash), which is used in the curl <url> | bash installer demo. The idea is that fs-bash has restrictions on what it and child proceses can do. - Add trailing '/' characters to path names in bin_dir_* so paths like /tmp/binary don't accidentally match '/bin' Note that as process names are truncated to 15 characters, long process names like 'httpd-foregroun' are intentionally truncated.
This commit is contained in:
@@ -46,9 +46,9 @@
|
||||
condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
|
||||
|
||||
- macro: bin_dir_mkdir
|
||||
condition: evt.arg[0] contains /bin or evt.arg[0] contains /sbin or evt.arg[0] contains /usr/bin or evt.arg[0] contains /usr/sbin
|
||||
condition: evt.arg[0] contains /bin/ or evt.arg[0] contains /sbin/ or evt.arg[0] contains /usr/bin/ or evt.arg[0] contains /usr/sbin/
|
||||
- macro: bin_dir_rename
|
||||
condition: evt.arg[1] contains /bin or evt.arg[1] contains /sbin or evt.arg[1] contains /usr/bin or evt.arg[1] contains /usr/sbin
|
||||
condition: evt.arg[1] contains /bin/ or evt.arg[1] contains /sbin/ or evt.arg[1] contains /usr/bin/ or evt.arg[1] contains /usr/sbin/
|
||||
|
||||
- macro: etc_dir
|
||||
condition: fd.directory contains /etc
|
||||
@@ -57,6 +57,8 @@
|
||||
condition: fd.directory contains /lib/x86_64-linux-gnu or fd.directory contains /usr/lib/x86_64-linux-gnu or fd.directory contains /usr/lib/sudo
|
||||
- macro: centos_so_dirs
|
||||
condition: fd.directory contains /lib64 or fd.directory contains /user/lib64 or fd.directory contains /usr/libexec
|
||||
- macro: linux_so_dirs
|
||||
condition: ubuntu_so_dirs or centos_so_dirs or fd.name=/etc/ld.so.cache
|
||||
|
||||
- macro: coreutils_binaries
|
||||
condition: >
|
||||
@@ -145,7 +147,7 @@
|
||||
priority: WARNING
|
||||
|
||||
# Don't read 'sensitive' files
|
||||
- condition: open_read and not proc.name in (sshd, sudo, su) and not_cron and sensitive_files
|
||||
- condition: open_read and not proc.name in (sshd, sudo, su, iptables, ps, httpd-foregroun, httpd, nginx, systemd-logind, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, bash) and not_cron and sensitive_files
|
||||
output: "Read sensitive file (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
|
||||
priority: WARNING
|
||||
|
||||
@@ -155,9 +157,13 @@
|
||||
priority: WARNING
|
||||
|
||||
# Don't load shared objects coming from unexpected places
|
||||
- condition: open_read and fd.name contains .so and not (ubuntu_so_dirs or centos_so_dirs)
|
||||
output: "Loaded .so from unexpected dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
|
||||
priority: WARNING
|
||||
# Commenting this out for now--there are lots of shared library
|
||||
# locations below /usr/lib for things like python, perl, etc. We may
|
||||
# want to just add /usr/lib to the list, but that is really
|
||||
# permissive.
|
||||
# - condition: open_read and fd.name contains .so and not (linux_so_dirs)
|
||||
# output: "Loaded .so from unexpected dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
|
||||
# priority: WARNING
|
||||
|
||||
# Attempts to access things that shouldn't be
|
||||
- condition: evt.res = EACCES
|
||||
@@ -170,7 +176,7 @@
|
||||
priority: WARNING
|
||||
|
||||
# Shells should only be run by cron or sshd
|
||||
- condition: proc.name = bash and not proc.pname in (bash, sshd, cron, sudo, su, tmux)
|
||||
- condition: proc.name = bash and proc.pname exists and not proc.pname in (bash, sshd, cron, sudo, su, tmux, screen, emacs, systemd, fs-bash)
|
||||
output: "Unexpected shell (%user.name %proc.name %proc.pname %evt.dir %evt.type %evt.args %fd.name)"
|
||||
priority: WARNING
|
||||
|
||||
@@ -191,7 +197,7 @@
|
||||
|
||||
# Shells in a container
|
||||
- condition: container and proc.name = bash
|
||||
output: "shell in a container (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
|
||||
output: "shell in a container (%user.name %container.id %proc.name %evt.dir %evt.type %evt.args %fd.name)"
|
||||
priority: WARNING
|
||||
|
||||
# Network traffic to/from standard utils
|
||||
@@ -206,7 +212,7 @@
|
||||
priority: WARNING
|
||||
|
||||
# Non-sudo setuid
|
||||
- condition: evt.type=setuid and not_cron and not proc.name in (sudo, sshd)
|
||||
- condition: evt.type=setuid and not_cron and not proc.name in (sudo, sshd, exe, httpd-foregroun, httpd, nginx, mysqld)
|
||||
output: "unexpected setuid call by non-sudo (%user.name %proc.name %evt.dir %evt.type %evt.args)"
|
||||
priority: WARNING
|
||||
|
||||
@@ -459,3 +465,15 @@
|
||||
- condition: http_server and inbound and fd.sport != 80 and fd.sport != 443
|
||||
output: "Unexpected HTTP server inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
|
||||
priority: WARNING
|
||||
|
||||
# fs-bash is a restricted version of bash suitable for use in curl <curl> | sh installers.
|
||||
# Don't let processes who are children of fs-bash call listen()
|
||||
- condition: evt.type=listen and proc.aname=fs-bash
|
||||
output: "unexpected listen call by a child process of fs-bash (%proc.name %evt.args)"
|
||||
priority: WARNING
|
||||
|
||||
# Don't let processes who are children of fs-bash call setsid() to escape
|
||||
# their parent process either.
|
||||
- condition: evt.type=setsid and proc.aname=fs-bash
|
||||
output: "unexpected setsid call by a child process of fs-bash (%proc.name %evt.args)"
|
||||
priority: WARNING
|
||||
|
Reference in New Issue
Block a user