From c761218bfebf0000bd07554897e9b78f4f3a6640 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 11 May 2016 14:59:41 -0700
Subject: [PATCH] Don't let databases spawn processes after startup.

This will detect the result of some sql injection attacks where the injected query tries to spawn a process. We don't include web servers in this list for now due to things like mod_perl, mod_php, etc. Maybe we can add it once we make exceptions for those modules.
---
 rules/falco_rules.yaml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 4e6ea4ba..df929ea6 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -38,6 +38,8 @@
 - macro: modify
   condition: rename or mkdir or remove
 
+- macro: spawn_process
+  condition: syscall.type = execve
 
 # File categories
 - macro: terminal_file_fd
@@ -177,6 +179,11 @@
   output: "Read sensitive file after startup (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
   priority: WARNING
 
+# Don't let databases spawn processes (i.e. workers) after startup.
+- condition: db_server_binaries and not proc_is_new and spawn_process
+  output: "Read sensitive file after startup (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
+  priority: WARNING
+
 # Don't modify binary dirs
 - condition: modify and (bin_dir_rename or bin_dir_mkdir)
   output: "Modify bin dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
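Review bot: The new `spawn_process` macro matches on `syscall.type = execve` without restricting the event direction, so if I read the event model right it will match both the enter and the exit event of every execve and any rule built on it is likely to fire twice per spawn, with the enter-side event still describing the pre-exec process image. Other outputs in this file already print `%evt.dir`, so the direction is available to the condition; pinning it to the exit side reads as `condition: evt.type = execve and evt.dir = <`. Worth confirming against a test capture before the rule below depends on it.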
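Review bot: The `output` of the new database rule is copied verbatim from the "Read sensitive file after startup" rule immediately above it, so an operator receiving the alert cannot tell a file read from a process spawn, and `%fd.name` carries nothing useful for an execve event. The message should describe the detection and surface the spawned program, for example `output: "Database server spawned process after startup (%user.name %proc.pname %proc.name %proc.cmdline)"`. The `db_server_binaries` and `proc_is_new` macros the condition relies on are defined outside this hunk, so whether `proc_is_new` is evaluated against the parent or the newly exec'd process is not visible here and is worth a comment on the rule.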