github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-16 06:48:31 +00:00
Code Issues Projects Releases Wiki Activity

Don't let databases spawn processes after startup.

Browse Source 
This will detect the result of some sql injection attacks where the
injected query tries to spawn a process.

We don't include web servers in this list for now due to things like
mod_perl, mod_php, etc. Maybe we can add it once we make exceptions for
those modules.
This commit is contained in:
Mark Stemm
2016-05-11 14:59:41 -07:00
parent 343e694ca4
commit c761218bfe
1 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
rules/falco_rules.yaml
View File

@@ -38,6 +38,8 @@
- macro: modify - macro: modify
condition: rename or mkdir or remove condition: rename or mkdir or remove
- macro: spawn_process
condition: syscall.type = execve
# File categories # File categories
- macro: terminal_file_fd - macro: terminal_file_fd
@@ -177,6 +179,11 @@
output: "Read sensitive file after startup (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)" output: "Read sensitive file after startup (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING priority: WARNING
# Don't let databases spawn processes (i.e. workers) after startup.
- condition: db_server_binaries and not proc_is_new and spawn_process
output: "Read sensitive file after startup (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# Don't modify binary dirs # Don't modify binary dirs
- condition: modify and (bin_dir_rename or bin_dir_mkdir) - condition: modify and (bin_dir_rename or bin_dir_mkdir)
output: "Modify bin dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)" output: "Modify bin dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"