github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-13 20:05:49 +00:00
Code Issues Projects Releases Wiki Activity

rule update:

Browse Source 
1. Extend macro mkdir with syscall mkdirat (#337)
2. add placeholder for whitelist in rule Clear Log Activities (#632)

Signed-off-by: kaizhe <derek0405@gmail.com>

add docker.io/ to the trusted images list

Signed-off-by: kaizhe <derek0405@gmail.com>

rule update: add container.id and image in the rule output except those rules with "not container" in condition

Signed-off-by: kaizhe <derek0405@gmail.com>

Remove empty line

Signed-off-by: Kaizhe Huang<derek0405@gmail.com>
This commit is contained in:
Kaizhe Huang 2019-06-12 11:04:13 -07:00 committed by poiana
parent 4561c8b22e
commit cfaa52f522
1 changed files with 70 additions and 63 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

133
rules/falco_rules.yaml
View File

@ -59,7 +59,7 @@
- macro: rename - macro: rename
condition: evt.type in (rename, renameat) condition: evt.type in (rename, renameat)
- macro: mkdir - macro: mkdir
condition: evt.type = mkdir condition: evt.type in (mkdir, mkdirat)
- macro: remove - macro: remove
condition: evt.type in (rmdir, unlink, unlinkat) condition: evt.type in (rmdir, unlink, unlinkat)
@ -348,7 +348,7 @@
- rule: Disallowed SSH Connection - rule: Disallowed SSH Connection
desc: Detect any new ssh connection to a host other than those in an allowed group of hosts desc: Detect any new ssh connection to a host other than those in an allowed group of hosts
condition: (inbound_outbound) and ssh_port and not allowed_ssh_hosts condition: (inbound_outbound) and ssh_port and not allowed_ssh_hosts
output: Disallowed SSH Connection (command=%proc.cmdline connection=%fd.name user=%user.name) output: Disallowed SSH Connection (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id image=%container.image.repository)
priority: NOTICE priority: NOTICE
tags: [network, mitre_remote_service] tags: [network, mitre_remote_service]
@ -379,7 +379,7 @@
((fd.sip in (allowed_outbound_destination_ipaddrs)) or ((fd.sip in (allowed_outbound_destination_ipaddrs)) or
(fd.snet in (allowed_outbound_destination_networks)) or (fd.snet in (allowed_outbound_destination_networks)) or
(fd.sip.name in (allowed_outbound_destination_domains))) (fd.sip.name in (allowed_outbound_destination_domains)))
output: Disallowed outbound connection destination (command=%proc.cmdline connection=%fd.name user=%user.name) output: Disallowed outbound connection destination (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id image=%container.image.repository)
priority: NOTICE priority: NOTICE
tags: [network] tags: [network]
@ -402,7 +402,7 @@
((fd.cip in (allowed_inbound_source_ipaddrs)) or ((fd.cip in (allowed_inbound_source_ipaddrs)) or
(fd.cnet in (allowed_inbound_source_networks)) or (fd.cnet in (allowed_inbound_source_networks)) or
(fd.cip.name in (allowed_inbound_source_domains))) (fd.cip.name in (allowed_inbound_source_domains)))
output: Disallowed inbound connection source (command=%proc.cmdline connection=%fd.name user=%user.name) output: Disallowed inbound connection source (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id image=%container.image.repository)
priority: NOTICE priority: NOTICE
tags: [network] tags: [network]
@ -440,7 +440,7 @@
fd.directory in (shell_config_directories)) and fd.directory in (shell_config_directories)) and
not proc.name in (shell_binaries) not proc.name in (shell_binaries)
output: > output: >
a shell configuration file has been modified (user=%user.name command=%proc.cmdline file=%fd.name) a shell configuration file has been modified (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
priority: priority:
WARNING WARNING
tag: [file, mitre_persistence] tag: [file, mitre_persistence]
@ -462,7 +462,7 @@
fd.directory in (shell_config_directories)) and fd.directory in (shell_config_directories)) and
(not proc.name in (shell_binaries)) (not proc.name in (shell_binaries))
output: > output: >
a shell configuration file was read by a non-shell program (user=%user.name command=%proc.cmdline file=%fd.name) a shell configuration file was read by a non-shell program (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
priority: priority:
WARNING WARNING
tag: [file, mitre_discovery] tag: [file, mitre_discovery]
@ -906,7 +906,7 @@
condition: > condition: >
open_write and access_repositories and not package_mgmt_procs open_write and access_repositories and not package_mgmt_procs
output: > output: >
Repository files get updated (user=%user.name command=%proc.cmdline file=%fd.name) Repository files get updated (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
priority: priority:
NOTICE NOTICE
tags: [filesystem, mitre_persistence] tags: [filesystem, mitre_persistence]
@ -921,7 +921,7 @@
and not python_running_ms_oms and not python_running_ms_oms
output: > output: >
File below a known binary directory opened for writing (user=%user.name File below a known binary directory opened for writing (user=%user.name
command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2]) command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository)
priority: ERROR priority: ERROR
tags: [filesystem, mitre_persistence] tags: [filesystem, mitre_persistence]
@ -979,7 +979,7 @@
and not user_known_write_monitored_dir_conditions and not user_known_write_monitored_dir_conditions
output: > output: >
File below a monitored directory opened for writing (user=%user.name File below a monitored directory opened for writing (user=%user.name
command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2]) command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository)
priority: ERROR priority: ERROR
tags: [filesystem, mitre_persistence] tags: [filesystem, mitre_persistence]
@ -998,7 +998,7 @@
(not proc.name in (ssh_binaries))) (not proc.name in (ssh_binaries)))
output: > output: >
ssh-related file/directory read by non-ssh program (user=%user.name ssh-related file/directory read by non-ssh program (user=%user.name
command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline) command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline container_id=%container.id image=%container.image.repository)
priority: ERROR priority: ERROR
tags: [filesystem, mitre_discovery] tags: [filesystem, mitre_discovery]
@ -1249,7 +1249,7 @@
- rule: Write below etc - rule: Write below etc
desc: an attempt to write to any file below /etc desc: an attempt to write to any file below /etc
condition: write_etc_common condition: write_etc_common
output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])" output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)"
priority: ERROR priority: ERROR
tags: [filesystem, mitre_persistence] tags: [filesystem, mitre_persistence]
@ -1329,7 +1329,7 @@
and not rancher_writing_root and not rancher_writing_root
and not known_root_conditions and not known_root_conditions
and not user_known_write_root_conditions and not user_known_write_root_conditions
output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name)" output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name container_id=%container.id image=%container.image.repository)"
priority: ERROR priority: ERROR
tags: [filesystem, mitre_persistence] tags: [filesystem, mitre_persistence]
@ -1344,7 +1344,7 @@
condition: sensitive_files and open_read and server_procs and not proc_is_new and proc.name!="sshd" condition: sensitive_files and open_read and server_procs and not proc_is_new and proc.name!="sshd"
output: > output: >
Sensitive file opened for reading by trusted program after startup (user=%user.name Sensitive file opened for reading by trusted program after startup (user=%user.name
command=%proc.cmdline parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2]) command=%proc.cmdline parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository)
priority: WARNING priority: WARNING
tags: [filesystem, mitre_credential_access] tags: [filesystem, mitre_credential_access]
@ -1394,7 +1394,7 @@
and not runuser_reading_pam and not runuser_reading_pam
output: > output: >
Sensitive file opened for reading by non-trusted program (user=%user.name program=%proc.name Sensitive file opened for reading by non-trusted program (user=%user.name program=%proc.name
command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4]) command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)
priority: WARNING priority: WARNING
tags: [filesystem, mitre_credential_access, mitre_discovery] tags: [filesystem, mitre_credential_access, mitre_discovery]
@ -1407,7 +1407,7 @@
and not ansible_running_python and not ansible_running_python
and not python_running_chef and not python_running_chef
and not exe_running_docker_save and not exe_running_docker_save
output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline)" output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline container_id=%container.id image=%container.image.repository)"
priority: ERROR priority: ERROR
tags: [filesystem, software_mgmt, mitre_persistence] tags: [filesystem, software_mgmt, mitre_persistence]
@ -1442,7 +1442,7 @@
and not postgres_running_wal_e and not postgres_running_wal_e
output: > output: >
Database-related program spawned process other than itself (user=%user.name Database-related program spawned process other than itself (user=%user.name
program=%proc.cmdline parent=%proc.pname) program=%proc.cmdline parent=%proc.pname container_id=%container.id image=%container.image.repository)
priority: NOTICE priority: NOTICE
tags: [process, database, mitre_execution] tags: [process, database, mitre_execution]
@ -1451,7 +1451,7 @@
condition: (bin_dir_rename) and modify and not package_mgmt_procs and not exe_running_docker_save condition: (bin_dir_rename) and modify and not package_mgmt_procs and not exe_running_docker_save
output: > output: >
File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline
pcmdline=%proc.pcmdline operation=%evt.type file=%fd.name %evt.args) pcmdline=%proc.pcmdline operation=%evt.type file=%fd.name %evt.args container_id=%container.id image=%container.image.repository)
priority: ERROR priority: ERROR
tags: [filesystem, mitre_persistence] tags: [filesystem, mitre_persistence]
@ -1460,7 +1460,7 @@
condition: mkdir and bin_dir_mkdir and not package_mgmt_procs condition: mkdir and bin_dir_mkdir and not package_mgmt_procs
output: > output: >
Directory below known binary directory created (user=%user.name Directory below known binary directory created (user=%user.name
command=%proc.cmdline directory=%evt.arg.path) command=%proc.cmdline directory=%evt.arg.path container_id=%container.id image=%container.image.repository)
priority: ERROR priority: ERROR
tags: [filesystem, mitre_persistence] tags: [filesystem, mitre_persistence]
@ -1489,7 +1489,7 @@
and not rancher_network_manager and not rancher_network_manager
output: > output: >
Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline
parent=%proc.pname %container.info) parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository)
priority: NOTICE priority: NOTICE
tags: [process] tags: [process]
@ -1635,35 +1635,37 @@
output: > output: >
Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname
cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3] cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3]
aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7]) aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7] container_id=%container.id image=%container.image.repository)
priority: DEBUG priority: DEBUG
tags: [shell, mitre_execution] tags: [shell, mitre_execution]
- macro: allowed_openshift_registry_root - macro: allowed_openshift_registry_root
condition: > condition: >
(container.image.repository startswith openshift3/ or (container.image.repository startswith openshift3/ or
container.image.repository startswith registry.redhat.io/openshift3/ or
container.image.repository startswith registry.access.redhat.com/openshift3/) container.image.repository startswith registry.access.redhat.com/openshift3/)
# Source: https://docs.openshift.com/enterprise/3.2/install_config/install/disconnected_install.html # Source: https://docs.openshift.com/enterprise/3.2/install_config/install/disconnected_install.html
- macro: openshift_image - macro: openshift_image
condition: > condition: >
(allowed_openshift_registry_root and (allowed_openshift_registry_root and
(container.image.repository contains logging-deployment or (container.image.repository endswith /logging-deployment or
container.image.repository contains logging-elasticsearch or container.image.repository endswith /logging-elasticsearch or
container.image.repository contains logging-kibana or container.image.repository endswith /logging-kibana or
container.image.repository contains logging-fluentd or container.image.repository endswith /logging-fluentd or
container.image.repository contains logging-auth-proxy or container.image.repository endswith /logging-auth-proxy or
container.image.repository contains metrics-deployer or container.image.repository endswith /metrics-deployer or
container.image.repository contains metrics-hawkular-metrics or container.image.repository endswith /metrics-hawkular-metrics or
container.image.repository contains metrics-cassandra or container.image.repository endswith /metrics-cassandra or
container.image.repository contains metrics-heapster or container.image.repository endswith /metrics-heapster or
container.image.repository contains ose-haproxy-router or container.image.repository endswith /ose-haproxy-router or
container.image.repository contains ose-deployer or container.image.repository endswith /ose-deployer or
container.image.repository contains ose-sti-builder or container.image.repository endswith /ose-sti-builder or
container.image.repository contains ose-docker-builder or container.image.repository endswith /ose-docker-builder or
container.image.repository contains ose-pod or container.image.repository endswith /ose-pod or
container.image.repository contains ose-docker-registry or container.image.repository endswith /ose-node or
container.image.repository contains image-inspector)) container.image.repository endswith /ose-docker-registry or
container.image.repository endswith /image-inspector))
# These images are allowed both to run with --privileged and to mount # These images are allowed both to run with --privileged and to mount
# sensitive paths from the host filesystem. # sensitive paths from the host filesystem.
@ -1687,10 +1689,10 @@
# In this file, it just takes one of the images in trusted_containers # In this file, it just takes one of the images in trusted_containers
# and repeats it. # and repeats it.
- macro: user_trusted_containers - macro: user_trusted_containers
condition: (container.image.repository=sysdig/agent) condition: (container.image.repository = docker.io/sysdig/agent)
- list: sematext_images - list: sematext_images
items: [sematext/sematext-agent-docker, sematext/agent, sematext/logagent, items: [docker.io/sematext/sematext-agent-docker, docker.io/sematext/agent, docker.io/sematext/logagent,
registry.access.redhat.com/sematext/sematext-agent-docker, registry.access.redhat.com/sematext/sematext-agent-docker,
registry.access.redhat.com/sematext/agent, registry.access.redhat.com/sematext/agent,
registry.access.redhat.com/sematext/logagent] registry.access.redhat.com/sematext/logagent]
@ -1698,10 +1700,10 @@
# These container images are allowed to run with --privileged # These container images are allowed to run with --privileged
- list: falco_privileged_images - list: falco_privileged_images
items: [ items: [
sysdig/agent, sysdig/falco, sysdig/sysdig, docker.io/sysdig/agent, docker.io/sysdig/falco, docker.io/sysdig/sysdig,
gcr.io/google_containers/kube-proxy, calico/node, gcr.io/google_containers/kube-proxy, docker.io/calico/node,
rook/toolbox, cloudnativelabs/kube-router, mesosphere/mesos-slave, docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/mesosphere/mesos-slave,
docker/ucp-agent, sematext_images docker.io/docker/ucp-agent, sematext_images
] ]
- macro: falco_privileged_containers - macro: falco_privileged_containers
@ -1719,8 +1721,7 @@
# In this file, it just takes one of the images in falco_privileged_images # In this file, it just takes one of the images in falco_privileged_images
# and repeats it. # and repeats it.
- macro: user_privileged_containers - macro: user_privileged_containers
condition: (container.image.repository=sysdig/agent) condition: (container.image.repository = docker.io/sysdig/agent)
- list: rancher_images - list: rancher_images
items: [ items: [
@ -1732,11 +1733,11 @@
# host filesystem. # host filesystem.
- list: falco_sensitive_mount_images - list: falco_sensitive_mount_images
items: [ items: [
sysdig/agent, sysdig/falco, sysdig/sysdig, docker.io/sysdig/agent, docker.io/sysdig/falco, docker.io/sysdig/sysdig,
gcr.io/google_containers/hyperkube, gcr.io/google_containers/hyperkube,
gcr.io/google_containers/kube-proxy, calico/node, gcr.io/google_containers/kube-proxy, docker.io/calico/node,
rook/toolbox, cloudnativelabs/kube-router, consul, docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul,
datadog/docker-dd-agent, datadog/agent, docker/ucp-agent, gliderlabs/logspout docker.io/datadog/docker-dd-agent, docker.io/datadog/agent, docker.io/docker/ucp-agent, docker.io/gliderlabs/logspout
] ]
- macro: falco_sensitive_mount_containers - macro: falco_sensitive_mount_containers
@ -1756,7 +1757,7 @@
# In this file, it just takes one of the images in falco_sensitive_mount_images # In this file, it just takes one of the images in falco_sensitive_mount_images
# and repeats it. # and repeats it.
- macro: user_sensitive_mount_containers - macro: user_sensitive_mount_containers
condition: (container.image.repository=sysdig/agent) condition: (container.image.repository = docker.io/sysdig/agent)
- rule: Launch Privileged Container - rule: Launch Privileged Container
desc: Detect the initial process started in a privileged container. Exceptions are made for known trusted images. desc: Detect the initial process started in a privileged container. Exceptions are made for known trusted images.
@ -1837,7 +1838,7 @@
- rule: System user interactive - rule: System user interactive
desc: an attempt to run interactive commands by a system (i.e. non-login) user desc: an attempt to run interactive commands by a system (i.e. non-login) user
condition: spawned_process and system_users and interactive condition: spawned_process and system_users and interactive
output: "System user ran an interactive command (user=%user.name command=%proc.cmdline)" output: "System user ran an interactive command (user=%user.name command=%proc.cmdline container_id=%container.id image=%container.image.repository)"
priority: INFO priority: INFO
tags: [users, mitre_remote_access_tools] tags: [users, mitre_remote_access_tools]
@ -1849,7 +1850,7 @@
and container_entrypoint and container_entrypoint
output: > output: >
A shell was spawned in a container with an attached terminal (user=%user.name %container.info A shell was spawned in a container with an attached terminal (user=%user.name %container.info
shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty) shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)
priority: NOTICE priority: NOTICE
tags: [container, shell, mitre_execution] tags: [container, shell, mitre_execution]
@ -1923,7 +1924,7 @@
and not login_doing_dns_lookup and not login_doing_dns_lookup
output: > output: >
Known system binary sent/received network traffic Known system binary sent/received network traffic
(user=%user.name command=%proc.cmdline connection=%fd.name) (user=%user.name command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
priority: NOTICE priority: NOTICE
tags: [network, mitre_exfiltration] tags: [network, mitre_exfiltration]
@ -1949,7 +1950,7 @@
proc.env icontains HTTP_PROXY proc.env icontains HTTP_PROXY
output: > output: >
Program run with disallowed HTTP_PROXY environment variable Program run with disallowed HTTP_PROXY environment variable
(user=%user.name command=%proc.cmdline env=%proc.env parent=%proc.pname) (user=%user.name command=%proc.cmdline env=%proc.env parent=%proc.pname container_id=%container.id image=%container.image.repository)
priority: NOTICE priority: NOTICE
tags: [host, users] tags: [host, users]
@ -1972,7 +1973,7 @@
and interpreted_procs) and interpreted_procs)
output: > output: >
Interpreted program received/listened for network traffic Interpreted program received/listened for network traffic
(user=%user.name command=%proc.cmdline connection=%fd.name) (user=%user.name command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
priority: NOTICE priority: NOTICE
tags: [network, mitre_exfiltration] tags: [network, mitre_exfiltration]
@ -1983,7 +1984,7 @@
and interpreted_procs) and interpreted_procs)
output: > output: >
Interpreted program performed outgoing network connection Interpreted program performed outgoing network connection
(user=%user.name command=%proc.cmdline connection=%fd.name) (user=%user.name command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
priority: NOTICE priority: NOTICE
tags: [network, mitre_exfiltration] tags: [network, mitre_exfiltration]
@ -2024,7 +2025,7 @@
condition: (inbound_outbound) and do_unexpected_udp_check and fd.l4proto=udp and not expected_udp_traffic condition: (inbound_outbound) and do_unexpected_udp_check and fd.l4proto=udp and not expected_udp_traffic
output: > output: >
Unexpected UDP Traffic Seen Unexpected UDP Traffic Seen
(user=%user.name command=%proc.cmdline connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args) (user=%user.name command=%proc.cmdline connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args container_id=%container.id image=%container.image.repository)
priority: NOTICE priority: NOTICE
tags: [network, mitre_exfiltration] tags: [network, mitre_exfiltration]
@ -2084,7 +2085,7 @@
and not user_known_non_sudo_setuid_conditions and not user_known_non_sudo_setuid_conditions
output: > output: >
Unexpected setuid call by non-sudo, non-root program (user=%user.name cur_uid=%user.uid parent=%proc.pname Unexpected setuid call by non-sudo, non-root program (user=%user.name cur_uid=%user.uid parent=%proc.pname
command=%proc.cmdline uid=%evt.arg.uid) command=%proc.cmdline uid=%evt.arg.uid container_id=%container.id image=%container.image.repository)
priority: NOTICE priority: NOTICE
tags: [users, mitre_privilege_escalation] tags: [users, mitre_privilege_escalation]
@ -2128,7 +2129,7 @@
and not proc.name in (dev_creation_binaries) and not proc.name in (dev_creation_binaries)
and not fd.name in (allowed_dev_files) and not fd.name in (allowed_dev_files)
and not fd.name startswith /dev/tty and not fd.name startswith /dev/tty
output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name)" output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)"
priority: ERROR priority: ERROR
tags: [filesystem, mitre_persistence] tags: [filesystem, mitre_persistence]
@ -2189,7 +2190,7 @@
- rule: Unexpected K8s NodePort Connection - rule: Unexpected K8s NodePort Connection
desc: Detect attempts to use K8s NodePorts from a container desc: Detect attempts to use K8s NodePorts from a container
condition: (inbound_outbound) and fd.sport >= 30000 and fd.sport <= 32767 and container and not nodeport_containers condition: (inbound_outbound) and fd.sport >= 30000 and fd.sport <= 32767 and container and not nodeport_containers
output: Unexpected K8s NodePort Connection (command=%proc.cmdline connection=%fd.name) output: Unexpected K8s NodePort Connection (command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
priority: NOTICE priority: NOTICE
tags: [network, k8s, container, mitre_port_knocking] tags: [network, k8s, container, mitre_port_knocking]
@ -2299,12 +2300,19 @@
- macro: access_log_files - macro: access_log_files
condition: (fd.directory in (log_directories) or fd.filename in (log_files)) condition: (fd.directory in (log_directories) or fd.filename in (log_files))
# a placeholder for whitelist log files that could be cleared. Recommend the macro as (fd.name startswith "/var/log/app1*")
- macro: allowed_clear_log_files
condition: (never_true)
- rule: Clear Log Activities - rule: Clear Log Activities
desc: Detect clearing of critical log files desc: Detect clearing of critical log files
condition: > condition: >
open_write and access_log_files and evt.arg.flags contains "O_TRUNC" open_write and
access_log_files and
evt.arg.flags contains "O_TRUNC" and
not allowed_clear_log_files
output: > output: >
Log files were tampered (user=%user.name command=%proc.cmdline file=%fd.name) Log files were tampered (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
priority: priority:
WARNING WARNING
tags: [file, mitre_defense_evasion] tags: [file, mitre_defense_evasion]
@ -2319,7 +2327,7 @@
desc: Detect process running to clear bulk data from disk desc: Detect process running to clear bulk data from disk
condition: spawned_process and clear_data_procs condition: spawned_process and clear_data_procs
output: > output: >
Bulk data has been removed from disk (user=%user.name command=%proc.cmdline file=%fd.name) Bulk data has been removed from disk (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
priority: priority:
WARNING WARNING
tags: [process, mitre_persistence] tags: [process, mitre_persistence]
@ -2387,7 +2395,6 @@
priority: NOTICE priority: NOTICE
tags: [network, process, mitre_lateral_movement, mitre_exfiltration] tags: [network, process, mitre_lateral_movement, mitre_exfiltration]
- rule: Create Symlink Over Sensitive Files - rule: Create Symlink Over Sensitive Files
desc: Detect symlink created over sensitive files desc: Detect symlink created over sensitive files
condition: > condition: >