github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-09 10:07:57 +00:00
Code Issues Projects Releases Wiki Activity

rule update: add exception for rule change thread namespace

Browse Source 
Signed-off-by: kaizhe <derek0405@gmail.com>
This commit is contained in:
kaizhe 2019-06-19 14:43:07 -07:00 committed by Mark Stemm
parent 1d7c6c3356
commit d158d99800
1 changed files with 10 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
rules/falco_rules.yaml
View File

@ -159,7 +159,7 @@
items: [docker, dockerd, exe, docker-compose, docker-entrypoi, docker-runc-cur, docker-current, dockerd-current] items: [docker, dockerd, exe, docker-compose, docker-entrypoi, docker-runc-cur, docker-current, dockerd-current]
- list: k8s_binaries - list: k8s_binaries
items: [hyperkube, skydns, kube2sky, exechealthz, weave-net, loopback, bridge, openshift-sdn] items: [hyperkube, skydns, kube2sky, exechealthz, weave-net, loopback, bridge, openshift-sdn, openshift]
- list: lxd_binaries - list: lxd_binaries
items: [lxd, lxcfs] items: [lxd, lxcfs]
@ -243,7 +243,7 @@
# A canonical set of processes that run other programs with different # A canonical set of processes that run other programs with different
# privileges or as a different user. # privileges or as a different user.
- list: userexec_binaries - list: userexec_binaries
items: [sudo, su, suexec, critical-stack] items: [sudo, su, suexec, critical-stack, dzdo]
- list: known_setuid_binaries - list: known_setuid_binaries
items: [ items: [
@ -1470,6 +1470,12 @@
- list: user_known_change_thread_namespace_binaries - list: user_known_change_thread_namespace_binaries
items: [] items: []
- list: network_plugin_binaries
items: [aws-cni, azure-vnet]
- macro: calico_node
condition: (container.image.repository endswith calico/node and proc.name=calico-node)
- rule: Change thread namespace - rule: Change thread namespace
desc: > desc: >
an attempt to change a program/thread\'s namespace (commonly done an attempt to change a program/thread\'s namespace (commonly done
@ -1477,7 +1483,7 @@
condition: > condition: >
evt.type = setns evt.type = setns
and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries,
sysdig, nsenter, calico, oci-umount) sysdig, nsenter, calico, oci-umount, network_plugin_binaries)
and not proc.name in (user_known_change_thread_namespace_binaries) and not proc.name in (user_known_change_thread_namespace_binaries)
and not proc.name startswith "runc" and not proc.name startswith "runc"
and not proc.cmdline startswith "containerd" and not proc.cmdline startswith "containerd"
@ -1487,6 +1493,7 @@
and not kubelet_running_loopback and not kubelet_running_loopback
and not rancher_agent and not rancher_agent
and not rancher_network_manager and not rancher_network_manager
and not calico_node
output: > output: >
Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline
parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository) parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository)