github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-30 08:32:12 +00:00
Code Issues Projects Releases Wiki Activity

fix(rules): exclude runc writing /var/lib/docker for container drift

Browse Source 
detected rules

Co-authored-by: Lorenzo Fontana <lo@linux.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
This commit is contained in:
Leonardo Di Donato 2020-06-11 15:07:20 +00:00 committed by poiana
parent 70b9bfe1d6
commit d2f0ad7c07
1 changed files with 31 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
rules/falco_rules.yaml
View File

@ -1369,6 +1369,9 @@
- macro: runc_writing_exec_fifo - macro: runc_writing_exec_fifo
condition: (proc.cmdline="runc:[1:CHILD] init" and fd.name=/exec.fifo) condition: (proc.cmdline="runc:[1:CHILD] init" and fd.name=/exec.fifo)
- macro: runc_writing_var_lib_docker
condition: (proc.cmdline="runc:[1:CHILD] init" and evt.arg.filename startswith /var/lib/docker)
- rule: Write below root - rule: Write below root
desc: an attempt to write to any file directly below / or /root desc: an attempt to write to any file directly below / or /root
condition: > condition: >
@ -2838,11 +2841,17 @@
- rule: Container Drift Detected (chmod) - rule: Container Drift Detected (chmod)
desc: New executable created in a container due to chmod desc: New executable created in a container due to chmod
condition: (chmod and consider_all_chmods and container and evt.rawres>=0 and condition: >
((evt.arg.mode contains "S_IXUSR") or chmod and
(evt.arg.mode contains "S_IXGRP") or consider_all_chmods and
(evt.arg.mode contains "S_IXOTH"))) container and
output: Drift detected! New executable created in a container (user=%user.name command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type) not runc_writing_exec_fifo and
not runc_writing_var_lib_docker and
evt.rawres>=0 and
((evt.arg.mode contains "S_IXUSR") or
(evt.arg.mode contains "S_IXGRP") or
(evt.arg.mode contains "S_IXOTH"))
output: Drift detected (chmod), new executable created in a container (user=%user.name command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
priority: ERROR priority: ERROR
# **************************************************************************** # ****************************************************************************
@ -2850,8 +2859,14 @@
# **************************************************************************** # ****************************************************************************
- rule: Container Drift Detected (open+create) - rule: Container Drift Detected (open+create)
desc: New executable created in a container due to open+create desc: New executable created in a container due to open+create
condition: (evt.type in (open,openat,creat) and evt.is_open_exec=true and container and evt.rawres>=0) condition: >
output: Drift detected! New executable created in a container (user=%user.name command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type) evt.type in (open,openat,creat) and
evt.is_open_exec=true and
container and
not runc_writing_exec_fifo and
not runc_writing_var_lib_docker and
evt.rawres>=0
output: Drift detected (open+create), new executable created in a container (user=%user.name command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
priority: ERROR priority: ERROR