github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-04 02:16:46 +00:00
Code Issues Projects Releases Wiki Activity

rule update: add MITRE tags for rules (#575)

Browse Source 
* rule update: add MITRE tags for rules

* update mitre tags with all lower case and add two more rules

* add two more mitre_persistence rules plus minor changes

* replace contains with icontains

* limit search passwd in container
This commit is contained in:
Kaizhe Huang 2019-04-10 22:48:51 -07:00 committed by GitHub
parent e26a9505d6
commit d83342aa2f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 100 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

131
rules/falco_rules.yaml
View File

@ -327,7 +327,33 @@
condition: (inbound_outbound) and ssh_port and not allowed_ssh_hosts condition: (inbound_outbound) and ssh_port and not allowed_ssh_hosts
output: Disallowed SSH Connection (command=%proc.cmdline connection=%fd.name user=%user.name) output: Disallowed SSH Connection (command=%proc.cmdline connection=%fd.name user=%user.name)
priority: NOTICE priority: NOTICE
tags: [network] tags: [network, mitre_remote_service]
- list: user_context_files
items: [.bashrc, .bash_profile]
- rule: Modify User Context
desc: Detect attempt to modify .bashrc file or .bash_profile file
condition: >
open_write and fd.filename in (user_context_files)
output: >
.bash_profile or .bashrc has been modified (user=%user.name command=%proc.cmdline file=%fd.name
container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority:
WARNING
tag: [file, mitre_persistence]
- rule: Schedule Cron Jobs in Container
desc: Detect cron jobs scheduled in container
condition: >
((open_write and fd.name startswith /etc/cron) or
(spawned_process and proc.name = "crontab")) and container
output: >
Cron jobs were scheduled to run inside container (user=%user.name command=%proc.cmdline
file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority:
NOTICE
tag: [file, mitre_persistence]
# Use this to test whether the event occurred within a container. # Use this to test whether the event occurred within a container.
@ -736,7 +762,7 @@
File below a known binary directory opened for writing (user=%user.name File below a known binary directory opened for writing (user=%user.name
command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2]) command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2])
priority: ERROR priority: ERROR
tags: [filesystem] tags: [filesystem, mitre_persistence]
# If you'd like to generally monitor a wider set of directories on top # If you'd like to generally monitor a wider set of directories on top
# of the ones covered by the rule Write below binary dir, you can use # of the ones covered by the rule Write below binary dir, you can use
@ -794,7 +820,7 @@
File below a monitored directory opened for writing (user=%user.name File below a monitored directory opened for writing (user=%user.name
command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2]) command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2])
priority: ERROR priority: ERROR
tags: [filesystem] tags: [filesystem, mitre_persistence]
- list: safe_etc_dirs - list: safe_etc_dirs
items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment, /etc/hrmconfig] items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment, /etc/hrmconfig]
@ -1018,7 +1044,7 @@
condition: write_etc_common condition: write_etc_common
output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])" output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])"
priority: ERROR priority: ERROR
tags: [filesystem] tags: [filesystem, mitre_persistence]
- list: known_root_files - list: known_root_files
items: [/root/.monit.state, /root/.auth_tokens, /root/.bash_history, /root/.ash_history, /root/.aws/credentials, items: [/root/.monit.state, /root/.auth_tokens, /root/.bash_history, /root/.ash_history, /root/.aws/credentials,
@ -1095,7 +1121,7 @@
and not user_known_write_root_conditions and not user_known_write_root_conditions
output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name)" output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name)"
priority: ERROR priority: ERROR
tags: [filesystem] tags: [filesystem, mitre_persistence]
- macro: cmp_cp_by_passwd - macro: cmp_cp_by_passwd
condition: proc.name in (cmp, cp) and proc.pname in (passwd, run-parts) condition: proc.name in (cmp, cp) and proc.pname in (passwd, run-parts)
@ -1110,7 +1136,7 @@
Sensitive file opened for reading by trusted program after startup (user=%user.name Sensitive file opened for reading by trusted program after startup (user=%user.name
command=%proc.cmdline parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2]) command=%proc.cmdline parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2])
priority: WARNING priority: WARNING
tags: [filesystem] tags: [filesystem, mitre_credential_access]
- list: read_sensitive_file_binaries - list: read_sensitive_file_binaries
items: [ items: [
@ -1159,7 +1185,7 @@
Sensitive file opened for reading by non-trusted program (user=%user.name program=%proc.name Sensitive file opened for reading by non-trusted program (user=%user.name program=%proc.name
command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4]) command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
priority: WARNING priority: WARNING
tags: [filesystem] tags: [filesystem, mitre_credential_access]
# Only let rpm-related programs write to the rpm database # Only let rpm-related programs write to the rpm database
- rule: Write below rpm database - rule: Write below rpm database
@ -1172,7 +1198,7 @@
and not exe_running_docker_save and not exe_running_docker_save
output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline)" output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline)"
priority: ERROR priority: ERROR
tags: [filesystem, software_mgmt] tags: [filesystem, software_mgmt, mitre_persistence]
- macro: postgres_running_wal_e - macro: postgres_running_wal_e
condition: (proc.pname=postgres and proc.cmdline startswith "sh -c envdir /etc/wal-e.d/env /usr/local/bin/wal-e") condition: (proc.pname=postgres and proc.cmdline startswith "sh -c envdir /etc/wal-e.d/env /usr/local/bin/wal-e")
@ -1207,7 +1233,7 @@
Database-related program spawned process other than itself (user=%user.name Database-related program spawned process other than itself (user=%user.name
program=%proc.cmdline parent=%proc.pname) program=%proc.cmdline parent=%proc.pname)
priority: NOTICE priority: NOTICE
tags: [process, database] tags: [process, database, mitre_execution]
- rule: Modify binary dirs - rule: Modify binary dirs
desc: an attempt to modify any file below a set of binary directories. desc: an attempt to modify any file below a set of binary directories.
@ -1216,7 +1242,7 @@
File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline
pcmdline=%proc.pcmdline operation=%evt.type file=%fd.name %evt.args) pcmdline=%proc.pcmdline operation=%evt.type file=%fd.name %evt.args)
priority: ERROR priority: ERROR
tags: [filesystem] tags: [filesystem, mitre_persistence]
- rule: Mkdir binary dirs - rule: Mkdir binary dirs
desc: an attempt to create a directory below a set of binary directories. desc: an attempt to create a directory below a set of binary directories.
@ -1225,7 +1251,7 @@
Directory below known binary directory created (user=%user.name Directory below known binary directory created (user=%user.name
command=%proc.cmdline directory=%evt.arg.path) command=%proc.cmdline directory=%evt.arg.path)
priority: ERROR priority: ERROR
tags: [filesystem] tags: [filesystem, mitre_persistence]
# This list allows for easy additions to the set of commands allowed # This list allows for easy additions to the set of commands allowed
# to change thread namespace without having to copy and override the # to change thread namespace without having to copy and override the
@ -1398,7 +1424,7 @@
cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3] cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3]
aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7]) aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7])
priority: DEBUG priority: DEBUG
tags: [shell] tags: [shell, mitre_execution]
- macro: allowed_openshift_registry_root - macro: allowed_openshift_registry_root
condition: > condition: >
@ -1473,7 +1499,7 @@
and not user_trusted_containers and not user_trusted_containers
output: Privileged container started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag) output: Privileged container started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
priority: INFO priority: INFO
tags: [container, cis] tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement]
# For now, only considering a full mount of /etc as # For now, only considering a full mount of /etc as
# sensitive. Ideally, this would also consider all subdirectories # sensitive. Ideally, this would also consider all subdirectories
@ -1513,7 +1539,7 @@
and not user_sensitive_mount_containers and not user_sensitive_mount_containers
output: Container with sensitive mount started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag mounts=%container.mounts) output: Container with sensitive mount started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag mounts=%container.mounts)
priority: INFO priority: INFO
tags: [container, cis] tags: [container, cis, mitre_lateral_movement]
# In a local/user rules file, you could override this macro to # In a local/user rules file, you could override this macro to
# explicitly enumerate the container images that you want to run in # explicitly enumerate the container images that you want to run in
@ -1533,7 +1559,7 @@
condition: container_started and container and not allowed_containers condition: container_started and container and not allowed_containers
output: Container started and not in allowed list (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag) output: Container started and not in allowed list (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
priority: WARNING priority: WARNING
tags: [container] tags: [container, mitre_lateral_movement]
# Anything run interactively by root # Anything run interactively by root
# - condition: evt.type != switch and user.name = root and proc.name != sshd and interactive # - condition: evt.type != switch and user.name = root and proc.name != sshd and interactive
@ -1545,7 +1571,7 @@
condition: spawned_process and system_users and interactive condition: spawned_process and system_users and interactive
output: "System user ran an interactive command (user=%user.name command=%proc.cmdline)" output: "System user ran an interactive command (user=%user.name command=%proc.cmdline)"
priority: INFO priority: INFO
tags: [users] tags: [users, mitre_remote_access_tools]
- rule: Terminal shell in container - rule: Terminal shell in container
desc: A shell was used as the entrypoint/exec point into a container with an attached terminal. desc: A shell was used as the entrypoint/exec point into a container with an attached terminal.
@ -1557,7 +1583,7 @@
A shell was spawned in a container with an attached terminal (user=%user.name %container.info A shell was spawned in a container with an attached terminal (user=%user.name %container.info
shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty) shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty)
priority: NOTICE priority: NOTICE
tags: [container, shell] tags: [container, shell, mitre_execution]
# For some container types (mesos), there isn't a container image to # For some container types (mesos), there isn't a container image to
# work with, and the container name is autogenerated, so there isn't # work with, and the container name is autogenerated, so there isn't
@ -1631,7 +1657,7 @@
Known system binary sent/received network traffic Known system binary sent/received network traffic
(user=%user.name command=%proc.cmdline connection=%fd.name) (user=%user.name command=%proc.cmdline connection=%fd.name)
priority: NOTICE priority: NOTICE
tags: [network] tags: [network, mitre_exfiltration]
- list: openvpn_udp_ports - list: openvpn_udp_ports
items: [1194, 1197, 1198, 8080, 9201] items: [1194, 1197, 1198, 8080, 9201]
@ -1672,7 +1698,7 @@
Unexpected UDP Traffic Seen Unexpected UDP Traffic Seen
(user=%user.name command=%proc.cmdline connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args) (user=%user.name command=%proc.cmdline connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args)
priority: NOTICE priority: NOTICE
tags: [network] tags: [network, mitre_exfiltration]
# With the current restriction on system calls handled by falco # With the current restriction on system calls handled by falco
# (e.g. excluding read/write/sendto/recvfrom/etc, this rule won't # (e.g. excluding read/write/sendto/recvfrom/etc, this rule won't
@ -1731,7 +1757,7 @@
Unexpected setuid call by non-sudo, non-root program (user=%user.name cur_uid=%user.uid parent=%proc.pname Unexpected setuid call by non-sudo, non-root program (user=%user.name cur_uid=%user.uid parent=%proc.pname
command=%proc.cmdline uid=%evt.arg.uid) command=%proc.cmdline uid=%evt.arg.uid)
priority: NOTICE priority: NOTICE
tags: [users] tags: [users, mitre_privilege_escalation]
- rule: User mgmt binaries - rule: User mgmt binaries
desc: > desc: >
@ -1755,7 +1781,7 @@
User management binary command run outside of container User management binary command run outside of container
(user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4]) (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
priority: NOTICE priority: NOTICE
tags: [host, users] tags: [host, users, mitre_persistence]
- list: allowed_dev_files - list: allowed_dev_files
items: [ items: [
@ -1775,7 +1801,7 @@
and not fd.name startswith /dev/tty and not fd.name startswith /dev/tty
output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name)" output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name)"
priority: ERROR priority: ERROR
tags: [filesystem] tags: [filesystem, mitre_persistence]
# In a local/user rules file, you could override this macro to # In a local/user rules file, you could override this macro to
@ -1797,7 +1823,7 @@
condition: outbound and fd.sip="169.254.169.254" and container and not ec2_metadata_containers condition: outbound and fd.sip="169.254.169.254" and container and not ec2_metadata_containers
output: Outbound connection to EC2 instance metadata service (command=%proc.cmdline connection=%fd.name %container.info image=%container.image.repository:%container.image.tag) output: Outbound connection to EC2 instance metadata service (command=%proc.cmdline connection=%fd.name %container.info image=%container.image.repository:%container.image.tag)
priority: NOTICE priority: NOTICE
tags: [network, aws, container] tags: [network, aws, container, mitre_discovery]
# In a local/user rules file, you should override this macro with the # In a local/user rules file, you should override this macro with the
# IP address of your k8s api server. The IP 1.2.3.4 is a placeholder # IP address of your k8s api server. The IP 1.2.3.4 is a placeholder
@ -1820,7 +1846,7 @@
condition: outbound and k8s_api_server and container and not k8s_containers condition: outbound and k8s_api_server and container and not k8s_containers
output: Unexpected connection to K8s API Server from container (command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag connection=%fd.name) output: Unexpected connection to K8s API Server from container (command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag connection=%fd.name)
priority: NOTICE priority: NOTICE
tags: [network, k8s, container] tags: [network, k8s, container, mitre_discovery]
# In a local/user rules file, list the container images that are # In a local/user rules file, list the container images that are
# allowed to contact NodePort services from within a container. This # allowed to contact NodePort services from within a container. This
@ -1836,10 +1862,10 @@
condition: (inbound_outbound) and fd.sport >= 30000 and fd.sport <= 32767 and container and not nodeport_containers condition: (inbound_outbound) and fd.sport >= 30000 and fd.sport <= 32767 and container and not nodeport_containers
output: Unexpected K8s NodePort Connection (command=%proc.cmdline connection=%fd.name) output: Unexpected K8s NodePort Connection (command=%proc.cmdline connection=%fd.name)
priority: NOTICE priority: NOTICE
tags: [network, k8s, container] tags: [network, k8s, container, mitre_port_knocking]
- list: network_tool_binaries - list: network_tool_binaries
items: [nc, ncat, nmap] items: [nc, ncat, nmap, dig]
- macro: network_tool_procs - macro: network_tool_procs
condition: proc.name in (network_tool_binaries) condition: proc.name in (network_tool_binaries)
@ -1853,7 +1879,7 @@
Package management process launched in container (user=%user.name Package management process launched in container (user=%user.name
command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority: ERROR priority: ERROR
tags: [process] tags: [process, mitre_persistence]
- rule: Netcat Remote Code Execution in Container - rule: Netcat Remote Code Execution in Container
desc: Netcat Program runs inside container that allows remote code execution desc: Netcat Program runs inside container that allows remote code execution
@ -1866,17 +1892,60 @@
Netcat runs inside container that allows remote code execution (user=%user.name Netcat runs inside container that allows remote code execution (user=%user.name
command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority: WARNING priority: WARNING
tags: [network, process] tags: [network, process, mitre_execution]
- rule: Lauch Suspicious Network Tool in Container - rule: Lauch Suspicious Network Tool in Container
desc: Detect network tools launched inside container desc: Detect network tools launched inside container
condition: > condition: >
spawned_process and container and network_tool_procs spawned_process and container and network_tool_procs
output: > output: >
Network tool launched in container (user=%user.name Network tool launched in container (user=%user.name command=%proc.cmdline parent_process=%proc.pname
command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority: NOTICE priority: NOTICE
tags: [network, process] tags: [network, process, mitre_discovery, mitre_exfiltration]
- list: grep_binaries
items: [grep, egre, fgrep]
- macro: grep_commands
condition: (proc.name in (grep_binaries))
- macro: private_key_or_password
condition: >
(proc.args icontains "BEGIN PRIVATE" or
proc.args icontains "BEGIN RSA PRIVATE" or
proc.args icontains "BEGIN DSA PRIVATE" or
proc.args icontains "BEGIN EC PRIVATE" or
proc.args icontains "pass" or
proc.args icontains "ssh"
)
- rule: Search Private Keys or Passwords
desc: >
Detect grep private keys or passwords activity.
condition: >
(spawned_process and container and
((grep_commands and private_key_or_password) or
(proc.name = "find" and (proc.args contains "id_rsa" or proc.args contains "id_dsa")))
)
output: >
Grep private keys or passwords activities found
(user=%user.name command=%proc.cmdline container_id=%container.id container_name=%container.name
image=%container.image.repository:%container.image.tag)
priority:
WARNING
tags: [process, mitre_credential_access]
- rule: Delete Bash History
desc: Detect bash history deletetion
condition: >
(spawned_process and proc.name in (shred, rm) and proc.args contains "bash_history")
output: >
Bash history has been deleted (user=%user.name command=%proc.cmdline
container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority:
WARNING
tag: [process, mitre_defense_evation]
# Application rules have moved to application_rules.yaml. Please look # Application rules have moved to application_rules.yaml. Please look
# there if you want to enable them by adding to # there if you want to enable them by adding to