Rule updates 2019 04.v2 (#573)

* Also let dockerd-current setns()

* Add additional setns programs

Let oci-umount (https://github.com/containers/oci-umount) setns().

* Let Openscap RPM probes touch rpm db

Define a list openscap_rpm_binaries containing openscap probes related
to rpm and let those binaries touch the rpm database.

* Let oc write to more directories below /etc

Make the prefix more general, allowing any path below /etc/origin/node.
This commit is contained in:
Mark Stemm
2019-04-05 11:27:37 -07:00
committed by GitHub
parent b81ded44f3
commit da6b0f16f1


@@ -143,7 +143,7 @@
items: [setup-backend, dragent, sdchecks]
- list: docker_binaries
items: [docker, dockerd, exe, docker-compose, docker-entrypoi, docker-runc-cur, docker-current]
items: [docker, dockerd, exe, docker-compose, docker-entrypoi, docker-runc-cur, docker-current, dockerd-current]
- list: k8s_binaries
items: [hyperkube, skydns, kube2sky, exechealthz, weave-net, loopback, bridge, openshift-sdn]
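Review bot: The `dockerd-current` exemption is wider than the commit message ("also let dockerd-current setns()") suggests, because `docker_binaries` is a shared list: the setns rule on the `-1236` hunk is the one consumer visible in this diff, and any other rule that references the list presumably inherits the exemption too. `proc.name` is the process comm, which any binary can adopt, so a renamed executable gains the same pass. If only the namespace rule needs it, listing it next to `oci-umount` in that rule's condition, or gating it with `proc.pname`, keeps the trust surface smaller; otherwise a comment above the list such as `# *-current names are presumably the distro-packaged docker binaries; listed here so all docker rules treat them alike` would record the intent.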
@@ -182,8 +182,11 @@
repoquery, rpmkeys, rpmq, yum-cron, yum-config-mana, yum-debug-dump,
abrt-action-sav, rpmdb_stat, microdnf, rhn_check, yumdb]
- list: openscap_rpm_binaries
items: [probe_rpminfo, probe_rpmverify, probe_rpmverifyfile, probe_rpmverifypackage]
- macro: rpm_procs
condition: proc.name in (rpm_binaries) or proc.name in (salt-minion)
condition: proc.name in (rpm_binaries, openscap_rpm_binaries) or proc.name in (salt-minion)
- list: deb_binaries
items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, apt-get, aptitude,
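Review bot: `probe_rpmverifyfile` and `probe_rpmverifypackage` in the new `openscap_rpm_binaries` list will never match `proc.name` as written: this file's existing entries (`yum-config-mana`, `abrt-action-sav`, `dpkg-preconfigu`, `dpkg-reconfigur`) show that the comm is truncated to 15 characters, and both names exceed that. The truncated comm of either probe is `probe_rpmverify`, which is already in the list, so this is dead weight rather than a coverage gap, but it misleads the next maintainer into thinking the long names are exact matches. Either drop the two entries or add `# comm is truncated to 15 chars; probe_rpmverify also covers the *file/*package probes` above the list.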
@@ -901,7 +904,7 @@
condition: (proc.name=prometheus-conf and fd.name startswith /etc/prometheus/config_out)
- macro: openshift_writing_conf
condition: (proc.name=oc and fd.name=/etc/origin/node/node.kubeconfig)
condition: (proc.name=oc and fd.name startswith /etc/origin/node)
# Add conditions to this macro (probably in a separate file,
# overwriting this macro) to allow for specific combinations of
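Review bot: `fd.name startswith /etc/origin/node` has no trailing slash, so it also matches sibling paths such as `/etc/origin/node-foo` or a file literally named `/etc/origin/nodeXYZ`, which the commit message ("any path below /etc/origin/node") does not intend; `condition: (proc.name=oc and fd.name startswith /etc/origin/node/)` scopes it to the directory. Note that widening from a single file to a whole tree also means any process whose comm is `oc` can now write anything under that directory unflagged, since `proc.name` is attacker-choosable; if a tighter set of files is known, enumerating them (as the original did) is safer. The `prometheus-conf` macro on the `-901` hunk has the same missing-slash shape and could be fixed consistently.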
@@ -1236,7 +1239,8 @@
as a part of creating a container) by calling setns.
condition: >
evt.type = setns
and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, sysdig, nsenter, calico)
and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries,
sysdig, nsenter, calico, oci-umount)
and not proc.name in (user_known_change_thread_namespace_binaries)
and not proc.name startswith "runc:"
and not proc.pname in (sysdigcloud_binaries)
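Review bot: The new `oci-umount` entry exempts the bare process name, whereas the rule already shows the stronger pattern on its last line, `and not proc.pname in (sysdigcloud_binaries)`, for a process that is only trusted when spawned by a known parent. oci-umount is, per its description, an OCI hook, so it is presumably always started by the runtime; `and not (proc.name = oci-umount and proc.pname in (docker_binaries))` would stop an arbitrary binary renamed `oci-umount` from inheriting the pass — confirm the actual parent comm before committing to that list. Alternatively this is exactly what the `user_known_change_thread_namespace_binaries` override list on the preceding line exists for, if the exemption is site-specific rather than universal.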