github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-28 07:37:32 +00:00
Code Issues Projects Releases Wiki Activity

Convert rules file to yaml format

Browse Source
This commit is contained in:
Henri DF 2016-05-02 21:48:53 +00:00
parent 0914651d1d
commit e3adaf2a5a
8 changed files with 477 additions and 295 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/CMakeLists.txt
View File

@ -1,3 +1,3 @@
install(FILES falco_rules.conf
install(FILES falco_rules.yaml
DESTINATION "${DIR_ETC}")

14
rules/example-1-simple.conf
View File

@ -1,14 +0,0 @@
# A very simple config for introductory purpose. Not for the real-world!
# Network traffic to/from standard system utilities
# These utils never communicate on the network - if they do, that is a strong indication
# that something is wrong (rootkit?)
# Note that the full rule lists all ~150 binaries from coreutils; this example only has a few.
(fd.typechar = 4 or fd.typechar = 6) and proc.name in (ls, mkdir, cat, less, ps)
# System binary is modified or new file is written to standard binary dirs
evt.type = write and fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
# Shell running in container
container.id != host and proc.name = bash

16
rules/example-1-simple.yaml Normal file
View File

@ -0,0 +1,16 @@
# A very simple config for introductory purpose. Not for the real-world!
# Network traffic to/from standard system utilities
# These utils never communicate on the network - if they do, that is a strong indication
# that something is wrong (rootkit?)
# Note that the full rule lists all ~150 binaries from coreutils; this example only has a few.
- condition: (fd.typechar = 4 or fd.typechar = 6) and proc.name in (ls, mkdir, cat, less, ps)
output: "%evt.time: %proc.name network with %fd.l4proto"
# System binary is modified or new file is written to standard binary dirs
- condition: evt.type = open and fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
output: "%evt.time: System binary modified (file '%fd.filename' written by process %proc.name)"
# Shell running in container
- condition: container.id != host and proc.name = bash
output: "%evt.time: Shell running in container (%proc.name, %container.id)"

17
rules/example-2-macros.conf
View File

@ -1,17 +0,0 @@
# A very simple config for introductory purpose. Not for the real-world!
# Binary directories
bin_dir: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
# Core binaries
core_binaries: proc.name in (ls, mkdir, cat, less, ps)
# Network traffic to/from standard utility
(fd.typechar = 4 or fd.typechar=6) and core_binaries
# System binary is modified
evt.type = write and bin_dir
# Shell running in container
container.id != host and proc.name = bash

22
rules/example-2-macros.yaml Normal file
View File

@ -0,0 +1,22 @@
# A very simple config for introductory purpose. Not for the real-world!
# Binary directories
- macro: bin_dir
condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
# Core binaries
- macro: core_binaries
condition: proc.name in (ls, mkdir, cat, less, ps)
# Network traffic to/from standard utility
- condition: (fd.typechar = 4 or fd.typechar=6) and core_binaries
output: "%evt.time: %proc.name network with %fd.l4proto"
# System binary is modified
- condition: evt.type = write and bin_dir
output: "%evt.time: System binary modified (file '%fd.filename' written by process %proc.name)"
# Shell running in container
- condition: container.id != host and proc.name = bash
output: "%evt.time: Shell running in container (%proc.name, %container.id)"

16
rules/example-3-outputs.conf
View File

@ -1,16 +0,0 @@
# A very simple config for introductory purpose. Not for the real-world!
# Binary directories
bin_dir: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
# Core binaries
core_binaries: proc.name in (ls, mkdir, cat, less, ps)
# Network traffic to/from standard utility
(fd.typechar = 4 or fd.typechar=6) and core_binaries | %evt.time: %proc.name network with %fd.l4proto
# System binary is modified
evt.type = write and bin_dir | %evt.time: System binary modified (file '%fd.filename' written by process %proc.name)
# Shell running in container
container.id != host and proc.name = bash | %evt.time: Shell running in container (%proc.name, %container.id)

247
rules/falco_rules.conf
View File

@ -1,247 +0,0 @@
#############
# Definitions
#############
# File actions
write: (syscall.type=write and fd.type in (file, directory))
read: (syscall.type=read and evt.dir=> and fd.type in (file, directory))
rename: syscall.type = rename
mkdir: syscall.type = mkdir
remove: syscall.type in (remove, rmdir, unlink, unlink_at)
modify: rename or mkdir or remove
# File categories
terminal_file_fd: fd.name=/dev/ptmx or fd.directory=/dev/pts
bin_dir: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
bin_dir_mkdir: evt.arg[0] contains /bin or evt.arg[0] contains /sbin or evt.arg[0] contains /usr/bin or evt.arg[0] contains /usr/sbin
bin_dir_rename: evt.arg[1] contains /bin or evt.arg[1] contains /sbin or evt.arg[1] contains /usr/bin or evt.arg[1] contains /usr/sbin
etc_dir: fd.directory contains /etc
ubuntu_so_dirs: fd.directory contains /lib/x86_64-linux-gnu or fd.directory contains /usr/lib/x86_64-linux-gnu or fd.directory contains /usr/lib/sudo
centos_so_dirs: fd.directory contains /lib64 or fd.directory contains /user/lib64 or fd.directory contains /usr/libexec
coreutils_binaries: proc.name in (truncate, sha1sum, numfmt, fmt, fold, uniq, cut, who, groups, csplit, sort, expand, printf, printenv, unlink, tee, chcon, stat, basename, split, nice, yes, whoami, sha224sum, hostid, users, stdbuf, base64, unexpand, cksum, od, paste, nproc, pathchk, sha256sum, wc, test, comm, arch, du, factor, sha512sum, md5sum, tr, runcon, env, dirname, tsort, join, shuf, install, logname, pinky, nohup, expr, pr, tty, timeout, tail, [, seq, sha384sum, nl, head, id, mkfifo, sum, dircolors, ptx, shred, tac, link, chroot, vdir, chown, touch, ls, dd, uname, true, pwd, date, chgrp, chmod, mktemp, cat, mknod, sync, ln, false, rm, mv, cp, echo, readlink, sleep, stty, mkdir, df, dir, rmdir, touch)
adduser_binaries: proc.name in (adduser, deluser, addgroup, delgroup)
login_binaries: proc.name in (bin, login, su, sbin, nologin, bin, faillog, lastlog, newgrp, sg)
# dpkg -L passwd | grep bin | xargs -L 1 basename | tr "\\n" ","
passwd_binaries: proc.name in (sbin, shadowconfig, sbin, grpck, pwunconv, grpconv, pwck, groupmod, vipw, pwconv, useradd, newusers, cppw, chpasswd, usermod, groupadd, groupdel, grpunconv, chgpasswd, userdel, bin, chage, chsh, gpasswd, chfn, expiry, passwd, vigr, cpgr)
# repoquery -l shadow-utils | grep bin | xargs -L 1 basename | tr "\\n" ","
shadowutils_binaries: proc.name in (chage,gpasswd,lastlog,newgrp,sg,adduser,chpasswd,groupadd,groupdel,groupmems,groupmod,grpck,grpconv,grpunconv,newusers,pwck,pwconv,pwunconv,useradd,userdel,usermod,vigr,vipw)
system_binaries: coreutils_binaries or adduser_binaries or login_binaries or passwd_binaries or shadowutils_binaries
sensitive_files: fd.name contains /etc/passwd or fd.name = /etc/sudoers or fd.directory = /etc/sudoers.d or fd.directory = /etc/pam.d or fd.name = /etc/pam.conf
# Network
inbound: (syscall.type=listen and evt.dir=>) or (syscall.type=accept and evt.dir=<)
outbound: ((syscall.type=connect and evt.dir=<) or (syscall.type=sendto and evt.dir=>)) and (fd.typechar=4 or fd.typechar=6)
ssh_port: fd.lport=22
# Ssh
ssh_error_message: evt.arg.data contains "Invalid user" or evt.arg.data contains "preauth"
# System
modules: syscall.type in (delete_module, init_module)
container: container.id != host
interactive: (proc.aname=sshd and proc.name != sshd) or proc.name=systemd-logind
syslog: fd.name = /dev/log
not_cron: proc.name != cron
# System users that should never log into a system. Consider adding your own
# service users (e.g. 'apache' or 'mysqld') here.
system_users: user.name in (bin, daemon, games, lp, mail, nobody, sshd, sync, uucp, www-data)
#######
# Rules
#######
# Don't write to binary dirs
evt.dir = > and write and bin_dir | WARNING Write to bin dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Don't write to /etc
evt.dir = > and write and etc_dir | WARNING Write to etc dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Don't read 'sensitive' files
read and not proc.name in (sshd, sudo, su) and not_cron and sensitive_files | WARNING Read sensitive file (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Don't modify binary dirs
modify and (bin_dir_rename or bin_dir_mkdir) | WARNING Modify bin dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Don't load shared objects coming from unexpected places
read and fd.name contains .so and not (ubuntu_so_dirs or centos_so_dirs) | WARNING Loaded .so from unexpected dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Attempts to access things that shouldn't be
evt.res = EACCES | INFO System call returned EACCESS (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Only sysdig and docker can call setns
syscall.type = setns and not proc.name in (docker, sysdig) | WARNING Unexpected setns (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Shells should only be run by cron or sshd
proc.name = bash and not proc.pname in (bash, sshd, cron, sudo, su, tmux) | WARNING Unexpected shell (%user.name %proc.name %proc.pname %evt.dir %evt.type %evt.args %fd.name)
# Anything run interactively by root
# evt.type != switch and user.name = root and proc.name != sshd and interactive | WARNING Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Anything run interactively by a non-login user
system_users and interactive | WARNING Sytem user ran an interactive command (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Chmod should only be run interactively (by a user)
syscall.type = chmod and not interactive | WARNING non-interactive chmod (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Shells in a container
container and proc.name = bash | WARNING shell in a container (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Network traffic to/from standard utils
# sockfamily ip is to exclude certain processes (like 'groups') that communicate on unix-domain sockets
fd.sockfamily = ip and system_binaries | WARNING network traffic to %proc.name (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# SSH errors (failed logins, disconnects, ..)
syslog and ssh_error_message and evt.dir = < | WARNING sshd error (%proc.name %evt.arg.data)
# Non-sudo setuid
evt.type=setuid and not_cron and not proc.name in (sudo, sshd) | WARNING unexpected setuid call by non-sudo (%user.name %proc.name %evt.dir %evt.type %evt.args)
# User management (su and sudo are ok)
not proc.name in (su, sudo) and (adduser_binaries or login_binaries or passwd_binaries or shadowutils_binaries) | WARNING user-management binary command run (%user.name %proc.name %evt.dir %evt.type %evt.args)
# Some rootkits hide files in /dev
# (we may need to add additional checks against false positives, see: https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/86153)
(evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null | WARNING file created in /dev (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Elasticsearch ports
elasticsearch_cluster_port: fd.sport=9300
elasticsearch_api_port: fd.sport=9200
elasticsearch_port: elasticsearch_cluster_port or elasticsearch_api_port
user.name = elasticsearch and inbound and not elasticsearch_port | WARNING Unexpected Elasticsearch inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = elasticsearch and outbound and not elasticsearch_cluster_port | WARNING Unexpected Elasticsearch outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# ActiveMQ ports
activemq_cluster_port: fd.sport=61616
activemq_web_port: fd.sport=8161
activemq_port: activemq_web_port or activemq_cluster_port
user.name = activemq and inbound and not activemq_port | WARNING Unexpected ActiveMQ inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = activemq and outbound and not activemq_cluster_port | WARNING Unexpected ActiveMQ outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Cassandra ports
# https://docs.datastax.com/en/cassandra/2.0/cassandra/security/secureFireWall_r.html
cassandra_thrift_client_port: fd.sport=9160
cassandra_cql_port: fd.sport=9042
cassandra_cluster_port: fd.sport=7000
cassandra_ssl_cluster_port: fd.sport=7001
cassandra_jmx_port: fd.sport=7199
cassandra_port: cassandra_thrift_client_port or cassandra_cql_port or cassandra_cluster_port or cassandra_ssl_cluster_port or cassandra_jmx_port
user.name = cassandra and inbound and not cassandra_port | WARNING Unexpected Cassandra inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = cassandra and outbound and not (cassandra_ssl_cluster_port or cassandra_cluster_port) | WARNING Unexpected Cassandra outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Couchbase ports
# http://docs.couchbase.com/admin/admin/Install/install-networkPorts.html
# Web Administration Port
couchbase_web_port: fd.sport=8091
# Couchbase API Port
couchbase_api_port: fd.sport=8092
# Internal/External Bucket Port for SSL
couchbase_ssl_bucket_port: fd.sport=11207
# Internal Bucket Port
couchbase_bucket_port: fd.sport=11209
# Internal/External Bucket Port
couchbase_bucket_port_ie: fd.sport=11210
# Client interface (proxy)
couchbase_client_interface_port: fd.sport=11211
# Incoming SSL Proxy
couchbase_incoming_ssl: fd.sport=11214
# Internal Outgoing SSL Proxy
couchbase_outgoing_ssl: fd.sport=11215
# Internal REST HTTPS for SSL
couchbase_internal_rest_port: fd.sport=18091
# Internal CAPI HTTPS for SSL
couchbase_internal_capi_port: fd.sport=18092
# Erlang Port Mapper ( epmd )
couchbase_epmd_port: fd.sport=4369
# Node data exchange
couchbase_dataexchange_port: fd.sport>=21100 and fd.sport<=21299
couchbase_internal_port: couchbase_bucket_port or couchbase_epmd_port or couchbase_dataexchange_port
couchbase_port: couchbase_web_port or couchbase_api_port or couchbase_ssl_bucket_port or couchbase_internal_port or couchbase_bucket_port_ie or couchbase_client_interface_port or couchbase_incoming_ssl or couchbase_outgoing_ssl or couchbase_internal_rest_port or couchbase_internal_capi_port
user.name = couchbase and inbound and not couchbase_port | WARNING Unexpected Couchbase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = couchbase and outbound and not couchbase_internal_port | WARNING Unexpected Couchbase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Couchdb ports
# https://github.com/davisp/couchdb/blob/master/etc/couchdb/local.ini
couchdb_httpd_port: fd.sport=5984
couchdb_httpd_ssl_port: fd.sport=6984
# xxx can't tell what clustering ports are used. not writing rules for this
# yet.
# Etcd ports
etcd_client_port: fd.sport=2379
etcd_peer_port: fd.sport=2380
# need to double-check which user etcd runs as
user.name = etcd and inbound and not (etcd_client_port or etcd_peer_port) | WARNING Unexpected Etcd inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = etcd and outbound and not couchbase_internal_port | WARNING Unexpected Etcd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Fluentd ports
fluentd_http_port: fd.sport=9880
fluentd_forward_port: fd.sport=24224
user.name = td-agent and inbound and not (fluentd_forward_port or fluentd_http_port) | WARNING Unexpected Fluentd inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = td-agent and outbound and not fluentd_forward_port | WARNING Unexpected Fluentd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Gearman ports
# http://gearman.org/protocol/
user.name = gearman and outbound and outbound and not fd.sport = 4730 | WARNING Unexpected Gearman outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Zookeeper
zookeeper_port: fd.sport = 2181
# HBase ports
# http://blog.cloudera.com/blog/2013/07/guide-to-using-apache-hbase-ports/
hbase_master_port: fd.sport = 60000
hbase_master_info_port: fd.sport = 60010
hbase_regionserver_port: fd.sport = 60020
hbase_regionserver_info_port: fd.sport = 60030
hbase_rest_port: fd.sport = 8080
hbase_rest_info_port: fd.sport = 8085
hbase_regionserver_thrift_port: fd.sport = 9090
hbase_thrift_info_port: fd.sport = 9095
# If you're not running HBase under the 'hbase' user, adjust first expression
# in each rule below
user.name = hbase and inbound and not (hbase_master_port or hbase_master_info_port or hbase_regionserver_port or hbase_regionserver_info_port or hbase_rest_port or hbase_rest_info_port or hbase_regionserver_thrift_port or hbase_thrift_info_port) | WARNING Unexpected HBase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = hbase and outbound and not (zookeeper_port or hbase_master_port or hbase_regionserver_port) | WARNING Unexpected HBase outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Kafka ports
user.name = kafka and inbound and fd.sport != 9092 | WARNING Unexpected Kafka inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# Memcached ports
user.name = memcached and inbound and fd.sport != 11211 | WARNING Unexpected Memcached inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
user.name = memcached and outbound | WARNING Unexpected Memcached outbound connection (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# MongoDB ports
mongodb_server_port: fd.sport = 27017
mongodb_shardserver_port: fd.sport = 27018
mongodb_configserver_port: fd.sport = 27019
mongodb_webserver_port: fd.sport = 28017
user.name = mongodb and inbound and not (mongodb_server_port or mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port) | WARNING Unexpected MongoDB inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# MySQL ports
user.name = mysql and inbound and fd.sport != 3306 | WARNING Unexpected MySQL inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
# HTTP server
http_server: proc.name in (nginx, httpd, lighttpd)
http_server and inbound and fd.sport != 80 and fd.sport != 443 | WARNING Unexpected HTTP server inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)

438
rules/falco_rules.yaml Normal file
View File

@ -0,0 +1,438 @@
#############
# Definitions
#############
# File actions
- macro: write
condition: (syscall.type=write and fd.type in (file, directory))
- macro: read
condition: (syscall.type=read and evt.dir=> and fd.type in (file, directory))
- macro: rename
condition: syscall.type = rename
- macro: mkdir
condition: syscall.type = mkdir
- macro: remove
condition: syscall.type in (remove, rmdir, unlink, unlink_at)
- macro: modify
condition: rename or mkdir or remove
# File categories
- macro: terminal_file_fd
condition: fd.name=/dev/ptmx or fd.directory=/dev/pts
- macro: bin_dir
condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
- macro: bin_dir_mkdir
condition: evt.arg[0] contains /bin or evt.arg[0] contains /sbin or evt.arg[0] contains /usr/bin or evt.arg[0] contains /usr/sbin
- macro: bin_dir_rename
condition: evt.arg[1] contains /bin or evt.arg[1] contains /sbin or evt.arg[1] contains /usr/bin or evt.arg[1] contains /usr/sbin
- macro: etc_dir
condition: fd.directory contains /etc
- macro: ubuntu_so_dirs
condition: fd.directory contains /lib/x86_64-linux-gnu or fd.directory contains /usr/lib/x86_64-linux-gnu or fd.directory contains /usr/lib/sudo
- macro: centos_so_dirs
condition: fd.directory contains /lib64 or fd.directory contains /user/lib64 or fd.directory contains /usr/libexec
- macro: coreutils_binaries
condition: >
proc.name in (truncate, sha1sum, numfmt, fmt, fold, uniq, cut, who,
groups, csplit, sort, expand, printf, printenv, unlink, tee, chcon, stat,
basename, split, nice, yes, whoami, sha224sum, hostid, users, stdbuf,
base64, unexpand, cksum, od, paste, nproc, pathchk, sha256sum, wc, test,
comm, arch, du, factor, sha512sum, md5sum, tr, runcon, env, dirname,
tsort, join, shuf, install, logname, pinky, nohup, expr, pr, tty, timeout,
tail, [, seq, sha384sum, nl, head, id, mkfifo, sum, dircolors, ptx, shred,
tac, link, chroot, vdir, chown, touch, ls, dd, uname, true, pwd, date,
chgrp, chmod, mktemp, cat, mknod, sync, ln, false, rm, mv, cp, echo,
readlink, sleep, stty, mkdir, df, dir, rmdir, touch)
- macro: adduser_binaries
condition: proc.name in (adduser, deluser, addgroup, delgroup)
- macro: login_binaries
condition: proc.name in (bin, login, su, sbin, nologin, bin, faillog, lastlog, newgrp, sg)
# dpkg -L passwd | grep bin | xargs -L 1 basename | tr "\\n" ","
- macro: passwd_binaries
condition: >
proc.name in (sbin, shadowconfig, sbin, grpck, pwunconv, grpconv, pwck,
groupmod, vipw, pwconv, useradd, newusers, cppw, chpasswd, usermod,
groupadd, groupdel, grpunconv, chgpasswd, userdel, bin, chage, chsh,
gpasswd, chfn, expiry, passwd, vigr, cpgr)
# repoquery -l shadow-utils | grep bin | xargs -L 1 basename | tr "\\n" ","
- macro: shadowutils_binaries
condition: >
proc.name in (chage, gpasswd, lastlog, newgrp, sg, adduser, chpasswd,
groupadd, groupdel, groupmems, groupmod, grpck, grpconv, grpunconv,
newusers, pwck, pwconv, pwunconv, useradd, userdel, usermod, vigr, vipw)
- macro: system_binaries
condition: coreutils_binaries or adduser_binaries or login_binaries or passwd_binaries or shadowutils_binaries
- macro: sensitive_files
condition: fd.name contains /etc/passwd or fd.name = /etc/sudoers or fd.directory = /etc/sudoers.d or fd.directory = /etc/pam.d or fd.name = /etc/pam.conf
# Network
- macro: inbound
condition: (syscall.type=listen and evt.dir=>) or (syscall.type=accept and evt.dir=<)
- macro: outbound
condition: ((syscall.type=connect and evt.dir=<) or (syscall.type=sendto and evt.dir=>)) and (fd.typechar=4 or fd.typechar=6)
- macro: ssh_port
condition: fd.lport=22
# Ssh
- macro: ssh_error_message
condition: evt.arg.data contains "Invalid user" or evt.arg.data contains "preauth"
# System
- macro: modules
condition: syscall.type in (delete_module, init_module)
- macro: container
condition: container.id != host
- macro: interactive
condition: (proc.aname=sshd and proc.name != sshd) or proc.name=systemd-logind
- macro: syslog
condition: fd.name = /dev/log
- macro: not_cron
condition: proc.name != cron
# System users that should never log into a system. Consider adding your own
# service users (e.g. 'apache' or 'mysqld') here.
- macro: system_users
condition: user.name in (bin, daemon, games, lp, mail, nobody, sshd, sync, uucp, www-data)
#######
# Rules
#######
# Don't write to binary dirs
- condition: evt.dir = > and write and bin_dir
output: "Write to bin dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# Don't write to /etc
- condition: evt.dir = > and write and etc_dir
output: "Write to etc dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# Don't read 'sensitive' files
- condition: read and not proc.name in (sshd, sudo, su) and not_cron and sensitive_files
output: "Read sensitive file (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# Don't modify binary dirs
- condition: modify and (bin_dir_rename or bin_dir_mkdir)
output: "Modify bin dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# Don't load shared objects coming from unexpected places
- condition: read and fd.name contains .so and not (ubuntu_so_dirs or centos_so_dirs)
output: "Loaded .so from unexpected dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# Attempts to access things that shouldn't be
- condition: evt.res = EACCES
output: "System call returned EACCESS (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: INFO
# Only sysdig and docker can call setns
- condition: syscall.type = setns and not proc.name in (docker, sysdig)
output: "Unexpected setns (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# Shells should only be run by cron or sshd
- condition: proc.name = bash and not proc.pname in (bash, sshd, cron, sudo, su, tmux)
output: "Unexpected shell (%user.name %proc.name %proc.pname %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# Anything run interactively by root
# - condition: evt.type != switch and user.name = root and proc.name != sshd and interactive
# output: "Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
# priority: WARNING
# Anything run interactively by a non-login user
- condition: system_users and interactive
output: "Sytem user ran an interactive command (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# Chmod should only be run interactively (by a user)
- condition: syscall.type = chmod and not interactive
output: "non-interactive chmod (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# Shells in a container
- condition: container and proc.name = bash
output: "shell in a container (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# Network traffic to/from standard utils
# sockfamily ip is to exclude certain processes (like 'groups') that communicate on unix-domain sockets
- condition: fd.sockfamily = ip and system_binaries
output: "network traffic to %proc.name (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# SSH errors (failed logins, disconnects, ..)
- condition: syslog and ssh_error_message and evt.dir = <
output: "sshd error (%proc.name %evt.arg.data)"
priority: WARNING
# Non-sudo setuid
- condition: evt.type=setuid and not_cron and not proc.name in (sudo, sshd)
output: "unexpected setuid call by non-sudo (%user.name %proc.name %evt.dir %evt.type %evt.args)"
priority: WARNING
# User management (su and sudo are ok)
- condition: not proc.name in (su, sudo) and (adduser_binaries or login_binaries or passwd_binaries or shadowutils_binaries)
output: "user-management binary command run (%user.name %proc.name %evt.dir %evt.type %evt.args)"
priority: WARNING
# Some rootkits hide files in /dev
# (we may need to add additional checks against false positives, see: https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/86153)
- condition: (evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null
output: "file created in /dev (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# Elasticsearch ports
- macro: elasticsearch_cluster_port
condition: fd.sport=9300
- macro: elasticsearch_api_port
condition: fd.sport=9200
- macro: elasticsearch_port
condition: elasticsearch_cluster_port or elasticsearch_api_port
- condition: user.name = elasticsearch and inbound and not elasticsearch_port
output: "Unexpected Elasticsearch inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
- condition: user.name = elasticsearch and outbound and not elasticsearch_cluster_port
output: "Unexpected Elasticsearch outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# ActiveMQ ports
- macro: activemq_cluster_port
condition: fd.sport=61616
- macro: activemq_web_port
condition: fd.sport=8161
- macro: activemq_port
condition: activemq_web_port or activemq_cluster_port
- condition: user.name = activemq and inbound and not activemq_port
output: "Unexpected ActiveMQ inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
- condition: user.name = activemq and outbound and not activemq_cluster_port
output: "Unexpected ActiveMQ outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# Cassandra ports
# https://docs.datastax.com/en/cassandra/2.0/cassandra/security/secureFireWall_r.html
- macro: cassandra_thrift_client_port
condition: fd.sport=9160
- macro: cassandra_cql_port
condition: fd.sport=9042
- macro: cassandra_cluster_port
condition: fd.sport=7000
- macro: cassandra_ssl_cluster_port
condition: fd.sport=7001
- macro: cassandra_jmx_port
condition: fd.sport=7199
- macro: cassandra_port
condition: cassandra_thrift_client_port or cassandra_cql_port or cassandra_cluster_port or cassandra_ssl_cluster_port or cassandra_jmx_port
- condition: user.name = cassandra and inbound and not cassandra_port
output: "Unexpected Cassandra inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
- condition: user.name = cassandra and outbound and not (cassandra_ssl_cluster_port or cassandra_cluster_port)
output: "Unexpected Cassandra outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# Couchbase ports
# http://docs.couchbase.com/admin/admin/Install/install-networkPorts.html
# Web Administration Port
- macro: couchbase_web_port
condition: fd.sport=8091
# Couchbase API Port
- macro: couchbase_api_port
condition: fd.sport=8092
# Internal/External Bucket Port for SSL
- macro: couchbase_ssl_bucket_port
condition: fd.sport=11207
# Internal Bucket Port
- macro: couchbase_bucket_port
condition: fd.sport=11209
# Internal/External Bucket Port
- macro: couchbase_bucket_port_ie
condition: fd.sport=11210
# Client interface (proxy)
- macro: couchbase_client_interface_port
condition: fd.sport=11211
# Incoming SSL Proxy
- macro: couchbase_incoming_ssl
condition: fd.sport=11214
# Internal Outgoing SSL Proxy
- macro: couchbase_outgoing_ssl
condition: fd.sport=11215
# Internal REST HTTPS for SSL
- macro: couchbase_internal_rest_port
condition: fd.sport=18091
# Internal CAPI HTTPS for SSL
- macro: couchbase_internal_capi_port
condition: fd.sport=18092
# Erlang Port Mapper ( epmd )
- macro: couchbase_epmd_port
condition: fd.sport=4369
# Node data exchange
- macro: couchbase_dataexchange_port
condition: fd.sport>=21100 and fd.sport<=21299
- macro: couchbase_internal_port
condition: couchbase_bucket_port or couchbase_epmd_port or couchbase_dataexchange_port
- macro: couchbase_port
condition: >
couchbase_web_port or couchbase_api_port or couchbase_ssl_bucket_port or
couchbase_internal_port or couchbase_bucket_port_ie or
couchbase_client_interface_port or couchbase_incoming_ssl or
couchbase_outgoing_ssl or couchbase_internal_rest_port or
couchbase_internal_capi_port
- condition: user.name = couchbase and inbound and not couchbase_port
output: "Unexpected Couchbase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
- condition: user.name = couchbase and outbound and not couchbase_internal_port
output: "Unexpected Couchbase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# Couchdb ports
# https://github.com/davisp/couchdb/blob/master/etc/couchdb/local.ini
- macro: couchdb_httpd_port
condition: fd.sport=5984
- macro: couchdb_httpd_ssl_port
condition: fd.sport=6984
# xxx can't tell what clustering ports are used. not writing rules for this
# yet.
# Etcd ports
- macro: etcd_client_port
condition: fd.sport=2379
- macro: etcd_peer_port
condition: fd.sport=2380
# need to double-check which user etcd runs as
- condition: user.name = etcd and inbound and not (etcd_client_port or etcd_peer_port)
output: "Unexpected Etcd inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
- condition: user.name = etcd and outbound and not couchbase_internal_port
output: "Unexpected Etcd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# Fluentd ports
- macro: fluentd_http_port
condition: fd.sport=9880
- macro: fluentd_forward_port
condition: fd.sport=24224
- condition: user.name = td-agent and inbound and not (fluentd_forward_port or fluentd_http_port)
output: "Unexpected Fluentd inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
- condition: user.name = td-agent and outbound and not fluentd_forward_port
output: "Unexpected Fluentd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# Gearman ports
# http://gearman.org/protocol/
- condition: user.name = gearman and outbound and outbound and not fd.sport = 4730
output: "Unexpected Gearman outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# Zookeeper
- macro: zookeeper_port
condition: fd.sport = 2181
# HBase ports
# http://blog.cloudera.com/blog/2013/07/guide-to-using-apache-hbase-ports/
- macro: hbase_master_port
condition: fd.sport = 60000
- macro: hbase_master_info_port
condition: fd.sport = 60010
- macro: hbase_regionserver_port
condition: fd.sport = 60020
- macro: hbase_regionserver_info_port
condition: fd.sport = 60030
- macro: hbase_rest_port
condition: fd.sport = 8080
- macro: hbase_rest_info_port
condition: fd.sport = 8085
- macro: hbase_regionserver_thrift_port
condition: fd.sport = 9090
- macro: hbase_thrift_info_port
condition: fd.sport = 9095
# If you're not running HBase under the 'hbase' user, adjust first expression
# in each rule below
- condition: >
user.name = hbase and inbound and not (hbase_master_port or
hbase_master_info_port or hbase_regionserver_port or
hbase_regionserver_info_port or hbase_rest_port or hbase_rest_info_port or
hbase_regionserver_thrift_port or hbase_thrift_info_port)
output: "Unexpected HBase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
- condition: user.name = hbase and outbound and not (zookeeper_port or hbase_master_port or hbase_regionserver_port)
output: "Unexpected HBase outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# Kafka ports
- condition: user.name = kafka and inbound and fd.sport != 9092
output: "Unexpected Kafka inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# Memcached ports
- condition: user.name = memcached and inbound and fd.sport != 11211
output: "Unexpected Memcached inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
- condition: user.name = memcached and outbound
output: "Unexpected Memcached outbound connection (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# MongoDB ports
- macro: mongodb_server_port
condition: fd.sport = 27017
- macro: mongodb_shardserver_port
condition: fd.sport = 27018
- macro: mongodb_configserver_port
condition: fd.sport = 27019
- macro: mongodb_webserver_port
condition: fd.sport = 28017
- condition: user.name = mongodb and inbound and not (mongodb_server_port or mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port)
output: "Unexpected MongoDB inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# MySQL ports
- condition: user.name = mysql and inbound and fd.sport != 3306
output: "Unexpected MySQL inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# HTTP server
- macro: http_server
condition: proc.name in (nginx, httpd, lighttpd)
- condition: http_server and inbound and fd.sport != 80 and fd.sport != 443
output: "Unexpected HTTP server inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING