From e49c3e68e7cc31d8bc2850c0d6e7b0e60a092fe0 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 12 Aug 2016 14:17:13 -0700
Subject: [PATCH] Improve ruleset based on falco event-generator.

Improve ruleset after using with falco event_generator:

- Instead of assuming all shells are bash, add a list shell_binaries and macro shell_procs, and replace references to bash with shell_procs. This revealed some other programs that can spawn shells.
- Add "login" as an interactive command. systemd-login isn't in alpine linux, which is the linux distro used for the container.
- Move read_sensitive_file_untrusted before read_sensitive_file_trusted_after_startup, so it can hit first.
---
 rules/falco_rules.yaml | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index e576fb94..ea0f941f 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -54,6 +54,12 @@
 - macro: linux_so_dirs
   condition: ubuntu_so_dirs or centos_so_dirs or fd.name=/etc/ld.so.cache
+- list: shell_binaries
+  items: [bash, csh, ksh, sh, tcsh, zsh, dash]
+
+- macro: shell_procs
+  condition: proc.name in (shell_binaries)
+
 - list: coreutils_binaries
   items: [
     truncate, sha1sum, numfmt, fmt, fold, uniq, cut, who,
@@ -161,7 +167,7 @@
 - macro: container
   condition: container.id != host
 - macro: interactive
-  condition: ((proc.aname=sshd and proc.name != sshd) or proc.name=systemd-logind)
+  condition: ((proc.aname=sshd and proc.name != sshd) or proc.name=systemd-logind or proc.name=login)
 - macro: syslog
   condition: fd.name in (/dev/log, /run/systemd/journal/syslog)
 - list: cron_binaries
@@ -203,18 +209,18 @@
   output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline file=%fd.name) within pipe installer session"
   priority: INFO
-- rule: read_sensitive_file_untrusted
-  desc: an attempt to read any sensitive file (e.g. files containing user/password/authentication information). Exceptions are made for known trusted programs.
-  condition: sensitive_files and open_read and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries, cron_binaries, iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, bash, sshd) and not proc.cmdline contains /usr/bin/mandb
-  output: "Sensitive file opened for reading by non-trusted program (user=%user.name command=%proc.cmdline file=%fd.name)"
-  priority: WARNING
-
 - rule: read_sensitive_file_trusted_after_startup
   desc: an attempt to read any sensitive file (e.g. files containing user/password/authentication information) by a trusted program after startup. Trusted programs might read these files at startup to load initial state, but not afterwards.
   condition: sensitive_files and open_read and server_procs and not proc_is_new and proc.name!="sshd"
   output: "Sensitive file opened for reading by trusted program after startup (user=%user.name command=%proc.cmdline file=%fd.name)"
   priority: WARNING
+- rule: read_sensitive_file_untrusted
+  desc: an attempt to read any sensitive file (e.g. files containing user/password/authentication information). Exceptions are made for known trusted programs.
+  condition: sensitive_files and open_read and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries, cron_binaries, iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, shell_binaries, sshd) and not proc.cmdline contains /usr/bin/mandb
+  output: "Sensitive file opened for reading by non-trusted program (user=%user.name name=%proc.name command=%proc.cmdline file=%fd.name)"
+  priority: WARNING
+
 # Only let rpm-related programs write to the rpm database
 - rule: write_rpm_database
   desc: an attempt to write to the rpm database by any non-rpm related program
@@ -264,7 +270,7 @@
 - rule: run_shell_untrusted
   desc: an attempt to spawn a shell by a non-shell program. Exceptions are made for trusted binaries.
-  condition: spawned_process and not container and proc.name = bash and proc.pname exists and not proc.pname in (cron_binaries, bash, sshd, sudo, docker_binaries, su, tmux, screen, emacs, systemd, login, flock, fbash, nginx, monit, supervisord, dragent)
+  condition: spawned_process and not container and shell_procs and proc.pname exists and not proc.pname in (cron_binaries, shell_binaries, sshd, sudo, docker_binaries, su, tmux, screen, emacs, systemd, login, flock, fbash, nginx, monit, supervisord, dragent, aws, initdb, docker-compose)
   output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
   priority: WARNING
@@ -281,7 +287,7 @@
 - rule: run_shell_in_container
   desc: a shell was spawned by a non-shell program in a container. Container entrypoints are excluded.
-  condition: spawned_process and container and proc.name = bash and proc.pname exists and not proc.pname in (sh, bash, docker_binaries)
+  condition: spawned_process and container and shell_procs and proc.pname exists and not proc.pname in (shell_binaries, docker_binaries, initdb, pg_ctl)
   output: "Shell spawned in a container other than entrypoint (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
   priority: WARNING
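Review bot: The new shell_binaries list has no comment, yet this patch references it from two opposite directions: shell_procs uses it to decide what counts as a shell, while read_sensitive_file_untrusted, run_shell_untrusted and run_shell_in_container use it as an exception list on proc.name or proc.pname. Adding a name to the list therefore widens detection and widens the set of trusted names in one step, which a maintainer editing the list would want to know. A comment above the list such as `# Used by shell_procs to identify shells AND as a trusted-name exception in several rules; adding an entry changes both` would make that visible.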
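Review bot: The added `proc.name=login` clause in the interactive macro matches only the login process itself, whereas the sshd clause next to it uses `proc.aname=sshd and proc.name != sshd` so that every descendant of the session is treated as interactive. If the intent is to classify commands run inside a login session on the alpine container as interactive, the symmetric form `(proc.aname=login and proc.name != login)` would be needed; as written, a command started by login does not satisfy the macro unless it matches one of the other clauses. The rules that consume interactive are outside this hunk, so this may be intended, but the asymmetry is worth a comment either way.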
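Review bot: Replacing `bash` with `shell_binaries` in the proc.name exception of read_sensitive_file_untrusted widens the exclusion from one shell to all seven, so a sensitive file opened by the shell process itself (for example through an input redirection, where the shell rather than a child program performs the open) is no longer reported for sh, dash, zsh and the rest. The previous exception covered only bash, and nothing in the commit message explains why every shell should be trusted to read these files, so I would either keep the exception narrow or record the reason in the rule's desc. Separately, the move ahead of read_sensitive_file_trusted_after_startup only changes which rule fires if the engine stops at the first matching rule; a short comment above the rule stating that ordering assumption, e.g. `# Kept before read_sensitive_file_trusted_after_startup so it matches first`, would keep a later reorder from silently undoing it.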
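Review bot: The run_shell_untrusted condition adds aws, initdb and docker-compose to the trusted-parent list without any record of why, and the run_shell_in_container hunk in the next chunk does the same for initdb and pg_ctl. The commit message says the event generator "revealed some other programs that can spawn shells", but that rationale is lost once the list is read on its own, and each exception permanently silences the rule for that parent name. A one-line comment above each rule listing the newly exempted parents and their source, e.g. `# aws, initdb, docker-compose: shell-spawning parents observed with the falco event-generator`, would let a future reviewer judge whether the exception is still warranted.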