Rule updates 2018 04.v1 (#350)

* added new command lines for rabbitMQ * added httpd_writing_ssl_conf macro and add it to write_etc_common * modified httpd_writing_ssl_conf to add additional files * added additional command to httpd_writing_ssl_conf * Wrap condition Wrap condition with folded style. * Consolidate test connect ports into one list There were several exceptions for apps that do a udp connect on an address simply to see if it works, folllowed by a tcp connect that actually sends/receives data. Unify these exceptions into a single list test_connect_ports, and add port 9 (discard, used by dockerd).
2025-07-12 05:58:26 +00:00 · 2018-04-24 09:24:50 -07:00 · 2018-04-24 09:24:50 -07:00 · e6bf402117
commit e6bf402117
parent e922a849a9
1 changed files with 23 additions and 14 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -378,6 +378,13 @@
       proc.pcmdline startswith "node /root/.config/yarn" or
       proc.pcmdline startswith "node /opt/yarn/bin/yarn.js"))

+
+- macro: httpd_writing_ssl_conf
+  condition: >
+    (proc.pname=run-httpd and
+     (proc.cmdline startswith "sed -ri" or proc.cmdline startswith "sed -i") and
+     (fd.name startswith /etc/httpd/conf.d/ or fd.name startswith /etc/httpd/conf))
+
 - macro: parent_Xvfb_running_xkbcomp
  condition: (proc.pname=Xvfb and proc.cmdline startswith 'sh -c "/usr/bin/xkbcomp"')

@ -793,6 +800,7 @@
    and not centrify_writing_krb
    and not cockpit_writing_conf
    and not ipsec_writing_conf
+    and not httpd_writing_ssl_conf

 - rule: Write below etc
  desc: an attempt to write to any file below /etc
@ -932,7 +940,12 @@
  condition: (proc.aname[2]=redis-server and (proc.cmdline contains "redis-server.post-up.d" or proc.cmdline contains "redis-server.pre-up.d"))

 - macro: rabbitmq_running_scripts
-  condition: (proc.pname=beam.smp and (proc.cmdline startswith "sh -c exec ps" or proc.cmdline startswith "sh -c exec inet_gethost"))
+  condition: > 
+    (proc.pname=beam.smp and 
+    (proc.cmdline startswith "sh -c exec ps" or 
+     proc.cmdline startswith "sh -c exec inet_gethost" or
+     proc.cmdline= "sh -s unix:cmd" or
+     proc.cmdline= "sh -c exec /bin/sh -s unix:cmd 2>&1")) 

 - macro: rabbitmqctl_running_scripts
  condition: (proc.aname[2]=rabbitmqctl and proc.cmdline startswith "sh -c ")
@ -1344,23 +1357,19 @@
 - list: statsd_ports
  items: [8125]

- list: mysql_ports
-  items: [3306]
-
 - list: ntp_ports
  items: [123]

-# 0 is included in the list because some apps connect to an address
-# only to test connectivity.
+# Some applications will connect a udp socket to an address only to
+# test connectivity. Assuming the udp connect works, they will follow
+# up with a tcp connect that actually sends/receives data.
 #
-# mysql_ports is included becuase some versions of the mysql client
-# will attempt a connect using udp + port 3306 before connecting via
-# tcp + port 3306.
-#
-# 80 is included for the same reason as mysql_ports--some apps do a
-# connect using udp before doing a real connect using tcp.
+# To address this, we'll list the set of ports seen here.
+- list: test_connect_ports
+  items: [0, 9, 80, 3306]
+
 - list: expected_udp_ports
-  items: [0, 53, 80, openvpn_udp_ports, l2tp_udp_ports, statsd_ports, mysql_ports, ntp_ports]
+  items: [53, openvpn_udp_ports, l2tp_udp_ports, statsd_ports, ntp_ports, test_connect_ports]

 - macro: expected_udp_traffic
  condition: fd.port in (expected_udp_ports)
@ -1370,7 +1379,7 @@
  condition: (inbound_outbound) and fd.l4proto=udp and not expected_udp_traffic
  output: >
    Unexpected UDP Traffic Seen
-    (user=%user.name command=%proc.cmdline connection=%fd.name proto=%fd.l4proto)
+    (user=%user.name command=%proc.cmdline connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args)
  priority: NOTICE
  tags: [network]