From e6bf402117e3d61cade2ffd0ec3f9861c9e3af56 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 24 Apr 2018 09:24:50 -0700 Subject: [PATCH] Rule updates 2018 04.v1 (#350) * added new command lines for rabbitMQ * added httpd_writing_ssl_conf macro and add it to write_etc_common * modified httpd_writing_ssl_conf to add additional files * added additional command to httpd_writing_ssl_conf * Wrap condition Wrap condition with folded style. * Consolidate test connect ports into one list There were several exceptions for apps that do a udp connect on an address simply to see if it works, folllowed by a tcp connect that actually sends/receives data. Unify these exceptions into a single list test_connect_ports, and add port 9 (discard, used by dockerd). --- rules/falco_rules.yaml | 37 +++++++++++++++++++++++-------------- 1 file changed, 23 insertions(+), 14 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index c646979b..c5332a1d 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -378,6 +378,13 @@ proc.pcmdline startswith "node /root/.config/yarn" or proc.pcmdline startswith "node /opt/yarn/bin/yarn.js")) + +- macro: httpd_writing_ssl_conf + condition: > + (proc.pname=run-httpd and + (proc.cmdline startswith "sed -ri" or proc.cmdline startswith "sed -i") and + (fd.name startswith /etc/httpd/conf.d/ or fd.name startswith /etc/httpd/conf)) + - macro: parent_Xvfb_running_xkbcomp condition: (proc.pname=Xvfb and proc.cmdline startswith 'sh -c "/usr/bin/xkbcomp"') @@ -793,6 +800,7 @@ and not centrify_writing_krb and not cockpit_writing_conf and not ipsec_writing_conf + and not httpd_writing_ssl_conf - rule: Write below etc desc: an attempt to write to any file below /etc 
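Review bot: The new `httpd_writing_ssl_conf` macro is broader than its name says: `fd.name startswith /etc/httpd/conf` already subsumes the `/etc/httpd/conf.d/` clause and also matches any other path beginning with that prefix (e.g. `/etc/httpd/conf.modules.d/`), so once it is wired into `write_etc_common` every `sed -i` run whose parent is `run-httpd` is exempt from the write-below-etc check for the whole httpd configuration tree, not only the SSL files. If the entrypoint only edits specific files, restrict the path clause to those files; if the whole tree is intended, rename the macro or add a comment so a later reader does not assume it is SSL-only. Note also that `proc.cmdline startswith "sed -i"` matches any sed expression, so the exception trusts the parent name and argv prefix only, not what is written; a short comment above the macro such as `# run-httpd entrypoint rewrites httpd config with sed -i; this trusts any sed -i under run-httpd for all of /etc/httpd/conf*` would record that assumption and which image it was derived from.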
@@ -932,7 +940,12 @@ condition: (proc.aname[2]=redis-server and (proc.cmdline contains "redis-server.post-up.d" or proc.cmdline contains "redis-server.pre-up.d")) - macro: rabbitmq_running_scripts - condition: (proc.pname=beam.smp and (proc.cmdline startswith "sh -c exec ps" or proc.cmdline startswith "sh -c exec inet_gethost")) + condition: > + (proc.pname=beam.smp and + (proc.cmdline startswith "sh -c exec ps" or + proc.cmdline startswith "sh -c exec inet_gethost" or + proc.cmdline= "sh -s unix:cmd" or + proc.cmdline= "sh -c exec /bin/sh -s unix:cmd 2>&1")) - macro: rabbitmqctl_running_scripts condition: (proc.aname[2]=rabbitmqctl and proc.cmdline startswith "sh -c ") @@ -1344,23 +1357,19 @@ - list: statsd_ports items: [8125] -- list: mysql_ports - items: [3306] - - list: ntp_ports items: [123] -# 0 is included in the list because some apps connect to an address -# only to test connectivity. +# Some applications will connect a udp socket to an address only to +# test connectivity. Assuming the udp connect works, they will follow +# up with a tcp connect that actually sends/receives data. # -# mysql_ports is included becuase some versions of the mysql client -# will attempt a connect using udp + port 3306 before connecting via -# tcp + port 3306. -# -# 80 is included for the same reason as mysql_ports--some apps do a -# connect using udp before doing a real connect using tcp. +# To address this, we'll list the set of ports seen here. +- list: test_connect_ports + items: [0, 9, 80, 3306] + - list: expected_udp_ports - items: [0, 53, 80, openvpn_udp_ports, l2tp_udp_ports, statsd_ports, mysql_ports, ntp_ports] + items: [53, openvpn_udp_ports, l2tp_udp_ports, statsd_ports, ntp_ports, test_connect_ports] - macro: expected_udp_traffic condition: fd.port in (expected_udp_ports) 
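Review bot: The two new exact-match entries `sh -s unix:cmd` and `sh -c exec /bin/sh -s unix:cmd 2>&1` whitelist a shell that reads its script from stdin (`-s`), so the command line reveals nothing about what actually executes — whatever `beam.smp` pipes in runs under this exception, in whichever rule consumes `rabbitmq_running_scripts` (not visible in this hunk). Exact `=` matching is the right choice here and should not later be loosened to a `startswith "sh -s"` prefix, but that reasoning is not written down. I'd add above the macro: `# sh -s reads its commands from stdin; only the fixed argv is visible, so match it exactly rather than by prefix.`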
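Review bot: Dropping the `mysql_ports` list is only safe if nothing else in falco_rules.yaml references it; this hunk shows just the `expected_udp_ports` use, and an unresolved list name would silently stop expanding, so grep for `mysql_ports` before merging. Separately, `test_connect_ports` now exempts UDP on ports 0, 9, 80 and 3306 for every process — and, if `fd.port` matches either endpoint, in both directions — via `fd.port in (expected_udp_ports)`, which is wider than the connect-then-TCP probe the comment describes: real UDP data exchange on those ports is also silenced. If `inbound_outbound` (defined outside this hunk) distinguishes connect from send events, consider limiting the test-connect exception to the connect event type; at minimum extend the comment with `# NOTE: any udp traffic on these ports is exempted, not only the connectivity probe.`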
@@ -1370,7 +1379,7 @@ condition: (inbound_outbound) and fd.l4proto=udp and not expected_udp_traffic output: > Unexpected UDP Traffic Seen - (user=%user.name command=%proc.cmdline connection=%fd.name proto=%fd.l4proto) + (user=%user.name command=%proc.cmdline connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args) priority: NOTICE tags: [network]
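Review bot: The `%evt.args` added to the output line may carry packet payload into every alert sink if `inbound_outbound` (defined outside this hunk) includes data-carrying events such as sendto/sendmsg, whose args hold a data excerpt. If the field is a troubleshooting aid for settling the port list, it is worth saying so and planning to drop it, keeping `%evt.type`; otherwise document the intent above the rule with `# evt.args included to identify test-connect traffic; may contain packet payload`.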