From f64ea7def5337fd5a08ba82eeaebbcf15f2bce1a Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 11 May 2016 14:11:18 -0700 Subject: [PATCH] Add addl groups of binary programs. Add some new groups of binary programs as macros and start using them in the set of rules: - docker_binaries: docker and exe (which is a temporary process name for processes like docker-proxy) - http_server_binaries: httpd, nginx, and similar - db_server_binaries: mysql for now, we'll add more later - server_binaries: all of the above - userexec_binaries: sudo and su. Start using these groups in the rules. Most of the time, changing from the inline lists of processes to macros was a no-op. There are some actual changes, though: - docker and exe are now allowed to read 'sensitive' files. They may not actually do so, but it's not really harmful. - lighttpd is now allowed to read 'sensitive' files, via inclusion in http_server_binaries. - su, lighttpd, and docker can now setuid. - http-foreground is included as a http server wrt non-port 80/443 ports. I'm going to use these macros in some of the following rules. This actually prevents detection of mysql reading sensitive files, which is one of the demo scenarios (sql injection). I plan on adding this detection back in the next commit.
---
rules/falco_rules.yaml | 31 ++++++++++++++++++++++--------- 1 file changed, 22 insertions(+), 9 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 1f90baa0..28150fe2 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -92,6 +92,23 @@
 groupadd, groupdel, groupmems, groupmod, grpck, grpconv, grpunconv, newusers, pwck, pwconv, pwunconv, useradd, userdel, usermod, vigr, vipw)
+- macro: docker_binaries
+ condition: proc.name in (docker, exe)
+
+- macro: http_server_binaries
+ condition: proc.name in (nginx, httpd, httpd-foregroun, lighttpd)
+
+- macro: db_server_binaries
+ condition: proc.name in (mysqld)
+
+- macro: server_binaries
+ condition: http_server_binaries or db_server_binaries or docker_binaries or proc.name in (sshd)
+
+# A canonical set of processes that run other programs with different
+# privileges or as a different user.
+- macro: userexec_binaries
+ condition: proc.name in (sudo, su)
+
 - macro: system_binaries
 condition: coreutils_binaries or adduser_binaries or login_binaries or passwd_binaries or shadowutils_binaries
@@ -147,7 +164,7 @@
 priority: WARNING
 # Don't read 'sensitive' files
-- condition: open_read and not proc.name in (sshd, sudo, su, iptables, ps, httpd-foregroun, httpd, nginx, systemd-logind, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, bash) and not_cron and sensitive_files
+- condition: open_read and not server_binaries and not userexec_binaries and not proc.name in (iptables, ps, systemd-logind, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, bash) and not_cron and sensitive_files
 output: "Read sensitive file (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
 priority: WARNING
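Review bot: `docker_binaries` matches any process whose name is `exe`, and because `server_binaries` folds `docker_binaries` in, every such process is now exempted from the sensitive-file-read rule in the second hunk and from the setuid rule in the third; `proc.name` is only the executable's basename, so this exempts far more than the docker-proxy case the commit message describes. If the fields in use here allow it, a parent-process qualifier such as `proc.pname` on the `exe` entry would keep the intent without the wide exemption. At minimum the macro should say why the odd name is there, e.g. `# exe: temporary process name used by docker helpers such as docker-proxy`, so it is not removed as a typo later. The 15-character names `httpd-foregroun` here and `check-new-relea` in the second hunk deserve the same treatment, e.g. `# httpd-foregroun: httpd-foreground truncated to the kernel's 15-char comm limit`.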
@@ -211,9 +228,9 @@
 output: "sshd error (%proc.name %evt.arg.data)"
 priority: WARNING
-# Non-sudo setuid
-- condition: evt.type=setuid and not_cron and not proc.name in (sudo, sshd, exe, httpd-foregroun, httpd, nginx, mysqld)
- output: "unexpected setuid call by non-sudo (%user.name %proc.name %evt.dir %evt.type %evt.args)"
+# setuid by a process that doesn't typically change uid (servers, sudo, su, etc.)
+- condition: evt.type=setuid and not_cron and not userexec_binaries and not server_binaries
+ output: "unexpected setuid call (%user.name %proc.name %proc.cwd %proc.aname[0] %proc.aname[1] %proc.aname[2] %proc.aname[3] %proc.pid %proc.ppid %evt.dir %evt.type %evt.args)"
 priority: WARNING
 # User management (su and sudo are ok)
@@ -458,11 +475,7 @@
 output: "Unexpected MySQL inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
 priority: WARNING
-# HTTP server
-- macro: http_server
- condition: proc.name in (nginx, httpd, lighttpd)
-
-- condition: http_server and inbound and fd.sport != 80 and fd.sport != 443
+- condition: http_server_binaries and inbound and fd.sport != 80 and fd.sport != 443
 output: "Unexpected HTTP server inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
 priority: WARNING
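Review bot: The new comment `# setuid by a process that doesn't typically change uid (servers, sudo, su, etc.)` reads as if servers, sudo and su are the processes that do not change uid, when they are exactly the ones the condition exempts; `# setuid by a process other than those that typically change uid (servers, sudo, su, etc.)` states what the rule fires on. The exemption set is also wider than the old inline list — `server_binaries` adds `lighttpd` and `docker`, `userexec_binaries` adds `su` — which the commit message acknowledges, so the comment is the right place to record that `not_cron` and these two macros are the only carve-outs.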
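Review bot: Removing the `http_server` macro will presumably break rule loading if any other rule in the file still references it by name; this hunk updates only the one caller, so the rest of the file should be searched for the whole word `http_server` (not the new `http_server_binaries`) before merging. The rule also loses its `# HTTP server` heading and now sits uncommented under the MySQL rule; carrying over one line such as `# HTTP server accepting connections on a port other than 80/443` keeps it readable.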