github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-13 05:22:34 +00:00
Code Issues Projects Releases Wiki Activity

Add additional rules/tests for pipe installers.

Browse Source 
Add additional rules related to using pipe installers within a fbash
session:

 - Modify write_etc to only trigger if *not* in a fbash session. There's
   a new rule write_etc_installer which has the same conditions when in
   a fbash session, logging at INFO severity.

 - A new rule write_rpm_database warns if any non package management
   program tries to write below /var/lib/rpm.

 - Add a new warning if any program below a fbash session tries to open
   an outbound network connection on ports other than http(s) and dns.

 - Add INFO level messages when programs in a fbash session try to run
   package management binaries (rpm,yum,etc) or service
   management (systemctl,chkconfig,etc) binaries.

In order to test these new INFO level rules, make up a third class of
trace files traces-info.zip containing trace files that should result in
info-level messages.

To differentiate warning and info level detection, add an attribute to
the multiplex file "detect_level", which is "Warning" for the files in
traces-positive and "Info" for the files in traces-info. Modify
falco_test.py to look specifically for a non-zero count for the given
detect_level.

Doing this exposed a bug in the way the level-specific counts were being
recorded--they were keeping counts by level name, not number. Fix that.
This commit is contained in:
Mark Stemm
2016-06-01 16:01:37 -07:00
parent 31c87c295a
commit fc6d775e5b
5 changed files with 91 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
userspace/falco/lua/rule_loader.lua
View File

@@ -102,14 +102,13 @@ function set_output(output_format, state)
end
local function priority(s)
valid_levels = {"emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"}
s = string.lower(s)
for i,v in ipairs(valid_levels) do
if (string.find(v, "^"..s)) then
for i,v in ipairs(output.levels) do
if (string.find(string.lower(v), "^"..s)) then
return i - 1 -- (syslog levels start at 0, lua indices start at 1)
end
end
error("Invalid severity level: "..level)
error("Invalid severity level: "..s)
end
-- Note that the rules_by_name and rules_by_idx refer to the same rule
@@ -232,8 +231,8 @@ end
local rule_output_counts = {total=0, by_level={}, by_name={}}
for idx, level in ipairs(output.levels) do
rule_output_counts[level] = 0
for idx=0,table.getn(output.levels)-1,1 do
rule_output_counts.by_level[idx] = 0
end
function on_event(evt_, rule_id)
@@ -265,8 +264,8 @@ function print_stats()
print("Rule counts by severity:")
for idx, level in ipairs(output.levels) do
-- To keep the output concise, we only print 0 counts for error, warning, and info levels
if rule_output_counts[level] > 0 or level == "Error" or level == "Warning" or level == "Informational" then
print (" "..level..": "..rule_output_counts[level])
if rule_output_counts.by_level[idx-1] > 0 or level == "Error" or level == "Warning" or level == "Informational" then
print (" "..level..": "..rule_output_counts.by_level[idx-1])
end
end