Mark Stemm
3693b16c91
Let puma reactor spawn shells
Sample Falco alert:
```
Shell spawned by untrusted binary (user=git shell=sh parent=puma reactor
cmdline=sh -c pgrep -fl "unicorn.* worker\[.*?\]" pcmdline=puma reactor
gparent=puma ggparent=runsv aname[4]=ru...
```
https://github.com/puma/puma says it is "A Ruby/Rack web server built
for concurrency".
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-02-03 16:13:57 +01:00
Mark Stemm
48a0f512fb
Let cilium-cni change namespaces
Sample Falco alert:
```
Namespace change (setns) by unexpected program (user=root
command=cilium-cni parent=cilium-cni host CID2 CID1 image=<NA>)
```
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-02-03 16:13:57 +01:00
Mark Stemm
01c9d8ba31
Let runc write to /exec.fifo
Sample Falco alert:
```
File below / or /root opened for writing (user=<NA>
command=runc:[1:CHILD] init parent=docker-runc-cur file=/exec.fifo
program=runc:[1:CHILD] CID1 image=<NA>)
```
This github issue provides some context:
https://github.com/opencontainers/runc/pull/1698
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-02-03 16:13:57 +01:00
Mark Stemm
7794e468ba
Allow writes to /etc/pki from openshift secrets dir
Sample Falco alert:
```
File below /etc opened for writing (user=root command=cp
/run/secrets/kubernetes.io/serviceaccount/ca.crt
/etc/pki/ca-trust/source/anchors/openshift-ca.crt parent=bash
pcmdline=bash -c #!/bin/bash\nset -euo pipefail\n\n# set by the node
image\nunset KUB...
```
The exception is conditioned on containers.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-02-03 16:13:57 +01:00
Mark Stemm
0d74f3938d
Let avinetworks supervisor write some ssh cfg
Sample Falco alert:
```
File below /etc opened for writing (user=root command=se_supervisor.p
/opt/avi/scripts/se_supervisor.py -d parent=systemd pcmdline=systemd
file=/etc/ssh/ssh_monitor_config_10.24.249.200 program=se_supervisor.p
gparent=docker-containe ggparent=docker-con...
```
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-02-03 16:13:57 +01:00
Mark Stemm
e5f06e399f
Let mcafee write to /etc/cma.d
Sample Falco alert:
```
File below /etc opened for writing (user=root command=macompatsvc
self_start parent=macompatsvc pcmdline=macompatsvc self_start
file=/etc/cma.d/lpc.conf program=macompatsvc gparent=macompatsvc
ggparent=systemd gggparent=<NA> CID1 image=<NA>)
```
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-02-03 16:13:57 +01:00
Mark Stemm
fa3e48ca1a
Add "dsc_host" as a MS OMS program
Sample Falco alert:
```
File below /etc opened for writing (user=<NA> command=dsc_host
/opt/dsc/output PerformRequiredConfigurationChecks 1 parent=python
pcmdline=python
/opt/microsoft/omsconfig/Scripts/PerformRequiredConfigurationChecks.py
file=/etc/opt/omi/conf/omsconfig/con...
```
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-02-03 16:13:57 +01:00
Hiroki Suezawa
cd94d05cd9
rule(list network_tool_binaries): delete ssh from the list
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-16 22:27:12 +01:00
Hiroki Suezawa
23a7203e50
rule(list network_tool_binaries): add network tool names
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-16 22:27:12 +01:00
Hiroki Suezawa
93fdf8ef61
rule(macro user_known_k8s_client_container): Rephrase the comment
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-11 12:53:06 +01:00
Hiroki Suezawa
bcc84c47c6
rule(macro user_known_k8s_client_container): have more strict condition to avoid false positives
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-11 12:53:06 +01:00
Nicolas Marier
13931ab5d7
rule(Write below etc): whitelist automount writing under /etc
This commit allows automount to write under /etc/mtab without flagging
it as an error.
Signed-off-by: Nicolas Marier <nmarier@coveo.com>
2019-12-05 19:27:18 +01:00
Hiroki Suezawa
559b7e1bb1
rule(The docker client is executed in a container): modify condition to reduce false positive
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-05 14:32:22 +01:00
Hiroki Suezawa
fc58ac7356
rule update: modify rule to detect connection to K8S API Server from a container
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-05 10:59:05 +01:00
Jean-Philippe Lachance
418bcf2177
Apply Kaizhe's code review
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2019-12-04 03:36:04 +01:00
Jean-Philippe Lachance
f97a33d40a
Exclude exe_running_docker_save in the "Update Package Repository" rule
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2019-12-04 03:36:04 +01:00
Jean-Philippe Lachance
df7a356e1d
Apply Kaizhe's code review
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2019-12-04 03:35:11 +01:00
Jean-Philippe Lachance
03e8b7f53d
Exclude exe_running_docker_save in the "Modify Shell Configuration File" rule
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2019-12-04 03:35:11 +01:00
Jean-Philippe Lachance
146343e5f0
Update the exe_running_docker_save macro to support docker in docker
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2019-12-04 02:20:21 +01:00
Hiroki Suezawa
7da245e902
rule update: Modify rule to detect raw packets creation
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-04 00:19:26 +00:00
Hiroki Suezawa
d0e6279bb2
rule update: Modify condition for raw packets creation
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-04 00:19:26 +00:00
Hiroki Suezawa
8b2d4e1fe6
rule update: Fix condition for raw packets creation and renamed
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-04 00:19:26 +00:00
Hiroki Suezawa
ebec520ebc
rule update: Add rules to detect raw packets creation
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-04 00:19:26 +00:00
Hiroki Suezawa
0b402e2326
rule update: Rename rule for Cloud Metadata access again
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-03 20:15:33 +00:00
Hiroki Suezawa
54329a64cd
rule update: Rename rule for Cloud Metadata access
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-03 20:15:33 +00:00
rung
89d8259860
rule update: Add consider_gce_metadata_access macro for rule to detect GCE Metadata access
Signed-off-by: rung <suezawa@gmail.com>
2019-12-03 20:15:33 +00:00
Hiroki Suezawa
e70febc8db
rule update: Add rules for GCE Metadata detection
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-03 20:15:33 +00:00
kaizhe
722ab4f2f9
minor changes
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-12-03 19:37:01 +00:00
kaizhe
7c33fafe89
minor changes
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-12-03 19:37:01 +00:00
kaizhe
8011fe7ce7
rules update: add more sensitive host path to sensitive_host_mount macro
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-12-03 19:37:01 +00:00
Jean-Philippe Lachance
80d69917ea
* Rename the macro to user_known_package_manager_in_container
+ Add a comment to explain how we should use this macro
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2019-12-03 00:03:35 +01:00
Jean-Philippe Lachance
3713f7a614
+ Add a simple user_known_package_manager_in_container_conditions macro
* Use the user_known_package_manager_in_container_conditions macro in the "Launch Package Management Process in Container" rule
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2019-12-03 00:03:35 +01:00
Jean-Philippe Lachance
79cb75dcd1
! Exclude exe_running_docker_save in the "Set Setuid or Setgid bit" rule
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2019-12-02 23:54:53 +01:00
Hiroki Suezawa
c736a843a0
rule update: Add kubelet to user_known_chmod_applications list
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-01 23:27:04 +01:00
kaizhe
cf8395c7ed
minor changes
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-11-08 10:38:47 +01:00
kaizhe
f16c744779
rules update: add hyperkube to the whitelist of rule Set Setuid or Setgid bit
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-11-08 10:38:47 +01:00
kaizhe
4ed581853a
rules update: add docker-runc-cur to container_entrypoint macro
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-11-08 10:38:47 +01:00
David de Torres
ed767561ac
Added list k8s_client_binaries
Added accidentally deleted lines for the list of k8s client binaries.
Signed-off-by: David de Torres <detorres.david@gmail.com>
2019-11-08 09:49:09 +01:00
David de Torres
98becedebb
Added rule to detect k8s client tool in container
The rule detects the execution of the k8s client tool in a container and
logs it with WARNING priority.
Signed-off-by: David de Torres <detorres.david@gmail.com>
2019-11-08 09:49:09 +01:00
kaizhe
b38db99449
rules update: add calico/node to trusted privileged container list; add calico_node_write_envvars macro to exception list of write below etc
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-10-25 15:18:32 +02:00
Felipe Bessa Coelho
8353a0b22e
Ignore sensitive mounts from ecs-agent
Without this, as ecs-agent starts we get a bunch of errors that look
like this (reformatted for readability):
Notice Container with sensitive mount started (
user=root
command=init -- /agent ecs-agent (id=19d4e98bb0dc)
image=amazon/amazon-ecs-agent:latest
mounts=/proc:/host/proc:ro:false:rprivate,$lotsofthings
)
ecs-agent needs those to work properly, so this can cause lots of false
positives when starting a new instance.
Signed-off-by: Felipe Bessa Coelho <fcoelho.9@gmail.com>
2019-10-09 16:30:36 +02:00
Lorenzo Fontana
c76518c681
update: license headers
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2019-10-08 16:02:26 +02:00
kaizhe
cdb5d71eb6
rule update: add more comments
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-10-03 10:16:28 +02:00
kaizhe
e81decac13
rule update: fix missing entries
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-10-03 10:16:28 +02:00
kaizhe
a43ae037a9
rules update: add back rule Delete Bash History for backport compatibility
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-10-03 10:16:28 +02:00
kaizhe
79a10ad90e
rules update: add fluent/fluentd-kubernetes-daemonset to clear log trusted images
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-09-26 13:56:59 +03:00
Lorenzo Fontana
39b51562ed
fix(rules): modification of a file should trigger as if it was opened or created
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2019-08-20 09:45:08 +02:00
Lorenzo Fontana
e229cecbe1
fix(rules): make chmod rules enabled by default
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2019-08-16 10:23:28 +02:00
Lorenzo Fontana
3ea98b05dd
fix(rules/Set Setuid or Setgid bit): use chmod syscalls instead of chmod command
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2019-08-16 10:23:28 +02:00
kaizhe
1fc509d78b
rule update: fine grained sending to mining domain
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-08-12 17:37:01 +02:00