github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-03-19 19:22:05 +00:00
Code Issues Projects Releases Wiki Activity
3,279 Commits 124 Branches 184 Tags
dev_docker
Commit Graph

684 Commits

Author SHA1 Message Date
Nicolas Marier
91a0b510fa rule(macro user_expected_system_procs_network_activity_conditions): create the macro 
It's useful to ignore some system binaries that use the network under
certain conditions, so this should be overridable by the user.

Signed-off-by: Nicolas Marier <nmarier@coveo.com>
 2020-04-14 13:22:09 +02:00
Nicolas Marier
76062b93ab rule(list known_system_procs_network_activity_binaries): add a list of known procs for convenience 
This makes it more convenient to add more allowed procs and many other
rules have a similar mechanism to whitelist certain processes.

Signed-off-by: Nicolas Marier <nmarier@coveo.com>
 2020-04-14 13:22:09 +02:00
Vicente Herrera
9fd08ce3e4 Introduce missing allowed_full_admin_users macro so its corresponding rule is disabled by default 
Signed-off-by: Vicente Herrera <vicenteherrera@vicenteherrera.com>
 2020-04-14 13:19:14 +02:00
Vicente Herrera
3ce11f093f Removed default K3s admin user from list, clarified comments 
Signed-off-by: Vicente Herrera <vicenteherrera@vicenteherrera.com>
 2020-04-14 13:19:14 +02:00
Vicente Herrera
e7b3d7a7e0 Added four new rules, to detect k8s operation by an administrator, nodes successfully joining the cluster, nodes unsuccessfully attempt to join, creation ingress without TLS certificate 
Signed-off-by: Vicente Herrera <vicenteherrera@vicenteherrera.com>
 2020-04-14 13:19:14 +02:00
Vicente Herrera
2c2d126a54 Added two new rules to detect traffic to image outside local subnet and detect traffic that is not to authorized server process and port 
Signed-off-by: Vicente Herrera <vicenteherrera@vicenteherrera.com>
 2020-04-14 13:19:14 +02:00
Bob Aman
ffa137fc7c rule(Delete Bash History): Fix typo in tags 
Signed-off-by: Bob Aman <bob@sporkmonger.com>
 2020-04-14 12:54:02 +02:00
Bob Aman
534a642074 rule(Delete or rename shell history): Fix typo in tags 
Signed-off-by: Bob Aman <bob@sporkmonger.com>
 2020-04-14 12:54:02 +02:00
kaizhe
1548ccbc4f rule(Write below root): use pmatch to check against known root directories 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-04-09 12:32:30 +02:00
kaizhe
6834649fa5 rule(Service Account Created in Kube Namespace): only detect sa created in kube namespace with success 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-03-27 13:02:57 +01:00
kaizhe
e1cb2e9bb0 rule(Detect outbound connections to common miner pool ports): whitelist sysdig/agent and falcosecurity/falco for query miner domain dns 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-03-27 00:33:24 +01:00
Hiroki Suezawa
3067af566e rule(Change thread namespace): fix regression test 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2020-03-12 16:35:46 +01:00
Hiroki Suezawa
742538ac86 rule(Change thread namespace): change condition to detect suspicious container activity 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2020-03-12 16:35:46 +01:00
Vicente Herrera
085009ad93 Fixed use of "tag" instead of "tags" in default rules 
Signed-off-by: Vicente Herrera <vicenteherrera@vicenteherrera.com>
 2020-03-10 20:51:45 +01:00
kaizhe
4a8d8a049f add comments 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-03-04 09:28:43 +01:00
kaizhe
b4f2fdc439 disable cryptomining rule by default; add exception of localhost and rfc1918 ip addresses 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-03-04 09:28:43 +01:00
Mark Stemm
3693b16c91 Let puma reactor spawn shells 
Sample Falco alert:

```
Shell spawned by untrusted binary (user=git shell=sh parent=puma reactor
cmdline=sh -c pgrep -fl "unicorn.* worker\[.*?\]" pcmdline=puma reactor
gparent=puma ggparent=runsv aname[4]=ru...
```

https://github.com/puma/puma says it is "A Ruby/Rack web server built
for concurrency".

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
48a0f512fb Let cilium-cni change namespaces 
Sample Falco alert:

```
Namespace change (setns) by unexpected program (user=root
command=cilium-cni parent=cilium-cni host CID2 CID1 image=<NA>)
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
01c9d8ba31 Let runc write to /exec.fifo 
Sample Falco alert:

```
File below / or /root opened for writing (user=<NA>
command=runc:[1:CHILD] init parent=docker-runc-cur file=/exec.fifo
program=runc:[1:CHILD] CID1 image=<NA>)
```

This github issue provides some context:
https://github.com/opencontainers/runc/pull/1698

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
7794e468ba Alow writes to /etc/pki from openshift secrets dir 
Sample falco alert:

```
File below /etc opened for writing (user=root command=cp
/run/secrets/kubernetes.io/serviceaccount/ca.crt
/etc/pki/ca-trust/source/anchors/openshift-ca.crt parent=bash
pcmdline=bash -c #!/bin/bash\nset -euo pipefail\n\n# set by the node
image\nunset KUB...
```

The exception is conditioned on containers.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
0d74f3938d Let avinetworks supervisor write some ssh cfg 
Sample Falco alert:

```
File below /etc opened for writing (user=root command=se_supervisor.p
/opt/avi/scripts/se_supervisor.py -d parent=systemd pcmdline=systemd
file=/etc/ssh/ssh_monitor_config_10.24.249.200 program=se_supervisor.p
gparent=docker-containe ggparent=docker-con...
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
e5f06e399f Let mcafee write to /etc/cma.d 
Sample Falco alert:

```
File below /etc opened for writing (user=root command=macompatsvc
self_start parent=macompatsvc pcmdline=macompatsvc self_start
file=/etc/cma.d/lpc.conf program=macompatsvc gparent=macompatsvc
ggparent=systemd gggparent=<NA> CID1 image=<NA>)
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
fa3e48ca1a Add "dsc_host" as a MS OMS program 
Sample Falco alert:

```
File below /etc opened for writing (user=<NA> command=dsc_host
/opt/dsc/output PerformRequiredConfigurationChecks 1 parent=python
pcmdline=python
/opt/microsoft/omsconfig/Scripts/PerformRequiredConfigurationChecks.py
file=/etc/opt/omi/conf/omsconfig/con...
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Leonardo Di Donato
572ac46d85 build: include GNUInstallDirs module 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-17 19:09:31 +01:00
Hiroki Suezawa
cd94d05cd9 rule(list network_tool_binaries): delete ssh from the list 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-16 22:27:12 +01:00
Hiroki Suezawa
23a7203e50 rule(list network_tool_binaries): add network tool names 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-16 22:27:12 +01:00
Hiroki Suezawa
93fdf8ef61 rule(macro user_known_k8s_client_container): Rephrase the comment 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-11 12:53:06 +01:00
Hiroki Suezawa
bcc84c47c6 rule(macro user_known_k8s_client_container): have more strict condition to avoid false positives 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-11 12:53:06 +01:00
Nicolas Marier
13931ab5d7 rule(Write below etc): whitelist automount writing under /etc 
This commit allows automount to write under /etc/mtab without flagging
it as an error.

Signed-off-by: Nicolas Marier <nmarier@coveo.com>
 2019-12-05 19:27:18 +01:00
Hiroki Suezawa
559b7e1bb1 rule(The docker client is executed in a container): modify condition to reduce false positive 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-05 14:32:22 +01:00
Hiroki Suezawa
fc58ac7356 rule update: modify rule to detect connection to K8S API Server from a container 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-05 10:59:05 +01:00
Jean-Philippe Lachance
418bcf2177 Apply Kaizhe's code review 
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
 2019-12-04 03:36:04 +01:00
Jean-Philippe Lachance
f97a33d40a Exclude exe_running_docker_save in the "Update Package Repository" rule 
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
 2019-12-04 03:36:04 +01:00
Jean-Philippe Lachance
df7a356e1d Apply Kaizhe's code review 
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
 2019-12-04 03:35:11 +01:00
Jean-Philippe Lachance
03e8b7f53d Exclude exe_running_docker_save in the "Modify Shell Configuration File" rule 
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
 2019-12-04 03:35:11 +01:00
Jean-Philippe Lachance
146343e5f0 Update the exe_running_docker_save macro to support docker in docker 
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
 2019-12-04 02:20:21 +01:00
Hiroki Suezawa
7da245e902 rule update: Modify rule to detect raw packets creation 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-04 00:19:26 +00:00
Hiroki Suezawa
d0e6279bb2 rule update: Modify condition for raw packets creation 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-04 00:19:26 +00:00
Hiroki Suezawa
8b2d4e1fe6 rule update: Fix condition for raw packets creation and renamed 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-04 00:19:26 +00:00
Hiroki Suezawa
ebec520ebc rule update: Add rules to detect raw packets creation 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-04 00:19:26 +00:00
kaizhe
2f8caf99cd rule update: align sensitive mount macro between k8s_audit rules and syscall rules 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-12-03 12:58:21 -08:00
Hiroki Suezawa
0b402e2326 rule update: Rename rule for Cloud Metadata access again 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-03 20:15:33 +00:00
Hiroki Suezawa
54329a64cd rule update: Rename rule for Cloud Metadata access 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-03 20:15:33 +00:00
rung
89d8259860 rule update: Add consider_gce_metadata_access macro for rule to detect GCE Metadata access 
Signed-off-by: rung <suezawa@gmail.com>
 2019-12-03 20:15:33 +00:00
Hiroki Suezawa
e70febc8db rule update: Add rules for GCE Metadata detection 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-03 20:15:33 +00:00
kaizhe
722ab4f2f9 minor changes 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-12-03 19:37:01 +00:00
kaizhe
6c9bce6f73 update k8s audit rule 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-12-03 19:37:01 +00:00
kaizhe
7c33fafe89 minor changes 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-12-03 19:37:01 +00:00
kaizhe
18acea4a73 minor changes 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-12-03 19:37:01 +00:00
kaizhe
8011fe7ce7 rules update: add more sensitive host path to sensitive_host_mount macro 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-12-03 19:37:01 +00:00