github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-04-05 03:22:41 +00:00
Code Issues Projects Releases Wiki Activity
1,844 Commits 127 Branches 184 Tags
nova-debug
Commit Graph

401 Commits

Author SHA1 Message Date
Leonardo Grasso
578ef7f64d rule(Create files below dev): correct condition to catch openat 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-06-10 12:21:36 +02:00
Leonardo Grasso
a5ce61f03f rule(macro bin_dir_rename): correct condition to catch all variants 
Since `evt.arg[1]` does not work for all syscalls, switch to:
 - `evt.arg.path` for `rmdir` and `unlink` (used by `remove` macro)
 - `evt.arg.name` for `unlinkat` (used by `remove` macro)
 - `evt.arg.oldpath/newpath` for `rename` and `renameat` (used by `rename` macro)

That ensures `Modify binary dirs` works properly.

Note that we cannot yet use `renameat2` (not supported by sinsp, see https://github.com/draios/sysdig/issues/1603 )

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-06-10 12:21:36 +02:00
Leonardo Grasso
74ca02d199 rule(macro bin_dir_mkdir): correct condition to catch mkdirat case 
Since the dir's path is found:
-  in `evt.arg[1]` for `mkdir`
-  but in `evt.arg[2]` for `mkdirat`
switch to `evt.arg.path` to catch both.
That ensures `Mkdir binary dirs` works properly.

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2020-06-10 12:21:36 +02:00
Nicolas Marier
81e29c55ec rule(macro user_known_set_setuid_or_setgid_bit_conditions): create macro 
This macro will be useful because it will make it possible to filter out
events with a higher degree of granularity than is currently possible
for the `Set Setuid or Setgid bit` rule.

For example, if some application is expected to set the setuid or the
setgid bit under a specific condition, like if it's started with a
specific command, then the `user_known_chmod_applications` list is not
enough because we don't want to filter out _all_ events by this
application, only specific ones. This macro allows that.

Signed-off-by: Nicolas Marier <nmarier@coveo.com>
 2020-05-26 10:23:31 +02:00
Mark Stemm
986ea28279 rule(macro user_known_k8s_client_container): Allow hcp-tunnelfront torun kubectl in containers 
https://stackoverflow.com/questions/50349586/what-is-hcp-tunnelfront

Example alert:

---
Docker or kubernetes client executed in container (user=root
parent=run-tunnel-fron cmdline=kubectl
--kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig get secret
tunnelfront --namespace=kube-system --output json --ignore-not-found
image=mcr.microsoft.com/aks/hcp/hcp-tunnel-front)
---

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-05-21 10:57:42 +02:00
Mark Stemm
5266618689 rule(macro lvprogs_writing_conf): Add lvs as a lvm program 
Example event. I'm pretty sure the full file in this case is /etc/lvm/cache:

---
File below /etc opened for writing (user=root command=lvs --noheadings
--readonly --separator=";" -a -o
lv_tags,lv_path,lv_name,vg_name,lv_uuid,lv_size parent=ceph-volume
pcmdline=ceph-volume /usr/sbin/ceph-volume inventory --format json file=/etc/lvm/c...
---

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-05-21 10:57:42 +02:00
Mark Stemm
fa3d2eb473 rule(macro trusted_logging_images): Let azure-npm image write to /var/log 
"The Azure's NPM is a a daemonset that supports network policies as
defined by the Kubernetes policy specification."

Example event:

---
Log files were tampered (user=root command=azure-npm
file=/var/log/iptables.conf CID1 image=mcr.microsoft.com/containernetworking/azure-npm)
---

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-05-21 10:57:42 +02:00
Mark Stemm
acb3f94786 rule(macro trusted_logging_images): Add addl fluentd image 
Openshift specific variant, example alert:

---
Log files were tampered (user=root command=fluentd /usr/bin/fluentd
--no-supervisor file=/var/log/journal.pos CID1 image=registry.redhat.io/openshift3/ose-logging-fluentd)
---

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-05-21 10:57:42 +02:00
kaizhe
d1af7e139f rule update: fix macro reference 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-05-21 10:55:53 +02:00
kaizhe
f27056c394 fix rule naming following naming convention 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-04-28 18:18:06 +02:00
kaizhe
f7ac7f34b7 rename rule 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-04-21 19:04:14 +02:00
kaizhe
a1145d9841 rule update: add a rule to detect reverse shell 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-04-21 19:04:14 +02:00
Nicolas Marier
91a0b510fa rule(macro user_expected_system_procs_network_activity_conditions): create the macro 
It's useful to ignore some system binaries that use the network under
certain conditions, so this should be overridable by the user.

Signed-off-by: Nicolas Marier <nmarier@coveo.com>
 2020-04-14 13:22:09 +02:00
Nicolas Marier
76062b93ab rule(list known_system_procs_network_activity_binaries): add a list of known procs for convenience 
This makes it more convenient to add more allowed procs and many other
rules have a similar mechanism to whitelist certain processes.

Signed-off-by: Nicolas Marier <nmarier@coveo.com>
 2020-04-14 13:22:09 +02:00
Vicente Herrera
2c2d126a54 Added two new rules to detect traffic to image outside local subnet and detect traffic that is not to authorized server process and port 
Signed-off-by: Vicente Herrera <vicenteherrera@vicenteherrera.com>
 2020-04-14 13:19:14 +02:00
Bob Aman
ffa137fc7c rule(Delete Bash History): Fix typo in tags 
Signed-off-by: Bob Aman <bob@sporkmonger.com>
 2020-04-14 12:54:02 +02:00
Bob Aman
534a642074 rule(Delete or rename shell history): Fix typo in tags 
Signed-off-by: Bob Aman <bob@sporkmonger.com>
 2020-04-14 12:54:02 +02:00
kaizhe
1548ccbc4f rule(Write below root): use pmatch to check against known root directories 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-04-09 12:32:30 +02:00
kaizhe
e1cb2e9bb0 rule(Detect outbound connections to common miner pool ports): whitelist sysdig/agent and falcosecurity/falco for query miner domain dns 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-03-27 00:33:24 +01:00
Hiroki Suezawa
3067af566e rule(Change thread namespace): fix regression test 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2020-03-12 16:35:46 +01:00
Hiroki Suezawa
742538ac86 rule(Change thread namespace): change condition to detect suspicious container activity 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2020-03-12 16:35:46 +01:00
Vicente Herrera
085009ad93 Fixed use of "tag" instead of "tags" in default rules 
Signed-off-by: Vicente Herrera <vicenteherrera@vicenteherrera.com>
 2020-03-10 20:51:45 +01:00
kaizhe
4a8d8a049f add comments 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-03-04 09:28:43 +01:00
kaizhe
b4f2fdc439 disable cryptomining rule by default; add exception of localhost and rfc1918 ip addresses 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-03-04 09:28:43 +01:00
Mark Stemm
3693b16c91 Let puma reactor spawn shells 
Sample Falco alert:

```
Shell spawned by untrusted binary (user=git shell=sh parent=puma reactor
cmdline=sh -c pgrep -fl "unicorn.* worker\[.*?\]" pcmdline=puma reactor
gparent=puma ggparent=runsv aname[4]=ru...
```

https://github.com/puma/puma says it is "A Ruby/Rack web server built
for concurrency".

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
48a0f512fb Let cilium-cni change namespaces 
Sample Falco alert:

```
Namespace change (setns) by unexpected program (user=root
command=cilium-cni parent=cilium-cni host CID2 CID1 image=<NA>)
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
01c9d8ba31 Let runc write to /exec.fifo 
Sample Falco alert:

```
File below / or /root opened for writing (user=<NA>
command=runc:[1:CHILD] init parent=docker-runc-cur file=/exec.fifo
program=runc:[1:CHILD] CID1 image=<NA>)
```

This github issue provides some context:
https://github.com/opencontainers/runc/pull/1698

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
7794e468ba Alow writes to /etc/pki from openshift secrets dir 
Sample falco alert:

```
File below /etc opened for writing (user=root command=cp
/run/secrets/kubernetes.io/serviceaccount/ca.crt
/etc/pki/ca-trust/source/anchors/openshift-ca.crt parent=bash
pcmdline=bash -c #!/bin/bash\nset -euo pipefail\n\n# set by the node
image\nunset KUB...
```

The exception is conditioned on containers.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
0d74f3938d Let avinetworks supervisor write some ssh cfg 
Sample Falco alert:

```
File below /etc opened for writing (user=root command=se_supervisor.p
/opt/avi/scripts/se_supervisor.py -d parent=systemd pcmdline=systemd
file=/etc/ssh/ssh_monitor_config_10.24.249.200 program=se_supervisor.p
gparent=docker-containe ggparent=docker-con...
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
e5f06e399f Let mcafee write to /etc/cma.d 
Sample Falco alert:

```
File below /etc opened for writing (user=root command=macompatsvc
self_start parent=macompatsvc pcmdline=macompatsvc self_start
file=/etc/cma.d/lpc.conf program=macompatsvc gparent=macompatsvc
ggparent=systemd gggparent=<NA> CID1 image=<NA>)
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
fa3e48ca1a Add "dsc_host" as a MS OMS program 
Sample Falco alert:

```
File below /etc opened for writing (user=<NA> command=dsc_host
/opt/dsc/output PerformRequiredConfigurationChecks 1 parent=python
pcmdline=python
/opt/microsoft/omsconfig/Scripts/PerformRequiredConfigurationChecks.py
file=/etc/opt/omi/conf/omsconfig/con...
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Hiroki Suezawa
cd94d05cd9 rule(list network_tool_binaries): delete ssh from the list 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-16 22:27:12 +01:00
Hiroki Suezawa
23a7203e50 rule(list network_tool_binaries): add network tool names 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-16 22:27:12 +01:00
Hiroki Suezawa
93fdf8ef61 rule(macro user_known_k8s_client_container): Rephrase the comment 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-11 12:53:06 +01:00
Hiroki Suezawa
bcc84c47c6 rule(macro user_known_k8s_client_container): have more strict condition to avoid false positives 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-11 12:53:06 +01:00
Nicolas Marier
13931ab5d7 rule(Write below etc): whitelist automount writing under /etc 
This commit allows automount to write under /etc/mtab without flagging
it as an error.

Signed-off-by: Nicolas Marier <nmarier@coveo.com>
 2019-12-05 19:27:18 +01:00
Hiroki Suezawa
559b7e1bb1 rule(The docker client is executed in a container): modify condition to reduce false positive 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-05 14:32:22 +01:00
Hiroki Suezawa
fc58ac7356 rule update: modify rule to detect connection to K8S API Server from a container 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-05 10:59:05 +01:00
Jean-Philippe Lachance
418bcf2177 Apply Kaizhe's code review 
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
 2019-12-04 03:36:04 +01:00
Jean-Philippe Lachance
f97a33d40a Exclude exe_running_docker_save in the "Update Package Repository" rule 
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
 2019-12-04 03:36:04 +01:00
Jean-Philippe Lachance
df7a356e1d Apply Kaizhe's code review 
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
 2019-12-04 03:35:11 +01:00
Jean-Philippe Lachance
03e8b7f53d Exclude exe_running_docker_save in the "Modify Shell Configuration File" rule 
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
 2019-12-04 03:35:11 +01:00
Jean-Philippe Lachance
146343e5f0 Update the exe_running_docker_save macro to support docker in docker 
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
 2019-12-04 02:20:21 +01:00
Hiroki Suezawa
7da245e902 rule update: Modify rule to detect raw packets creation 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-04 00:19:26 +00:00
Hiroki Suezawa
d0e6279bb2 rule update: Modify condition for raw packets creation 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-04 00:19:26 +00:00
Hiroki Suezawa
8b2d4e1fe6 rule update: Fix condition for raw packets creation and renamed 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-04 00:19:26 +00:00
Hiroki Suezawa
ebec520ebc rule update: Add rules to detect raw packets creation 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-04 00:19:26 +00:00
Hiroki Suezawa
0b402e2326 rule update: Rename rule for Cloud Metadata access again 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-03 20:15:33 +00:00
Hiroki Suezawa
54329a64cd rule update: Rename rule for Cloud Metadata access 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-03 20:15:33 +00:00
rung
89d8259860 rule update: Add consider_gce_metadata_access macro for rule to detect GCE Metadata access 
Signed-off-by: rung <suezawa@gmail.com>
 2019-12-03 20:15:33 +00:00