Commit Graph

242 Commits

Author SHA1 Message Date
Mark Stemm
689c02666f Allow innocuous user management commands
Allow innocuous user management command lines like "passwd -S" (show
status for account).
2017-10-09 09:18:53 -07:00
Mark Stemm
12de2e4119 Make safe etc directories a list.
This way it can more easily be modified/added to.
2017-10-09 09:18:53 -07:00
Mark Stemm
cb7dab61e8 Let chef binaries run shells. 2017-10-09 09:18:50 -07:00
Mark Stemm
9791881444 Let mesos-slave, phusion passenger spawn shells
We already covered mesos-agent, the new name for mesos-slave.
2017-10-09 09:18:07 -07:00
Mark Stemm
84b3543cc0 Let logrotate spawn shells in containers. 2017-10-09 09:17:13 -07:00
Mark Stemm
71fee6753b Let qualys write below /etc 2017-10-09 09:17:13 -07:00
Mark Stemm
7ff2f66437 Let node running npm spawn shells.
New macro parent_node_running_npm looks for node running npm. Currently
only /usr/local/bin/npm, can add additional well-known paths as needed.
2017-10-09 09:17:13 -07:00
Mark Stemm
1f008d6c39 Let needrestart run shells.
https://github.com/liske/needrestart
2017-10-09 09:17:09 -07:00
Mark Stemm
dc44655ec2 Change how we detect entrypoints.
Move entrypoint detection to its own macro. Also consider something the
entrypoint if its parent is runc:[0:PARENT]. There's a race where
runc:[0:PARENT] exits in parallel with the root program being execd, so
the parent might not exist or might have this name.
2017-10-09 09:16:25 -07:00
Mark Stemm
ef9e045a40 Add more ancestors
Add more ancestors for several rules. Sometimes shells spawn the program
reading the sensitive file, etc.
2017-10-09 09:16:25 -07:00
Mark Stemm
0ec46feef2 Make setuid binaries a list
Move the misc binaries that are allowed to setuid from the rule to its
own list. Makes it easier to add to the list.
2017-10-09 09:16:25 -07:00
Mark Stemm
2ebe9e06a8 More build-related changes + exposing more info
Combine parent_php_running_builds and parent_ruby_running_gcc into a
single parent_scripting_running_builds which handles the general case of
some script running some make/compilation related program. Also add some
build-related command line prefixes.

Allow supervisor-related programs to spawn shells and access sensitive
files.

Allow sendmail config binaries to write below etc directly (their
children already could).

Add some directories related to phusion (system-as-a-container).

For a few rules add parent programs in the output so it's easier to
diagnose the context for an event.

Let varnishd spawn shells.
2017-10-09 09:16:25 -07:00
Mark Stemm
33974c6912 More server progs
- add ssmtp.postinst as a mail config program
 - allow runsv to write below etc
 - allow a2enmod to spawn shells
 - add additional shell cmdline
2017-10-09 09:16:25 -07:00
Mark Stemm
9883656882 More shell/build related changes
- Move qualys-cloud-ag to the monitoring_binaries list
 - Add a new list sendmail_config_binaries containing programs that can
   modify files.
 - Make parent_php_running_git a bit more generic for
   parent_php_running_builds and add some additional sub-commands.
2017-10-09 09:16:25 -07:00
Mark Stemm
d5a107b15f More beta updates, almost all shell related:
- Allow several combinations of scripting programs (ruby, python, etc.)
   to run other build-ish commands.
 - Let mysql_install_d(b) spawn shells and access sensitive files.
 - Let qualys-cloud-ag(ent) spawn shells
 - Add a few additional innocuous commandlines
 - Let postfix setuid to itself
2017-10-09 09:16:25 -07:00
Mark Stemm
b208008be1 Fix parent_python_running_sdchecks
It was checking the current process instead of the parent, which doesn't
work when you've just done an exec.
2017-10-09 09:16:25 -07:00
Mark Stemm
6397c3a556 Add additional command line. 2017-10-09 09:16:24 -07:00
Mark Stemm
1221399ac5 Allow writes below /etc/nginx/conf.d
The nginx docker hub container will write below that directory at
startup.
2017-10-09 09:16:24 -07:00
Mark Stemm
de3ca31b15 Allow certbot to spawn shells.
Part of let's encrypt.
2017-10-09 09:16:24 -07:00
Mark Stemm
463ade2b1d Add 3dt as a meos program.
mesos diagnostics service.
2017-10-09 09:16:24 -07:00
Mark Stemm
1c645862e1 Allow systemd-sysuser to write below /etc. 2017-10-09 09:16:24 -07:00
Mark Stemm
f123313389 Let certbot write below etc.
Let's encrypt client program.
2017-10-09 09:16:24 -07:00
Mark Stemm
1753d16962 Add easy way to add to container shell cmdlines
A new (empty) list user_known_container_shell_spawn_binaries allows
additional files to add additional programs that are allowed to spawn
shells in containers.
2017-10-09 09:16:24 -07:00
Mark Stemm
61f738826c Add additional command lines.
Add additional command lines for known shells.
2017-10-09 09:16:24 -07:00
Mark Stemm
7ae765bfc9 Include container image in shell in container rule
Include the container image in the "run shell in container" rule output.
2017-10-09 09:16:24 -07:00
Mark Stemm
f6b3068259 Let vpn binaries write below /etc.
They will modify things like dns servers, etc.
2017-10-09 09:16:24 -07:00
Mark Stemm
e1293a7eca Add some additional command lines.
Dangling parentheses intentional.
2017-10-09 09:16:24 -07:00
Mark Stemm
02645e7a2e Be consistent about nested quotes.
Use single quotes for the outer yaml-level strings, and double quote for
the quoted string.
2017-10-09 09:16:24 -07:00
Mark Stemm
c8c0a97f64 Let Xvfb setuid.
X11 program.
2017-10-09 09:16:24 -07:00
Mark Stemm
d96cf4c369 Allow programs to write below /etc/logstash
At least for some logstash configs, device files get written to below
/etc/logstash instead of elsewhere like /var.
2017-10-09 09:16:24 -07:00
Mark Stemm
e2be47e3c2 Allow update-ca-certi(ficates) to write below /etc
Truncation intentonal.
2017-10-09 09:16:24 -07:00
Mark Stemm
ee2c668746 Add systemd as a program that can write below /etc
It can modify /etc/resolv.conf.
2017-10-09 09:16:24 -07:00
Mark Stemm
09e1caf4bb add mesos-executor as a mesos binary. 2017-10-09 09:16:24 -07:00
Mark Stemm
68d29fc906 Add shell management programs.
add-shell and remove-shell are programs that remove shells from
/etc/shells. They are allowed to write to files below /etc.
2017-10-09 09:16:24 -07:00
Mark Stemm
7ac49a2f99 Also allow sysdig agent to setuid.
It was already allowed to change namespaces.
2017-10-09 09:16:24 -07:00
Mark Stemm
e6006e3787 Add additional dpkg binary
dpkg-reconfigur(e), not to be confused with dpkg-preconfigu(re)
2017-10-09 09:16:24 -07:00
Mark Stemm
5d856ef97a Let _apt user setuid to itself. 2017-10-09 09:16:24 -07:00
Mark Stemm
3b486fb6c6 Let npm spawn shells in containers. 2017-10-09 09:16:24 -07:00
Mark Stemm
daedcf172f Let hhvm spawn shells.
http://hhvm.com/, "open-source virtual machine designed for executing
programs written in Hack and PHP."
2017-10-09 09:16:24 -07:00
Mark Stemm
414a4aaba7 Another shell command line. 2017-10-09 09:16:24 -07:00
Mark Stemm
5382aa4e3b More shell spawners
Add additional shell spawning command lines.

Allow package management binaries in containers--lots of people seem to
do it. Also allow pycompile/py3compile.

I need to refactor the shell spawners to more clearly isolate shell
spawners that we don't want to occur in a container from ones that can
run both inside and outside of a container.
2017-10-09 09:16:24 -07:00
Mark Stemm
8641f3c958 Rework config file handling
These changes allow for a local rules file that will be preserved across
upgrades and allows the main rules file to be overwritten across upgrades.

- Move all config/rules files below /etc/falco/
- Add a "local rules" file /etc/falco/falco_rules.local.yaml. The intent
  is that it contains modifications/deltas to the main rules file
  /etc/falco/falco_rules.yaml. The main falco_rules.yaml should be
  treated as immutable.
- All config files are flagged so they are not overwritten on upgrade.
- Change the handling of the config item "rules_file" in falco.yaml to
  allow a list of files. By default, this list contains:
  [/etc/falco/falco_rules.yaml, /etc/falco/falco_rules.local.yaml].

Also change rpm/debian packaging to ensure that the above files are
preserved across upgrades:

- Use relative paths for share/bin dirs. This ensures that when packaged
  as rpms they won't be flagged as config files.
- Add CMAKE_INSTALL_PREFIX to FALCO_ENGINE_LUA_DIR now that it's relative.
- In debian packaging, flag
  /etc/falco/{falco.yaml,falco_rules.yaml,falco_rules.local.yaml} as
  conffiles. That way they are preserved across upgrades if modified.
- In rpm packaging when using cmake, any files installed with an
  absolute path are automatically flagged as %config. The only files
  directly installed are now the config files, so that addresses the problem.

Add CMAKE_INSTALL_PREFIX to lua dir.
2017-10-05 18:35:39 -07:00
Mark Stemm
95bb96e6ec Merge pull request #269 from dkerwin/add_keepalived_to_run_shell_cmd
Add keepalived to list of shell spawning binaries
2017-09-22 17:19:54 -07:00
Daniel Kerwin
64145ba961 Add official gitlab EE docker image to list of known shell spawning images.
sysdig-CLA-1.0-signed-off-by: Daniel Kerwin <daniel@gini.net>
2017-09-05 13:41:05 +02:00
Daniel Kerwin
598cbbe5e7 Add keepalived to list oh shell spawning binaries.
sysdig-CLA-1.0-signed-off-by: Daniel Kerwin <daniel@gini.net>
2017-09-04 22:08:47 +02:00
Mark Stemm
38f488bfda Beta rule updates (#247)
* Updates from beta customers.

- add anacron as a cron program

* Reorganize package management binaries

Split package_management_binaries into two separate lists rpm_binaries
and deb_binaries. unattended-upgr is common to both worlds so it's still
in package_management_binaries.

Also change Write below rpm database to use rpm_binaries instead of its
own list.

Also add 75-system-updat (truncated) as a shell spawner.

* Add rules for jenkins

Add rules that allow jenkins to spawn shells, both in containers and
directly on the host.

Also handle jenkins slaves that run /tmp/slave.jar.

* Allow npm to run shells.

Not yet allowing node to run shells itself, although we want to add
something to reduce node-related FPs.

* Allow urlgrabber/git-remote to access /etc

urlgrabber and git-remote both try to access the RHEL nss database,
containing shared certificates. I may change this in a more general way
by changing open_read/open_write to only look for successful opens.

* Only look for successful open_read/open_writes

Change the macros open_read/open_write to only trigger on successful
opens (when fd.num > 0). This is a pretty big change to behavior, but
is more intuitive.

This required a small update to the open counts for a couple of unit
tests, but otherwise they still all passed with this change.

* Allow rename_device to write below /dev

Part of udev.

* Allow cloud-init to spawn shells.

Part of https://cloud-init.io/

* Allow python to run a shell that runs sdchecks

sdchecks is a part of the sysdig monitor agent.

* Allow dev creation binaries to write below etc.

Specifically this includes blkid and /etc/blkid/blkid.tab.

* Allow git binaries to spawn shells.

They were already allowed to run shells in a container.

* Add /dev/kmsg as an allowed /dev file

Allows userspace programs to write to kernel log.

* Allow other make programs to spawn shells.

Also allow gmake/cmake to spawn shells and put them in their own list
make_binaries.

* Add better mesos support.

Mesos slaves appear to be in a container due to their cgroup and can run
programs mesos-health-check/mesos-docker-exec to monitor the containers
on the slave, so allow them to run shells.

Add mesos-agent, mesos-logrotate, mesos-fetch as shell spawners both in
and out of containers.

Add gen_resolvconf. (short for gen_resolvconf.py) as a program that can
write to /etc.

Add toybox (used by mesos, part of http://landley.net/toybox/about.html)
as a shell spawner.

* systemd can listen on network ports.

Systemd can listen on network ports to launch daemons on demand, so
allow it to perform network activity.

* Let docker binaries setuid.

Let docker binaries setuid and add docker-entrypoi (truncation
intentional) to the set of docker binaries.

* Change cis-related rules to be less noisy

Change the two cis-related falco rules "File Open by Privileged
Container" and "Sensitive Mount by Container" to be less noisy. We found
in practice that tracking every open still results in too many falco
notifications.

For now, change the rules to only track the initial process start in the
container by looking for vpid=1. This should result in only triggering
when a privileged/sensitive mount container is started. This is slightly
less coverage but is far less noisy.

* Add quay.io/sysdig as trusted containers

These are used for sysdig cloud onpremise deployments.

* Add gitlab-runner-b(uild) as a gitlab binary.

Add gitlab-runner-b (truncated gitlab-runner-build) as a gitlab binary.

* Add ceph as a shell spawner.

Also allow ceph to spawn shells in a container.

* Allow some shells by command line.

For some mesos containers, where the container doesn't have an image and
is just a tarball in a cgroup/namespace, we don't have any image to work
with. In those cases, allow specific command lines.

* Allow user 'nobody' to setuid.

Allow the user nobody to setuid. This depends on the user nobody being
set up in the first place to have no access, but that should be an ok
assumption.

* Additional allowed shell commandlines

* Add additional shells.

* Allow multiple users to become themself.

Add rule somebody_becoming_themself that handles cases of nobody and
www-data trying to setuid to themself. The sysdig filter language
doesn't support template/variable values to allow "user.name=X and
evt.arg.uid=X for a given X", so we have to enumerate the users.

* More known spawn command lines

* Let make binaries be run in containers.

Some CI/CD pipelines build in containers.

* Add additional shell spawning command lines

* Add additional apt program apt-listchanges.

* Add gitlab-ce as shell spawning container.

* Allow PM2 to spawn shells in containers.

Was already in the general list, seen in some customers, so adding to
the in containers list.

* Clean up pass to fix long lines.

Take a pass through the rules making sure each line is < 120 characters.

* Change tests for privileged container rules.

Change unit tests to reflect the new privileged/sensitive mount
container rules that only detect container launch.
2017-06-19 11:28:15 -07:00
Mark Stemm
edce729bd9 Use a wider range of priorities in rules.
Review the priorities used by each rule and try to use a consistent set
that uses more of the possible priorities. The general guidelines I used
were:

 - If a rule is related to a write of state (i.e. filesystem, etc.),
   its priority is ERROR.
 - If a rule is related to an unauthorized read of state (i.e. reading
   sensitive filees, etc.), its priority is WARNING.
 - If a rule is related to unexpected behavior (spawning an unexpected
   shell in a container, opening an unexpected network connection, etc.), its priority
   is NOTICE.
 - If a rule is related to behaving against good practices (unexpected
   privileged containers, containers with sensitive mounts, running
   interactive commands as root), its priority is INFO.

One exception is that the most FP-prone rule (Run shell untrusted) has a
priority of DEBUG.
2017-05-24 18:54:14 -07:00
Mark Stemm
f426c4292d Merge pull request #243 from draios/falco-fps
Address some setns FPs.
2017-05-24 13:18:08 -07:00
Mark Stemm
277d8ab887 Merge pull request #242 from draios/container-shell-with-tty
Add rule for shell with terminal in container.
2017-05-24 10:49:03 -07:00
Mark Stemm
c5a964e651 Address some setns FPs.
Allow the sysdig cloud agent to call setns to collect java process
metrics.

We've also seen cases where some of the intermediate processes created
below runc appear to call setns. It appears that this only should happen
if some events (like the execve that spawns the intermediate processes)
are lost, but just to be safe allow processes starting with "runc:" to
call setns.
2017-05-24 10:17:57 -07:00