kaizhe
f27056c394
fix rule naming following naming convention
Signed-off-by: kaizhe <derek0405@gmail.com>
2020-04-28 18:18:06 +02:00
Mark Stemm
357da40fc4
Only use metadata in k8s audit event for secrets
Instead of using the request object to identify service account tokens,
exclude any secrets activity by system users (e.g. users starting with
"system:"). This allows the rules to work on k8s audit events at
Metadata level instead of RequestResponse level.
Also change the example objects for automated tests to ones collected at
Metadata level.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-04-22 21:00:38 +02:00
Mark Stemm
026965bc6a
Add rules to detect creating/deleting secrets
New rules K8s Secret Created/K8s Secret Deleted detect creating/deleting
secrets, following the pattern of the other "K8s XXX Created/Deleted"
rules. One minor difference is that service account token secrets are
excluded, as those are created automatically as namespaces are created.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-04-22 21:00:38 +02:00
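The detection logic described by the two secrets commits above (alert on successful secret create/delete, skip `system:` users rather than inspecting the request object), as an added example that is not Falco's own rule code. The audit events are constructed for illustration, the alert line format is this example's own, and `is_sa_token_secret_by_request` models the earlier request-object check only to show why it needs RequestResponse-level events.

```python
"""Metadata-level handling of Kubernetes audit events for secrets.

Added example, not Falco's own code. It models the logic the two commits
above describe and contrasts it with the earlier request-object check.
Event records below are constructed, not captured from a real cluster.
"""
import json
from typing import List, Optional

# Constructed audit log at "Metadata" level: user, verb, objectRef and
# responseStatus are present; requestObject/responseObject are not.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"stage": "ResponseComplete", "verb": "create",
     "user": {"username": "alice@example.com"},
     "objectRef": {"resource": "secrets", "namespace": "payments", "name": "db-creds"},
     "responseStatus": {"code": 201}},
    # Token secret minted by the control plane as a namespace comes up.
    {"stage": "ResponseComplete", "verb": "create",
     "user": {"username": "system:kube-controller-manager"},
     "objectRef": {"resource": "secrets", "namespace": "payments", "name": "default-token-x7k2p"},
     "responseStatus": {"code": 201}},
    {"stage": "ResponseComplete", "verb": "delete",
     "user": {"username": "alice@example.com"},
     "objectRef": {"resource": "secrets", "namespace": "payments", "name": "db-creds"},
     "responseStatus": {"code": 200}},
    # Denied by RBAC: not a successful creation, so no alert.
    {"stage": "ResponseComplete", "verb": "create",
     "user": {"username": "mallory@example.com"},
     "objectRef": {"resource": "secrets", "namespace": "kube-system", "name": "admin-kubeconfig"},
     "responseStatus": {"code": 403}},
    # Not a secret at all.
    {"stage": "ResponseComplete", "verb": "create",
     "user": {"username": "alice@example.com"},
     "objectRef": {"resource": "configmaps", "namespace": "payments", "name": "settings"},
     "responseStatus": {"code": 201}},
])


def parse(audit_log: str) -> List[dict]:
    """Split a JSON-lines audit log into event dicts."""
    return [json.loads(line) for line in audit_log.splitlines() if line.strip()]


def is_system_user(username: str) -> bool:
    """Users the Kubernetes control plane acts as (controllers, nodes, ...)."""
    return username.startswith("system:")


def is_sa_token_secret_by_request(event: dict) -> Optional[bool]:
    """The pre-commit approach: look at the secret type in the request object.

    Returns None when the event was logged below RequestResponse level,
    because the field is simply not there to check."""
    req = event.get("requestObject")
    if req is None:
        return None
    return req.get("type") == "kubernetes.io/service-account-token"


def classify(event: dict) -> Optional[str]:
    """Return the rule name an event triggers, or None.

    Every field used here is present at Metadata level."""
    if event.get("stage") != "ResponseComplete":
        return None
    if (event.get("objectRef") or {}).get("resource") != "secrets":
        return None
    if is_system_user((event.get("user") or {}).get("username", "")):
        return None
    code = (event.get("responseStatus") or {}).get("code", 0)
    if not 200 <= code < 300:          # only successful requests
        return None
    return {"create": "K8s Secret Created",
            "delete": "K8s Secret Deleted"}.get(event.get("verb"))


def run(audit_log: str = SAMPLE_AUDIT_LOG) -> List[str]:
    """Render one alert line (this example's own format) per matching event."""
    alerts = []
    for event in parse(audit_log):
        rule = classify(event)
        if rule is None:
            continue
        ref = event["objectRef"]
        alerts.append(f"{rule} (user={event['user']['username']} "
                      f"secret={ref['name']} ns={ref['namespace']} "
                      f"resp={event['responseStatus']['code']})")
    return alerts


if __name__ == "__main__":
    for line in run():
        print(line)
```

The point of the `system:` prefix check is that it needs only `user.username`, which every audit level above `None` records; the older `type == kubernetes.io/service-account-token` test needs `requestObject`, which only `Request`/`RequestResponse` policies emit, so on a Metadata-level cluster it silently never matched. The trade-off is that a human-driven `create` of a token-type secret is now alerted on, and a system user creating a non-token secret is not.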
kaizhe
f7ac7f34b7
rename rule
Signed-off-by: kaizhe <derek0405@gmail.com>
2020-04-21 19:04:14 +02:00
kaizhe
a1145d9841
rule update: add a rule to detect reverse shell
Signed-off-by: kaizhe <derek0405@gmail.com>
2020-04-21 19:04:14 +02:00
Nicolas Marier
91a0b510fa
rule(macro user_expected_system_procs_network_activity_conditions): create the macro
It's useful to ignore some system binaries that use the network under
certain conditions, so this should be overridable by the user.
Signed-off-by: Nicolas Marier <nmarier@coveo.com>
2020-04-14 13:22:09 +02:00
Nicolas Marier
76062b93ab
rule(list known_system_procs_network_activity_binaries): add a list of known procs for convenience
This makes it more convenient to add more allowed procs, and many other
rules have a similar mechanism to whitelist certain processes.
Signed-off-by: Nicolas Marier <nmarier@coveo.com>
2020-04-14 13:22:09 +02:00
Vicente Herrera
9fd08ce3e4
Introduce missing allowed_full_admin_users macro so its corresponding rule is disabled by default
Signed-off-by: Vicente Herrera <vicenteherrera@vicenteherrera.com>
2020-04-14 13:19:14 +02:00
Vicente Herrera
3ce11f093f
Removed default K3s admin user from list, clarified comments
Signed-off-by: Vicente Herrera <vicenteherrera@vicenteherrera.com>
2020-04-14 13:19:14 +02:00
Vicente Herrera
e7b3d7a7e0
Added four new rules to detect k8s operations by an administrator, nodes successfully joining the cluster, nodes unsuccessfully attempting to join, and creation of an ingress without a TLS certificate
Signed-off-by: Vicente Herrera <vicenteherrera@vicenteherrera.com>
2020-04-14 13:19:14 +02:00
Vicente Herrera
2c2d126a54
Added two new rules to detect traffic to an image outside the local subnet and traffic that is not to an authorized server process and port
Signed-off-by: Vicente Herrera <vicenteherrera@vicenteherrera.com>
2020-04-14 13:19:14 +02:00
Bob Aman
ffa137fc7c
rule(Delete Bash History): Fix typo in tags
Signed-off-by: Bob Aman <bob@sporkmonger.com>
2020-04-14 12:54:02 +02:00
Bob Aman
534a642074
rule(Delete or rename shell history): Fix typo in tags
Signed-off-by: Bob Aman <bob@sporkmonger.com>
2020-04-14 12:54:02 +02:00
kaizhe
1548ccbc4f
rule(Write below root): use pmatch to check against known root directories
Signed-off-by: kaizhe <derek0405@gmail.com>
2020-04-09 12:32:30 +02:00
kaizhe
6834649fa5
rule(Service Account Created in Kube Namespace): only detect SAs created in a kube namespace with success
Signed-off-by: kaizhe <derek0405@gmail.com>
2020-03-27 13:02:57 +01:00
kaizhe
e1cb2e9bb0
rule(Detect outbound connections to common miner pool ports): whitelist sysdig/agent and falcosecurity/falco for query miner domain dns
Signed-off-by: kaizhe <derek0405@gmail.com>
2020-03-27 00:33:24 +01:00
Hiroki Suezawa
3067af566e
rule(Change thread namespace): fix regression test
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-03-12 16:35:46 +01:00
Hiroki Suezawa
742538ac86
rule(Change thread namespace): change condition to detect suspicious container activity
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-03-12 16:35:46 +01:00
Vicente Herrera
085009ad93
Fixed use of "tag" instead of "tags" in default rules
Signed-off-by: Vicente Herrera <vicenteherrera@vicenteherrera.com>
2020-03-10 20:51:45 +01:00
kaizhe
4a8d8a049f
add comments
Signed-off-by: kaizhe <derek0405@gmail.com>
2020-03-04 09:28:43 +01:00
kaizhe
b4f2fdc439
disable cryptomining rule by default; add exception for localhost and RFC 1918 IP addresses
Signed-off-by: kaizhe <derek0405@gmail.com>
2020-03-04 09:28:43 +01:00
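The destination exception described in the cryptomining commit above (skip localhost and RFC 1918 destinations, rule off by default), as an added example that is not Falco's rule. The pool-port set and the connection records are constructed for illustration; the rule's real port list is not on this page.

```python
"""Added example, not Falco's rule: miner-pool-port detection with the
loopback / RFC 1918 destination exception applied to constructed
outbound-connection records.
"""
import ipaddress
from typing import List

# Assumed sample of pool ports for this example only.
SAMPLE_MINER_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}

# Exactly the ranges the commit names besides localhost: the three RFC 1918 blocks.
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_excluded_destination(ip: str) -> bool:
    """True for loopback (v4 or v6) or an RFC 1918 address.

    Deliberately not ipaddress.is_private: that also covers 100.64.0.0/10,
    link-local, documentation ranges and more, which is wider than the
    exception the commit describes."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return True
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped   # ::ffff:192.168.1.9 still targets a private v4 host
    return isinstance(addr, ipaddress.IPv4Address) and any(addr in n for n in RFC1918_NETS)


def matches(conn: dict, enabled: bool = False) -> bool:
    """Rule condition: enabled, outbound, pool port, destination not excluded.

    `enabled` defaults to False to mirror "disabled by default"."""
    return (enabled
            and conn["direction"] == "out"
            and conn["dport"] in SAMPLE_MINER_POOL_PORTS
            and not is_excluded_destination(conn["dip"]))


# Constructed connection records (what a connect() syscall might be summarised as).
SAMPLE_CONNECTIONS = [
    {"proc": "xmrig", "direction": "out", "dip": "203.0.113.25", "dport": 3333},
    {"proc": "java",  "direction": "out", "dip": "10.12.3.4", "dport": 4444},   # internal service on 4444
    {"proc": "curl",  "direction": "out", "dip": "127.0.0.1", "dport": 5555},   # local dev server
    {"proc": "node",  "direction": "out", "dip": "::ffff:192.168.1.9", "dport": 7777},
    {"proc": "xmrig", "direction": "out", "dip": "2001:db8::1", "dport": 14444},
    {"proc": "nginx", "direction": "in",  "dip": "198.51.100.7", "dport": 3333},  # inbound, not covered
]


def flagged_processes(conns=SAMPLE_CONNECTIONS, enabled: bool = True) -> List[str]:
    """Names of processes whose connections trip the rule."""
    return [c["proc"] for c in conns if matches(c, enabled)]


if __name__ == "__main__":
    print("enabled :", flagged_processes())
    print("disabled:", flagged_processes(enabled=False))
```

Two caveats a practitioner should keep in mind: a miner that proxies through an in-cluster or on-host relay will have a private or loopback destination and slip past this exception, and a CGNAT address in 100.64.0.0/10 is not RFC 1918, so it is still flagged here even though many clouds use it internally.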
Mark Stemm
3693b16c91
Let puma reactor spawn shells
Sample Falco alert:
```
Shell spawned by untrusted binary (user=git shell=sh parent=puma reactor
cmdline=sh -c pgrep -fl "unicorn.* worker\[.*?\]" pcmdline=puma reactor
gparent=puma ggparent=runsv aname[4]=ru...
```
https://github.com/puma/puma says it is "A Ruby/Rack web server built
for concurrency".
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-02-03 16:13:57 +01:00
Mark Stemm
48a0f512fb
Let cilium-cni change namespaces
Sample Falco alert:
```
Namespace change (setns) by unexpected program (user=root
command=cilium-cni parent=cilium-cni host CID2 CID1 image=<NA>)
```
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-02-03 16:13:57 +01:00
Mark Stemm
01c9d8ba31
Let runc write to /exec.fifo
Sample Falco alert:
```
File below / or /root opened for writing (user=<NA>
command=runc:[1:CHILD] init parent=docker-runc-cur file=/exec.fifo
program=runc:[1:CHILD] CID1 image=<NA>)
```
This github issue provides some context:
https://github.com/opencontainers/runc/pull/1698
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-02-03 16:13:57 +01:00
Mark Stemm
7794e468ba
Allow writes to /etc/pki from openshift secrets dir
Sample Falco alert:
```
File below /etc opened for writing (user=root command=cp
/run/secrets/kubernetes.io/serviceaccount/ca.crt
/etc/pki/ca-trust/source/anchors/openshift-ca.crt parent=bash
pcmdline=bash -c #!/bin/bash\nset -euo pipefail\n\n# set by the node
image\nunset KUB...
```
The exception is conditioned on containers.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-02-03 16:13:57 +01:00
Mark Stemm
0d74f3938d
Let avinetworks supervisor write some ssh cfg
Sample Falco alert:
```
File below /etc opened for writing (user=root command=se_supervisor.p
/opt/avi/scripts/se_supervisor.py -d parent=systemd pcmdline=systemd
file=/etc/ssh/ssh_monitor_config_10.24.249.200 program=se_supervisor.p
gparent=docker-containe ggparent=docker-con...
```
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-02-03 16:13:57 +01:00
Mark Stemm
e5f06e399f
Let mcafee write to /etc/cma.d
Sample Falco alert:
```
File below /etc opened for writing (user=root command=macompatsvc
self_start parent=macompatsvc pcmdline=macompatsvc self_start
file=/etc/cma.d/lpc.conf program=macompatsvc gparent=macompatsvc
ggparent=systemd gggparent=<NA> CID1 image=<NA>)
```
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-02-03 16:13:57 +01:00
Mark Stemm
fa3e48ca1a
Add "dsc_host" as a MS OMS program
Sample Falco alert:
```
File below /etc opened for writing (user=<NA> command=dsc_host
/opt/dsc/output PerformRequiredConfigurationChecks 1 parent=python
pcmdline=python
/opt/microsoft/omsconfig/Scripts/PerformRequiredConfigurationChecks.py
file=/etc/opt/omi/conf/omsconfig/con...
```
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2020-02-03 16:13:57 +01:00
Leonardo Di Donato
572ac46d85
build: include GNUInstallDirs module
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2020-01-17 19:09:31 +01:00
Hiroki Suezawa
cd94d05cd9
rule(list network_tool_binaries): delete ssh from the list
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-16 22:27:12 +01:00
Hiroki Suezawa
23a7203e50
rule(list network_tool_binaries): add network tool names
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-16 22:27:12 +01:00
Hiroki Suezawa
93fdf8ef61
rule(macro user_known_k8s_client_container): Rephrase the comment
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-11 12:53:06 +01:00
Hiroki Suezawa
bcc84c47c6
rule(macro user_known_k8s_client_container): have a more strict condition to avoid false positives
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-11 12:53:06 +01:00
Nicolas Marier
13931ab5d7
rule(Write below etc): whitelist automount writing under /etc
This commit allows automount to write under /etc/mtab without flagging
it as an error.
Signed-off-by: Nicolas Marier <nmarier@coveo.com>
2019-12-05 19:27:18 +01:00
Hiroki Suezawa
559b7e1bb1
rule(The docker client is executed in a container): modify condition to reduce false positives
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-05 14:32:22 +01:00
Hiroki Suezawa
fc58ac7356
rule update: modify rule to detect connection to K8S API Server from a container
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-05 10:59:05 +01:00
Jean-Philippe Lachance
418bcf2177
Apply Kaizhe's code review
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2019-12-04 03:36:04 +01:00
Jean-Philippe Lachance
f97a33d40a
Exclude exe_running_docker_save in the "Update Package Repository" rule
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2019-12-04 03:36:04 +01:00
Jean-Philippe Lachance
df7a356e1d
Apply Kaizhe's code review
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2019-12-04 03:35:11 +01:00
Jean-Philippe Lachance
03e8b7f53d
Exclude exe_running_docker_save in the "Modify Shell Configuration File" rule
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2019-12-04 03:35:11 +01:00
Jean-Philippe Lachance
146343e5f0
Update the exe_running_docker_save macro to support docker in docker
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
2019-12-04 02:20:21 +01:00
Hiroki Suezawa
7da245e902
rule update: Modify rule to detect raw packet creation
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-04 00:19:26 +00:00
Hiroki Suezawa
d0e6279bb2
rule update: Modify condition for raw packet creation
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-04 00:19:26 +00:00
Hiroki Suezawa
8b2d4e1fe6
rule update: Fix condition for raw packet creation and rename
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-04 00:19:26 +00:00
Hiroki Suezawa
ebec520ebc
rule update: Add rules to detect raw packet creation
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-04 00:19:26 +00:00
kaizhe
2f8caf99cd
rule update: align sensitive mount macro between k8s_audit rules and syscall rules
Signed-off-by: kaizhe <derek0405@gmail.com>
2019-12-03 12:58:21 -08:00
Hiroki Suezawa
0b402e2326
rule update: Rename rule for Cloud Metadata access again
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-03 20:15:33 +00:00
Hiroki Suezawa
54329a64cd
rule update: Rename rule for Cloud Metadata access
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-03 20:15:33 +00:00
rung
89d8259860
rule update: Add consider_gce_metadata_access macro for rule to detect GCE Metadata access
Signed-off-by: rung <suezawa@gmail.com>
2019-12-03 20:15:33 +00:00
Hiroki Suezawa
e70febc8db
rule update: Add rules for GCE Metadata detection
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2019-12-03 20:15:33 +00:00