github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-10-22 12:27:10 +00:00
Code Issues Projects Releases Wiki Activity
1,718 Commits 124 Branches 178 Tags
a0c189b7302b25ce4770f0450b76e665a5df37b7
Commit Graph

425 Commits

Author SHA1 Message Date
kaizhe
6834649fa5 rule(Service Account Created in Kube Namespace): only detect sa created in kube namespace with success 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-03-27 13:02:57 +01:00
kaizhe
e1cb2e9bb0 rule(Detect outbound connections to common miner pool ports): whitelist sysdig/agent and falcosecurity/falco for query miner domain dns 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-03-27 00:33:24 +01:00
Hiroki Suezawa
3067af566e rule(Change thread namespace): fix regression test 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2020-03-12 16:35:46 +01:00
Hiroki Suezawa
742538ac86 rule(Change thread namespace): change condition to detect suspicious container activity 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2020-03-12 16:35:46 +01:00
Vicente Herrera
085009ad93 Fixed use of "tag" instead of "tags" in default rules 
Signed-off-by: Vicente Herrera <vicenteherrera@vicenteherrera.com>
 2020-03-10 20:51:45 +01:00
kaizhe
4a8d8a049f add comments 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-03-04 09:28:43 +01:00
kaizhe
b4f2fdc439 disable cryptomining rule by default; add exception of localhost and rfc1918 ip addresses 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-03-04 09:28:43 +01:00
Mark Stemm
3693b16c91 Let puma reactor spawn shells 
Sample Falco alert:

```
Shell spawned by untrusted binary (user=git shell=sh parent=puma reactor
cmdline=sh -c pgrep -fl "unicorn.* worker\[.*?\]" pcmdline=puma reactor
gparent=puma ggparent=runsv aname[4]=ru...
```

https://github.com/puma/puma says it is "A Ruby/Rack web server built
for concurrency".

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
48a0f512fb Let cilium-cni change namespaces 
Sample Falco alert:

```
Namespace change (setns) by unexpected program (user=root
command=cilium-cni parent=cilium-cni host CID2 CID1 image=<NA>)
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
01c9d8ba31 Let runc write to /exec.fifo 
Sample Falco alert:

```
File below / or /root opened for writing (user=<NA>
command=runc:[1:CHILD] init parent=docker-runc-cur file=/exec.fifo
program=runc:[1:CHILD] CID1 image=<NA>)
```

This github issue provides some context:
https://github.com/opencontainers/runc/pull/1698

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
7794e468ba Alow writes to /etc/pki from openshift secrets dir 
Sample falco alert:

```
File below /etc opened for writing (user=root command=cp
/run/secrets/kubernetes.io/serviceaccount/ca.crt
/etc/pki/ca-trust/source/anchors/openshift-ca.crt parent=bash
pcmdline=bash -c #!/bin/bash\nset -euo pipefail\n\n# set by the node
image\nunset KUB...
```

The exception is conditioned on containers.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
0d74f3938d Let avinetworks supervisor write some ssh cfg 
Sample Falco alert:

```
File below /etc opened for writing (user=root command=se_supervisor.p
/opt/avi/scripts/se_supervisor.py -d parent=systemd pcmdline=systemd
file=/etc/ssh/ssh_monitor_config_10.24.249.200 program=se_supervisor.p
gparent=docker-containe ggparent=docker-con...
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
e5f06e399f Let mcafee write to /etc/cma.d 
Sample Falco alert:

```
File below /etc opened for writing (user=root command=macompatsvc
self_start parent=macompatsvc pcmdline=macompatsvc self_start
file=/etc/cma.d/lpc.conf program=macompatsvc gparent=macompatsvc
ggparent=systemd gggparent=<NA> CID1 image=<NA>)
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Mark Stemm
fa3e48ca1a Add "dsc_host" as a MS OMS program 
Sample Falco alert:

```
File below /etc opened for writing (user=<NA> command=dsc_host
/opt/dsc/output PerformRequiredConfigurationChecks 1 parent=python
pcmdline=python
/opt/microsoft/omsconfig/Scripts/PerformRequiredConfigurationChecks.py
file=/etc/opt/omi/conf/omsconfig/con...
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-02-03 16:13:57 +01:00
Leonardo Di Donato
572ac46d85 build: include GNUInstallDirs module 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-17 19:09:31 +01:00
Hiroki Suezawa
cd94d05cd9 rule(list network_tool_binaries): delete ssh from the list 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-16 22:27:12 +01:00
Hiroki Suezawa
23a7203e50 rule(list network_tool_binaries): add network tool names 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-16 22:27:12 +01:00
Hiroki Suezawa
93fdf8ef61 rule(macro user_known_k8s_client_container): Rephrase the comment 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-11 12:53:06 +01:00
Hiroki Suezawa
bcc84c47c6 rule(macro user_known_k8s_client_container): have more strict condition to avoid false positives 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-11 12:53:06 +01:00
Nicolas Marier
13931ab5d7 rule(Write below etc): whitelist automount writing under /etc 
This commit allows automount to write under /etc/mtab without flagging
it as an error.

Signed-off-by: Nicolas Marier <nmarier@coveo.com>
 2019-12-05 19:27:18 +01:00
Hiroki Suezawa
559b7e1bb1 rule(The docker client is executed in a container): modify condition to reduce false positive 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-05 14:32:22 +01:00
Hiroki Suezawa
fc58ac7356 rule update: modify rule to detect connection to K8S API Server from a container 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-05 10:59:05 +01:00
Jean-Philippe Lachance
418bcf2177 Apply Kaizhe's code review 
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
 2019-12-04 03:36:04 +01:00
Jean-Philippe Lachance
f97a33d40a Exclude exe_running_docker_save in the "Update Package Repository" rule 
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
 2019-12-04 03:36:04 +01:00
Jean-Philippe Lachance
df7a356e1d Apply Kaizhe's code review 
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
 2019-12-04 03:35:11 +01:00
Jean-Philippe Lachance
03e8b7f53d Exclude exe_running_docker_save in the "Modify Shell Configuration File" rule 
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
 2019-12-04 03:35:11 +01:00
Jean-Philippe Lachance
146343e5f0 Update the exe_running_docker_save macro to support docker in docker 
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
 2019-12-04 02:20:21 +01:00
Hiroki Suezawa
7da245e902 rule update: Modify rule to detect raw packets creation 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-04 00:19:26 +00:00
Hiroki Suezawa
d0e6279bb2 rule update: Modify condition for raw packets creation 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-04 00:19:26 +00:00
Hiroki Suezawa
8b2d4e1fe6 rule update: Fix condition for raw packets creation and renamed 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-04 00:19:26 +00:00
Hiroki Suezawa
ebec520ebc rule update: Add rules to detect raw packets creation 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-04 00:19:26 +00:00
kaizhe
2f8caf99cd rule update: align sensitive mount macro between k8s_audit rules and syscall rules 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-12-03 12:58:21 -08:00
Hiroki Suezawa
0b402e2326 rule update: Rename rule for Cloud Metadata access again 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-03 20:15:33 +00:00
Hiroki Suezawa
54329a64cd rule update: Rename rule for Cloud Metadata access 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-03 20:15:33 +00:00
rung
89d8259860 rule update: Add consider_gce_metadata_access macro for rule to detect GCE Metadata access 
Signed-off-by: rung <suezawa@gmail.com>
 2019-12-03 20:15:33 +00:00
Hiroki Suezawa
e70febc8db rule update: Add rules for GCE Metadata detection 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-03 20:15:33 +00:00
kaizhe
722ab4f2f9 minor changes 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-12-03 19:37:01 +00:00
kaizhe
6c9bce6f73 update k8s audit rule 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-12-03 19:37:01 +00:00
kaizhe
7c33fafe89 minor changes 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-12-03 19:37:01 +00:00
kaizhe
18acea4a73 minor changes 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-12-03 19:37:01 +00:00
kaizhe
8011fe7ce7 rules update: add more sensitive host path to sensitive_host_mount macro 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-12-03 19:37:01 +00:00
Jean-Philippe Lachance
80d69917ea * Rename the macro to user_known_package_manager_in_container 
+ Add a comment to explain how we should use this macro

Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
 2019-12-03 00:03:35 +01:00
Jean-Philippe Lachance
3713f7a614 + Add a simple user_known_package_manager_in_container_conditions macro 
* Use the user_known_package_manager_in_container_conditions macro in the "Launch Package Management Process in Container" rule

Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
 2019-12-03 00:03:35 +01:00
Jean-Philippe Lachance
79cb75dcd1 ! Exclude exe_running_docker_save in the "Set Setuid or Setgid bit" rule 
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
 2019-12-02 23:54:53 +01:00
Hiroki Suezawa
c736a843a0 rule update: Add kubelet to user_known_chmod_applications list 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2019-12-01 23:27:04 +01:00
kaizhe
cf8395c7ed minor changes 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-11-08 10:38:47 +01:00
kaizhe
f16c744779 rules update: add hyperkube to the whitelist of rule Set Setuid or Setgit bit 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-11-08 10:38:47 +01:00
kaizhe
4ed581853a rules update: add docker-runc-cur to container_entrypoint macro 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2019-11-08 10:38:47 +01:00
David de Torres
ed767561ac Added list k8s_client_binaries 
Added accidentally deleted lines for the list of k8s client binaries.

Signed-off-by: David de Torres <detorres.david@gmail.com>
 2019-11-08 09:49:09 +01:00
David de Torres
98becedebb Added rule to detect k8s client tool in container 
The rule detects the execution of the k8s client tool in a container and
logs it with WARNING priority.

Signed-off-by: David de Torres <detorres.david@gmail.com>
 2019-11-08 09:49:09 +01:00