github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-01-30 06:00:00 +00:00
Code Issues Projects Releases Wiki Activity
2,406 Commits 122 Branches 184 Tags
ca66b84e5ab5f2433e698d098aca0785caea1eb9
Commit Graph

563 Commits

Author SHA1 Message Date
Tom Keyte
e0f8b81692 Remove duplicate allowed ecr registry rule 
Signed-off-by: Tom Keyte <tom.keyte@onsecurity.co.uk>
 2021-09-17 11:12:54 +02:00
Alberto Pellitteri
874809351f rules(list https_miner_domains): fix typo in the list 
Co-authored-by: darryk10 <stefano.chierici@sysdig.com>
Signed-off-by: Alberto Pellitteri <albertopellitteri96@gmail.com>
 2021-09-17 09:16:54 +02:00
Alberto Pellitteri
4527228ef8 rules(list https_miner_domains): add new miner domains 
Signed-off-by: Alberto Pellitteri <albertopellitteri96@gmail.com>
Co-authored-by: darryk10 <stefano.chierici@sysdig.com>
 2021-09-17 09:16:54 +02:00
Alberto Pellitteri
e684c95e23 rules(list miner_domains): add new miner domains 
Signed-off-by: Alberto Pellitteri <albertopellitteri96@gmail.com>
Co-authored-by: darryk10 <stefano.chierici@sysdig.com>
 2021-09-17 09:16:54 +02:00
Leonardo Di Donato
d6690313a0 update(rules): bump the required engine version to version 9 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
98ce88f7ef chore(rules): imporve name of the list for userfaultfd exceptions 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
9ff8099501 update(userspace/engine): bump falco engine version 
Co-authored-by: Kaizhe Huang <derek0405@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
7db4778f55 update(rules): introducing list user_known_userfaultfd_activities to exclude processes known to use userfaultfd syscall 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
7f761ade4b update(rules): introducing the macro consider_userfaultfd_activities to act as a gate 
Co-authored-by: Kaizhe Huang <derek0405@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
84257912e0 update(rules): tag rule as syscall 
Co-authored-by: Kaizhe Huang <derek0405@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
9bc942c654 new(rules): detect unprivileged (successful) userfaultfd syscalls 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
8216b435cb update(rules): adding container info to the output of the Lryke detecting kernel module injections from containers 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Lorenzo Fontana
0f24448d18 rules(list miner_domains): add rx.unmineable.com for anti-miner detection 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-06-17 09:59:25 +02:00
Kaizhe Huang
b268d4d6c3 rule update(Non sudo setuid): check user id as well in case user name info is not available 
Signed-off-by: Kaizhe Huang <khuang@aurora.tech>
 2021-06-10 13:44:05 +02:00
Kaizhe Huang
ad82f66be3 rules update(Change thread namespace and Set Setuid or Setgid bit): disable by default 
Signed-off-by: Kaizhe Huang <derek0405@gmail.com>
 2021-06-07 12:17:21 +02:00
Sverre Boschman
35dc315390 add known k8s service accounts 
Signed-off-by: Sverre Boschman
 2021-06-04 10:46:09 +02:00
Kaizhe Huang
09e1604fe0 rule update(Debugfs Launched in Privileged Container): fix typo in description 
Signed-off-by: Kaizhe Huang <khuang@aurora.tech>
 2021-05-27 11:21:30 +02:00
ismail yenigul
2226a1508c exception to privileged container for EKS images 
Signed-off-by: ismail yenigul <ismailyenigul@gmail.com>
 2021-05-06 02:36:48 +02:00
maxgio92
fd6a1d0d05 clean(rules/falco_rules.yaml): remove deprecated oci image repositories 
Signed-off-by: maxgio92 <massimiliano.giovagnoli.1992@gmail.com>
 2021-04-29 11:51:35 +02:00
Leonardo Grasso
e95ab26f33 update(rules): stricter detection of man-db postinst exception 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-04-19 17:01:10 +02:00
Leonardo Grasso
23a611b343 chore(rules): remove too week macro python_running_sdchecks 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-04-19 17:01:10 +02:00
Leonardo Di Donato
2e97d0e27c chore(rules): cleanup old macros 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-09 18:17:11 +02:00
Leonardo Di Donato
06086df21e chore(rules): re-enable negation of package_mgmt_procs for Write below binary dir rule 
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-04-09 18:17:11 +02:00
Lorenzo Fontana
194cdf7873 update(rules): revert exceptions in default ruleset for k8s audit 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-04-09 18:17:11 +02:00
Lorenzo Fontana
35fe14e691 rules(list user_known_sa_list): revert as an empty list for user overwrite 
rules(list known_sa_list): list of known sa moved here from user_known_sa_list

Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-04-09 18:17:11 +02:00
Lorenzo Fontana
abc79fb548 update(rules): revert exceptions in default ruleset 
Exceptions have been introduced in commit 64a231b962
The feature itself is very useful for more complex environments where
the simple conditions are difficult to handle.
However, many users reported that they find them difficult to understand so
we are doing a rollback of them in the default ruleset in favor of the
syntax without exceptions.

Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-04-09 18:17:11 +02:00
stevenshuang
167c5bc691 fix: update rule description 
Signed-off-by: stevenshuang <stevenshuang521@gmail.com>
 2021-03-24 18:47:55 +01:00
Kaizhe Huang
7ea80e39b1 rule(Set Setuid or Setgid bit) update: add k3s-agent in the whitelist 
Signed-off-by: Kaizhe Huang <derek0405@gmail.com>
 2021-03-22 11:36:59 +01:00
Kaizhe Huang
b58f76b268 rule (Debugfs Launched in Privileged Container and Mount Launched in Privileged Container): create 
Signed-off-by: Kaizhe Huang <derek0405@gmail.com>
 2021-03-22 11:36:59 +01:00
Shane Lawrence
2f0e09b549 rule (Write below monitored dir): Clean up and use glob matching. 
Signed-off-by: Shane Lawrence <shane@lawrence.dev>
 2021-03-12 10:37:16 +01:00
Spencer Krum
b3693a0b75 chore(rules): Add ibmcloud operator lifecycle manager 
Signed-off-by: Spencer Krum <nibz@spencerkrum.com>
 2021-02-19 12:35:30 +01:00
Spencer Krum
a54f946135 chore(rules): Rule exceptions for ibm cloud 
Whitelist ibm images for connecting to k8s api server

IBM Observability by Sysdig has a vendored sysdig/agent image.

IBM's Kubernetes Service ships with an operator manager. Example:

19:12:45.090908160: Notice Unexpected connection to K8s API Server from
container (command=catalog -namespace ibm-system
-configmapServerImage=registry.ng.bluemix.net/armada-master/configmap-operator-registry:v1.6.1
k8s.ns=ibm-system k8s.pod=catalog-operator-6495d76869-ncl2z
container=4ad7a04fa1e0
image=registry.ng.bluemix.net/armada-master/olm:0.14.1-IKS-1
connection=172.30.108.219:48200->172.21.0.1:443) k8s.ns=ibm-system
k8s.pod=catalog-operator-6495d76869-ncl2z container=4ad7a04fa1e0

IBM's Kubernetes service also ships with a metrics collecting agent

Signed-off-by: Spencer Krum <nibz@spencerkrum.com>
 2021-02-19 12:35:30 +01:00
Leonardo Grasso
85db1aa997 fix(rules): correct indentation 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2021-02-19 09:24:55 +01:00
ismail yenigul
37a6caae12 remove commercial images to unblock PR 
add endpoint-controller to user_known_sa_list
related event:
    {
        "output": "05:19:25.557989888: Warning Service account created
in kube namespace (user=system:kube-controller-manager
serviceaccount=endpoint-controller ns=kube-system)",
        "priority": "Warning",
        "rule": "Service Account Created in Kube Namespace",
        "time": "2021-02-16T05:19:25.557989888Z",
        "output_fields": {
            "jevt.time": "05:19:25.557989888",
            "ka.target.name": "endpoint-controller",
            "ka.target.namespace": "kube-system",
            "ka.user.name": "system:kube-controller-manager"
        }
    }

Signed-off-by: ismail yenigul <ismailyenigul@gmail.com>
 2021-02-19 09:24:55 +01:00
ismail yenigul
2d962dfcb0 rebase to master 
update user_known_sa_list with k8s internal sa in kube-system

{
        "output": "10:27:56.539783936: Warning Service account created
in kube namespace (user=system:kube-controller-manager
serviceaccount=replicaset-controller ns=kube-system)",
        "priority": "Warning",
        "rule": "Service Account Created in Kube Namespace",
        "time": "2021-02-15T10:27:56.539783936Z",
        "output_fields": {
            "jevt.time": "10:27:56.539783936",
            "ka.target.name": "replicaset-controller",
            "ka.target.namespace": "kube-system",
            "ka.user.name": "system:kube-controller-manager"
        }
    }

{
        "output": "17:06:18.267429888: Warning Service account created
in kube namespace (user=system:kube-controller-manager
serviceaccount=deployment-controller ns=kube-system)",
        "priority": "Warning",
        "rule": "Service Account Created in Kube Namespace",
        "time": "2021-02-15T17:06:18.267429888Z",
        "output_fields": {
            "jevt.time": "17:06:18.267429888",
            "ka.target.name": "deployment-controller",
            "ka.target.namespace": "kube-system",
            "ka.user.name": "system:kube-controller-manager"
        }
    }

and more..

Signed-off-by: ismail yenigul <ismailyenigul@gmail.com>
 2021-02-19 09:24:55 +01:00
Petr Michalec
541845156f rhsm cert updates 
Signed-off-by: Petr Michalec <epcim@apealive.net>
Signed-off-by: Petr Michalec <pmichalec@ves.io>
 2021-02-18 15:42:06 +01:00
darryk5
0879523776 update: add review suggestions for Rule Sudo Potential Privilege Escalation 
Signed-off-by: darryk5 <stefano.chierici@sysdig.com>
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2021-02-17 21:36:51 +01:00
darryk5
81e880b486 Added Rule Sudo Potential Privilege Escalation (CVE-2021-3156) 
See #1540

Signed-off-by: darryk5 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Fontana <lo@linux.com>
 2021-02-17 21:36:51 +01:00
ismail yenigul
959811a503 add eks:node-manager to allowed_k8s_users list 
eks:node-manager  is an Amazon EKS internal service role that performs specific operations for managed node groups and Fargate.
Reference: https://github.com/awsdocs/amazon-eks-user-guide/blob/master/doc_source/logging-monitoring.md
Related falco log

```
{"output":"10:56:31.181308928: Warning K8s Operation performed by user not in allowed list of users
 (user=eks:node-manager target=aws-auth/configmaps verb=get uri=/api/v1/namespaces/kube-system/configmaps/aws-auth?timeout=19s resp=200)","priority":"Warning","rule":"Disallowed K8s User","time":"2021-01-26T10:56:31.181308928Z", "output_fields":
{"jevt.time":"10:56:31.181308928","ka.response.code":"200","ka.target.name":"aws-auth","ka.target.resource":"configmaps","ka.uri":"/api/v1/namespaces/kube-system/configmaps/aws-auth?timeout=19s","ka.user.name":"eks:node-manager","ka.verb":"get"}}
```

Signed-off-by: ismailyenigul <ismailyenigul@gmail.com>
 2021-02-04 17:33:54 +01:00
Mark Stemm
49b8f87db4 Make the req. engine version 8 for k8s_audit rules 
These define exceptions too.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-01-19 10:37:55 +01:00
Mark Stemm
7f4afffe3e Remove old unused macros/lists 
Remove old macros/lists that aren't being used by any current rules.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-01-19 10:37:55 +01:00
Mark Stemm
64a231b962 Add exceptions fields/comps/values to rules files 
Take advantage of the changes to support exceptions and refactor rules
to use them whenever feasible:

- Define exceptions for every rule. In cases where no practical
  exception exists e.g. "K8s <obj> Created/Deleted", define an empty
  exception property just to avoid warnings when loading rules.
- Go through all rules and convert macros-used-as-exceptions that
  matched against 2-3 filter fields into exceptions. In most cases,
  switching from equality (e.g proc.name=nginx) to in (e.g. proc.name
  in (nginx)) allowed for better groupings into a smaller set of
  exception items.
- In cases where the exception had complex combinations of fields, keep
  the macro as is.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-01-19 10:37:55 +01:00
James Barlow
7f33b08634 rule(Create Hidden Files or Directories): Exclude exe_running_docker_save 
Signed-off-by: James Barlow <james.barlow@finbourne.com>
 2021-01-08 19:21:42 +01:00
James Barlow
c2a05b3e64 rule(Mkdir binary dirs): Exclude exe_running_docker_save 
Signed-off-by: James Barlow <james.barlow@finbourne.com>
 2021-01-08 19:21:42 +01:00
kaizhe
6beb9838d6 rule(list user_known_change_thread_namespace_binaries): add crio and multus to the list 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-12-14 04:16:15 -05:00
kaizhe
0a901e4f52 add exception macro 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-12-04 06:21:34 -05:00
kaizhe
22732e9edb rule(Container Run as Root User): new rule created 
Signed-off-by: kaizhe <derek0405@gmail.com>
 2020-12-04 06:21:34 -05:00
DingGGu
2b2856299c rule(macro user_known_k8s_client_container): separate list of k8s images 
Signed-off-by: DingGGu <ggu@dunamu.com>
 2020-11-11 10:22:45 -05:00
DingGGu
ec5b42074e rule(macro user_known_k8s_ns_kube_system_images): add new macro image name inside kube-system namespace 
Signed-off-by: DingGGu <ggu@dunamu.com>
 2020-11-11 10:22:45 -05:00
DingGGu
0b516b7d42 rule(macro user_known_k8s_ns_kube_system_images): add new macro image name inside kube-system namespace 
Signed-off-by: DingGGu <ggu@dunamu.com>
 2020-11-11 10:22:45 -05:00