Commit Graph

27 Commits

Author SHA1 Message Date
Mark Stemm
c23229263c Update rules to work on demo scenarios.
Make changes to falco_rules.yaml to make sure they work on the demo
scenarios without too many false positives. The specific changes are:

- Add /etc/ld.so.cache as an allowed shared library to open.
- Comment out the shared library check for now--there are lots of
  locations below /usr/lib for things like python, perl, etc and I want
  to get a fuller categorization first.
- Add a few additional parent processes that can spawn shells, write
  sensitive files, and call setuid. Also allow bash shells with no
  parent to spawn shells. We may want to disallow this but I suspect a
  better place to detect is the parent-less bash shell becoming a
  session leader.
- Add rules for fs-bash (falco-safe bash), which is used in the curl
  <url> | bash installer demo. The idea is that fs-bash has restrictions
  on what it and child proceses can do.
- Add trailing '/' characters to path names in bin_dir_* so paths like
  /tmp/binary don't accidentally match '/bin'

Note that as process names are truncated to 15 characters, long process
names like 'httpd-foregroun' are intentionally truncated.
2016-05-10 11:37:25 -07:00
Mark Stemm
b8cdb8e46c Modify existing rules to not use ignored syscalls.
The ignored syscalls in macros were:
 - write: renamed to open_write to make its weaker resolution more
 apparent. Checks for open with any flag that could change a file.
 - read: renamed to open_read. Checks for open with any read flag.
 - sendto: I couldn't think of any way to replace this, so I simply
 removed it with a comment.

I kept the original read/write macros commented out with a note that
they use ignored syscalls.

I have not tested these changes yet other than verifying that falco
starts properly.
2016-05-05 23:20:46 -07:00
Henri DF
e3adaf2a5a Convert rules file to yaml format 2016-05-06 03:36:59 +00:00
Henri DF
abe6220651 Renaming 2016-04-28 03:28:19 +00:00
Henri DF
ef93844234 Rename digwatch.conf -> digwatch_rules.conf 2016-04-13 03:43:30 +00:00
Henri DF
a96816cc5d Add some simple example rules 2016-04-06 23:13:15 +00:00
Henri DF
0cfb89ffb4 Add digwatch.conf to package, install to /etc 2016-03-31 20:47:00 -07:00
Henri DF
8546e970f0 rename rules file 2016-03-31 20:29:41 -07:00
Henri DF
5f0123317a Remove function outputs from grammar 2016-03-30 13:00:51 -07:00
Henri DF
aef0be3027 Add priorities to all outputs
For now, all are WARNING. Will need to refine/adjust over time.
2016-03-30 12:54:46 -07:00
Henri DF
38957d3b14 Add timestamp in function outputs 2016-03-29 19:54:15 -07:00
Henri DF
97d7b125ba Implicit time in output formats
As pointed out by Loris, timestamping output messages should be a
responsibility of the output/collection system.

So as a first step towards this, add timestamps automatically for output
formats, and remove them from rules.
2016-03-29 19:47:57 -07:00
Henri DF
bc7f955127 rules: fix error in zookeeper_port 2016-03-29 19:47:18 -07:00
Henri DF
08afde0858 Add mysql rules 2016-03-29 22:16:15 +00:00
Henri DF
1e003fc0a6 Add more services to rules file
(HBase, Kafka, Memcached, MongoDB)
2016-03-29 22:16:15 +00:00
Henri DF
1d1a14acf9 Tweak comments in rules file 2016-03-29 22:16:15 +00:00
Henri DF
bbcedef54a Some tweaks to rules 2016-03-18 13:09:17 -07:00
Henri DF
6a504c924c Add a bunch of rules for service ports 2016-03-11 14:38:16 -08:00
Henri DF
773bc3f5d0 rules tweaks 2016-03-10 16:59:37 -08:00
Henri DF
44adb46529 Rules tweaks 2016-03-08 19:02:45 +00:00
Henri DF
972c84707f Mo rules 2016-03-07 16:35:13 -08:00
Henri DF
9bbe692137 Some more progress on rules 2016-03-03 16:14:14 -08:00
Henri DF
a921e25385 Tweaks to base.txt 2016-03-04 00:10:57 +00:00
Henri DF
b700a85b05 Add ssh alert 2016-03-04 00:10:48 +00:00
Henri DF
9c4bfecd40 Progress on base rules 2016-03-02 22:24:12 +00:00
Henri DF
a52441dcaa Some updates to base rules file 2016-03-01 20:10:52 -08:00
Henri DF
31a0065c3c Example ruleset 2016-02-28 16:19:47 -08:00