Merge branch 'dev' into agent-master

* Associate --validate with -V.

This fixes https://github.com/draios/falco/issues/322.

* Pin the version of libvirt-python to < 4.1.0

Evidently a recent libvirt-python has build problems on ubuntu. See
https://bugs.launchpad.net/openstack-requirements/+bug/1753539.

Pin to releases < 4.1.0 to avoid picking up the newer one that
has the build failure.

.travis.yml

@@ -17,6 +17,7 @@ install:
     - curl -Lo avocado-36.0-tar.gz https://github.com/avocado-framework/avocado/archive/36.0lts.tar.gz
     - tar -zxvf avocado-36.0-tar.gz
     - cd avocado-36.0lts
+    - sed -e 's/libvirt-python>=1.2.9/libvirt-python>=1.2.9,<4.1.0/' < requirements.txt  > /tmp/requirements.txt && mv /tmp/requirements.txt ./requirements.txt
     - sudo -H pip install -r requirements.txt
     - sudo python setup.py install
     - cd ../falco

docker/dev/Dockerfile

@@ -14,8 +14,7 @@ RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 
 ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
 
-RUN echo "deb http://httpredir.debian.org/debian jessie main" > /etc/apt/sources.list.d/jessie.list \
- && apt-get update \
+RUN apt-get update \
  && apt-get install -y --no-install-recommends \
 	bash-completion \
 	curl \
@@ -24,18 +23,11 @@ RUN echo "deb http://httpredir.debian.org/debian jessie main" > /etc/apt/sources
 	ca-certificates \
 	gcc \
 	gcc-5 \
-	gcc-4.9 && rm -rf /var/lib/apt/lists/*
+	gdb && rm -rf /var/lib/apt/lists/*
 
-# Since our base Debian image ships with GCC 5.0 which breaks older kernels, revert the
-# default to gcc-4.9. Also, since some customers use some very old distributions whose kernel
-# makefile is hardcoded for gcc-4.6 or so (e.g. Debian Wheezy), we pretend to have gcc 4.6/4.7
-# by symlinking it to 4.9
-
-RUN rm -rf /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.8 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.7 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.6
+# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
+# default to gcc-5.
+RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
 
 RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
  && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \

docker/local/Dockerfile

@@ -14,8 +14,7 @@ RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 
 ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
 
-RUN echo "deb http://httpredir.debian.org/debian jessie main" > /etc/apt/sources.list.d/jessie.list \
- && apt-get update \
+RUN apt-get update \
  && apt-get install -y --no-install-recommends \
 	bash-completion \
 	curl \
@@ -24,19 +23,11 @@ RUN echo "deb http://httpredir.debian.org/debian jessie main" > /etc/apt/sources
 	ca-certificates \
 	gcc \
 	gcc-5 \
-	gcc-4.9 \
 	dkms && rm -rf /var/lib/apt/lists/*
 
-# Since our base Debian image ships with GCC 5.0 which breaks older kernels, revert the
-# default to gcc-4.9. Also, since some customers use some very old distributions whose kernel
-# makefile is hardcoded for gcc-4.6 or so (e.g. Debian Wheezy), we pretend to have gcc 4.6/4.7
-# by symlinking it to 4.9
-
-RUN rm -rf /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.8 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.7 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.6
+# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
+# default to gcc-5.
+RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
 
 RUN ln -s $SYSDIG_HOST_ROOT/lib/modules /lib/modules
 

docker/stable/Dockerfile

@@ -14,8 +14,7 @@ RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 
 ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
 
-RUN echo "deb http://httpredir.debian.org/debian jessie main" > /etc/apt/sources.list.d/jessie.list \
- && apt-get update \
+RUN apt-get update \
  && apt-get install -y --no-install-recommends \
 	bash-completion \
 	curl \
@@ -23,19 +22,11 @@ RUN echo "deb http://httpredir.debian.org/debian jessie main" > /etc/apt/sources
 	ca-certificates \
 	gnupg2 \
 	gcc \
-	gcc-5 \
-	gcc-4.9 && rm -rf /var/lib/apt/lists/*
+	gcc-5 && rm -rf /var/lib/apt/lists/*
 
-# Since our base Debian image ships with GCC 5.0 which breaks older kernels, revert the
-# default to gcc-4.9. Also, since some customers use some very old distributions whose kernel
-# makefile is hardcoded for gcc-4.6 or so (e.g. Debian Wheezy), we pretend to have gcc 4.6/4.7
-# by symlinking it to 4.9
-
-RUN rm -rf /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.8 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.7 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.6
+# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
+# default to gcc-5.
+RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
 
 RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
  && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \

examples/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml

@@ -19,14 +19,12 @@ spec:
           image: sysdig/falco:latest
           securityContext:
             privileged: true
-          args: [ "/usr/bin/falco", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes", "-pk"]
+          args: [ "/usr/bin/falco", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes.default", "-pk"]
           volumeMounts:
             - mountPath: /host/var/run/docker.sock
               name: docker-socket
-              readOnly: true
             - mountPath: /host/dev
               name: dev-fs
-              readOnly: true
             - mountPath: /host/proc
               name: proc-fs
               readOnly: true

examples/k8s-using-daemonset/k8s-without-rbac/falco-daemonset.yaml

@@ -18,14 +18,12 @@ spec:
           image: sysdig/falco:latest
           securityContext:
             privileged: true
-          args: [ "/usr/bin/falco", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes", "-pk", "-o", "json_output=true", "-o", "program_output.enabled=true", "-o",  "program_output.program=jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/see_your_slack_team/apps_settings_for/a_webhook_url"]
+          args: [ "/usr/bin/falco", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes.default", "-pk", "-o", "json_output=true", "-o", "program_output.enabled=true", "-o",  "program_output.program=jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/see_your_slack_team/apps_settings_for/a_webhook_url"]
           volumeMounts:
             - mountPath: /host/var/run/docker.sock
               name: docker-socket
-              readOnly: true
             - mountPath: /host/dev
               name: dev-fs
-              readOnly: true
             - mountPath: /host/proc
               name: proc-fs
               readOnly: true

rules/falco_rules.yaml

@@ -1,10 +1,3 @@
-#############
-# Definitions
-#############
-
-# File actions
-
-
 # Currently disabled as read/write are ignored syscalls. The nearly
 # similar open_write/open_read check for files being opened for
 # reading/writing.
@@ -19,6 +12,16 @@
 - macro: open_read
   condition: (evt.type=open or evt.type=openat) and evt.is_open_read=true and fd.typechar='f' and fd.num>=0
 
+- macro: never_true
+  condition: (evt.num=0)
+
+# In some cases, such as dropped system call events, information about
+# the process name may be missing. For some rules that really depend
+# on the identity of the process performing an action such as opening
+# a file, etc., we require that the process name be known.
+- macro: proc_name_exists
+  condition: (proc.name!="<NA>")
+
 - macro: rename
   condition: evt.type = rename
 - macro: mkdir
@@ -33,9 +36,6 @@
   condition: evt.type = execve and evt.dir=<
 
 # File categories
-- macro: terminal_file_fd
-  condition: fd.name=/dev/ptmx or fd.name startswith /dev/pts
-
 - macro: bin_dir
   condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
 
@@ -58,22 +58,7 @@
 
 # This detects writes immediately below / or any write anywhere below /root
 - macro: root_dir
-  condition: (fd.directory=/ or fd.name startswith /root)
-
-- macro: ubuntu_so_dirs
-  condition: >
-    fd.name startswith /lib/x86_64-linux-gnu or
-    fd.name startswith /usr/lib/x86_64-linux-gnu or
-    fd.name startswith /usr/lib/sudo
-
-- macro: centos_so_dirs
-  condition: >
-    fd.name startswith /lib64 or
-    fd.name startswith /usr/lib64 or
-    fd.name startswith /usr/libexec
-
-- macro: linux_so_dirs
-  condition: ubuntu_so_dirs or centos_so_dirs or fd.name=/etc/ld.so.cache
+  condition: ((fd.directory=/ or fd.name startswith /root) and fd.name contains "/")
 
 - list: shell_binaries
   items: [bash, csh, ksh, sh, tcsh, zsh, dash]
@@ -135,26 +120,6 @@
 - list: lxd_binaries
   items: [lxd, lxcfs]
 
-# Utility/etc programs known to run on mesos slaves. Truncation
-# intentional.
-- list: mesos_slave_binaries
-  items: [mesos-health-ch, mesos-docker-ex, mesos-agent, mesos-slave,
-          mesos-logrotate, mesos-fetcher, mesos-executor, 3dt,
-          mesos-journald-, '"1_scheduler"', '"2_scheduler"',
-          '"3_scheduler"', '"4_scheduler"']
-
-- list: phusion_passenger_binaries
-  items: [PassengerAgent, PassengerWatchd]
-
-# A bit longer to avoid the fairly generic my_init.
-- macro: parent_phusion_passenger_my_init
-  condition: >
-    (proc.pcmdline="my_init -u /sbin/my_init " or
-     proc.pcmdline="my_init -u /sbin/my_init")
-
-- list: chef_binaries
-  items: [chef-client]
-
 - list: http_server_binaries
   items: [nginx, httpd, httpd-foregroun, lighttpd, apache, apache2]
 
@@ -165,7 +130,7 @@
   items: [mysql_install_d, mysql_ssl_rsa_s]
 
 - list: postgres_mgmt_binaries
-  items: [pg_dumpall, pg_ctl]
+  items: [pg_dumpall, pg_ctl, pg_lsclusters, pg_ctlcluster]
 
 - list: db_mgmt_binaries
   items: [mysql_mgmt_binaries, postgres_mgmt_binaries]
@@ -183,7 +148,7 @@
 # interpreted by the filter expression.
 - list: rpm_binaries
   items: [dnf, rpm, rpmkey, yum, '"75-system-updat"', rhsmcertd-worke, subscription-ma,
-          repoquery, rpmkeys, rpmq, yum-cron]
+          repoquery, rpmkeys, rpmq, yum-cron, yum-config-mana, yum-debug-dump]
 
 - macro: rpm_procs
   condition: proc.name in (rpm_binaries) or proc.name in (salt-minion)
@@ -191,7 +156,7 @@
 - list: deb_binaries
   items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, apt, apt-get, aptitude,
     frontend, preinst, add-apt-reposit, apt-auto-remova, apt-key,
-    apt-listchanges, unattended-upgr
+    apt-listchanges, unattended-upgr, apt-add-reposit
     ]
 
 # The truncated dpkg-preconfigu is intentional, process names are
@@ -229,9 +194,6 @@
 - list: dev_creation_binaries
   items: [blkid, rename_device, update_engine, sgdisk]
 
-- list: aide_wrapper_binaries
-  items: [aide.wrapper, update-aide.con]
-
 - list: hids_binaries
   items: [aide]
 
@@ -241,15 +203,6 @@
 - list: nomachine_binaries
   items: [nxexec, nxnode.bin, nxserver.bin, nxclient.bin]
 
-- list: x2go_binaries
-  items: [x2gosuspend-age, x2goagent, x2gomountdirs]
-
-- list: nids_binaries
-  items: [bro, broctl]
-
-- list: monitoring_binaries
-  items: [icinga2, nrpe, npcd, check_sar_perf., qualys-cloud-ag, S99qualys-cloud, nagios]
-
 - macro: system_procs
   condition: proc.name in (coreutils_binaries, user_mgmt_binaries)
 
@@ -267,12 +220,6 @@
     postfix.config, postfix-script
     ]
 
-- list: make_binaries
-  items: [make, gmake, cmake, automake, autom4te, autoheader]
-
-- list: keepalived_binaries
-  items: [keepalived]
-
 - list: sensitive_file_names
   items: [/etc/shadow, /etc/sudoers, /etc/pam.conf]
 
@@ -297,18 +244,27 @@
   condition: evt.type=connect and evt.dir=< and (fd.typechar=4 or fd.typechar=6)
 
 - macro: ssh_port
-  condition: fd.lport=22
+  condition: fd.sport=22
 
-# Ssh
-- macro: ssh_error_message
-  condition: >
-    (evt.arg.data contains "Invalid user" or
-    evt.arg.data contains "preauth" or
-    evt.arg.data contains "Failed password")
+# In a local/user rules file, you could override this macro to
+# enumerate the servers for which ssh connections are allowed. For
+# example, you might have a ssh gateway host for which ssh connections
+# are allowed.
+#
+# In the main falco rules file, there isn't any way to know the
+# specific hosts for which ssh access is allowed, so this macro just
+# repeats ssh_port, which effectively allows ssh from all hosts. In
+# the overridden macro, the condition would look something like
+# "fd.sip="a.b.c.d" or fd.sip="e.f.g.h" or ..."
+- macro: allowed_ssh_hosts
+  condition: ssh_port
 
-# System
-- macro: modules
-  condition: evt.type in (delete_module, init_module)
+- rule: Disallowed SSH Connection
+  desc: Detect any new ssh connection to a host other than those in an allowed group of hosts
+  condition: (outbound or inbound) and ssh_port and not allowed_ssh_hosts
+  output: Disallowed SSH Connection (command=%proc.cmdline connection=%fd.name user=%user.name)
+  priority: NOTICE
+  tags: [network]
 
 # Use this to test whether the event occurred within a container.
 
@@ -326,9 +282,6 @@
     ((proc.aname=sshd and proc.name != sshd) or
     proc.name=systemd-logind or proc.name=login)
 
-- macro: syslog
-  condition: fd.name in (/dev/log, /run/systemd/journal/syslog)
-
 - list: cron_binaries
   items: [anacron, cron, crond, crontab]
 
@@ -348,44 +301,14 @@
 - macro: system_users
   condition: user.name in (bin, daemon, games, lp, mail, nobody, sshd, sync, uucp, www-data)
 
-# SPECIAL NOTE: This macro eliminates false positives that result from
-# running python scripts as a part of ansible. However, the condition
-# that the command line contains "ansible" is very
-# permissive. Ideally, you should change this macro to explicitly
-# scope the python scripts to a specific directory (namely, your
-# configured remote_tmp directory).
+# These macros will be removed soon. Only keeping them to maintain
+# compatiblity with some widely used rules files.
+# Begin Deprecated
 - macro: parent_ansible_running_python
   condition: (proc.pname in (python, pypy) and proc.pcmdline contains ansible)
 
-- macro: ansible_running_python
-  condition: (proc.name in (python, pypy) and proc.cmdline contains ansible)
-
-- macro: chef_running_yum_dump
-  condition: (proc.name=python and proc.cmdline contains yum-dump.py)
-
-- macro: parent_beam_running_python
-  condition: proc.pcmdline="python pipeline.py -c conf.json"
-
-- macro: parent_strongswan_running_starter
-  condition: proc.pcmdline="starter --daemon charon"
-
-- macro: python_running_denyhosts
-  condition: >
-    (proc.name=python and
-    (proc.cmdline contains /usr/sbin/denyhosts or
-     proc.cmdline contains /usr/local/bin/denyhosts.py))
-
-- macro: parent_python_running_localstack
-  condition: (proc.pcmdline startswith "python bin/localstack")
-
-- macro: parent_python_running_zookeeper
-  condition: (proc.pcmdline startswith "python /usr/local/bin/cub")
-
-- macro: parent_python_running_airflow
-  condition: (proc.pname in (python,/usr/bin/python) and proc.cmdline startswith "bash -c airflow")
-
-- macro: parent_docker_start_script
-  condition: (proc.pcmdline="start.sh /opt/docker/conf/start.sh")
+- macro: parent_bro_running_python
+  condition: (proc.pname=python and proc.cmdline contains /usr/share/broctl)
 
 - macro: parent_python_running_denyhosts
   condition: >
@@ -399,49 +322,12 @@
     (proc.pname in (python, python2.7) and
     (proc.pcmdline contains /opt/draios/bin/sdchecks))
 
-- macro: parent_bro_running_python
-  condition: (proc.pname=python and proc.cmdline contains /usr/share/broctl)
-
-- macro: parent_java_running_jenkins
-  condition: >
-    (proc.pname=java and
-     (proc.pcmdline contains jenkins.war or
-      proc.pcmdline contains "-cp /jenkins/maven" or
-      proc.pcmdline contains /tmp/slave.jar or
-      proc.pcmdline contains /mnt/mesos/sandbox/slave.jar))
-
-- macro: parent_java_running_maven
-  condition: >
-    (proc.pname=java and proc.pcmdline contains "-classpath /usr/share/maven/")
-
-- macro: parent_java_running_appdynamics
-  condition: >
-    (proc.pname=java and proc.pcmdline contains "-jar /opt/appdynamics/")
-
-- macro: python_running_es_curator
-  condition: (proc.pcmdline startswith "python -u run_cron.py" and
-              proc.cmdline startswith "sh -c /usr/bin/curator")
-
-- macro: parent_cpanm_running_perl
-  condition: (proc.pname=perl and proc.aname[2]=cpanm)
-
-- macro: ics_running_java
-  condition: (proc.pname=java and proc.aname[3] in (ics_start.sh,ics_stop.sh,ics_status.sh))
-
-- macro: jenkins_scripts
-  condition: (proc.pcmdline startswith "script.sh -xe /var/jenkins_home" or
-              proc.pcmdline startswith "node /jenkins/workspace" or
-              proc.pcmdline startswith "python /home/jenkins/workspace" or
-              proc.cmdline="bash /usr/local/bin/jenkins-slave")
+- macro: parent_linux_image_upgrade_script
+  condition: proc.pname startswith linux-image-
 
 - macro: parent_java_running_echo
   condition: (proc.pname=java and proc.cmdline startswith "sh -c echo")
 
-- macro: parent_java_running_sbt
-  condition: (proc.pname=java and proc.pcmdline contains sbt-launch.jar)
-
-# The crxlsx is a bit different than the other build-like things, but
-# close enough to add here rather than create a separate macro.
 - macro: parent_scripting_running_builds
   condition: >
     (proc.pname in (php,php5-fpm,php-fpm7.1,python,ruby,ruby2.3,ruby2.1,node,conda) and (
@@ -463,50 +349,44 @@
        proc.pcmdline startswith "node /root/.config/yarn" or
        proc.pcmdline startswith "node /opt/yarn/bin/yarn.js"))
 
-- macro: makefile_perl
-  condition: (proc.pcmdline startswith "perl Makefile.PL")
+- macro: parent_Xvfb_running_xkbcomp
+  condition: (proc.pname=Xvfb and proc.cmdline startswith 'sh -c "/usr/bin/xkbcomp"')
+
+- macro: parent_nginx_running_serf
+  condition: (proc.pname=nginx and proc.cmdline startswith "sh -c serf")
 
 - macro: parent_node_running_npm
   condition: (proc.pcmdline startswith "node /usr/local/bin/npm" or
               proc.pcmdline startswith "node /usr/local/nodejs/bin/npm" or
               proc.pcmdline startswith "node /opt/rh/rh-nodejs6/root/usr/bin/npm")
 
-- macro: parent_npm_running_node
-  condition: (proc.pname=node and proc.aname[2]=npm)
+- macro: parent_java_running_sbt
+  condition: (proc.pname=java and proc.pcmdline contains sbt-launch.jar)
 
-- macro: parent_nginx_running_serf
-  condition: (proc.pname=nginx and proc.cmdline startswith "sh -c serf")
+- list: known_container_shell_spawn_cmdlines
+  items: []
 
-- macro: parent_Xvfb_running_xkbcomp
-  condition: (proc.pname=Xvfb and proc.cmdline startswith 'sh -c "/usr/bin/xkbcomp"')
+- list: known_shell_spawn_binaries
+  items: []
 
-- macro: mysql_image_running_healthcheck
-  condition: container.image=mysql and proc.cmdline="sh -c /healthcheck.sh"
+- macro: shell_spawning_containers
+  condition: (container.image startswith jenkins or
+              container.image startswith gitlab/gitlab-ce or
+              container.image startswith gitlab/gitlab-ee)
 
-- macro: parent_rancher_running_healthcheck
-  condition: (proc.pname=healthcheck and (proc.aname[2]=tini or proc.aname[3]=tini))
+## End Deprecated
 
-- macro: bundle_running_ruby
+- macro: ansible_running_python
+  condition: (proc.name in (python, pypy) and proc.cmdline contains ansible)
+
+- macro: chef_running_yum_dump
+  condition: (proc.name=python and proc.cmdline contains yum-dump.py)
+
+- macro: python_running_denyhosts
   condition: >
-    ((proc.pname in (ruby,ruby2.1) or proc.pname contains ".rb") and (
-     proc.aname[2]=bundle or
-     proc.aname[3]=bundle or
-     proc.aname[4]=bundle))
-
-- macro: assemble_running_php
-  condition: >
-    (proc.pname=php and (
-     proc.aname[2]=assemble or
-     proc.aname[3]=assemble or
-     proc.aname[4]=assemble))
-
-- macro: node_running_bitnami
-  condition: (proc.pname=node and
-                (proc.cmdline startswith "sh -c /opt/bitnami" or
-                 proc.cmdline startswith "sh -c bin/redis-server /opt/bitnami"))
-
-- macro: node_running_threatstack
-  condition: proc.pcmdline startswith "node /opt/threatstack/node_modules"
+    (proc.name=python and
+    (proc.cmdline contains /usr/sbin/denyhosts or
+     proc.cmdline contains /usr/local/bin/denyhosts.py))
 
 # Qualys seems to run a variety of shell subprocesses, at various
 # levels. This checks at a few levels without the cost of a full
@@ -540,18 +420,6 @@
 - macro: run_by_centrify
   condition: (proc.aname[2]=centrify or proc.aname[3]=centrify or proc.aname[4]=centrify)
 
-- macro: run_by_puppet
-  condition: (proc.aname[2]=puppet or proc.aname[3]=puppet)
-
-- macro: run_by_h2o
-  condition: (proc.pname=perl and proc.aname[2]=h2o)
-
-- macro: run_by_passenger_agent
-  condition: ((proc.pname=ruby and proc.aname[2]=PassengerAgent) or
-              proc.pcmdline startswith "ruby /usr/share/passenger/helper-scripts/rack-preloader.rb" or
-              proc.pcmdline startswith "ruby /usr/local/bundle/bin/passenger" or
-              proc.pcmdline startswith "ruby /usr/local/bin/passenger")
-
 # Also handles running semi-indirectly via scl
 - macro: run_by_foreman
   condition: >
@@ -559,57 +427,24 @@
      (proc.pname in (rake, ruby, scl) and proc.aname[5] in (tfm-rake,tfm-ruby)) or
      (proc.pname=scl and proc.aname[2] in (tfm-rake,tfm-ruby)))
 
-- macro: run_by_openshift
-  condition: proc.aname[2]=es_seed_acl
-
-# As a part of kernel upgrades, dpkg will spawn a perl script with the
-# name linux-image-N.N. This macro matches that.
-- macro: parent_linux_image_upgrade_script
-  condition: proc.pname startswith linux-image-
-
 - macro: java_running_sdjagent
   condition: proc.name=java and proc.cmdline contains sdjagent.jar
 
 - macro: kubelet_running_loopback
   condition: (proc.pname=kubelet and proc.name=loopback)
 
-- macro: parent_java_running_confluence
-  condition: (proc.pname=java and proc.pcmdline contains "-classpath /opt/atlassian/confluence")
-
-- macro: parent_java_running_install4j
-  condition: (proc.pname=java and proc.pcmdline contains "-classpath i4jruntime.jar")
-
-- macro: parent_java_running_endeca
-  condition: (proc.pname=java and proc.pcmdline contains "-classpath /opt/endeca/")
-
-- macro: python_mesos_healthcheck
-  condition: (proc.pcmdline startswith "python /mesoshealthcheck.py")
-
 - macro: python_mesos_marathon_scripting
   condition: (proc.pcmdline startswith "python3 /marathon-lb/marathon_lb.py")
 
 - macro: splunk_running_forwarder
   condition: (proc.pname=splunkd and proc.cmdline startswith "sh -c /opt/splunkforwarder")
 
-- macro: parent_running_datastax
-  condition: ((proc.pname=java and proc.pcmdline contains "-jar datastax-agent") or
-              (proc.pcmdline startswith "nodetool /opt/dse/bin/"))
-
-- macro: parent_dovecot_running_auth
-  condition: (proc.pname=auth and proc.aname[2]=dovecot)
-
 - macro: parent_supervise_running_multilog
   condition: (proc.name=multilog and proc.pname=supervise)
 
 - macro: supervise_writing_status
   condition: (proc.name in (supervise,svc) and fd.name startswith "/etc/sb/")
 
-- macro: parent_ruby_running_discourse
-  condition: (proc.pcmdline startswith "ruby /var/www/discourse/vendor/bundle/ruby")
-
-- macro: parent_ruby_running_pups
-  condition: (proc.pcmdline startswith "ruby /pups/bin/pups")
-
 - macro: pki_realm_writing_realms
   condition: (proc.cmdline startswith "bash /usr/local/lib/pki/pki-realm" and fd.name startswith /etc/pki/realms)
 
@@ -626,14 +461,11 @@
   condition: (proc.cmdline startswith "perl /opt/psa/admin/bin/plesk_agent_manager" or
               proc.pcmdline startswith "perl /opt/psa/admin/bin/plesk_agent_manager")
 
-- macro: plesk_autoinstaller
-  condition: (proc.pname=autoinstaller and proc.aname[2]=sw-engine)
-
-- macro: parent_perl_running_openresty
-  condition: (proc.pcmdline startswith "perl /usr/local/openresty/bin")
+- macro: perl_running_updmap
+  condition: (proc.cmdline startswith "perl /usr/bin/updmap")
 
 - macro: parent_ucf_writing_conf
-  condition: (proc.pname=ucf and fd.name startswith "/etc/gconf")
+  condition: (proc.pname=ucf and proc.aname[2]=frontend)
 
 - macro: consul_template_writing_conf
   condition: (proc.name=consul-template and fd.name startswith /etc/haproxy)
@@ -641,6 +473,35 @@
 - macro: countly_writing_nginx_conf
   condition: (proc.cmdline startswith "nodejs /opt/countly/bin" and fd.name startswith /etc/nginx)
 
+- macro: omiagent_writing_conf
+  condition: (proc.name in (omiagent,PerformInventor) and fd.name startswith /etc/opt/omi/conf/)
+
+- macro: omsagent_writing_conf
+  condition: (proc.name in (omsagent,in_heartbeat_r*) and fd.name startswith /etc/opt/microsoft/omsagent)
+
+- macro: couchdb_writing_conf
+  condition: (proc.name=beam.smp and proc.cmdline contains couchdb and fd.name startswith /etc/couchdb)
+
+- macro: update_texmf_writing_conf
+  condition: (proc.name=update-texmf and fd.name startswith /etc/texmf)
+
+- macro: slapadd_writing_conf
+  condition: (proc.name=slapadd and fd.name startswith /etc/ldap)
+
+- macro: symantec_writing_conf
+  condition: >
+    ((proc.name=symcfgd and fd.name startswith /etc/symantec) or
+     (proc.name=navdefutil and fd.name=/etc/symc-defutils.conf))
+
+- macro: liveupdate_writing_conf
+  condition: (proc.cmdline startswith "java LiveUpdate" and fd.name in (/etc/liveupdate.conf, /etc/Product.Catalog.JavaLiveUpdate))
+
+- macro: sosreport_writing_files
+  condition: (proc.name=urlgrabber-ext- and proc.aname[3]=sosreport and fd.name startswith /etc/pkt/nssdb)
+
+- macro: semodule_writing_conf
+  condition: (proc.name=semodule and fd.name startswith /etc/selinux)
+
 - list: veritas_binaries
   items: [vxconfigd, sfcache, vxclustadm, vxdctl, vxprint, vxdmpadm, vxdisk, vxdg, vxassist, vxtune]
 
@@ -656,16 +517,15 @@
 - macro: exe_running_docker_save
   condition: (container and proc.cmdline startswith "exe /var/lib/docker" and proc.pname in (dockerd, docker))
 
-###############
-# General Rules
-###############
+- macro: gugent_writing_guestagent_log
+  condition: (proc.name=gugent and fd.name=GuestAgent.log)
 
 - rule: Write below binary dir
   desc: an attempt to write to any file below a set of binary directories
   condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs and not exe_running_docker_save
   output: >
     File below a known binary directory opened for writing (user=%user.name
-    command=%proc.cmdline file=%fd.name)
+    command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2])
   priority: ERROR
   tags: [filesystem]
 
@@ -738,8 +598,15 @@
 - macro: php_handlers_writing_conf
   condition: (proc.name=php_handlers_co and fd.name=/etc/psa/php_versions.json)
 
-- macro: cron_sed_writing_temp_file
-  condition: (proc.aname[3]=cron_start.sh and fd.name startswith /etc/security/sed)
+- macro: sed_writing_temp_file
+  condition: >
+    ((proc.aname[3]=cron_start.sh and fd.name startswith /etc/security/sed) or
+     (proc.name=sed and (fd.name startswith /etc/apt/sources.list.d/sed or
+                         fd.name startswith /etc/apt/sed or
+                         fd.name startswith /etc/apt/apt.conf.d/sed)))
+
+- macro: cron_start_writing_pam_env
+  condition: (proc.cmdline="bash /usr/sbin/start-cron" and fd.name=/etc/security/pam_env.conf)
 
 # In some cases dpkg-reconfigur runs commands that modify /etc. Not
 # putting the full set of package management programs yet.
@@ -762,6 +629,7 @@
 - macro: write_etc_common
   condition: >
     etc_dir and evt.dir = < and open_write
+    and proc_name_exists
     and not proc.name in (passwd_binaries, shadowutils_binaries, sysdigcloud_binaries,
                           package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries,
                           dev_creation_binaries, shell_mgmt_binaries,
@@ -810,23 +678,34 @@
     and not rabbitmq_writing_conf
     and not rook_writing_conf
     and not php_handlers_writing_conf
-    and not cron_sed_writing_temp_file
+    and not sed_writing_temp_file
+    and not cron_start_writing_pam_env
     and not httpd_writing_conf_logs
     and not mysql_writing_conf
     and not openvpn_writing_conf
     and not consul_template_writing_conf
     and not countly_writing_nginx_conf
+    and not omiagent_writing_conf
+    and not omsagent_writing_conf
+    and not couchdb_writing_conf
+    and not update_texmf_writing_conf
+    and not slapadd_writing_conf
+    and not symantec_writing_conf
+    and not liveupdate_writing_conf
+    and not sosreport_writing_files
+    and not semodule_writing_conf
+    and not veritas_writing_config
 
 - rule: Write below etc
   desc: an attempt to write to any file below /etc
-  condition: write_etc_common and not proc.sname=fbash
+  condition: write_etc_common
   output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name name=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])"
   priority: ERROR
   tags: [filesystem]
 
 - list: known_root_files
   items: [/root/.monit.state, /root/.auth_tokens, /root/.bash_history, /root/.ash_history, /root/.aws/credentials,
-          /root/.viminfo.tmp, /root/.lesshst, /root/.bzr.log, /root/.gitconfig.lock]
+          /root/.viminfo.tmp, /root/.lesshst, /root/.bzr.log, /root/.gitconfig.lock, /root/.babel.json, /root/.localstack]
 
 - list: known_root_directories
   items: [/root/.oracle_jre_usage, /root/.ssh]
@@ -846,7 +725,15 @@
               or fd.name startswith /root/.sbt
               or fd.name startswith /root/.java
               or fd.name startswith /root/.glide
-              or fd.name startswith /root/.sonar)
+              or fd.name startswith /root/.sonar
+              or fd.name startswith /root/.v8flag
+              or fd.name startswith /root/infaagent
+              or fd.name startswith /root/.local/lib/python
+              or fd.name startswith /root/.pm2
+              or fd.name startswith /root/.gnupg
+              or fd.name startswith /root/.pgpass
+              or fd.name startswith /root/.theano
+              or fd.name startswith /root/.nv)
 
 - rule: Write below root
   desc: an attempt to write to any file directly below / or /root
@@ -855,6 +742,7 @@
     and not fd.name in (known_root_files)
     and not fd.directory in (known_root_directories)
     and not exe_running_docker_save
+    and not gugent_writing_guestagent_log
     and not known_root_conditions
   output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name name=%proc.name)"
   priority: ERROR
@@ -902,10 +790,11 @@
     information). Exceptions are made for known trusted programs.
   condition: >
     sensitive_files and open_read
+    and proc_name_exists
     and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries,
      cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries,
      vpn_binaries, mail_config_binaries, nomachine_binaries, sshkit_script_binaries,
-     in.proftpd, mandb, salt-minion)
+     in.proftpd, mandb, salt-minion, postgres_mgmt_binaries)
     and not cmp_cp_by_passwd
     and not ansible_running_python
     and not proc.cmdline contains /usr/bin/mandb
@@ -913,6 +802,7 @@
     and not run_by_chef
     and not user_read_sensitive_file_conditions
     and not perl_running_plesk
+    and not perl_running_updmap
     and not veritas_driver_script
   output: >
     Sensitive file opened for reading by non-trusted program (user=%user.name name=%proc.name
@@ -931,6 +821,15 @@
 - macro: postgres_running_wal_e
   condition: (proc.pname=postgres and proc.cmdline startswith "sh -c envdir /etc/wal-e.d/env /usr/local/bin/wal-e")
 
+- macro: redis_running_prepost_scripts
+  condition: (proc.aname[2]=redis-server and (proc.cmdline contains "redis-server.post-up.d" or proc.cmdline contains "redis-server.pre-up.d"))
+
+- macro: rabbitmq_running_scripts
+  condition: (proc.pname=beam.smp and (proc.cmdline startswith "sh -c exec ps" or proc.cmdline startswith "sh -c exec inet_gethost"))
+
+- macro: rabbitmqctl_running_scripts
+  condition: (proc.aname[2]=rabbitmqctl and proc.cmdline startswith "sh -c ")
+
 - rule: DB program spawned process
   desc: >
     a database-server related program spawned a new process other than itself.
@@ -964,25 +863,11 @@
   priority: ERROR
   tags: [filesystem]
 
-# Don't load shared objects coming from unexpected places
-# Commenting this out for now--there are lots of shared library
-# locations below /usr/lib for things like python, perl, etc. We may
-# want to just add /usr/lib to the list, but that is really
-# permissive.
-# - condition: open_read and fd.name contains .so and not (linux_so_dirs)
-#   output: "Loaded .so from unexpected dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
-#   priority: WARNING
-
-# Temporarily disabling this rule as it's tripping over https://github.com/draios/sysdig/issues/598
-# - rule: Syscall returns eaccess
-#   desc: >
-#     any system call that returns EACCESS. This is not always a strong
-#      indication of a problem, hence the INFO priority.
-#   condition: evt.res = EACCESS
-#   output: >
-#     System call returned EACCESS (user=%user.name command=%proc.cmdline
-#     syscall=%evt.type args=%evt.args)
-#   priority: INFO
+# This list allows for easy additions to the set of commands allowed
+# to change thread namespace without having to copy and override the
+# entire change thread namespace rule.
+- list: user_known_change_thread_namespace_binaries
+  items: []
 
 - rule: Change thread namespace
   desc: >
@@ -991,6 +876,7 @@
   condition: >
     evt.type = setns
     and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, sysdig, nsenter)
+    and not proc.name in (user_known_change_thread_namespace_binaries)
     and not proc.name startswith "runc:"
     and not proc.pname in (sysdigcloud_binaries)
     and not java_running_sdjagent
@@ -1001,27 +887,6 @@
   priority: NOTICE
   tags: [process]
 
-- list: known_shell_spawn_binaries
-  items: [
-    sshd, sudo, su, tmux, screen, emacs, systemd, login, flock, fbash,
-    nginx, monit, supervisord, dragent, aws, awslogs, initdb, docker-compose,
-    configure, awk, falco, fail2ban-server, fleetctl,
-    logrotate, ansible, less, adduser, pycompile, py3compile,
-    pyclean, py3clean, pip, pip2, ansible-playboo, man-db,
-    init, pluto, mkinitramfs, unattended-upgr, watch, sysdig,
-    landscape-sysin, nessusd, PM2, syslog-summary, erl_child_setup, erlexec,
-    npm, cloud-init, toybox, ceph, hhvm, certbot,
-    serf, a2enmod, runsv, supervisord, varnishd, authconfig, tini,
-    timeout, updatedb.findut, adclient, systemd-udevd,
-    luajit, uwsgi, cfn-signal, apache_control_, beam.smp, paster, postfix-local,
-    nginx_control, mailmng-service, web_statistic_e, statistics_coll, install-info,
-    hawkular-metric, rhsmcertd-worke, parted, amuled, fluentd, x2gormforward,
-    parallels_insta, salt-minion, dnsmng, update-inetd, pum_worker, awstats_buildst,
-    tsvuln, 50plesk-daily, grubby, chkconfig, dracut-install, rhnsd, find, consul,
-    doxygen, Cypress, consul-template, xargs, scl, awstats_updatea, sa-update,
-    mysql_upgrade, opkg-cl, vmtoolsd, confd
-    ]
-
 # The binaries in this list and their descendents are *not* allowed
 # spawn shells. This includes the binaries spawning shells directly as
 # well as indirectly. For example, apache -> php/perl for
@@ -1031,7 +896,7 @@
 - list: protected_shell_spawning_binaries
   items: [
     http_server_binaries, db_server_binaries, nosql_server_binaries, mail_binaries,
-    fluentd, flanneld, splunkd, consul, smbd, runsv
+    fluentd, flanneld, splunkd, consul, smbd, runsv, PM2
     ]
 
 - macro: parent_java_running_zookeeper
@@ -1047,7 +912,7 @@
   condition: (proc.pname=java and proc.pcmdline contains activemq.jar)
 
 - macro: parent_java_running_cassandra
-  condition: (proc.pname=java and proc.pcmdline contains org.apache.cassandra.service.CassandraDaemon)
+  condition: (proc.pname=java and (proc.pcmdline contains "-Dcassandra.config.loader" or proc.pcmdline contains org.apache.cassandra.service.CassandraDaemon))
 
 - macro: parent_java_running_jboss_wildfly
   condition: (proc.pname=java and proc.pcmdline contains org.jboss)
@@ -1061,12 +926,12 @@
 - macro: parent_java_running_datastax
   condition: (proc.pname=java and proc.pcmdline contains com.datastax)
 
-- macro: parent_java_running_sumologic
-  condition: (proc.pname=java and proc.pcmdline contains com.sumologic)
-
 - macro: nginx_starting_nginx
   condition: (proc.pname=nginx and proc.cmdline contains "/usr/sbin/nginx -c /etc/nginx/nginx.conf")
 
+- macro: nginx_running_aws_s3_cp
+  condition: (proc.pname=nginx and proc.cmdline startswith "sh -c /usr/local/bin/aws s3 cp")
+
 - macro: consul_running_net_scripts
   condition: (proc.pname=consul and (proc.cmdline startswith "sh -c curl" or proc.cmdline startswith "sh -c nc"))
 
@@ -1079,6 +944,24 @@
 - macro: check_process_status
   condition: (proc.cmdline startswith "sh -c kill -0 ")
 
+# In some cases, you may want to consider node processes run directly
+# in containers as protected shell spawners. Examples include using
+# pm2-docker or pm2 start some-app.js --no-daemon-mode as the direct
+# entrypoint of the container, and when the node app is a long-lived
+# server using something like express.
+#
+# However, there are other uses of node related to build pipelines for
+# which node is not really a server but instead a general scripting
+# tool. In these cases, shells are very likely and in these cases you
+# don't want to consider node processes protected shell spawners.
+#
+# We have to choose one of these cases, so we consider node processes
+# as unprotected by default. If you want to consider any node process
+# run in a container as a protected shell spawner, override the below
+# macro to remove the "never_true" clause, which allows it to take effect.
+- macro: possibly_node_in_container
+  condition: (never_true and (proc.pname=node and proc.aname[3]=docker-containe))
+
 - macro: protected_shell_spawner
   condition: >
     (proc.aname in (protected_shell_spawning_binaries)
@@ -1090,7 +973,8 @@
     or parent_java_running_jboss_wildfly
     or parent_java_running_glassfish
     or parent_java_running_hadoop
-    or parent_java_running_datastax)
+    or parent_java_running_datastax
+    or possibly_node_in_container)
 
 # Note that runsv is both in protected_shell_spawner and the
 # exclusions by pname. This means that runsv can itself spawn shells
@@ -1107,12 +991,13 @@
                            needrestart_binaries,
                            erl_child_setup, exechealthz,
                            PM2, PassengerWatchd, c_rehash, svlogd, logrotate, hhvm, serf,
-                           lb-controller, nvidia-installe, runsv, statsite)
+                           lb-controller, nvidia-installe, runsv, statsite, erlexec)
     and not proc.cmdline in (known_shell_spawn_cmdlines)
     and not proc.aname in (unicorn_launche)
     and not consul_running_net_scripts
     and not consul_running_alert_checks
     and not nginx_starting_nginx
+    and not nginx_running_aws_s3_cp
     and not run_by_package_mgmt_binaries
     and not serf_script
     and not check_process_status
@@ -1120,6 +1005,9 @@
     and not python_mesos_marathon_scripting
     and not splunk_running_forwarder
     and not postgres_running_wal_e
+    and not redis_running_prepost_scripts
+    and not rabbitmq_running_scripts
+    and not rabbitmqctl_running_scripts
     and not user_shell_container_exclusions
   output: >
     Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname
@@ -1161,14 +1049,6 @@
 - macro: user_sensitive_mount_containers
   condition: (container.image startswith sysdig/agent)
 
-# These containers are ones that are known to spawn lots of
-# shells. Generally, they are for systems where the container is used
-# as a packaging mechanism more than for a dedicated microservice.
-- macro: shell_spawning_containers
-  condition: (container.image startswith jenkins or
-              container.image startswith gitlab/gitlab-ce or
-              container.image startswith gitlab/gitlab-ee)
-
 - rule: Launch Privileged Container
   desc: Detect the initial process started in a privileged container. Exceptions are made for known trusted images.
   condition: >
@@ -1302,26 +1182,6 @@
     '"sh -c openssl version"'
     ]
 
-- list: known_container_shell_spawn_cmdlines
-  items: [
-    known_shell_spawn_cmdlines,
-    '"bash -c curl -f localhost:$API_PORT/admin/healthcheck"',
-    '"sh -c curl http://localhost:6060/debug/vars>/dev/null "',
-    '"sh -c curl http://localhost:6060/debug/vars>/dev/null"',
-    '"sh -c  curl http://localhost:6060/debug/vars>/dev/null"',
-    '"sh -c  curl http://localhost:6060/debug/vars>/dev/null "',
-    '"sh -c  pgrep java && exit 0 || exit 1 "',
-    '"sh -c  echo healthy "',
-    '"sh -c  echo alive "',
-    '"bash /opt/docker/bin/lar"',
-    '"bash /opt/docker/bin/irs"',
-    '"bash /opt/docker/bin/brs"',
-    '"bash /opt/docker/bin/hdi"',
-    '"bash /opt/docker/bin/hdi "',
-    '"bash /home/entrypoint.sh"',
-    '"bash /tmp/bootstrap.sh"'
-    ]
-
 # This list allows for easy additions to the set of commands allowed
 # to run shells in containers without having to without having to copy
 # and override the entire run shell in container macro. Once
@@ -1335,13 +1195,7 @@
 # rule. Its default value is an expression that always is false, which
 # becomes true when the "not ..." in the rule is applied.
 - macro: user_shell_container_exclusions
-  condition: (evt.num=0)
-
-# Temporarily adding as an example
-- macro: node_running_edi_dynamodb
-  condition: >
-    (proc.pname=node and (proc.pcmdline contains /var/www/edi/process.js or
-                          proc.pcmdline contains "sh -c /var/www/edi/bin/sftp.sh"))
+  condition: (never_true)
 
 - macro: login_doing_dns_lookup
   condition: (proc.name=login and fd.l4proto=udp and fd.sport=53)
@@ -1451,14 +1305,70 @@
   priority: ERROR
   tags: [filesystem]
 
-# It'd be nice if we could warn when processes in a fbash session try
-# to download from any nonstandard location? This is probably blocked
-# on https://github.com/draios/falco/issues/88 though.
 
-###########################
-# Application-Related Rules
-###########################
+# In a local/user rules file, you could override this macro to
+# explicitly enumerate the container images that you want to allow
+# access to EC2 metadata. In this main falco rules file, there isn't
+# any way to know all the containers that should have access, so any
+# container is alllowed, by repeating the "container" macro. In the
+# overridden macro, the condition would look something like
+# (container.image startswith vendor/container-1 or container.image
+# startswith vendor/container-2 or ...)
+- macro: ec2_metadata_containers
+  condition: container
 
-# Moved to application_rules.yaml. Please look there if you want to
-# enable them by adding to falco_rules.local.yaml.
+# On EC2 instances, 169.254.169.254 is a special IP used to fetch
+# metadata about the instance. It may be desirable to prevent access
+# to this IP from containers.
+- rule: Contact EC2 Instance Metadata Service From Container
+  desc: Detect attempts to contact the EC2 Instance Metadata Service from a container
+  condition: outbound and fd.sip="169.254.169.254" and container and not ec2_metadata_containers
+  output: Outbound connection to EC2 instance metadata service (command=%proc.cmdline connection=%fd.name %container.info image=%container.image)
+  priority: NOTICE
+  tags: [network, aws, container]
+
+# In a local/user rules file, you should override this macro with the
+# IP address of your k8s api server. The IP 1.2.3.4 is a placeholder
+# IP that is not likely to be seen in practice.
+- macro: k8s_api_server
+  condition: (fd.sip="1.2.3.4" and fd.sport=8080)
+
+# In a local/user rules file, list the container images that are
+# allowed to contact the K8s API Server from within a container. This
+# might cover cases where the K8s infrastructure itself is running
+# within a container.
+- macro: k8s_containers
+  condition: >
+    (container.image startswith gcr.io/google_containers/hyperkube-amd64 or
+     container.image startswith gcr.io/google_containers/kube2sky or
+     container.image startswith sysdig/agent or
+     container.image startswith sysdig/falco or
+     container.image startswith sysdig/sysdig)
+
+- rule: Contact K8S API Server From Container
+  desc: Detect attempts to contact the K8S API Server from a container
+  condition: outbound and k8s_api_server and container and not k8s_containers
+  output: Unexpected connection to K8s API Server from container (command=%proc.cmdline %container.info image=%container.image connection=%fd.name)
+  priority: NOTICE
+  tags: [network, k8s, container]
+
+# In a local/user rules file, list the container images that are
+# allowed to contact NodePort services from within a container. This
+# might cover cases where the K8s infrastructure itself is running
+# within a container.
+#
+# By default, all containers are allowed to contact NodePort services.
+- macro: nodeport_containers
+  condition: container
+
+- rule: Unexpected K8s NodePort Connection
+  desc: Detect attempts to use K8s NodePorts from a container
+  condition: (outbound or inbound) and fd.sport >= 30000 and fd.sport <= 32767 and container and not nodeport_containers
+  output: Unexpected K8s NodePort Connection (command=%proc.cmdline connection=%fd.name)
+  priority: NOTICE
+  tags: [network, k8s, container]
+
+# Application rules have moved to application_rules.yaml. Please look
+# there if you want to enable them by adding to
+# falco_rules.local.yaml.
 

test/falco_traces.yaml.in

@@ -86,6 +86,7 @@ traces: !mux
     detect_level: WARNING
     detect_counts:
       - "Read sensitive file untrusted": 1
+      - "Read sensitive file trusted after startup": 1
 
   read-sensitive-file-untrusted:
     trace_file: traces-positive/read-sensitive-file-untrusted.scap

userspace/engine/lua/compiler.lua

@@ -76,7 +76,8 @@ function expand_macros(ast, defs, changed)
          if (defs[ast.value.value] == nil) then
             error("Undefined macro '".. ast.value.value .. "' used in filter.")
          end
-         ast.value = copy_ast_obj(defs[ast.value.value])
+	 defs[ast.value.value].used = true
+         ast.value = copy_ast_obj(defs[ast.value.value].ast)
          changed = true
 	 return changed
       end
@@ -88,7 +89,8 @@ function expand_macros(ast, defs, changed)
          if (defs[ast.left.value] == nil) then
             error("Undefined macro '".. ast.left.value .. "' used in filter.")
          end
-         ast.left = copy_ast_obj(defs[ast.left.value])
+	 defs[ast.left.value].used = true
+         ast.left = copy_ast_obj(defs[ast.left.value].ast)
          changed = true
       end
 
@@ -96,7 +98,8 @@ function expand_macros(ast, defs, changed)
          if (defs[ast.right.value] == nil) then
             error("Undefined macro ".. ast.right.value .. " used in filter.")
          end
-         ast.right = copy_ast_obj(defs[ast.right.value])
+	 defs[ast.right.value].used = true
+         ast.right = copy_ast_obj(defs[ast.right.value].ast)
          changed = true
       end
 
@@ -109,7 +112,8 @@ function expand_macros(ast, defs, changed)
          if (defs[ast.argument.value] == nil) then
             error("Undefined macro ".. ast.argument.value .. " used in filter.")
          end
-         ast.argument = copy_ast_obj(defs[ast.argument.value])
+	 defs[ast.argument.value].used = true
+         ast.argument = copy_ast_obj(defs[ast.argument.value].ast)
          changed = true
       end
       return expand_macros(ast.argument, defs, changed)
@@ -283,11 +287,28 @@ function get_evttypes(name, ast, source)
    return evttypes
 end
 
+function compiler.expand_lists_in(source, list_defs)
+
+   for name, def in pairs(list_defs) do
+      local begin_name_pat = "^("..name..")([%s(),=])"
+      local mid_name_pat = "([%s(),=])("..name..")([%s(),=])"
+      local end_name_pat = "([%s(),=])("..name..")$"
+
+      source, subcount1 = string.gsub(source, begin_name_pat, table.concat(def.items, ", ").."%2")
+      source, subcount2 = string.gsub(source, mid_name_pat, "%1"..table.concat(def.items, ", ").."%3")
+      source, subcount3 = string.gsub(source, end_name_pat, "%1"..table.concat(def.items, ", "))
+
+      if (subcount1 + subcount2 + subcount3) > 0 then
+	 def.used = true
+      end
+   end
+
+   return source
+end
+
 function compiler.compile_macro(line, macro_defs, list_defs)
 
-   for name, items in pairs(list_defs) do
-      line = string.gsub(line, name, table.concat(items, ", "))
-   end
+   line = compiler.expand_lists_in(line, list_defs)
 
    local ast, error_msg = parser.parse_filter(line)
 
@@ -325,14 +346,7 @@ end
 --]]
 function compiler.compile_filter(name, source, macro_defs, list_defs)
 
-   for name, items in pairs(list_defs) do
-      local begin_name_pat = "^("..name..")([%s(),=])"
-      local mid_name_pat = "([%s(),=])("..name..")([%s(),=])"
-      local end_name_pat = "([%s(),=])("..name..")$"
-      source = string.gsub(source, begin_name_pat, table.concat(items, ", ").."%2")
-      source = string.gsub(source, mid_name_pat, "%1"..table.concat(items, ", ").."%3")
-      source = string.gsub(source, end_name_pat, "%1"..table.concat(items, ", "))
-   end
+   source = compiler.expand_lists_in(source, list_defs)
 
    local ast, error_msg = parser.parse_filter(source)
 

userspace/engine/lua/rule_loader.lua

@@ -347,13 +347,13 @@ function load_rules(rules_content, rules_mgr, verbose, all_events, extra, replac
 	 if (state.lists[item] == nil) then
 	    items[#items+1] = item
 	 else
-	    for i, exp_item in ipairs(state.lists[item]) do
+	    for i, exp_item in ipairs(state.lists[item].items) do
 	       items[#items+1] = exp_item
 	    end
 	 end
       end
 
-      state.lists[v['list']] = items
+      state.lists[v['list']] = {["items"] = items, ["used"] = false}
    end
 
    for i, name in ipairs(state.ordered_macro_names) do
@@ -361,7 +361,7 @@ function load_rules(rules_content, rules_mgr, verbose, all_events, extra, replac
       local v = state.macros_by_name[name]
 
       local ast = compiler.compile_macro(v['condition'], state.macros, state.lists)
-      state.macros[v['macro']] = ast.filter.value
+      state.macros[v['macro']] = {["ast"] = ast.filter.value, ["used"] = false}
    end
 
    for i, name in ipairs(state.ordered_rule_names) do
@@ -443,6 +443,21 @@ function load_rules(rules_content, rules_mgr, verbose, all_events, extra, replac
       end
    end
 
+   if verbose then
+      -- Print info on any dangling lists or macros that were not used anywhere
+      for name, macro in pairs(state.macros) do
+	 if macro.used == false then
+	    print("Warning: macro "..name.." not refered to by any rule/macro")
+	 end
+      end
+
+      for name, list in pairs(state.lists) do
+	 if list.used == false then
+	    print("Warning: list "..name.." not refered to by any rule/macro/list")
+	 end
+      end
+   end
+
    io.flush()
 end
 

userspace/falco/falco.cpp

@@ -111,7 +111,8 @@ static void usage()
 	   "                               single line emitted by falco to be flushed, which generates higher CPU\n"
 	   "                               usage but is useful when piping those outputs into another process\n"
 	   "                               or into a script.\n"
-	   " -V,--validate <rules_file>    Read the contents of the specified rules file and exit\n"
+	   " -V,--validate <rules_file>    Read the contents of the specified rules(s) file and exit\n"
+	   "                               Can be specified multiple times to validate multiple files.\n"
 	   " -v                            Verbose output.\n"
            " --version                     Print version number.\n"
 	   "\n"
@@ -245,7 +246,7 @@ int falco_init(int argc, char **argv)
 	string pidfilename = "/var/run/falco.pid";
 	bool describe_all_rules = false;
 	string describe_rule = "";
-	string validate_rules_file = "";
+	list<string> validate_rules_filenames;
 	string stats_filename = "";
 	bool verbose = false;
 	bool all_events = false;
@@ -282,7 +283,7 @@ int falco_init(int argc, char **argv)
 		{"pidfile", required_argument, 0, 'P' },
 		{"unbuffered", no_argument, 0, 'U' },
 		{"version", no_argument, 0, 0 },
-		{"validate", required_argument, 0, 0 },
+		{"validate", required_argument, 0, 'V' },
 		{"writefile", required_argument, 0, 'w' },
 
 		{0, 0, 0, 0}
@@ -396,7 +397,7 @@ int falco_init(int argc, char **argv)
 				verbose = true;
 				break;
 			case 'V':
-				validate_rules_file = optarg;
+				validate_rules_filenames.push_back(optarg);
 				break;
 			case 'w':
 				outfile = optarg;
@@ -460,10 +461,17 @@ int falco_init(int argc, char **argv)
 			}
 		}
 
-		if(validate_rules_file != "")
+		if(validate_rules_filenames.size() > 0)
 		{
-			falco_logger::log(LOG_INFO, "Validating rules file: " + validate_rules_file + "...\n");
-			engine->load_rules_file(validate_rules_file, verbose, all_events);
+			falco_logger::log(LOG_INFO, "Validating rules file(s):\n");
+			for(auto file : validate_rules_filenames)
+			{
+				falco_logger::log(LOG_INFO, "   " + file + "\n");
+			}
+			for(auto file : validate_rules_filenames)
+			{
+				engine->load_rules_file(file, verbose, all_events);
+			}
 			falco_logger::log(LOG_INFO, "Ok\n");
 			goto exit;
 		}