Merge branch 'dev' into agent-master

2026-04-05 19:42:21 +00:00 · 2017-11-21 12:18:56 +01:00 · 2017-11-10 14:08:13 -08:00 · 2017-10-27 14:31:48 +02:00 · 2017-10-19 11:03:45 +02:00 · 2017-10-12 13:33:08 +02:00
13 changed files with 296 additions and 408 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,24 +2,6 @@

 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).

-## v0.9.0
-
-Released 2018-01-18
-
-### Bug Fixes
-
-* Fix driver incompatibility problems with some linux kernel versions that can disable pagefault tracepoints [[#sysdig/1034](https://github.com/draios/sysdig/pull/1034)]
-* Fix OSX Build incompatibility with latest version of libcurl [[#291](https://github.com/draios/falco/pull/291)]
-
-### Minor Changes
-
-* Updated the Kubernetes example to provide an additional example: Daemon Set using RBAC and a ConfigMap for configuration. Also expanded the documentation for both the RBAC and non-RBAC examples. [[#309](https://github.com/draios/falco/pull/309)]
-
-### Rule Changes
-
-* Refactor the shell-related rules to reduce false positives. These changes significantly decrease the scope of the rules so they trigger only for shells spawned below specific processes instead of anywhere. [[#301](https://github.com/draios/falco/pull/301)] [[#304](https://github.com/draios/falco/pull/304)]
-* Lots of rule changes based on feedback from Sysdig Secure community [[#293](https://github.com/draios/falco/pull/293)] [[#298](https://github.com/draios/falco/pull/298)] [[#300](https://github.com/draios/falco/pull/300)] [[#307](https://github.com/draios/falco/pull/307)] [[#315](https://github.com/draios/falco/pull/315)]
-
 ## v0.8.1

 Released 2017-10-10
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -78,7 +78,7 @@ else()
        set(ZLIB_INCLUDE "${ZLIB_SRC}")
        set(ZLIB_LIB "${ZLIB_SRC}/libz.a")
        ExternalProject_Add(zlib
-		URL "http://s3.amazonaws.com/download.draios.com/dependencies/zlib-1.2.8.tar.gz"
+		URL "https://s3.amazonaws.com/download.draios.com/dependencies/zlib-1.2.8.tar.gz"
 		URL_MD5 "44d667c142d7cda120332623eab69f40"
 		CONFIGURE_COMMAND "./configure"
 		BUILD_COMMAND ${CMD_MAKE}
@@ -104,7 +104,7 @@ else()
        set(JQ_INCLUDE "${JQ_SRC}")
        set(JQ_LIB "${JQ_SRC}/.libs/libjq.a")
        ExternalProject_Add(jq
-                URL "http://s3.amazonaws.com/download.draios.com/dependencies/jq-1.5.tar.gz"
+                URL "https://s3.amazonaws.com/download.draios.com/dependencies/jq-1.5.tar.gz"
                URL_MD5 "0933532b086bd8b6a41c1b162b1731f9"
                CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking
                BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
@@ -134,7 +134,7 @@ else()
 	set(CURSES_LIBRARIES "${CURSES_BUNDLE_DIR}/lib/libncurses.a")
 	message(STATUS "Using bundled ncurses in '${CURSES_BUNDLE_DIR}'")
 	ExternalProject_Add(ncurses
-		URL "http://s3.amazonaws.com/download.draios.com/dependencies/ncurses-6.0-20150725.tgz"
+		URL "https://s3.amazonaws.com/download.draios.com/dependencies/ncurses-6.0-20150725.tgz"
 		URL_MD5 "32b8913312e738d707ae68da439ca1f4"
 		CONFIGURE_COMMAND ./configure --without-cxx --without-cxx-binding --without-ada --without-manpages --without-progs --without-tests --with-terminfo-dirs=/etc/terminfo:/lib/terminfo:/usr/share/terminfo
 		BUILD_COMMAND ${CMD_MAKE}
@@ -161,7 +161,7 @@ else()
 	set(B64_INCLUDE "${B64_SRC}/include")
 	set(B64_LIB "${B64_SRC}/src/libb64.a")
 	ExternalProject_Add(b64
-		URL "http://s3.amazonaws.com/download.draios.com/dependencies/libb64-1.2.src.zip"
+		URL "https://s3.amazonaws.com/download.draios.com/dependencies/libb64-1.2.src.zip"
 		URL_MD5 "a609809408327117e2c643bed91b76c5"
 		CONFIGURE_COMMAND ""
 		BUILD_COMMAND ${CMD_MAKE}
@@ -215,7 +215,7 @@ else()
 	message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")

 	ExternalProject_Add(openssl
-		URL "http://s3.amazonaws.com/download.draios.com/dependencies/openssl-1.0.2j.tar.gz"
+		URL "https://s3.amazonaws.com/download.draios.com/dependencies/openssl-1.0.2j.tar.gz"
 		URL_MD5 "96322138f0b69e61b7212bc53d5e912b"
 		CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
 		BUILD_COMMAND ${CMD_MAKE}
@@ -246,7 +246,7 @@ else()

 	ExternalProject_Add(curl
 		DEPENDS openssl
-		URL "http://s3.amazonaws.com/download.draios.com/dependencies/curl-7.56.0.tar.bz2"
+		URL "https://s3.amazonaws.com/download.draios.com/dependencies/curl-7.56.0.tar.bz2"
 		URL_MD5 "e0caf257103e0c77cee5be7e9ac66ca4"
 		CONFIGURE_COMMAND ./configure ${CURL_SSL_OPTION} --disable-shared --enable-optimize --disable-curldebug --disable-rt --enable-http --disable-ftp --disable-file --disable-ldap --disable-ldaps --disable-rtsp --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb --disable-smtp --disable-gopher --disable-sspi --disable-ntlm-wb --disable-tls-srp --without-winssl --without-darwinssl --without-polarssl --without-cyassl --without-nss --without-axtls --without-ca-path --without-ca-bundle --without-libmetalink --without-librtmp --without-winidn --without-libidn --without-nghttp2 --without-libssh2 --disable-threaded-resolver
 		BUILD_COMMAND ${CMD_MAKE}
@@ -280,7 +280,7 @@ else()
 	set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
 	set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
 	ExternalProject_Add(luajit
-		URL "http://s3.amazonaws.com/download.draios.com/dependencies/LuaJIT-2.0.3.tar.gz"
+		URL "https://s3.amazonaws.com/download.draios.com/dependencies/LuaJIT-2.0.3.tar.gz"
 		URL_MD5 "f14e9104be513913810cd59c8c658dc0"
 		CONFIGURE_COMMAND ""
 		BUILD_COMMAND ${CMD_MAKE}
@@ -310,7 +310,7 @@ else()
 	endif()
 	ExternalProject_Add(lpeg
 		DEPENDS ${LPEG_DEPENDENCIES}
-		URL "http://s3.amazonaws.com/download.draios.com/dependencies/lpeg-1.0.0.tar.gz"
+		URL "https://s3.amazonaws.com/download.draios.com/dependencies/lpeg-1.0.0.tar.gz"
 		URL_MD5 "0aec64ccd13996202ad0c099e2877ece"
 		BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
 		BUILD_IN_SOURCE 1
@@ -345,7 +345,7 @@ else()
 	set(LIBYAML_LIB "${LIBYAML_SRC}/.libs/libyaml.a")
 	message(STATUS "Using bundled libyaml in '${LIBYAML_SRC}'")
 	ExternalProject_Add(libyaml
-		URL "http://s3.amazonaws.com/download.draios.com/dependencies/libyaml-0.1.4.tar.gz"
+		URL "https://s3.amazonaws.com/download.draios.com/dependencies/libyaml-0.1.4.tar.gz"
 		URL_MD5 "4a4bced818da0b9ae7fc8ebc690792a7"
 		BUILD_COMMAND ${CMD_MAKE}
 		BUILD_IN_SOURCE 1
@@ -381,7 +381,7 @@ else()
 	endif()
 	ExternalProject_Add(lyaml
 		DEPENDS ${LYAML_DEPENDENCIES}
-		URL "http://s3.amazonaws.com/download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
+		URL "https://s3.amazonaws.com/download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
                URL_MD5 "dc3494689a0dce7cf44e7a99c72b1f30"
                BUILD_COMMAND ${CMD_MAKE}
                BUILD_IN_SOURCE 1
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@

 #### Latest release

-**v0.9.0**
+**v0.8.1**
 Read the [change log](https://github.com/draios/falco/blob/dev/CHANGELOG.md)

 Dev Branch: [![Build Status](https://travis-ci.org/draios/falco.svg?branch=dev)](https://travis-ci.org/draios/falco)<br />
--- a/docker/event-generator/event_generator.cpp
+++ b/docker/event-generator/event_generator.cpp
@@ -50,8 +50,6 @@ void usage(char *program)
 	printf("                                                     then read a sensitive file\n");
 	printf("          write_rpm_database                         Write to files below /var/lib/rpm\n");
 	printf("          spawn_shell                                Run a shell (bash)\n");
-	printf("                                                     Used by spawn_shell_under_httpd below\n");
-	printf("          spawn_shell_under_httpd                    Run a shell (bash) under a httpd process\n");
 	printf("          db_program_spawn_process                   As a database program, try to spawn\n");
 	printf("                                                     another program\n");
 	printf("          modify_binary_dirs                         Modify a file below /bin\n");
@@ -66,7 +64,7 @@ void usage(char *program)
 	printf("          non_sudo_setuid                            Setuid as a non-root user\n");
 	printf("          create_files_below_dev                     Create files below /dev\n");
 	printf("          exec_ls                                    execve() the program ls\n");
-	printf("                                                     (used by user_mgmt_binaries, db_program_spawn_process)\n");
+	printf("                                                     (used by user_mgmt_binaries below)\n");
 	printf("          user_mgmt_binaries                         Become the program \"vipw\", which triggers\n");
 	printf("                                                     rules related to user management programs\n");
 	printf("          exfiltration                               Read /etc/shadow and send it via udp to a\n");
@@ -232,14 +230,9 @@ void spawn_shell() {
 	}
 }

-void spawn_shell_under_httpd() {
-	printf("Becoming the program \"httpd\" and then spawning a shell\n");
-	respawn("./httpd", "spawn_shell", "0");
-}
-
 void db_program_spawn_process() {
-	printf("Becoming the program \"mysql\" and then running ls\n");
-	respawn("./mysqld", "exec_ls", "0");
+	printf("Becoming the program \"mysql\" and then spawning a shell\n");
+	respawn("./mysqld", "spawn_shell", "0");
 }

 void modify_binary_dirs() {
@@ -367,7 +360,6 @@ map<string, action_t> defined_actions = {{"write_binary_dir", write_binary_dir},
 					 {"read_sensitive_file_after_startup", read_sensitive_file_after_startup},
 					 {"write_rpm_database", write_rpm_database},
 					 {"spawn_shell", spawn_shell},
-					 {"spawn_shell_under_httpd", spawn_shell_under_httpd},
 					 {"db_program_spawn_process", db_program_spawn_process},
 					 {"modify_binary_dirs", modify_binary_dirs},
 					 {"mkdir_binary_dirs", mkdir_binary_dirs},
@@ -383,7 +375,7 @@ map<string, action_t> defined_actions = {{"write_binary_dir", write_binary_dir},

 // Some actions don't directly result in suspicious behavior. These
 // actions are excluded from the ones run with -a all.
-set<string> exclude_from_all_actions = {"spawn_shell", "exec_ls", "network_activity"};
+set<string> exclude_from_all_actions = {"exec_ls", "network_activity"};

 void create_symlinks(const char *program)
 {
--- a/examples/k8s-using-daemonset/README.md
+++ b/examples/k8s-using-daemonset/README.md
@@ -1,92 +1,5 @@
-# Example Kubernetes Daemon Sets for Sysdig Falco
+# Example K8s Services for Falco

-This directory gives you the required YAML files to stand up Sysdig Falco on Kubernetes as a Daemon Set. This will result in a Falco Pod being deployed to each node, and thus the ability to monitor any running containers for abnormal behavior. 
-
-The two options are provided to deploy a Daemon Set:
- `k8s-with-rbac` - This directory provides a definition to deploy a Daemon Set on Kubernetes with RBAC enabled.
- `k8s-without-rbac` - This directory provides a definition to deploy a Daemon Set on Kubernetes without RBAC enabled. 
-
-Also provided:
- `falco-event-generator-deployment.yaml` - A Kubernetes Deployment to generate sample events. This is useful for testing, but note it will generate a large number of events.
-
-## Deploying to Kubernetes with RBAC enabled
-
-Since v1.8 RBAC has been available in Kubernetes, and running with RBAC enabled is considered the best practice. The `k8s-with-rbac` directory provides the YAML to create a Service Account for Falco, as well as the ClusterRoles and bindings to grant the appropriate permissions to the Service Account.
-
-```
-k8s-using-daemonset$ kubectl create -f k8s-with-rbac/falco-account.yaml
-serviceaccount "falco-account" created
-clusterrole "falco-cluster-role" created
-clusterrolebinding "falco-cluster-role-binding" created
-k8s-using-daemonset$
-```
-
-The Daemon Set also relies on a Kubernetes ConfigMap to store the Falco configuration and make the configuration available to the Falco Pods. This allows you to manage custom configuration without rebuilding and redeploying the underlying Pods. In order to create the ConfigMap you'll need to first need to copy the required configuration from their location in this GitHub repo to the `k8s-with-rbac/falco-config/` directory. Any modification of the configuration should be performed on these copies rather than the original files.
-
-```
-k8s-using-daemonset$ cp ../../falco.yaml k8s-with-rbac/falco-config/
-k8s-using-daemonset$ cp ../../rules/falco_rules.* k8s-with-rbac/falco-config/
-```
-
-If you want to send Falco alerts to a Slack channel, you'll want to modify the `falco.yaml` file to point to your Slack webhook. For more information on getting a webhook URL for your Slack team, refer to the [Slack documentation](https://api.slack.com/incoming-webhooks). Add the below to the bottom of the `falco.yaml` config file you just copied to enable Slack messages.
-
-```
-program_output:
-  enabled: true
-  keep_alive: false
-  program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/see_your_slack_team/apps_settings_for/a_webhook_url"
-```
-
-You will also need to enable JSON output. Find the `json_output: false` setting in the `falco.yaml` file and change it to read `json_output: true`. Any custom rules for your environment can be added to into the `falco_rules.local.yaml` file and they will be picked up by Falco at start time. You can now create the ConfigMap in Kubernetes. 
-
-```
-k8s-using-daemonset$ kubectl create configmap falco-config --from-file=k8s-with-rbac/falco-config
-configmap "falco-config" created
-k8s-using-daemonset$
-```
-
-Now that we have the requirements for our Daemon Set in place, we can create our Daemon Set.
-
-```
-k8s-using-daemonset$ kubectl create -f k8s-with-rbac/falco-daemonset-configmap.yaml 
-daemonset "falco" created
-k8s-using-daemonset$
-```
-
-
-## Deploying to Kubernetes without RBAC enabled
-
-If you are running Kubernetes with Legacy Authorization enabled, you can use `kubectl` to deploy the Daemon Set provided in the `k8s-without-rbac` directory. The example provides the ability to post messages to a Slack channel via a webhook. For more information on getting a webhook URL for your Slack team, refer to the [Slack documentation](https://api.slack.com/incoming-webhooks). Modify the [`args`](https://github.com/draios/falco/blob/dev/examples/k8s-using-daemonset/falco-daemonset.yaml#L21) passed to the Falco container to point to the appropriate URL for your webhook.
-
-```
-k8s-using-daemonset$ kubectl create -f k8s-without-rbac/falco-daemonset.yaml
-```
-
-
-## Verifying the installation
-
-In order to test that Falco is working correctly, you can launch a shell in a Pod. You should see a message in your Slack channel (if configured), or in the logs of the Falco pod.
-
-```
-k8s-using-daemonset$ kubectl get pods
-NAME          READY     STATUS    RESTARTS   AGE
-falco-74htl   1/1       Running   0          13h
-falco-fqz2m   1/1       Running   0          13h
-falco-sgjfx   1/1       Running   0          13h
-k8s-using-daemonset$ kubectl exec -it falco-74htl bash
-root@falco-74htl:/# exit
-k8s-using-daemonset$ kubectl logs falco-74htl
-{"output":"17:48:58.590038385: Notice A shell was spawned in a container with an attached terminal (user=root k8s.pod=falco-74htl container=a98c2aa8e670 shell=bash parent=<NA> cmdline=bash  terminal=34816)","priority":"Notice","rule":"Terminal shell in container","time":"2017-12-20T17:48:58.590038385Z", "output_fields": {"container.id":"a98c2aa8e670","evt.time":1513792138590038385,"k8s.pod.name":"falco-74htl","proc.cmdline":"bash ","proc.name":"bash","proc.pname":null,"proc.tty":34816,"user.name":"root"}}
-k8s-using-daemonset$
-``` 
-
-Alternatively, you can deploy the [Falco Event Generator](https://github.com/draios/falco/wiki/Generating-Sample-Events) deployement to have events automatically generated. Please note that this Deployment will generate a large number of events. 
-
-```
-k8s-using-daemonset$ kubectl create -f falco-event-generator-deployment.yaml \
-&& sleep 1 \
-&& kubectl delete -f falco-event-generator-deployment.yaml
-deployment "falco-event-generator-deployment" created
-deployment "falco-event-generator-deployment" deleted
-k8s-using-daemonset$ 
-```
+The yaml file in this directory installs the following:
+ - Open Source Falco, as a DaemonSet. Falco is configured to communicate with the K8s API server via its service account, and changes its output to be K8s-friendly. It also sends to a slack webhook for the `#demo-falco-alerts` channel on our [public slack](https://sysdig.slack.com/messages/demo-falco-alerts/).
+ - The [Falco Event Generator](https://github.com/draios/falco/wiki/Generating-Sample-Events), as a deployment that ensures it runs on exactly 1 node.
--- a/examples/k8s-using-daemonset/k8s-without-rbac/falco-daemonset.yaml
+++ b/examples/k8s-using-daemonset/k8s-without-rbac/falco-daemonset.yaml
@@ -18,7 +18,7 @@ spec:
          image: sysdig/falco:latest
          securityContext:
            privileged: true
-          args: [ "/usr/bin/falco", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes", "-pk", "-o", "json_output=true", "-o", "program_output.enabled=true", "-o",  "program_output.program=jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/see_your_slack_team/apps_settings_for/a_webhook_url"]
+          args: [ "/usr/bin/falco", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes", "-pk", "-o", "json_output=true", "-o", "program_output.enabled=true", "-o",  "program_output.program=jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/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"]
          volumeMounts:
            - mountPath: /host/var/run/docker.sock
              name: docker-socket
--- a/examples/k8s-using-daemonset/k8s-with-rbac/falco-account.yaml
+++ b/examples/k8s-using-daemonset/k8s-with-rbac/falco-account.yaml
@@ -1,29 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: falco-account
---
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
-  name: falco-cluster-role
-rules:
-  - apiGroups: ["extensions",""]
-    resources: ["nodes","namespaces","pods","replicationcontrollers","services","events","configmaps"]
-    verbs: ["get","list","watch"]
-  - nonResourceURLs: ["/healthz", "/healthz/*"]
-    verbs: ["get"]
---
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
-  name: falco-cluster-role-binding
-  namespace: default
-subjects:
-  - kind: ServiceAccount
-    name: falco-account
-    namespace: default
-roleRef:
-  kind: ClusterRole
-  name: falco-cluster-role
-  apiGroup: rbac.authorization.k8s.io
--- a/examples/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml
+++ b/examples/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml
@@ -1,65 +0,0 @@
-apiVersion: extensions/v1beta1
-kind: DaemonSet
-metadata:
-  name: falco
-  labels:
-    name: falco-daemonset
-    app: demo
-spec:
-  template:
-    metadata:
-      labels:
-        name: falco
-        app: demo
-        role: security
-    spec:
-      serviceAccount: falco-account
-      containers:
-        - name: falco
-          image: sysdig/falco:latest
-          securityContext:
-            privileged: true
-          args: [ "/usr/bin/falco", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes", "-pk"]
-          volumeMounts:
-            - mountPath: /host/var/run/docker.sock
-              name: docker-socket
-              readOnly: true
-            - mountPath: /host/dev
-              name: dev-fs
-              readOnly: true
-            - mountPath: /host/proc
-              name: proc-fs
-              readOnly: true
-            - mountPath: /host/boot
-              name: boot-fs
-              readOnly: true
-            - mountPath: /host/lib/modules
-              name: lib-modules
-              readOnly: true
-            - mountPath: /host/usr
-              name: usr-fs
-              readOnly: true
-            - mountPath: /etc/falco
-              name: falco-config
-      volumes:
-        - name: docker-socket
-          hostPath:
-            path: /var/run/docker.sock
-        - name: dev-fs
-          hostPath:
-            path: /dev
-        - name: proc-fs
-          hostPath:
-            path: /proc
-        - name: boot-fs
-          hostPath:
-            path: /boot
-        - name: lib-modules
-          hostPath:
-            path: /lib/modules
-        - name: usr-fs
-          hostPath:
-            path: /usr
-        - name: falco-config
-          configMap:
-            name: falco-config
--- a/examples/nodejs-bad-rest-api/demo.yml
+++ b/examples/nodejs-bad-rest-api/demo.yml
@@ -1,7 +1,9 @@
+# Owned by software vendor, serving install-software.sh.
 express_server:
  container_name: express_server
  image: node:latest
-  command: bash -c "apt-get -y update && apt-get -y install runit && npm install && runsv /usr/src/app"
+  working_dir: /usr/src/app
+  command: bash -c "npm install && node server.js"
  ports:
    - "8181:8181"
  volumes:
--- a/examples/nodejs-bad-rest-api/run
+++ b/examples/nodejs-bad-rest-api/run
@@ -1,2 +0,0 @@
-#!/bin/sh
-node server.js
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -41,10 +41,10 @@

 - macro: bin_dir_mkdir
  condition: >
-    (evt.arg[1] startswith /bin/ or
-     evt.arg[1] startswith /sbin/ or
-     evt.arg[1] startswith /usr/bin/ or
-     evt.arg[1] startswith /usr/sbin/)
+    evt.arg[0] startswith /bin/ or
+    evt.arg[0] startswith /sbin/ or
+    evt.arg[0] startswith /usr/bin/ or
+    evt.arg[0] startswith /usr/sbin/

 - macro: bin_dir_rename
  condition: >
@@ -156,10 +156,10 @@
  items: [chef-client]

 - list: http_server_binaries
-  items: [nginx, httpd, httpd-foregroun, lighttpd, apache, apache2]
+  items: [nginx, httpd, httpd-foregroun, lighttpd]

 - list: db_server_binaries
-  items: [mysqld, postgres, sqlplus]
+  items: [mysqld]

 - list: mysql_mgmt_binaries
  items: [mysql_install_d, mysql_ssl_rsa_s]
@@ -170,9 +170,6 @@
 - list: db_mgmt_binaries
  items: [mysql_mgmt_binaries, postgres_mgmt_binaries]

- list: nosql_server_binaries
-  items: [couchdb, memcached, redis-server, rabbitmq-server, mongod]
-
 - list: gitlab_binaries
  items: [gitlab-shell, gitlab-mon, gitlab-runner-b, git]

@@ -183,10 +180,10 @@
 # interpreted by the filter expression.
 - list: rpm_binaries
  items: [dnf, rpm, rpmkey, yum, '"75-system-updat"', rhsmcertd-worke, subscription-ma,
-          repoquery, rpmkeys, rpmq, yum-cron]
+          repoquery, rpmkeys, rpmq]

 - macro: rpm_procs
-  condition: proc.name in (rpm_binaries) or proc.name in (salt-minion)
+  condition: proc.name in (rpm_binaries)

 - list: deb_binaries
  items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, apt, apt-get, aptitude,
@@ -202,9 +199,6 @@
 - macro: package_mgmt_procs
  condition: proc.name in (package_mgmt_binaries)

- macro: run_by_package_mgmt_binaries
-  condition: proc.aname in (package_mgmt_binaries, needrestart)
-
 - list: ssl_mgmt_binaries
  items: [ca-certificates]

@@ -360,9 +354,6 @@
 - macro: ansible_running_python
  condition: (proc.name in (python, pypy) and proc.cmdline contains ansible)

- macro: chef_running_yum_dump
-  condition: (proc.name=python and proc.cmdline contains yum-dump.py)
-
 - macro: parent_beam_running_python
  condition: proc.pcmdline="python pipeline.py -c conf.json"

@@ -389,10 +380,9 @@

 - macro: parent_python_running_denyhosts
  condition: >
-    (proc.cmdline startswith "denyhosts.py /usr/bin/denyhosts.py" or
-     (proc.pname=python and
-     (proc.pcmdline contains /usr/sbin/denyhosts or
-      proc.pcmdline contains /usr/local/bin/denyhosts.py)))
+    (proc.pname=python and
+    (proc.pcmdline contains /usr/sbin/denyhosts or
+     proc.pcmdline contains /usr/local/bin/denyhosts.py))

 - macro: parent_python_running_sdchecks
  condition: >
@@ -531,8 +521,7 @@
 # Chef is similar.
 - macro: run_by_chef
  condition: (proc.aname[2]=chef_command_wr or proc.aname[3]=chef_command_wr or
-              proc.aname[2]=chef-client or proc.aname[3]=chef-client or
-              proc.name=chef-client)
+              proc.aname[2]=chef-client or proc.aname[3]=chef-client)

 - macro: run_by_adclient
  condition: (proc.aname[2]=adclient or proc.aname[3]=adclient or proc.aname[4]=adclient)
@@ -570,12 +559,12 @@
 - macro: java_running_sdjagent
  condition: proc.name=java and proc.cmdline contains sdjagent.jar

- macro: kubelet_running_loopback
-  condition: (proc.pname=kubelet and proc.name=loopback)
-
 - macro: parent_java_running_confluence
  condition: (proc.pname=java and proc.pcmdline contains "-classpath /opt/atlassian/confluence")

+- macro: parent_java_running_tomcat
+  condition: (proc.pname=java and proc.pcmdline contains "-classpath /usr/local/tomcat")
+
 - macro: parent_java_running_install4j
  condition: (proc.pname=java and proc.pcmdline contains "-classpath i4jruntime.jar")

@@ -588,9 +577,6 @@
 - macro: python_mesos_marathon_scripting
  condition: (proc.pcmdline startswith "python3 /marathon-lb/marathon_lb.py")

- macro: splunk_running_forwarder
-  condition: (proc.pname=splunkd and proc.cmdline startswith "sh -c /opt/splunkforwarder")
-
 - macro: parent_running_datastax
  condition: ((proc.pname=java and proc.pcmdline contains "-jar datastax-agent") or
              (proc.pcmdline startswith "nodetool /opt/dse/bin/"))
@@ -616,8 +602,8 @@
 - macro: htpasswd_writing_passwd
  condition: (proc.name=htpasswd and fd.name=/etc/nginx/.htpasswd)

- macro: lvprogs_writing_lvm_archive
-  condition: (proc.name in (dmeventd,lvcreate) and (fd.name startswith /etc/lvm/archive or
+- macro: dmeventd_writing_lvm_archive
+  condition: (proc.name=dmeventd and (fd.name startswith /etc/lvm/archive or
                                      fd.name startswith /etc/lvm/backup))
 - macro: ovsdb_writing_openvswitch
  condition: (proc.name=ovsdb-server and fd.directory=/etc/openvswitch)
@@ -641,28 +627,13 @@
 - macro: countly_writing_nginx_conf
  condition: (proc.cmdline startswith "nodejs /opt/countly/bin" and fd.name startswith /etc/nginx)

- list: veritas_binaries
-  items: [vxconfigd, sfcache, vxclustadm, vxdctl, vxprint, vxdmpadm, vxdisk, vxdg, vxassist, vxtune]
-
- macro: veritas_driver_script
-  condition: (proc.cmdline startswith "perl /opt/VRTSsfmh/bin/mh_driver.pl")
-
- macro: veritas_progs
-  condition: (proc.name in (veritas_binaries) or veritas_driver_script)
-
- macro: veritas_writing_config
-  condition: (veritas_progs and fd.name startswith /etc/vx)
-
- macro: exe_running_docker_save
-  condition: (container and proc.cmdline startswith "exe /var/lib/docker" and proc.pname in (dockerd, docker))
-
 ###############
 # General Rules
 ###############

 - rule: Write below binary dir
  desc: an attempt to write to any file below a set of binary directories
-  condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs and not exe_running_docker_save
+  condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs
  output: >
    File below a known binary directory opened for writing (user=%user.name
    command=%proc.cmdline file=%fd.name)
@@ -778,7 +749,6 @@
    and not proc.pname in (sysdigcloud_binaries, mail_config_binaries, hddtemp.postins, sshkit_script_binaries, locales.postins, deb_binaries)
    and not fd.name pmatch (safe_etc_dirs)
    and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc)
-    and not exe_running_docker_save    
    and not ansible_running_python
    and not python_running_denyhosts
    and not fluentd_writing_conf_files
@@ -799,7 +769,7 @@
    and not supervise_writing_status
    and not pki_realm_writing_realms
    and not htpasswd_writing_passwd
-    and not lvprogs_writing_lvm_archive
+    and not dmeventd_writing_lvm_archive
    and not ovsdb_writing_openvswitch
    and not datadog_writing_conf
    and not curl_writing_pki_db
@@ -818,14 +788,14 @@
    and not countly_writing_nginx_conf

 - rule: Write below etc
-  desc: an attempt to write to any file below /etc
+  desc: an attempt to write to any file below /etc, not in a pipe installer session
  condition: write_etc_common and not proc.sname=fbash
  output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name name=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])"
  priority: ERROR
  tags: [filesystem]

 - list: known_root_files
-  items: [/root/.monit.state, /root/.auth_tokens, /root/.bash_history, /root/.ash_history, /root/.aws/credentials,
+  items: [/root/.monit.state, /root/.auth_tokens, /root/.bash_history, /root/.aws/credentials,
          /root/.viminfo.tmp, /root/.lesshst, /root/.bzr.log, /root/.gitconfig.lock]

 - list: known_root_directories
@@ -839,13 +809,11 @@
              or fd.name startswith /root/.ivy2
              or fd.name startswith /root/.config/Cypress
              or fd.name startswith /root/.config/pulse
-              or fd.name startswith /root/.config/configstore
              or fd.name startswith /root/jenkins/workspace
              or fd.name startswith /root/.jenkins
              or fd.name startswith /root/.cache
              or fd.name startswith /root/.sbt
              or fd.name startswith /root/.java
-              or fd.name startswith /root/.glide
              or fd.name startswith /root/.sonar)

 - rule: Write below root
@@ -854,12 +822,21 @@
    root_dir and evt.dir = < and open_write
    and not fd.name in (known_root_files)
    and not fd.directory in (known_root_directories)
-    and not exe_running_docker_save
    and not known_root_conditions
  output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name name=%proc.name)"
  priority: ERROR
  tags: [filesystem]

+# Within a fbash session, the severity is lowered to INFO
+- rule: Write below etc in installer
+  desc: an attempt to write to any file below /etc, in a pipe installer session
+  condition: write_etc_common and proc.sname=fbash
+  output: >
+    File below /etc opened for writing (user=%user.name command=%proc.cmdline
+    file=%fd.name) within pipe installer session
+  priority: INFO
+  tags: [filesystem]
+
 - macro: cmp_cp_by_passwd
  condition: proc.name in (cmp, cp) and proc.pname in (passwd, run-parts)

@@ -879,8 +856,7 @@
  items: [
    iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd,
    vsftpd, systemd, mysql_install_d, psql, screen, debconf-show, sa-update,
-    pam-auth-update, /usr/sbin/spamd, polkit-agent-he, lsattr, file, sosreport,
-    scxcimservera
+    pam-auth-update, /usr/sbin/spamd, polkit-agent-he, lsattr, file
    ]

 # Add conditions to this macro (probably in a separate file,
@@ -913,7 +889,6 @@
    and not run_by_chef
    and not user_read_sensitive_file_conditions
    and not perl_running_plesk
-    and not veritas_driver_script
  output: >
    Sensitive file opened for reading by non-trusted program (user=%user.name name=%proc.name
    command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
@@ -923,23 +898,16 @@
 # Only let rpm-related programs write to the rpm database
 - rule: Write below rpm database
  desc: an attempt to write to the rpm database by any non-rpm related program
-  condition: fd.name startswith /var/lib/rpm and open_write and not rpm_procs and not ansible_running_python and not chef_running_yum_dump
+  condition: fd.name startswith /var/lib/rpm and open_write and not rpm_procs and not ansible_running_python
  output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name)"
  priority: ERROR
  tags: [filesystem, software_mgmt]

- macro: postgres_running_wal_e
-  condition: (proc.pname=postgres and proc.cmdline startswith "sh -c envdir /etc/wal-e.d/env /usr/local/bin/wal-e")
-
 - rule: DB program spawned process
  desc: >
    a database-server related program spawned a new process other than itself.
    This shouldn\'t occur and is a follow on from some SQL injection attacks.
-  condition: >
-    proc.pname in (db_server_binaries)
-    and spawned_process
-    and not proc.name in (db_server_binaries)
-    and not postgres_running_wal_e
+  condition: proc.pname in (db_server_binaries) and spawned_process and not proc.name in (db_server_binaries)
  output: >
    Database-related program spawned process other than itself (user=%user.name
    program=%proc.cmdline parent=%proc.pname)
@@ -994,7 +962,6 @@
    and not proc.name startswith "runc:"
    and not proc.pname in (sysdigcloud_binaries)
    and not java_running_sdjagent
-    and not kubelet_running_loopback
  output: >
    Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline
    parent=%proc.pname %container.info)
@@ -1022,111 +989,66 @@
    mysql_upgrade, opkg-cl, vmtoolsd, confd
    ]

-# The binaries in this list and their descendents are *not* allowed
-# spawn shells. This includes the binaries spawning shells directly as
-# well as indirectly. For example, apache -> php/perl for
-# mod_{php,perl} -> some shell is also not allowed, because the shell
-# has apache as an ancestor.
-
- list: protected_shell_spawning_binaries
-  items: [
-    http_server_binaries, db_server_binaries, nosql_server_binaries, mail_binaries,
-    fluentd, flanneld, splunkd, consul, smbd, runsv
-    ]
-
- macro: parent_java_running_zookeeper
-  condition: (proc.pname=java and proc.pcmdline contains org.apache.zookeeper.server)
-
- macro: parent_java_running_kafka
-  condition: (proc.pname=java and proc.pcmdline contains kafka.Kafka)
-
- macro: parent_java_running_elasticsearch
-  condition: (proc.pname=java and proc.pcmdline contains org.elasticsearch.bootstrap.Elasticsearch)
-
- macro: parent_java_running_activemq
-  condition: (proc.pname=java and proc.pcmdline contains activemq.jar)
-
- macro: parent_java_running_cassandra
-  condition: (proc.pname=java and proc.pcmdline contains org.apache.cassandra.service.CassandraDaemon)
-
- macro: parent_java_running_jboss_wildfly
-  condition: (proc.pname=java and proc.pcmdline contains org.jboss)
-
- macro: parent_java_running_glassfish
-  condition: (proc.pname=java and proc.pcmdline contains com.sun.enterprise.glassfish)
-
- macro: parent_java_running_hadoop
-  condition: (proc.pname=java and proc.pcmdline contains org.apache.hadoop)
-
- macro: parent_java_running_datastax
-  condition: (proc.pname=java and proc.pcmdline contains com.datastax)
-
- macro: parent_java_running_sumologic
-  condition: (proc.pname=java and proc.pcmdline contains com.sumologic)
-
- macro: nginx_starting_nginx
-  condition: (proc.pname=nginx and proc.cmdline contains "/usr/sbin/nginx -c /etc/nginx/nginx.conf")
-
- macro: consul_running_net_scripts
-  condition: (proc.pname=consul and (proc.cmdline startswith "sh -c curl" or proc.cmdline startswith "sh -c nc"))
-
- macro: consul_running_alert_checks
-  condition: (proc.pname=consul and proc.cmdline startswith "sh -c /bin/consul-alerts")
-
- macro: serf_script
-  condition: (proc.cmdline startswith "sh -c serf")
-
- macro: check_process_status
-  condition: (proc.cmdline startswith "sh -c kill -0 ")
-
- macro: protected_shell_spawner
-  condition: >
-    (proc.aname in (protected_shell_spawning_binaries)
-    or parent_java_running_zookeeper
-    or parent_java_running_kafka
-    or parent_java_running_elasticsearch
-    or parent_java_running_activemq
-    or parent_java_running_cassandra
-    or parent_java_running_jboss_wildfly
-    or parent_java_running_glassfish
-    or parent_java_running_hadoop
-    or parent_java_running_datastax)
-
-# Note that runsv is both in protected_shell_spawner and the
-# exclusions by pname. This means that runsv can itself spawn shells
-# (the ./run and ./finish scripts), but the processes runsv can not
-# spawn shells.
 - rule: Run shell untrusted
-  desc: an attempt to spawn a shell below a non-shell application. Specific applications are monitored.
+  desc: an attempt to spawn a shell by a non-shell program. Exceptions are made for trusted binaries.
  condition: >
-    spawned_process
+    spawned_process and not container
    and shell_procs
    and proc.pname exists
-    and protected_shell_spawner
-    and not proc.pname in (shell_binaries, gitlab_binaries, cron_binaries, user_known_shell_spawn_binaries,
-                           needrestart_binaries,
-                           erl_child_setup, exechealthz,
-                           PM2, PassengerWatchd, c_rehash, svlogd, logrotate, hhvm, serf,
-                           lb-controller, nvidia-installe, runsv, statsite)
+    and not proc.pname in (cron_binaries, shell_binaries, make_binaries, known_shell_spawn_binaries, docker_binaries,
+                           k8s_binaries, package_mgmt_binaries, aide_wrapper_binaries, nids_binaries,
+                           monitoring_binaries, gitlab_binaries, mesos_slave_binaries,
+                           keepalived_binaries,
+                           needrestart_binaries, phusion_passenger_binaries, chef_binaries, nomachine_binaries,
+                           x2go_binaries, db_mgmt_binaries, plesk_binaries)
+    and not parent_ansible_running_python
+    and not parent_bro_running_python
+    and not parent_python_running_denyhosts
+    and not parent_python_running_sdchecks
+    and not parent_linux_image_upgrade_script
+    and not parent_java_running_jenkins
    and not proc.cmdline in (known_shell_spawn_cmdlines)
-    and not proc.aname in (unicorn_launche)
-    and not consul_running_net_scripts
-    and not consul_running_alert_checks
-    and not nginx_starting_nginx
-    and not run_by_package_mgmt_binaries
-    and not serf_script
-    and not check_process_status
+    and not jenkins_scripts
+    and not parent_java_running_echo
+    and not parent_scripting_running_builds
+    and not makefile_perl
+    and not parent_Xvfb_running_xkbcomp
+    and not parent_nginx_running_serf
+    and not parent_node_running_npm
+    and not parent_npm_running_node
+    and not parent_java_running_sbt
+    and not parent_beam_running_python
+    and not parent_strongswan_running_starter
+    and not run_by_chef
+    and not run_by_puppet
+    and not run_by_adclient
+    and not run_by_centrify
+    and not parent_dovecot_running_auth
    and not run_by_foreman
-    and not python_mesos_marathon_scripting
-    and not splunk_running_forwarder
-    and not postgres_running_wal_e
-    and not user_shell_container_exclusions
+    and not run_by_openshift
+    and not parent_java_running_tomcat
+    and not parent_java_running_install4j
+    and not parent_java_running_endeca
+    and not parent_running_datastax
+    and not parent_java_running_appdynamics
+    and not parent_cpanm_running_perl
+    and not parent_ruby_running_discourse
+    and not parent_ruby_running_pups
+    and not assemble_running_php
+    and not node_running_bitnami
+    and not node_running_threatstack
+    and not parent_python_running_localstack
+    and not parent_python_running_zookeeper
+    and not parent_python_running_airflow
+    and not perl_running_plesk
+    and not plesk_autoinstaller
+    and not parent_perl_running_openresty
  output: >
    Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3]
    gggparent=%proc.aname[4] ggggparent=%proc.aname[5])
  priority: DEBUG
-  tags: [shell]
+  tags: [host, shell]

 - macro: trusted_containers
  condition: (container.image startswith sysdig/agent or
@@ -1138,10 +1060,7 @@
              container.image startswith quay.io/coreos/flannel or
              container.image startswith gcr.io/google_containers/kube-proxy or
              container.image startswith calico/node or
-              container.image startswith rook/toolbox or
-              container.image startswith registry.access.redhat.com/openshift3/logging-fluentd or
-              container.image startswith registry.access.redhat.com/openshift3/logging-elasticsearch or
-              container.image startswith cloudnativelabs/kube-router)
+              container.image startswith rook/toolbox)

 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to specify additional containers that are
@@ -1203,7 +1122,7 @@
 # when we lose events and lose track of state.

 - macro: container_entrypoint
-  condition: (not proc.pname exists or proc.pname in (runc:[0:PARENT], runc:[1:CHILD], docker-runc, exe))
+  condition: (not proc.pname exists or proc.pname in (runc:[0:PARENT], runc:[1:CHILD], docker-runc))

 - rule: Launch Sensitive Mount Container
  desc: >
@@ -1252,11 +1171,11 @@
  tags: [users]

 - rule: Terminal shell in container
-  desc: A shell was used as the entrypoint/exec point into a container with an attached terminal.
+  desc: A shell was spawned by a program in a container with an attached terminal.
  condition: >
    spawned_process and container
    and shell_procs and proc.tty != 0
-    and container_entrypoint
+    and not proc.cmdline in (known_shell_spawn_cmdlines)
  output: >
    A shell was spawned in a container with an attached terminal (user=%user.name %container.info
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty)
@@ -1327,7 +1246,7 @@
 # and override the entire run shell in container macro. Once
 # https://github.com/draios/falco/issues/255 is fixed this will be a
 # bit easier, as someone could append of any of the existing lists.
- list: user_known_shell_spawn_binaries
+- list: user_known_container_shell_spawn_binaries
  items: []

 # This macro allows for easy additions to the set of commands allowed
@@ -1343,6 +1262,84 @@
    (proc.pname=node and (proc.pcmdline contains /var/www/edi/process.js or
                          proc.pcmdline contains "sh -c /var/www/edi/bin/sftp.sh"))

+- rule: Run shell in container
+  desc: a shell was spawned by a non-shell program in a container. Container entrypoints are excluded.
+  condition: >
+    spawned_process and container
+    and shell_procs
+    and not container_entrypoint
+    and not proc.pname in (shell_binaries, make_binaries, docker_binaries, k8s_binaries, package_mgmt_binaries,
+                           lxd_binaries, mesos_slave_binaries, aide_wrapper_binaries, nids_binaries,
+                           cron_binaries,
+                           user_known_container_shell_spawn_binaries,
+                           needrestart_binaries,
+                           phusion_passenger_binaries,
+                           chef_binaries,
+                           nomachine_binaries,
+                           x2go_binaries,
+                           db_mgmt_binaries,
+                           plesk_binaries,
+                           monitoring_binaries, gitlab_binaries, initdb, awk, falco, cron,
+                           erl_child_setup, erlexec, ceph, PM2, pycompile, py3compile, hhvm, npm, serf,
+                           runsv, supervisord, varnishd, crond, logrotate, timeout, tini,
+                           xrdb, xfce4-session, weave, logdna-agent, bundle, configure, luajit, nginx,
+                           beam.smp, paster, postfix-local, hawkular-metric, fluentd, x2gormforward,
+                           "[celeryd:", flock, nsrun, consul, migrate-databas, airflow, bootstrap-qmf-l,
+                           build-qmf-artif, colormake.pl, doxygen, Cypress, lb-controller, vmtoolsd,
+                           haproxy_reload., curator, consul-template, xargs, scl, find, awstats_updatea,
+                           sa-update, mysql_upgrade, opkg-cl, peer-finder, confd, aws)
+    and not trusted_containers
+    and not shell_spawning_containers
+    and not parent_java_running_echo
+    and not parent_scripting_running_builds
+    and not makefile_perl
+    and not parent_Xvfb_running_xkbcomp
+    and not mysql_image_running_healthcheck
+    and not parent_nginx_running_serf
+    and not proc.cmdline in (known_container_shell_spawn_cmdlines)
+    and not parent_node_running_npm
+    and not parent_npm_running_node
+    and not user_shell_container_exclusions
+    and not node_running_edi_dynamodb
+    and not run_by_h2o
+    and not run_by_passenger_agent
+    and not parent_java_running_jenkins
+    and not parent_java_running_maven
+    and not parent_java_running_appdynamics
+    and not parent_java_running_sbt
+    and not python_running_es_curator
+    and not parent_beam_running_python
+    and not jenkins_scripts
+    and not bundle_running_ruby
+    and not parent_dovecot_running_auth
+    and not parent_strongswan_running_starter
+    and not parent_phusion_passenger_my_init
+    and not parent_java_running_confluence
+    and not parent_java_running_tomcat
+    and not parent_java_running_install4j
+    and not parent_running_datastax
+    and not ics_running_java
+    and not parent_ruby_running_discourse
+    and not parent_ruby_running_pups
+    and not assemble_running_php
+    and not node_running_bitnami
+    and not node_running_threatstack
+    and not parent_python_running_localstack
+    and not parent_python_running_zookeeper
+    and not parent_python_running_airflow
+    and not parent_docker_start_script
+    and not parent_java_running_endeca
+    and not python_mesos_healthcheck
+    and not python_mesos_marathon_scripting
+    and not perl_running_plesk
+    and not parent_rancher_running_healthcheck
+    and not parent_perl_running_openresty
+  output: >
+    Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image
+    shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3])
+  priority: DEBUG
+  tags: [container, shell]
+
 - macro: login_doing_dns_lookup
  condition: (proc.name=login and fd.l4proto=udp and fd.sport=53)

@@ -1377,11 +1374,7 @@
              (user.name=postfix and evt.arg.uid=postfix) or
              (user.name=pki-agent and evt.arg.uid=pki-agent) or
              (user.name=pki-acme and evt.arg.uid=pki-acme) or
-              (user.name=nfsnobody and evt.arg.uid=nfsnobody) or
-              (user.name=postgres and evt.arg.uid=postgres))
-
- macro: nrpe_becoming_nagios
-  condition: (proc.name=nrpe and evt.arg.uid=nagios)
+              (user.name=nfsnobody and evt.arg.uid=nfsnobody))

 # In containers, the user name might be for a uid that exists in the
 # container but not on the host. (See
@@ -1402,7 +1395,6 @@
    and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
                          nomachine_binaries)
    and not java_running_sdjagent
-    and not nrpe_becoming_nagios
  output: >
    Unexpected setuid call by non-sudo, non-root program (user=%user.name cur_uid=%user.uid parent=%proc.pname
    command=%proc.cmdline uid=%evt.arg.uid)
@@ -1451,10 +1443,54 @@
  priority: ERROR
  tags: [filesystem]

+# fbash is a small shell script that runs bash, and is suitable for use in curl <curl> | fbash installers.
+- rule: Installer bash starts network server
+  desc: an attempt by a program in a pipe installer session to start listening for network connections
+  condition: evt.type=listen and proc.sname=fbash
+  output: "Unexpected listen call by a process in a fbash session (command=%proc.cmdline)"
+  priority: NOTICE
+  tags: [network]
+
+- rule: Installer bash starts session
+  desc: an attempt by a program in a pipe installer session to start a new session
+  condition: evt.type=setsid and proc.sname=fbash
+  output: "Unexpected setsid call by a process in fbash session (command=%proc.cmdline)"
+  priority: NOTICE
+  tags: [process]
+
+- rule: Installer bash non https connection
+  desc: an attempt by a program in a pipe installer session to make an outgoing connection on a non-http(s) port
+  condition: proc.sname=fbash and outbound and not fd.sport in (80, 443, 53)
+  output: >
+    Outbound connection on non-http(s) port by a process in a fbash session
+    (command=%proc.cmdline connection=%fd.name)
+  priority: NOTICE
+  tags: [network]
+
 # It'd be nice if we could warn when processes in a fbash session try
 # to download from any nonstandard location? This is probably blocked
 # on https://github.com/draios/falco/issues/88 though.

+# Notice when processes try to run chkconfig/systemctl.... to install a service.
+# Note: this is not a WARNING, as you'd expect some service management
+# as a part of doing the installation.
+- rule: Installer bash manages service
+  desc: an attempt by a program in a pipe installer session to manage a system service (systemd/chkconfig)
+  condition: evt.type=execve and proc.name in (chkconfig, systemctl) and proc.sname=fbash
+  output: "Service management program run by process in a fbash session (command=%proc.cmdline)"
+  priority: INFO
+  tags: [software_mgmt]
+
+# Notice when processes try to run any package management binary within a fbash session.
+# Note: this is not a WARNING, as you'd expect some package management
+# as a part of doing the installation
+- rule: Installer bash runs pkgmgmt program
+  desc: an attempt by a program in a pipe installer session to run a package management binary
+  condition: evt.type=execve and package_mgmt_procs and proc.sname=fbash
+  output: "Package management program run by process in a fbash session (command=%proc.cmdline)"
+  priority: INFO
+  tags: [software_mgmt]
+
 ###########################
 # Application-Related Rules
 ###########################
--- a/test/falco_tests.yaml
+++ b/test/falco_tests.yaml
@@ -319,7 +319,7 @@ trace_files: !mux
    detect_counts:
      - "Write below binary dir": 1
      - "Read sensitive file untrusted": 3
-      - "Run shell untrusted": 1
+      - "Run shell in container": 1
      - "Write below rpm database": 1
      - "Write below etc": 1
      - "System procs network activity": 1
--- a/test/falco_traces.yaml.in
+++ b/test/falco_traces.yaml.in
@@ -43,11 +43,11 @@ traces: !mux
  falco-event-generator:
    trace_file: traces-positive/falco-event-generator.scap
    detect: True
-    detect_level: [ERROR, WARNING, INFO, NOTICE, DEBUG]
+    detect_level: [ERROR, WARNING, INFO, NOTICE]
    detect_counts:
      - "Write below binary dir": 1
      - "Read sensitive file untrusted": 3
-      - "Run shell untrusted": 1
+      - "Run shell in container": 1
      - "Write below rpm database": 1
      - "Write below etc": 1
      - "System procs network activity": 1
@@ -59,6 +59,44 @@ traces: !mux
      - "Modify binary dirs": 2
      - "Change thread namespace": 2

+  installer-fbash-manages-service:
+    trace_file: traces-info/installer-fbash-manages-service.scap
+    detect: True
+    detect_level: INFO
+    detect_counts:
+      - "Installer bash manages service": 4
+
+  installer-bash-non-https-connection:
+    trace_file: traces-positive/installer-bash-non-https-connection.scap
+    detect: True
+    detect_level: NOTICE
+    detect_counts:
+      - "Installer bash non https connection": 1
+
+  installer-fbash-runs-pkgmgmt:
+    trace_file: traces-info/installer-fbash-runs-pkgmgmt.scap
+    detect: True
+    detect_level: [NOTICE, INFO]
+    detect_counts:
+      - "Installer bash runs pkgmgmt program": 4
+      - "Installer bash non https connection": 4
+
+  installer-bash-starts-network-server:
+    trace_file: traces-positive/installer-bash-starts-network-server.scap
+    detect: True
+    detect_level: NOTICE
+    detect_counts:
+      - "Installer bash starts network server": 2
+      - "Installer bash non https connection": 3
+
+  installer-bash-starts-session:
+    trace_file: traces-positive/installer-bash-starts-session.scap
+    detect: True
+    detect_level: NOTICE
+    detect_counts:
+      - "Installer bash starts session": 1
+      - "Installer bash non https connection": 3
+
  mkdir-binary-dirs:
    trace_file: traces-positive/mkdir-binary-dirs.scap
    detect: True
@@ -73,6 +111,13 @@ traces: !mux
    detect_counts:
      - "Modify binary dirs": 1

+  modify-package-repo-list-installer:
+    trace_file: traces-info/modify-package-repo-list-installer.scap
+    detect: True
+    detect_level: INFO
+    detect_counts:
+      - "Write below etc in installer": 1
+
  non-sudo-setuid:
    trace_file: traces-positive/non-sudo-setuid.scap
    detect: True
@@ -101,6 +146,13 @@ traces: !mux
    detect_counts:
      - "Run shell untrusted": 1

+  shell-in-container:
+    trace_file: traces-positive/shell-in-container.scap
+    detect: True
+    detect_level: DEBUG
+    detect_counts:
+      - "Run shell in container": 1
+
  system-binaries-network-activity:
    trace_file: traces-positive/system-binaries-network-activity.scap
    detect: True
@@ -136,6 +188,13 @@ traces: !mux
    detect_counts:
      - "Write below etc": 1

+  write-etc-installer:
+    trace_file: traces-info/write-etc-installer.scap
+    detect: True
+    detect_level: INFO
+    detect_counts:
+      - "Write below etc in installer": 1
+
  write-rpm-database:
    trace_file: traces-positive/write-rpm-database.scap
    detect: True
Author	SHA1	Message	Date
Luca Marturana	5ac3e7d074	Merge branch 'dev' into agent-master	2017-11-21 12:18:56 +01:00
Brett Bertocci	d321666ee5	Merge branch 'dev' into agent-master	2017-11-10 14:08:13 -08:00
Luca Marturana	09d570d985	Merge branch 'dev' into agent-master	2017-10-27 14:31:48 +02:00
Luca Marturana	5844030bcb	Merge branch 'dev' into agent-master the commit.	2017-10-19 11:03:45 +02:00
Luca Marturana	31482c2a18	Merge branch 'dev' into agent-master	2017-10-12 13:33:08 +02:00
Mark Stemm	498d083980	Merge branch 'dev' into agent-master	2017-09-25 10:58:36 -07:00
Luca Marturana	6fd7f0d628	Merge branch 'dev' into agent-master	2017-08-23 10:30:27 +02:00
Thom van Os	d6fe29b47d	Merge branch 'dev' into agent-master	2017-07-27 14:04:16 -07:00
Riccardo Schirone	a71cbcd7ee	Merge branch 'dev' into agent-master	2017-07-03 12:18:10 +02:00
Mark Stemm	99d6bccc81	Merge branch 'dev' into agent-master	2017-06-06 10:13:23 -07:00
Brett	f92f74eaa8	Merge branch 'dev' into agent-master	2017-05-05 12:01:57 -07:00
Luca Marturana	d42d0e2dd1	Merge branch 'dev' into agent-master	2017-04-14 14:57:56 +02:00
Luca Marturana	135b4d9975	Merge branch 'dev' into agent-master	2017-03-30 14:46:44 +02:00
Luca Marturana	a25166b7ac	Merge branch 'dev' into agent-master	2017-03-20 15:45:29 +01:00
Luca Marturana	800a3f1ea1	Merge branch 'dev' into agent-master	2017-02-21 11:47:36 +01:00
Luca Marturana	31464de885	Merge branch 'dev' into agent-master	2017-02-07 11:06:22 +01:00
Luca Marturana	9b308d2793	Merge branch 'dev' into agent-master	2017-02-02 12:35:47 +01:00
Luca Marturana	a99f09da96	Merge branch 'dev' into agent-master	2017-01-31 11:47:33 +01:00
Luca Marturana	1e0ddba11a	Merge branch 'dev' into agent-master	2017-01-25 18:08:35 +01:00
Luca Marturana	b6d1101cb6	Merge branch 'agent-master' into dev	2017-01-17 10:55:07 +01:00