Merge branch 'dev' into agent-master

* Remove remaining fbash references.

No longer relevant after all the installer rules were removed.

* Detect contacting EC2 metadata svc from containers

Add a rule that detects attempts to contact the ec2 metadata service
from containers. By default, the rule does not trigger unless a list of
explicitly allowed containers is provided.

* Detect contacting K8S API Server from container

New rule "Contact K8S API Server From Container" looks for connections
to the K8s API Server. The ip/port for the K8s API Server is in the
macro k8s_api_server and contains an ip/port that's not likely to occur
in practice, so the rule is effectively disabled by default.

CHANGELOG.md

@@ -2,6 +2,24 @@
 
 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
 
+## v0.9.0
+
+Released 2018-01-18
+
+### Bug Fixes
+
+* Fix driver incompatibility problems with some linux kernel versions that can disable pagefault tracepoints [[#sysdig/1034](https://github.com/draios/sysdig/pull/1034)]
+* Fix OSX Build incompatibility with latest version of libcurl [[#291](https://github.com/draios/falco/pull/291)]
+
+### Minor Changes
+
+* Updated the Kubernetes example to provide an additional example: Daemon Set using RBAC and a ConfigMap for configuration. Also expanded the documentation for both the RBAC and non-RBAC examples. [[#309](https://github.com/draios/falco/pull/309)]
+
+### Rule Changes
+
+* Refactor the shell-related rules to reduce false positives. These changes significantly decrease the scope of the rules so they trigger only for shells spawned below specific processes instead of anywhere. [[#301](https://github.com/draios/falco/pull/301)] [[#304](https://github.com/draios/falco/pull/304)]
+* Lots of rule changes based on feedback from Sysdig Secure community [[#293](https://github.com/draios/falco/pull/293)] [[#298](https://github.com/draios/falco/pull/298)] [[#300](https://github.com/draios/falco/pull/300)] [[#307](https://github.com/draios/falco/pull/307)] [[#315](https://github.com/draios/falco/pull/315)]
+
 ## v0.8.1
 
 Released 2017-10-10

CMakeLists.txt

@@ -78,7 +78,7 @@ else()
         set(ZLIB_INCLUDE "${ZLIB_SRC}")
         set(ZLIB_LIB "${ZLIB_SRC}/libz.a")
         ExternalProject_Add(zlib
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/zlib-1.2.8.tar.gz"
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/zlib-1.2.8.tar.gz"
 		URL_MD5 "44d667c142d7cda120332623eab69f40"
 		CONFIGURE_COMMAND "./configure"
 		BUILD_COMMAND ${CMD_MAKE}
@@ -104,7 +104,7 @@ else()
         set(JQ_INCLUDE "${JQ_SRC}")
         set(JQ_LIB "${JQ_SRC}/.libs/libjq.a")
         ExternalProject_Add(jq
-                URL "https://s3.amazonaws.com/download.draios.com/dependencies/jq-1.5.tar.gz"
+                URL "http://s3.amazonaws.com/download.draios.com/dependencies/jq-1.5.tar.gz"
                 URL_MD5 "0933532b086bd8b6a41c1b162b1731f9"
                 CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking
                 BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
@@ -134,7 +134,7 @@ else()
 	set(CURSES_LIBRARIES "${CURSES_BUNDLE_DIR}/lib/libncurses.a")
 	message(STATUS "Using bundled ncurses in '${CURSES_BUNDLE_DIR}'")
 	ExternalProject_Add(ncurses
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/ncurses-6.0-20150725.tgz"
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/ncurses-6.0-20150725.tgz"
 		URL_MD5 "32b8913312e738d707ae68da439ca1f4"
 		CONFIGURE_COMMAND ./configure --without-cxx --without-cxx-binding --without-ada --without-manpages --without-progs --without-tests --with-terminfo-dirs=/etc/terminfo:/lib/terminfo:/usr/share/terminfo
 		BUILD_COMMAND ${CMD_MAKE}
@@ -161,7 +161,7 @@ else()
 	set(B64_INCLUDE "${B64_SRC}/include")
 	set(B64_LIB "${B64_SRC}/src/libb64.a")
 	ExternalProject_Add(b64
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/libb64-1.2.src.zip"
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/libb64-1.2.src.zip"
 		URL_MD5 "a609809408327117e2c643bed91b76c5"
 		CONFIGURE_COMMAND ""
 		BUILD_COMMAND ${CMD_MAKE}
@@ -215,7 +215,7 @@ else()
 	message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
 
 	ExternalProject_Add(openssl
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/openssl-1.0.2j.tar.gz"
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/openssl-1.0.2j.tar.gz"
 		URL_MD5 "96322138f0b69e61b7212bc53d5e912b"
 		CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
 		BUILD_COMMAND ${CMD_MAKE}
@@ -246,7 +246,7 @@ else()
 
 	ExternalProject_Add(curl
 		DEPENDS openssl
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/curl-7.56.0.tar.bz2"
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/curl-7.56.0.tar.bz2"
 		URL_MD5 "e0caf257103e0c77cee5be7e9ac66ca4"
 		CONFIGURE_COMMAND ./configure ${CURL_SSL_OPTION} --disable-shared --enable-optimize --disable-curldebug --disable-rt --enable-http --disable-ftp --disable-file --disable-ldap --disable-ldaps --disable-rtsp --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb --disable-smtp --disable-gopher --disable-sspi --disable-ntlm-wb --disable-tls-srp --without-winssl --without-darwinssl --without-polarssl --without-cyassl --without-nss --without-axtls --without-ca-path --without-ca-bundle --without-libmetalink --without-librtmp --without-winidn --without-libidn --without-nghttp2 --without-libssh2 --disable-threaded-resolver
 		BUILD_COMMAND ${CMD_MAKE}
@@ -280,7 +280,7 @@ else()
 	set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
 	set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
 	ExternalProject_Add(luajit
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/LuaJIT-2.0.3.tar.gz"
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/LuaJIT-2.0.3.tar.gz"
 		URL_MD5 "f14e9104be513913810cd59c8c658dc0"
 		CONFIGURE_COMMAND ""
 		BUILD_COMMAND ${CMD_MAKE}
@@ -310,7 +310,7 @@ else()
 	endif()
 	ExternalProject_Add(lpeg
 		DEPENDS ${LPEG_DEPENDENCIES}
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/lpeg-1.0.0.tar.gz"
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/lpeg-1.0.0.tar.gz"
 		URL_MD5 "0aec64ccd13996202ad0c099e2877ece"
 		BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
 		BUILD_IN_SOURCE 1
@@ -345,7 +345,7 @@ else()
 	set(LIBYAML_LIB "${LIBYAML_SRC}/.libs/libyaml.a")
 	message(STATUS "Using bundled libyaml in '${LIBYAML_SRC}'")
 	ExternalProject_Add(libyaml
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/libyaml-0.1.4.tar.gz"
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/libyaml-0.1.4.tar.gz"
 		URL_MD5 "4a4bced818da0b9ae7fc8ebc690792a7"
 		BUILD_COMMAND ${CMD_MAKE}
 		BUILD_IN_SOURCE 1
@@ -381,7 +381,7 @@ else()
 	endif()
 	ExternalProject_Add(lyaml
 		DEPENDS ${LYAML_DEPENDENCIES}
-		URL "https://s3.amazonaws.com/download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
                 URL_MD5 "dc3494689a0dce7cf44e7a99c72b1f30"
                 BUILD_COMMAND ${CMD_MAKE}
                 BUILD_IN_SOURCE 1

README.md

@@ -2,7 +2,7 @@
 
 #### Latest release
 
-**v0.8.1**
+**v0.9.0**
 Read the [change log](https://github.com/draios/falco/blob/dev/CHANGELOG.md)
 
 Dev Branch: [![Build Status](https://travis-ci.org/draios/falco.svg?branch=dev)](https://travis-ci.org/draios/falco)<br />

rules/falco_rules.yaml

@@ -183,10 +183,10 @@
 # interpreted by the filter expression.
 - list: rpm_binaries
   items: [dnf, rpm, rpmkey, yum, '"75-system-updat"', rhsmcertd-worke, subscription-ma,
-          repoquery, rpmkeys, rpmq]
+          repoquery, rpmkeys, rpmq, yum-cron]
 
 - macro: rpm_procs
-  condition: proc.name in (rpm_binaries)
+  condition: proc.name in (rpm_binaries) or proc.name in (salt-minion)
 
 - list: deb_binaries
   items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, apt, apt-get, aptitude,
@@ -389,9 +389,10 @@
 
 - macro: parent_python_running_denyhosts
   condition: >
-    (proc.pname=python and
-    (proc.pcmdline contains /usr/sbin/denyhosts or
-     proc.pcmdline contains /usr/local/bin/denyhosts.py))
+    (proc.cmdline startswith "denyhosts.py /usr/bin/denyhosts.py" or
+     (proc.pname=python and
+     (proc.pcmdline contains /usr/sbin/denyhosts or
+      proc.pcmdline contains /usr/local/bin/denyhosts.py)))
 
 - macro: parent_python_running_sdchecks
   condition: >
@@ -587,6 +588,9 @@
 - macro: python_mesos_marathon_scripting
   condition: (proc.pcmdline startswith "python3 /marathon-lb/marathon_lb.py")
 
+- macro: splunk_running_forwarder
+  condition: (proc.pname=splunkd and proc.cmdline startswith "sh -c /opt/splunkforwarder")
+
 - macro: parent_running_datastax
   condition: ((proc.pname=java and proc.pcmdline contains "-jar datastax-agent") or
               (proc.pcmdline startswith "nodetool /opt/dse/bin/"))
@@ -612,8 +616,8 @@
 - macro: htpasswd_writing_passwd
   condition: (proc.name=htpasswd and fd.name=/etc/nginx/.htpasswd)
 
-- macro: dmeventd_writing_lvm_archive
-  condition: (proc.name=dmeventd and (fd.name startswith /etc/lvm/archive or
+- macro: lvprogs_writing_lvm_archive
+  condition: (proc.name in (dmeventd,lvcreate) and (fd.name startswith /etc/lvm/archive or
                                       fd.name startswith /etc/lvm/backup))
 - macro: ovsdb_writing_openvswitch
   condition: (proc.name=ovsdb-server and fd.directory=/etc/openvswitch)
@@ -637,6 +641,18 @@
 - macro: countly_writing_nginx_conf
   condition: (proc.cmdline startswith "nodejs /opt/countly/bin" and fd.name startswith /etc/nginx)
 
+- list: veritas_binaries
+  items: [vxconfigd, sfcache, vxclustadm, vxdctl, vxprint, vxdmpadm, vxdisk, vxdg, vxassist, vxtune]
+
+- macro: veritas_driver_script
+  condition: (proc.cmdline startswith "perl /opt/VRTSsfmh/bin/mh_driver.pl")
+
+- macro: veritas_progs
+  condition: (proc.name in (veritas_binaries) or veritas_driver_script)
+
+- macro: veritas_writing_config
+  condition: (veritas_progs and fd.name startswith /etc/vx)
+
 - macro: exe_running_docker_save
   condition: (container and proc.cmdline startswith "exe /var/lib/docker" and proc.pname in (dockerd, docker))
 
@@ -783,7 +799,7 @@
     and not supervise_writing_status
     and not pki_realm_writing_realms
     and not htpasswd_writing_passwd
-    and not dmeventd_writing_lvm_archive
+    and not lvprogs_writing_lvm_archive
     and not ovsdb_writing_openvswitch
     and not datadog_writing_conf
     and not curl_writing_pki_db
@@ -802,14 +818,14 @@
     and not countly_writing_nginx_conf
 
 - rule: Write below etc
-  desc: an attempt to write to any file below /etc, not in a pipe installer session
-  condition: write_etc_common and not proc.sname=fbash
+  desc: an attempt to write to any file below /etc
+  condition: write_etc_common
   output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name name=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])"
   priority: ERROR
   tags: [filesystem]
 
 - list: known_root_files
-  items: [/root/.monit.state, /root/.auth_tokens, /root/.bash_history, /root/.aws/credentials,
+  items: [/root/.monit.state, /root/.auth_tokens, /root/.bash_history, /root/.ash_history, /root/.aws/credentials,
           /root/.viminfo.tmp, /root/.lesshst, /root/.bzr.log, /root/.gitconfig.lock]
 
 - list: known_root_directories
@@ -823,11 +839,13 @@
               or fd.name startswith /root/.ivy2
               or fd.name startswith /root/.config/Cypress
               or fd.name startswith /root/.config/pulse
+              or fd.name startswith /root/.config/configstore
               or fd.name startswith /root/jenkins/workspace
               or fd.name startswith /root/.jenkins
               or fd.name startswith /root/.cache
               or fd.name startswith /root/.sbt
               or fd.name startswith /root/.java
+              or fd.name startswith /root/.glide
               or fd.name startswith /root/.sonar)
 
 - rule: Write below root
@@ -842,16 +860,6 @@
   priority: ERROR
   tags: [filesystem]
 
-# Within a fbash session, the severity is lowered to INFO
-- rule: Write below etc in installer
-  desc: an attempt to write to any file below /etc, in a pipe installer session
-  condition: write_etc_common and proc.sname=fbash
-  output: >
-    File below /etc opened for writing (user=%user.name command=%proc.cmdline
-    file=%fd.name) within pipe installer session
-  priority: INFO
-  tags: [filesystem]
-
 - macro: cmp_cp_by_passwd
   condition: proc.name in (cmp, cp) and proc.pname in (passwd, run-parts)
 
@@ -871,7 +879,8 @@
   items: [
     iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd,
     vsftpd, systemd, mysql_install_d, psql, screen, debconf-show, sa-update,
-    pam-auth-update, /usr/sbin/spamd, polkit-agent-he, lsattr, file
+    pam-auth-update, /usr/sbin/spamd, polkit-agent-he, lsattr, file, sosreport,
+    scxcimservera
     ]
 
 # Add conditions to this macro (probably in a separate file,
@@ -904,6 +913,7 @@
     and not run_by_chef
     and not user_read_sensitive_file_conditions
     and not perl_running_plesk
+    and not veritas_driver_script
   output: >
     Sensitive file opened for reading by non-trusted program (user=%user.name name=%proc.name
     command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
@@ -918,11 +928,18 @@
   priority: ERROR
   tags: [filesystem, software_mgmt]
 
+- macro: postgres_running_wal_e
+  condition: (proc.pname=postgres and proc.cmdline startswith "sh -c envdir /etc/wal-e.d/env /usr/local/bin/wal-e")
+
 - rule: DB program spawned process
   desc: >
     a database-server related program spawned a new process other than itself.
     This shouldn\'t occur and is a follow on from some SQL injection attacks.
-  condition: proc.pname in (db_server_binaries) and spawned_process and not proc.name in (db_server_binaries)
+  condition: >
+    proc.pname in (db_server_binaries)
+    and spawned_process
+    and not proc.name in (db_server_binaries)
+    and not postgres_running_wal_e
   output: >
     Database-related program spawned process other than itself (user=%user.name
     program=%proc.cmdline parent=%proc.pname)
@@ -986,7 +1003,7 @@
 
 - list: known_shell_spawn_binaries
   items: [
-    sshd, sudo, su, tmux, screen, emacs, systemd, login, flock, fbash,
+    sshd, sudo, su, tmux, screen, emacs, systemd, login, flock,
     nginx, monit, supervisord, dragent, aws, awslogs, initdb, docker-compose,
     configure, awk, falco, fail2ban-server, fleetctl,
     logrotate, ansible, less, adduser, pycompile, py3compile,
@@ -1014,7 +1031,7 @@
 - list: protected_shell_spawning_binaries
   items: [
     http_server_binaries, db_server_binaries, nosql_server_binaries, mail_binaries,
-    fluentd, flanneld, splunkd, consul, runsv
+    fluentd, flanneld, splunkd, consul, smbd, runsv
     ]
 
 - macro: parent_java_running_zookeeper
@@ -1050,8 +1067,11 @@
 - macro: nginx_starting_nginx
   condition: (proc.pname=nginx and proc.cmdline contains "/usr/sbin/nginx -c /etc/nginx/nginx.conf")
 
-- macro: consul_running_curl
-  condition: (proc.pname=consul and proc.cmdline startswith "sh -c curl")
+- macro: consul_running_net_scripts
+  condition: (proc.pname=consul and (proc.cmdline startswith "sh -c curl" or proc.cmdline startswith "sh -c nc"))
+
+- macro: consul_running_alert_checks
+  condition: (proc.pname=consul and proc.cmdline startswith "sh -c /bin/consul-alerts")
 
 - macro: serf_script
   condition: (proc.cmdline startswith "sh -c serf")
@@ -1084,18 +1104,22 @@
     and proc.pname exists
     and protected_shell_spawner
     and not proc.pname in (shell_binaries, gitlab_binaries, cron_binaries, user_known_shell_spawn_binaries,
+                           needrestart_binaries,
                            erl_child_setup, exechealthz,
                            PM2, PassengerWatchd, c_rehash, svlogd, logrotate, hhvm, serf,
                            lb-controller, nvidia-installe, runsv, statsite)
     and not proc.cmdline in (known_shell_spawn_cmdlines)
     and not proc.aname in (unicorn_launche)
-    and not consul_running_curl
+    and not consul_running_net_scripts
+    and not consul_running_alert_checks
     and not nginx_starting_nginx
     and not run_by_package_mgmt_binaries
     and not serf_script
     and not check_process_status
     and not run_by_foreman
     and not python_mesos_marathon_scripting
+    and not splunk_running_forwarder
+    and not postgres_running_wal_e
     and not user_shell_container_exclusions
   output: >
     Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname
@@ -1114,7 +1138,10 @@
               container.image startswith quay.io/coreos/flannel or
               container.image startswith gcr.io/google_containers/kube-proxy or
               container.image startswith calico/node or
-              container.image startswith rook/toolbox)
+              container.image startswith rook/toolbox or
+              container.image startswith registry.access.redhat.com/openshift3/logging-fluentd or
+              container.image startswith registry.access.redhat.com/openshift3/logging-elasticsearch or
+              container.image startswith cloudnativelabs/kube-router)
 
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to specify additional containers that are
@@ -1350,7 +1377,11 @@
               (user.name=postfix and evt.arg.uid=postfix) or
               (user.name=pki-agent and evt.arg.uid=pki-agent) or
               (user.name=pki-acme and evt.arg.uid=pki-acme) or
-              (user.name=nfsnobody and evt.arg.uid=nfsnobody))
+              (user.name=nfsnobody and evt.arg.uid=nfsnobody) or
+              (user.name=postgres and evt.arg.uid=postgres))
+
+- macro: nrpe_becoming_nagios
+  condition: (proc.name=nrpe and evt.arg.uid=nagios)
 
 # In containers, the user name might be for a uid that exists in the
 # container but not on the host. (See
@@ -1371,6 +1402,7 @@
     and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
                           nomachine_binaries)
     and not java_running_sdjagent
+    and not nrpe_becoming_nagios
   output: >
     Unexpected setuid call by non-sudo, non-root program (user=%user.name cur_uid=%user.uid parent=%proc.pname
     command=%proc.cmdline uid=%evt.arg.uid)
@@ -1419,53 +1451,52 @@
   priority: ERROR
   tags: [filesystem]
 
-# fbash is a small shell script that runs bash, and is suitable for use in curl <curl> | fbash installers.
-- rule: Installer bash starts network server
-  desc: an attempt by a program in a pipe installer session to start listening for network connections
-  condition: evt.type=listen and proc.sname=fbash
-  output: "Unexpected listen call by a process in a fbash session (command=%proc.cmdline)"
+
+# In a local/user rules file, you could override this macro to
+# explicitly enumerate the container images that you want to allow
+# access to EC2 metadata. In this main falco rules file, there isn't
+# any way to know all the containers that should have access, so any
+# container is alllowed, by repeating the "container" macro. In the
+# overridden macro, the condition would look something like
+# (container.image startswith vendor/container-1 or container.image
+# startswith vendor/container-2 or ...)
+- macro: ec2_metadata_containers
+  condition: container
+
+# On EC2 instances, 169.254.169.254 is a special IP used to fetch
+# metadata about the instance. It may be desirable to prevent access
+# to this IP from containers.
+- rule: Contact EC2 Instance Metadata Service From Container
+  desc: Detect attempts to contact the EC2 Instance Metadata Service from a container
+  condition: outbound and fd.sip="169.254.169.254" and container and not ec2_metadata_containers
+  output: Outbound connection to EC2 instance metadata service (command=%proc.cmdline connection=%fd.name %container.info image=%container.image)
   priority: NOTICE
-  tags: [network]
+  tags: [network, aws, container]
 
-- rule: Installer bash starts session
-  desc: an attempt by a program in a pipe installer session to start a new session
-  condition: evt.type=setsid and proc.sname=fbash
-  output: "Unexpected setsid call by a process in fbash session (command=%proc.cmdline)"
+# In a local/user rules file, you should override this macro with the
+# IP address of your k8s api server. The IP 1.2.3.4 is a placeholder
+# IP that is not likely to be seen in practice.
+- macro: k8s_api_server
+  condition: (fd.sip="1.2.3.4" and fd.sport=8080)
+
+# In a local/user rules file, list the container images that are
+# allowed to contact the K8s API Server from within a container. This
+# might cover cases where the K8s infrastructure itself is running
+# within a container.
+- macro: k8s_containers
+  condition: >
+    (container.image startswith gcr.io/google_containers/hyperkube-amd64 or
+     container.image startswith gcr.io/google_containers/kube2sky or
+     container.image startswith sysdig/agent or
+     container.image startswith sysdig/falco or
+     container.image startswith sysdig/sysdig)
+
+- rule: Contact K8S API Server From Container
+  desc: Detect attempts to contact the K8S API Server from a container
+  condition: outbound and k8s_api_server and container and not k8s_containers
+  output: Unexpected connection to K8s API Server from container (command=%proc.cmdline %container.info image=%container.image connection=%fd.name)
   priority: NOTICE
-  tags: [process]
-
-- rule: Installer bash non https connection
-  desc: an attempt by a program in a pipe installer session to make an outgoing connection on a non-http(s) port
-  condition: proc.sname=fbash and outbound and not fd.sport in (80, 443, 53)
-  output: >
-    Outbound connection on non-http(s) port by a process in a fbash session
-    (command=%proc.cmdline connection=%fd.name)
-  priority: NOTICE
-  tags: [network]
-
-# It'd be nice if we could warn when processes in a fbash session try
-# to download from any nonstandard location? This is probably blocked
-# on https://github.com/draios/falco/issues/88 though.
-
-# Notice when processes try to run chkconfig/systemctl.... to install a service.
-# Note: this is not a WARNING, as you'd expect some service management
-# as a part of doing the installation.
-- rule: Installer bash manages service
-  desc: an attempt by a program in a pipe installer session to manage a system service (systemd/chkconfig)
-  condition: evt.type=execve and proc.name in (chkconfig, systemctl) and proc.sname=fbash
-  output: "Service management program run by process in a fbash session (command=%proc.cmdline)"
-  priority: INFO
-  tags: [software_mgmt]
-
-# Notice when processes try to run any package management binary within a fbash session.
-# Note: this is not a WARNING, as you'd expect some package management
-# as a part of doing the installation
-- rule: Installer bash runs pkgmgmt program
-  desc: an attempt by a program in a pipe installer session to run a package management binary
-  condition: evt.type=execve and package_mgmt_procs and proc.sname=fbash
-  output: "Package management program run by process in a fbash session (command=%proc.cmdline)"
-  priority: INFO
-  tags: [software_mgmt]
+  tags: [network, k8s, container]
 
 ###########################
 # Application-Related Rules

test/falco_traces.yaml.in

@@ -59,44 +59,6 @@ traces: !mux
       - "Modify binary dirs": 2
       - "Change thread namespace": 2
 
-  installer-fbash-manages-service:
-    trace_file: traces-info/installer-fbash-manages-service.scap
-    detect: True
-    detect_level: INFO
-    detect_counts:
-      - "Installer bash manages service": 4
-
-  installer-bash-non-https-connection:
-    trace_file: traces-positive/installer-bash-non-https-connection.scap
-    detect: True
-    detect_level: NOTICE
-    detect_counts:
-      - "Installer bash non https connection": 1
-
-  installer-fbash-runs-pkgmgmt:
-    trace_file: traces-info/installer-fbash-runs-pkgmgmt.scap
-    detect: True
-    detect_level: [NOTICE, INFO]
-    detect_counts:
-      - "Installer bash runs pkgmgmt program": 4
-      - "Installer bash non https connection": 4
-
-  installer-bash-starts-network-server:
-    trace_file: traces-positive/installer-bash-starts-network-server.scap
-    detect: True
-    detect_level: NOTICE
-    detect_counts:
-      - "Installer bash starts network server": 2
-      - "Installer bash non https connection": 3
-
-  installer-bash-starts-session:
-    trace_file: traces-positive/installer-bash-starts-session.scap
-    detect: True
-    detect_level: NOTICE
-    detect_counts:
-      - "Installer bash starts session": 1
-      - "Installer bash non https connection": 3
-
   mkdir-binary-dirs:
     trace_file: traces-positive/mkdir-binary-dirs.scap
     detect: True
@@ -111,13 +73,6 @@ traces: !mux
     detect_counts:
       - "Modify binary dirs": 1
 
-  modify-package-repo-list-installer:
-    trace_file: traces-info/modify-package-repo-list-installer.scap
-    detect: True
-    detect_level: INFO
-    detect_counts:
-      - "Write below etc in installer": 1
-
   non-sudo-setuid:
     trace_file: traces-positive/non-sudo-setuid.scap
     detect: True
@@ -181,13 +136,6 @@ traces: !mux
     detect_counts:
       - "Write below etc": 1
 
-  write-etc-installer:
-    trace_file: traces-info/write-etc-installer.scap
-    detect: True
-    detect_level: INFO
-    detect_counts:
-      - "Write below etc in installer": 1
-
   write-rpm-database:
     trace_file: traces-positive/write-rpm-database.scap
     detect: True