mirror of
https://github.com/falcosecurity/falco.git
synced 2026-04-05 03:22:41 +00:00
139ee56af7
Adding docker-compose based example of man-in-the-middle attack against installation scripts and how it can be detected using sysdig falco. The docker-compose environment starts a good web server, compromised nginx installation, evil web server, and a copy of sysdig falco. The README walks through the process of compromising a client by using curl http://localhost/get-software.sh | bash and detecting the compromise using ./fbash. The fbash program included in this example fixes https://github.com/draios/falco/issues/46.
52 lines
1.2 KiB
YAML
52 lines
1.2 KiB
YAML
# Owned by software vendor, serving install-software.sh.
|
|
apache:
|
|
container_name: apache
|
|
image: httpd:2.4
|
|
volumes:
|
|
- ${PWD}/web_root:/usr/local/apache2/htdocs
|
|
|
|
# Owned by software vendor, compromised by attacker.
|
|
nginx:
|
|
container_name: mitm_nginx
|
|
image: nginx:latest
|
|
links:
|
|
- apache
|
|
ports:
|
|
- "80:80"
|
|
volumes:
|
|
- ${PWD}/nginx.conf:/etc/nginx/nginx.conf:ro
|
|
|
|
# Owned by attacker.
|
|
evil_apache:
|
|
container_name: evil_apache
|
|
image: httpd:2.4
|
|
volumes:
|
|
- ${PWD}/evil_web_root:/usr/local/apache2/htdocs
|
|
ports:
|
|
- "9090:80"
|
|
|
|
# Owned by attacker, constantly trying to contact client.
|
|
attacker_botnet_master:
|
|
container_name: attacker_botnet_master
|
|
image: alpine:latest
|
|
net: host
|
|
volumes:
|
|
- ${PWD}/botnet_master.sh:/tmp/botnet_master.sh
|
|
command:
|
|
- /tmp/botnet_master.sh
|
|
|
|
# Owned by client, detects attack by attacker
|
|
falco:
|
|
container_name: falco
|
|
image: sysdig/falco:latest
|
|
privileged: true
|
|
volumes:
|
|
- /var/run/docker.sock:/host/var/run/docker.sock
|
|
- /dev:/host/dev
|
|
- /proc:/host/proc:ro
|
|
- /boot:/host/boot:ro
|
|
- /lib/modules:/host/lib/modules:ro
|
|
- /usr:/host/usr:ro
|
|
- ${PWD}/../../rules/falco_rules.yaml:/etc/falco_rules.yaml
|
|
tty: true
|