mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-21 11:29:26 +00:00
248 lines
14 KiB
Plaintext
248 lines
14 KiB
Plaintext
#############
|
|
# Definitions
|
|
#############
|
|
|
|
# File actions
|
|
write: (syscall.type=write and fd.type in (file, directory))
|
|
read: (syscall.type=read and evt.dir=> and fd.type in (file, directory))
|
|
rename: syscall.type = rename
|
|
mkdir: syscall.type = mkdir
|
|
remove: syscall.type in (remove, rmdir, unlink, unlink_at)
|
|
|
|
modify: rename or mkdir or remove
|
|
|
|
|
|
# File categories
|
|
terminal_file_fd: fd.name=/dev/ptmx or fd.directory=/dev/pts
|
|
bin_dir: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
|
|
|
|
bin_dir_mkdir: evt.arg[0] contains /bin or evt.arg[0] contains /sbin or evt.arg[0] contains /usr/bin or evt.arg[0] contains /usr/sbin
|
|
bin_dir_rename: evt.arg[1] contains /bin or evt.arg[1] contains /sbin or evt.arg[1] contains /usr/bin or evt.arg[1] contains /usr/sbin
|
|
|
|
etc_dir: fd.directory contains /etc
|
|
|
|
ubuntu_so_dirs: fd.directory contains /lib/x86_64-linux-gnu or fd.directory contains /usr/lib/x86_64-linux-gnu or fd.directory contains /usr/lib/sudo
|
|
centos_so_dirs: fd.directory contains /lib64 or fd.directory contains /user/lib64 or fd.directory contains /usr/libexec
|
|
|
|
coreutils_binaries: proc.name in (truncate, sha1sum, numfmt, fmt, fold, uniq, cut, who, groups, csplit, sort, expand, printf, printenv, unlink, tee, chcon, stat, basename, split, nice, yes, whoami, sha224sum, hostid, users, stdbuf, base64, unexpand, cksum, od, paste, nproc, pathchk, sha256sum, wc, test, comm, arch, du, factor, sha512sum, md5sum, tr, runcon, env, dirname, tsort, join, shuf, install, logname, pinky, nohup, expr, pr, tty, timeout, tail, [, seq, sha384sum, nl, head, id, mkfifo, sum, dircolors, ptx, shred, tac, link, chroot, vdir, chown, touch, ls, dd, uname, true, pwd, date, chgrp, chmod, mktemp, cat, mknod, sync, ln, false, rm, mv, cp, echo, readlink, sleep, stty, mkdir, df, dir, rmdir, touch)
|
|
adduser_binaries: proc.name in (adduser, deluser, addgroup, delgroup)
|
|
login_binaries: proc.name in (bin, login, su, sbin, nologin, bin, faillog, lastlog, newgrp, sg)
|
|
|
|
# dpkg -L passwd | grep bin | xargs -L 1 basename | tr "\\n" ","
|
|
passwd_binaries: proc.name in (sbin, shadowconfig, sbin, grpck, pwunconv, grpconv, pwck, groupmod, vipw, pwconv, useradd, newusers, cppw, chpasswd, usermod, groupadd, groupdel, grpunconv, chgpasswd, userdel, bin, chage, chsh, gpasswd, chfn, expiry, passwd, vigr, cpgr)
|
|
|
|
# repoquery -l shadow-utils | grep bin | xargs -L 1 basename | tr "\\n" ","
|
|
shadowutils_binaries: proc.name in (chage,gpasswd,lastlog,newgrp,sg,adduser,chpasswd,groupadd,groupdel,groupmems,groupmod,grpck,grpconv,grpunconv,newusers,pwck,pwconv,pwunconv,useradd,userdel,usermod,vigr,vipw)
|
|
|
|
system_binaries: coreutils_binaries or adduser_binaries or login_binaries or passwd_binaries or shadowutils_binaries
|
|
|
|
sensitive_files: fd.name contains /etc/passwd or fd.name = /etc/sudoers or fd.directory = /etc/sudoers.d or fd.directory = /etc/pam.d or fd.name = /etc/pam.conf
|
|
|
|
|
|
# Network
|
|
inbound: (syscall.type=listen and evt.dir=>) or (syscall.type=accept and evt.dir=<)
|
|
outbound: ((syscall.type=connect and evt.dir=<) or (syscall.type=sendto and evt.dir=>)) and (fd.typechar=4 or fd.typechar=6)
|
|
|
|
ssh_port: fd.lport=22
|
|
|
|
# Ssh
|
|
ssh_error_message: evt.arg.data contains "Invalid user" or evt.arg.data contains "preauth"
|
|
|
|
# System
|
|
modules: syscall.type in (delete_module, init_module)
|
|
container: container.id != host
|
|
interactive: (proc.aname=sshd and proc.name != sshd) or proc.name=systemd-logind
|
|
syslog: fd.name = /dev/log
|
|
not_cron: proc.name != cron
|
|
|
|
# System users that should never log into a system. Consider adding your own
|
|
# service users (e.g. 'apache' or 'mysqld') here.
|
|
system_users: user.name in (bin, daemon, games, lp, mail, nobody, sshd, sync, uucp, www-data)
|
|
|
|
|
|
#######
|
|
# Rules
|
|
#######
|
|
|
|
# Don't write to binary dirs
|
|
evt.dir = > and write and bin_dir | WARNING Write to bin dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
# Don't write to /etc
|
|
evt.dir = > and write and etc_dir | WARNING Write to etc dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
# Don't read 'sensitive' files
|
|
read and not proc.name in (sshd, sudo, su) and not_cron and sensitive_files | WARNING Read sensitive file (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
# Don't modify binary dirs
|
|
modify and (bin_dir_rename or bin_dir_mkdir) | WARNING Modify bin dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
# Don't load shared objects coming from unexpected places
|
|
read and fd.name contains .so and not (ubuntu_so_dirs or centos_so_dirs) | WARNING Loaded .so from unexpected dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
# Attempts to access things that shouldn't be
|
|
evt.res = EACCES | INFO System call returned EACCESS (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
# Only sysdig and docker can call setns
|
|
syscall.type = setns and not proc.name in (docker, sysdig) | WARNING Unexpected setns (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
# Shells should only be run by cron or sshd
|
|
proc.name = bash and not proc.pname in (bash, sshd, cron, sudo, su, tmux) | WARNING Unexpected shell (%user.name %proc.name %proc.pname %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
# Anything run interactively by root
|
|
# evt.type != switch and user.name = root and proc.name != sshd and interactive | WARNING Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
# Anything run interactively by a non-login user
|
|
system_users and interactive | WARNING Sytem user ran an interactive command (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
# Chmod should only be run interactively (by a user)
|
|
syscall.type = chmod and not interactive | WARNING non-interactive chmod (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
# Shells in a container
|
|
container and proc.name = bash | WARNING shell in a container (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
# Network traffic to/from standard utils
|
|
# sockfamily ip is to exclude certain processes (like 'groups') that communicate on unix-domain sockets
|
|
fd.sockfamily = ip and system_binaries | WARNING network traffic to %proc.name (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
# SSH errors (failed logins, disconnects, ..)
|
|
syslog and ssh_error_message and evt.dir = < | WARNING sshd error (%proc.name %evt.arg.data)
|
|
|
|
# Non-sudo setuid
|
|
evt.type=setuid and not_cron and not proc.name in (sudo, sshd) | WARNING unexpected setuid call by non-sudo (%user.name %proc.name %evt.dir %evt.type %evt.args)
|
|
|
|
# User management (su and sudo are ok)
|
|
not proc.name in (su, sudo) and (adduser_binaries or login_binaries or passwd_binaries or shadowutils_binaries) | WARNING user-management binary command run (%user.name %proc.name %evt.dir %evt.type %evt.args)
|
|
|
|
# Some rootkits hide files in /dev
|
|
# (we may need to add additional checks against false positives, see: https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/86153)
|
|
(evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null | WARNING file created in /dev (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
# Elasticsearch ports
|
|
elasticsearch_cluster_port: fd.sport=9300
|
|
elasticsearch_api_port: fd.sport=9200
|
|
elasticsearch_port: elasticsearch_cluster_port or elasticsearch_api_port
|
|
user.name = elasticsearch and inbound and not elasticsearch_port | WARNING Unexpected Elasticsearch inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
user.name = elasticsearch and outbound and not elasticsearch_cluster_port | WARNING Unexpected Elasticsearch outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
|
|
# ActiveMQ ports
|
|
activemq_cluster_port: fd.sport=61616
|
|
activemq_web_port: fd.sport=8161
|
|
activemq_port: activemq_web_port or activemq_cluster_port
|
|
user.name = activemq and inbound and not activemq_port | WARNING Unexpected ActiveMQ inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
user.name = activemq and outbound and not activemq_cluster_port | WARNING Unexpected ActiveMQ outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
|
|
# Cassandra ports
|
|
# https://docs.datastax.com/en/cassandra/2.0/cassandra/security/secureFireWall_r.html
|
|
cassandra_thrift_client_port: fd.sport=9160
|
|
cassandra_cql_port: fd.sport=9042
|
|
cassandra_cluster_port: fd.sport=7000
|
|
cassandra_ssl_cluster_port: fd.sport=7001
|
|
cassandra_jmx_port: fd.sport=7199
|
|
cassandra_port: cassandra_thrift_client_port or cassandra_cql_port or cassandra_cluster_port or cassandra_ssl_cluster_port or cassandra_jmx_port
|
|
|
|
user.name = cassandra and inbound and not cassandra_port | WARNING Unexpected Cassandra inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
user.name = cassandra and outbound and not (cassandra_ssl_cluster_port or cassandra_cluster_port) | WARNING Unexpected Cassandra outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
# Couchbase ports
|
|
# http://docs.couchbase.com/admin/admin/Install/install-networkPorts.html
|
|
# Web Administration Port
|
|
couchbase_web_port: fd.sport=8091
|
|
# Couchbase API Port
|
|
couchbase_api_port: fd.sport=8092
|
|
# Internal/External Bucket Port for SSL
|
|
couchbase_ssl_bucket_port: fd.sport=11207
|
|
# Internal Bucket Port
|
|
couchbase_bucket_port: fd.sport=11209
|
|
# Internal/External Bucket Port
|
|
couchbase_bucket_port_ie: fd.sport=11210
|
|
# Client interface (proxy)
|
|
couchbase_client_interface_port: fd.sport=11211
|
|
# Incoming SSL Proxy
|
|
couchbase_incoming_ssl: fd.sport=11214
|
|
# Internal Outgoing SSL Proxy
|
|
couchbase_outgoing_ssl: fd.sport=11215
|
|
# Internal REST HTTPS for SSL
|
|
couchbase_internal_rest_port: fd.sport=18091
|
|
# Internal CAPI HTTPS for SSL
|
|
couchbase_internal_capi_port: fd.sport=18092
|
|
# Erlang Port Mapper ( epmd )
|
|
couchbase_epmd_port: fd.sport=4369
|
|
# Node data exchange
|
|
couchbase_dataexchange_port: fd.sport>=21100 and fd.sport<=21299
|
|
|
|
couchbase_internal_port: couchbase_bucket_port or couchbase_epmd_port or couchbase_dataexchange_port
|
|
couchbase_port: couchbase_web_port or couchbase_api_port or couchbase_ssl_bucket_port or couchbase_internal_port or couchbase_bucket_port_ie or couchbase_client_interface_port or couchbase_incoming_ssl or couchbase_outgoing_ssl or couchbase_internal_rest_port or couchbase_internal_capi_port
|
|
|
|
user.name = couchbase and inbound and not couchbase_port | WARNING Unexpected Couchbase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
user.name = couchbase and outbound and not couchbase_internal_port | WARNING Unexpected Couchbase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
|
|
# Couchdb ports
|
|
# https://github.com/davisp/couchdb/blob/master/etc/couchdb/local.ini
|
|
couchdb_httpd_port: fd.sport=5984
|
|
couchdb_httpd_ssl_port: fd.sport=6984
|
|
# xxx can't tell what clustering ports are used. not writing rules for this
|
|
# yet.
|
|
|
|
# Etcd ports
|
|
etcd_client_port: fd.sport=2379
|
|
etcd_peer_port: fd.sport=2380
|
|
# need to double-check which user etcd runs as
|
|
user.name = etcd and inbound and not (etcd_client_port or etcd_peer_port) | WARNING Unexpected Etcd inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
user.name = etcd and outbound and not couchbase_internal_port | WARNING Unexpected Etcd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
|
|
# Fluentd ports
|
|
fluentd_http_port: fd.sport=9880
|
|
fluentd_forward_port: fd.sport=24224
|
|
user.name = td-agent and inbound and not (fluentd_forward_port or fluentd_http_port) | WARNING Unexpected Fluentd inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
user.name = td-agent and outbound and not fluentd_forward_port | WARNING Unexpected Fluentd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
# Gearman ports
|
|
# http://gearman.org/protocol/
|
|
user.name = gearman and outbound and outbound and not fd.sport = 4730 | WARNING Unexpected Gearman outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
# Zookeeper
|
|
zookeeper_port: fd.sport = 2181
|
|
|
|
# HBase ports
|
|
# http://blog.cloudera.com/blog/2013/07/guide-to-using-apache-hbase-ports/
|
|
hbase_master_port: fd.sport = 60000
|
|
hbase_master_info_port: fd.sport = 60010
|
|
hbase_regionserver_port: fd.sport = 60020
|
|
hbase_regionserver_info_port: fd.sport = 60030
|
|
hbase_rest_port: fd.sport = 8080
|
|
hbase_rest_info_port: fd.sport = 8085
|
|
hbase_regionserver_thrift_port: fd.sport = 9090
|
|
hbase_thrift_info_port: fd.sport = 9095
|
|
|
|
# If you're not running HBase under the 'hbase' user, adjust first expression
|
|
# in each rule below
|
|
user.name = hbase and inbound and not (hbase_master_port or hbase_master_info_port or hbase_regionserver_port or hbase_regionserver_info_port or hbase_rest_port or hbase_rest_info_port or hbase_regionserver_thrift_port or hbase_thrift_info_port) | WARNING Unexpected HBase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
user.name = hbase and outbound and not (zookeeper_port or hbase_master_port or hbase_regionserver_port) | WARNING Unexpected HBase outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
|
|
# Kafka ports
|
|
user.name = kafka and inbound and fd.sport != 9092 | WARNING Unexpected Kafka inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
# Memcached ports
|
|
user.name = memcached and inbound and fd.sport != 11211 | WARNING Unexpected Memcached inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
user.name = memcached and outbound | WARNING Unexpected Memcached outbound connection (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
|
|
# MongoDB ports
|
|
mongodb_server_port: fd.sport = 27017
|
|
mongodb_shardserver_port: fd.sport = 27018
|
|
mongodb_configserver_port: fd.sport = 27019
|
|
mongodb_webserver_port: fd.sport = 28017
|
|
user.name = mongodb and inbound and not (mongodb_server_port or mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port) | WARNING Unexpected MongoDB inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
# MySQL ports
|
|
user.name = mysql and inbound and fd.sport != 3306 | WARNING Unexpected MySQL inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|
|
|
|
# HTTP server
|
|
http_server: proc.name in (nginx, httpd, lighttpd)
|
|
http_server and inbound and fd.sport != 80 and fd.sport != 443 | WARNING Unexpected HTTP server inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
|