#############
# Definitions
#############
# File actions
# Macro: a write() syscall whose target fd is a file or directory (socket writes excluded).
write: (syscall.type=write and fd.type in (file, directory))
# Macro: the enter side (evt.dir=>) of a read() on a file or directory fd.
read: (syscall.type=read and evt.dir=> and fd.type in (file, directory))
# Macro: any rename() event; no evt.dir filter, so both enter and exit match.
rename: syscall.type = rename
# Macro: any mkdir() event (enter and exit).
mkdir: syscall.type = mkdir
# Macro: file/directory removal syscalls. NOTE(review): "unlink_at" is spelled as listed
# here; confirm it matches the event name the engine emits, otherwise that clause is dead.
remove: syscall.type in (remove, rmdir, unlink, unlink_at)
# Macro: any structural change to the filesystem (rename, mkdir or remove). Plain writes
# are covered separately by the "write" macro.
modify: rename or mkdir or remove
# File categories
# Macro: fd refers to a pseudo-terminal (the ptmx master or a /dev/pts slave).
# Not referenced by any rule in this file.
terminal_file_fd: fd.name=/dev/ptmx or fd.directory=/dev/pts
# Macro: the fd's directory is exactly one of the system binary dirs. Exact match, so
# subdirectories and /usr/local/bin are not covered by this definition.
bin_dir: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
# Macro: mkdir path argument (presumably evt.arg[0]) mentions a binary dir. "contains" is a
# substring test, so e.g. /home/x/bin also matches; the /bin clause already subsumes /usr/bin.
bin_dir_mkdir: evt.arg[0] contains /bin or evt.arg[0] contains /sbin or evt.arg[0] contains /usr/bin or evt.arg[0] contains /usr/sbin
# Macro: rename destination (presumably evt.arg[1], the new path) mentions a binary dir.
# Same substring caveat as bin_dir_mkdir.
bin_dir_rename: evt.arg[1] contains /bin or evt.arg[1] contains /sbin or evt.arg[1] contains /usr/bin or evt.arg[1] contains /usr/sbin
# Macro: expected shared-object dirs on Debian/Ubuntu multiarch layouts. Hard-coded to
# x86_64, so other architectures will be flagged by the ".so from wrong place" rule.
# The first clause is a substring match and already covers /usr/lib/x86_64-linux-gnu.
ubuntu_so_dirs: fd.directory contains /lib/x86_64-linux-gnu or fd.directory contains /usr/lib/x86_64-linux-gnu or fd.directory contains /usr/lib/sudo
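# Macro: expected shared-object dirs on CentOS/RHEL-style layouts (substring matches).
# Fixed the typo "/user/lib64" -> "/usr/lib64": the old clause could never match a real
# path. /usr/lib64 was already caught by the "contains /lib64" clause, so this makes the
# intent explicit rather than changing which events match.
centos_so_dirs: fd.directory contains /lib64 or fd.directory contains /usr/lib64 or fd.directory contains /usr/libexec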
# Macro: process name is one of the GNU coreutils programs. "touch" is listed twice
# (harmless in a set). proc.name is the process's name, not a verified path, so this
# is an approximation of "a coreutils binary is running".
coreutils_binaries: proc.name in (truncate, sha1sum, numfmt, fmt, fold, uniq, cut, who, groups, csplit, sort, expand, printf, printenv, unlink, tee, chcon, stat, basename, split, nice, yes, whoami, sha224sum, hostid, users, stdbuf, base64, unexpand, cksum, od, paste, nproc, pathchk, sha256sum, wc, test, comm, arch, du, factor, sha512sum, md5sum, tr, runcon, env, dirname, tsort, join, shuf, install, logname, pinky, nohup, expr, pr, tty, timeout, tail, [, seq, sha384sum, nl, head, id, mkfifo, sum, dircolors, ptx, shred, tac, link, chroot, vdir, chown, touch, ls, dd, uname, true, pwd, date, chgrp, chmod, mktemp, cat, mknod, sync, ln, false, rm, mv, cp, echo, readlink, sleep, stty, mkdir, df, dir, rmdir, touch)
# Network
# Macro: server-side network activity: listen() on enter, or accept() on exit
# (the exit side is used so the accepted connection's fd is available).
inbound: (syscall.type=listen and evt.dir=>) or (syscall.type=accept and evt.dir=<)
# Macro: client-side network activity (connect() exit or sendto() enter) on an IPv4 (4)
# or IPv6 (6) socket. Not referenced by any rule in this file.
outbound: ((syscall.type=connect and evt.dir=<) or (syscall.type=sendto and evt.dir=>)) and (fd.typechar=4 or fd.typechar=6)
# Macro: local port is the ActiveMQ broker (OpenWire) port.
active_mq_port: fd.lport=61616
# Macro: local port is the ActiveMQ web console port.
active_mq_web_port: fd.lport=8161
# Macro: either ActiveMQ port. Not referenced by any rule in this file.
active_mq: active_mq_port or active_mq_web_port
# Macro: local port is the Cassandra Thrift client port.
cassandra_thrift_client_port: fd.lport=9160
# Macro: local port is the Cassandra CQL native transport port.
cassandra_cql_port: fd.lport=9042
# Macro: either Cassandra port. Not referenced by any rule in this file.
cassandra_port: cassandra_thrift_client_port or cassandra_cql_port
# Macro: local port is the Elasticsearch node-to-node transport port.
elasticsearch_cluster_port: fd.lport=9300
# Macro: local port is the Elasticsearch HTTP API port.
elasticsearch_api_port: fd.lport=9200
# Macro: either Elasticsearch port; used as the allow-list in the "bad rip" rule below.
elasticsearch_port: elasticsearch_cluster_port or elasticsearch_api_port
# Macro: local port is the default SSH port; a daemon on a non-default port is not matched.
ssh_port: fd.lport=22
# Ssh
# Macro: the event's data buffer carries an sshd failure marker. Substring matches on
# message text, so a change in sshd's log wording silently breaks this detection.
ssh_error_message: evt.arg.data contains "Invalid user" or evt.arg.data contains "preauth"
# System
# Macro: kernel module load/unload syscalls. Not referenced by any rule in this file
# (finit_module is not listed).
modules: syscall.type in (delete_module, init_module)
# Macro: the event originates inside a container (container.id is "host" otherwise).
container: container.id != host
# Macro: "interactive" is defined as having sshd anywhere in the process ancestry.
# Console/getty logins and other remote-access daemons do not count under this definition.
interactive: proc.aname=sshd
# Macro: the fd is the local syslog socket.
syslog: fd.name = /dev/log
#######
# Rules
#######
# Don't write to binary dirs
# Rule: file write whose fd lives directly in a system binary dir (see bin_dir for the
# exact-match caveat). Output: "<condition> | <message with %field substitutions>".
write and bin_dir | Write to bin dir (%proc.name %evt.dir %evt.type %evt.args %fd.name)
# Don't modify binary dirs
# Rule: rename/mkdir targeting a binary dir. Note "modify" also includes remove, but no
# *_remove path macro exists, so deletions in bin dirs are not matched by this rule.
modify and (bin_dir_rename or bin_dir_mkdir) | Modify bin dir (%proc.name %evt.dir %evt.type %evt.args %fd.name)
# Don't load shared objects coming from unexpected places
# Rule: read of a ".so" file outside the known library dirs. "contains .so" is a substring
# test, so names such as *.sock also match; expect noise from those.
read and fd.name contains .so and not (ubuntu_so_dirs or centos_so_dirs) | .so from wrong place (%proc.name %evt.dir %evt.type %evt.args %fd.name)
# Attempts to access things that shouldn't be accessible
# Disabled: somewhat noisy, needs duplicate suppression before enabling
# evt.res = EACCES | EACCESS (%proc.name %evt.dir %evt.type %evt.args %fd.name)
# Assumes this host is a node running elasticsearch: inbound connections are expected only on SSH and Elasticsearch ports
# Rule: inbound activity on a port other than SSH/Elasticsearch, unless the peer is
# loopback. NOTE(review): fd.rip is presumably unset on the listen() enter event, so that
# branch of "inbound" may always pass the loopback exclusion — confirm.
inbound and not (ssh_port or elasticsearch_port) and not fd.rip="127.0.0.1" | bad rip (%proc.name %evt.dir %evt.type %evt.args %fd.name)
# Only sysdig and docker can call setns
# Rule: setns() from anything other than docker or sysdig. The allow-list keys on
# proc.name (the process's name), which is not a verified identity.
syscall.type = setns and not proc.name in (docker, sysdig) | Unexpected setns (%proc.name %evt.dir %evt.type %evt.args %fd.name)
# Shells should only be run by cron or sshd
# Rule: bash whose parent is not one of the expected launchers. Only bash is matched;
# sh/dash/zsh are not covered by this rule.
proc.name = bash and not proc.pname in (bash, sshd, cron, sudo, su, tmux) | Unexpected shell (%proc.name %evt.dir %evt.type %evt.args %fd.name)
# Anything run interactively (under sshd) by root
# Rule: any event (except context switches) by root in a process descended from sshd,
# excluding sshd itself. Fires per event, so this is high-volume by design.
evt.type != switch and user.name = root and proc.name != sshd and interactive | Interactive root (%proc.name %evt.dir %evt.type %evt.args %fd.name)
# Chmod should only be run interactively (by a user)
# Rule: chmod() not under an sshd ancestry. Only the chmod syscall is listed; fchmod and
# fchmodat are not matched.
syscall.type = chmod and not interactive | non-interactive chmod (%proc.name %evt.dir %evt.type %evt.args %fd.name)
# Shells in a container
# Rule: bash running inside a container. Same bash-only limitation as "Unexpected shell".
container and proc.name = bash | shell in a container (%proc.name %evt.dir %evt.type %evt.args %fd.name)
# Network traffic to/from standard utils
# Rule: a coreutils-named process touching an IPv4/IPv6 socket fd. Any event on such an
# fd matches, not only connect/send.
(fd.typechar = 4 or fd.typechar=6) and coreutils_binaries | network traffic to %proc.name (%proc.name %evt.dir %evt.type %evt.args %fd.name)
# SSH errors (failed logins, disconnects, ...)
# Rule: exit side of a write to /dev/log whose payload carries an sshd failure marker.
# Unlike the rules above, the action is an output.syslog() call rather than a format string.
syslog and ssh_error_message and evt.dir = < | output.syslog(evt, "warning", "sshd: %proc.name %evt.arg.data")