mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-21 19:44:57 +00:00
* Let supervisor write more generally below /etc
* Let perl+plesk scripts run shells/write below etc
* Allow spaces after some cmdlines
* Add additional shell spawner.
* Add addl package mgmt binaries.
* Add addl cases for java + jenkins. Addl jar files to consider.
* Add addl jenkins-related cmdlines. Mostly related to node scripts run by jenkins
* Let python running some mesos tasks spawn shells. In this case marathon run by python
* Let ucf write below etc. Only below /etc/gconf for now.
* Let dpkg-reconfigur indirectly write below /etc. It may run programs that modify files below /etc
* Add files/dirs/prefixes for writes below root. Build a set of acceptable files/dirs/prefixes for writes below /root. Mostly triggered by apps that run directly as root.
* Add addl shell spawn binaries.
* Also let java + sbt spawn shells in containers. Not seen only at host level
* Make sure the file below etc is /etc/. Make sure the file below /etc is really below the directory etc aka /etc/xxx. Otherwise it would match a file /etcfoo.
* Let rancher healthcheck spawn shells. The name healthcheck is relatively innocuous so also look at the parent process.
* Add addl shell container shell spawn binaries
* Add addl x2go binaries
* Let rabbitq write its config files
* Let rook write below /etc. toolbox.sh is fairly generic so add a condition based on the image name.
* Let consul-template spawn shells
* Add rook/toolbox as a trusted container. Their github pages recommend running privileged.
* Add addl mail binary that can setuid
* Let plesk autoinstaller spawn shells. The name autoinstaller is fairly generic so also look at the parent.
* Let php handlers write its config
* Let addl pkg-* binary write to /etc indirectly
* Add additional shell spawning binaries.
* Add ability to specify user trusted containers. New macro user_trusted_containers allows a user-provided set of containers that are trusted and are allowed to run privileged.
* If npm runs node, let node spawn shells
* Let python run airflow via a shell.
* Add addl passenger commandlines (for shells)
* Add addl ways datadog can be run
* Let find run shells in containers.
* Add rpmq as a rpm binary
* Let httpd write below /etc/httpd/
* Let awstats/sa-update spawn shells
* Add container entrypoint as a shell. Some images have an extra shell level for image entrypoints.
* Add an additional jenkins commandline
* Let mysql write its config
* Let openvpn write its config
* Add addl root dirs/files. Also move /root/.java to be a general prefix.
* Let mysql_upgrade/opkg-cl spawn shells
* Allow login to perform dns lookups. When run with -h <host> to specify a remote host, some versions of login will do a dns lookup to try to resolve the host.
* Let consul-template write haproxy config.
* Also let mysql indirectly edit its config. It might spawn a program to edit the config in addition to directly.
* Allow certain sed temp files below /etc/
* Allow debian binaries to indirectly write to /etc. They may spawn programs like sed, touch, etc to change files below /etc.
* Add additional root file
* Let rancher healthcheck be run more indirectly. The grandparent as well as parent of healthcheck can be tini.
* Add more cases for haproxy writing config. Allow more files as well as more scripts to update the config.
* Let vmtoolsd spawn shells on the host
* Add an additional innocuous entrypoint shell
* Let peer-finder (mongodb) spawn shells
* Split application rules to separate file. Move the contents of application rules, which have never been enabled by default, to a separate file. It's only installed in the main falco packages.
* Add more build-related command lines
* Let perl running openresty spawn shells
* Let countly write nginx config
* Let confd spawn shells
* Also let aws spawn shells in containers.
170 lines
7.2 KiB
YAML

################################################################
# By default all application-related rules are disabled for
# performance reasons. Depending on the application(s) you use,
# uncomment the corresponding rule definitions for
# application-specific activity monitoring.
################################################################

# Elasticsearch ports
- macro: elasticsearch_cluster_port
  condition: fd.sport=9300
- macro: elasticsearch_api_port
  condition: fd.sport=9200
- macro: elasticsearch_port
  condition: elasticsearch_cluster_port or elasticsearch_api_port

# - rule: Elasticsearch unexpected network inbound traffic
#   desc: inbound network traffic to elasticsearch on a port other than the standard ports
#   condition: user.name = elasticsearch and inbound and not elasticsearch_port
#   output: "Inbound network traffic to Elasticsearch on unexpected port (connection=%fd.name)"
#   priority: WARNING

# - rule: Elasticsearch unexpected network outbound traffic
#   desc: outbound network traffic from elasticsearch on a port other than the standard ports
#   condition: user.name = elasticsearch and outbound and not elasticsearch_cluster_port
#   output: "Outbound network traffic from Elasticsearch on unexpected port (connection=%fd.name)"
#   priority: WARNING


# ActiveMQ ports
- macro: activemq_cluster_port
  condition: fd.sport=61616
- macro: activemq_web_port
  condition: fd.sport=8161
- macro: activemq_port
  condition: activemq_web_port or activemq_cluster_port

# - rule: Activemq unexpected network inbound traffic
#   desc: inbound network traffic to activemq on a port other than the standard ports
#   condition: user.name = activemq and inbound and not activemq_port
#   output: "Inbound network traffic to ActiveMQ on unexpected port (connection=%fd.name)"
#   priority: WARNING

# - rule: Activemq unexpected network outbound traffic
#   desc: outbound network traffic from activemq on a port other than the standard ports
#   condition: user.name = activemq and outbound and not activemq_cluster_port
#   output: "Outbound network traffic from ActiveMQ on unexpected port (connection=%fd.name)"
#   priority: WARNING


# Cassandra ports
# https://docs.datastax.com/en/cassandra/2.0/cassandra/security/secureFireWall_r.html
- macro: cassandra_thrift_client_port
  condition: fd.sport=9160
- macro: cassandra_cql_port
  condition: fd.sport=9042
- macro: cassandra_cluster_port
  condition: fd.sport=7000
- macro: cassandra_ssl_cluster_port
  condition: fd.sport=7001
- macro: cassandra_jmx_port
  condition: fd.sport=7199
- macro: cassandra_port
  condition: >
    cassandra_thrift_client_port or
    cassandra_cql_port or cassandra_cluster_port or
    cassandra_ssl_cluster_port or cassandra_jmx_port

# - rule: Cassandra unexpected network inbound traffic
#   desc: inbound network traffic to cassandra on a port other than the standard ports
#   condition: user.name = cassandra and inbound and not cassandra_port
#   output: "Inbound network traffic to Cassandra on unexpected port (connection=%fd.name)"
#   priority: WARNING

# - rule: Cassandra unexpected network outbound traffic
#   desc: outbound network traffic from cassandra on a port other than the standard ports
#   condition: user.name = cassandra and outbound and not (cassandra_ssl_cluster_port or cassandra_cluster_port)
#   output: "Outbound network traffic from Cassandra on unexpected port (connection=%fd.name)"
#   priority: WARNING

# Couchdb ports
# https://github.com/davisp/couchdb/blob/master/etc/couchdb/local.ini
- macro: couchdb_httpd_port
  condition: fd.sport=5984
- macro: couchdb_httpd_ssl_port
  condition: fd.sport=6984
# xxx can't tell what clustering ports are used. not writing rules for this
# yet.

# Fluentd ports
- macro: fluentd_http_port
  condition: fd.sport=9880
- macro: fluentd_forward_port
  condition: fd.sport=24224

# - rule: Fluentd unexpected network inbound traffic
#   desc: inbound network traffic to fluentd on a port other than the standard ports
#   condition: user.name = td-agent and inbound and not (fluentd_forward_port or fluentd_http_port)
#   output: "Inbound network traffic to Fluentd on unexpected port (connection=%fd.name)"
#   priority: WARNING

# - rule: Tdagent unexpected network outbound traffic
#   desc: outbound network traffic from fluentd on a port other than the standard ports
#   condition: user.name = td-agent and outbound and not fluentd_forward_port
#   output: "Outbound network traffic from Fluentd on unexpected port (connection=%fd.name)"
#   priority: WARNING

# Gearman ports
# http://gearman.org/protocol/
# - rule: Gearman unexpected network outbound traffic
#   desc: outbound network traffic from gearman on a port other than the standard ports
#   condition: user.name = gearman and outbound and not fd.sport = 4730
#   output: "Outbound network traffic from Gearman on unexpected port (connection=%fd.name)"
#   priority: WARNING

# Zookeeper
- macro: zookeeper_port
  condition: fd.sport = 2181

# Kafka ports
# - rule: Kafka unexpected network inbound traffic
#   desc: inbound network traffic to kafka on a port other than the standard ports
#   condition: user.name = kafka and inbound and fd.sport != 9092
#   output: "Inbound network traffic to Kafka on unexpected port (connection=%fd.name)"
#   priority: WARNING

# Memcached ports
# - rule: Memcached unexpected network inbound traffic
#   desc: inbound network traffic to memcached on a port other than the standard ports
#   condition: user.name = memcached and inbound and fd.sport != 11211
#   output: "Inbound network traffic to Memcached on unexpected port (connection=%fd.name)"
#   priority: WARNING

# - rule: Memcached unexpected network outbound traffic
#   desc: any outbound network traffic from memcached. memcached never initiates outbound connections.
#   condition: user.name = memcached and outbound
#   output: "Unexpected Memcached outbound connection (connection=%fd.name)"
#   priority: WARNING


# MongoDB ports
- macro: mongodb_server_port
  condition: fd.sport = 27017
- macro: mongodb_shardserver_port
  condition: fd.sport = 27018
- macro: mongodb_configserver_port
  condition: fd.sport = 27019
- macro: mongodb_webserver_port
  condition: fd.sport = 28017

# - rule: Mongodb unexpected network inbound traffic
#   desc: inbound network traffic to mongodb on a port other than the standard ports
#   condition: >
#     user.name = mongodb and inbound and not (mongodb_server_port or
#     mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port)
#   output: "Inbound network traffic to MongoDB on unexpected port (connection=%fd.name)"
#   priority: WARNING

# MySQL ports
# - rule: Mysql unexpected network inbound traffic
#   desc: inbound network traffic to mysql on a port other than the standard ports
#   condition: user.name = mysql and inbound and fd.sport != 3306
#   output: "Inbound network traffic to MySQL on unexpected port (connection=%fd.name)"
#   priority: WARNING

# - rule: HTTP server unexpected network inbound traffic
#   desc: inbound network traffic to a http server program on a port other than the standard ports
#   condition: proc.name in (http_server_binaries) and inbound and fd.sport != 80 and fd.sport != 443
#   output: "Inbound network traffic to HTTP Server on unexpected port (connection=%fd.name)"
#   priority: WARNING
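The rules above are disabled by default, and it is easy to misjudge what they would and would not alert on once uncommented: inbound traffic is tolerated on any documented service port, but the outbound rules exempt only the cluster/peer ports, and memcached is never expected to open an outbound connection at all. The following is an added example, not code from Falco or from this rules file: a small Python model that mirrors the boolean structure of the Elasticsearch, Cassandra and Memcached conditions and runs them over constructed connection events. Falco's own engine parses the YAML; the `ConnEvent` type, the `direction` field that stands in for Falco's base `inbound`/`outbound` macros, and the sample addresses are assumptions made for the example.

```python
"""Added example (not part of Falco or of application_rules.yaml): a small
model of how the port macros and the commented-out rules compose, run over
constructed connection events.

Falco's engine evaluates the YAML conditions itself; this only mirrors their
boolean structure so the exemptions are easy to reason about and test. The
`inbound`/`outbound` macros live in Falco's base ruleset and are modelled
here as an event field `direction` (assumption for this example).
"""
from dataclasses import dataclass
from typing import Callable, List, NamedTuple, Tuple


@dataclass(frozen=True)
class ConnEvent:
    """Constructed stand-in for the Falco fields the rules reference."""
    user: str        # user.name
    direction: str   # "inbound" | "outbound" (stands in for the inbound/outbound macros)
    sport: int       # fd.sport, the server-side port of the connection
    name: str        # fd.name, e.g. "10.0.0.5:51234->10.0.0.9:7000"


Predicate = Callable[[ConnEvent], bool]


def port_macro(*ports: int) -> Predicate:
    """Equivalent of a macro whose condition is 'fd.sport=A or fd.sport=B ...'."""
    allowed = frozenset(ports)
    return lambda e: e.sport in allowed


# Port macros, mirroring the YAML above
elasticsearch_port = port_macro(9300, 9200)                 # elasticsearch_port
cassandra_cluster_ports = port_macro(7000, 7001)            # cassandra_cluster_port or cassandra_ssl_cluster_port
cassandra_port = port_macro(9160, 9042, 7000, 7001, 7199)   # cassandra_port


def inbound(e: ConnEvent) -> bool:
    return e.direction == "inbound"


def outbound(e: ConnEvent) -> bool:
    return e.direction == "outbound"


class Rule(NamedTuple):
    name: str
    condition: Predicate
    output: str        # %fd.name written as a Python format field
    priority: str


# The commented-out rules, expressed as predicates. Note the asymmetry the
# file encodes: inbound may arrive on any documented service port, outbound
# is only expected towards cluster/peer ports, and memcached is never
# expected to initiate an outbound connection.
RULES: List[Rule] = [
    Rule("Elasticsearch unexpected network inbound traffic",
         lambda e: e.user == "elasticsearch" and inbound(e) and not elasticsearch_port(e),
         "Inbound network traffic to Elasticsearch on unexpected port (connection={name})", "WARNING"),
    Rule("Cassandra unexpected network inbound traffic",
         lambda e: e.user == "cassandra" and inbound(e) and not cassandra_port(e),
         "Inbound network traffic to Cassandra on unexpected port (connection={name})", "WARNING"),
    Rule("Cassandra unexpected network outbound traffic",
         lambda e: e.user == "cassandra" and outbound(e) and not cassandra_cluster_ports(e),
         "Outbound network traffic from Cassandra on unexpected port (connection={name})", "WARNING"),
    Rule("Memcached unexpected network inbound traffic",
         lambda e: e.user == "memcached" and inbound(e) and e.sport != 11211,
         "Inbound network traffic to Memcached on unexpected port (connection={name})", "WARNING"),
    Rule("Memcached unexpected network outbound traffic",
         lambda e: e.user == "memcached" and outbound(e),
         "Unexpected Memcached outbound connection (connection={name})", "WARNING"),
]


def evaluate(event: ConnEvent) -> List[Tuple[str, str, str]]:
    """Return (rule name, priority, rendered output) for every rule that fires."""
    return [(r.name, r.priority, r.output.format(name=event.name))
            for r in RULES if r.condition(event)]


def fired(event: ConnEvent) -> List[str]:
    """Just the names of the rules that fire, for quick checks."""
    return [name for name, _, _ in evaluate(event)]


if __name__ == "__main__":
    # Constructed events; the addresses are made up for the example.
    samples = [
        ConnEvent("cassandra", "inbound", 9042, "10.0.0.5:51234->10.0.0.9:9042"),    # CQL client: quiet
        ConnEvent("cassandra", "inbound", 8080, "10.0.0.5:51235->10.0.0.9:8080"),    # unexpected listener
        ConnEvent("cassandra", "outbound", 9042, "10.0.0.9:40001->10.0.0.7:9042"),   # CQL is not a peer port
        ConnEvent("cassandra", "outbound", 7001, "10.0.0.9:40002->10.0.0.7:7001"),   # SSL gossip: quiet
        ConnEvent("memcached", "outbound", 11211, "10.0.0.9:40003->10.0.0.8:11211"), # memcached never dials out
    ]
    for ev in samples:
        print(f"{ev.user:>13} {ev.direction:<8} {ev.sport:<5} -> {fired(ev) or 'no alert'}")
```

The model makes the third sample the instructive one: a Cassandra node connecting out to another node's CQL port 9042 is flagged, because the outbound rule only exempts 7000/7001, even though 9042 is in `cassandra_port`. Anyone enabling these rules on a cluster that uses CQL between nodes should expect that alert and decide whether to widen the exemption in a local override.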