A new macro package_mgmt_binaries includes dpkg and rpm. Those programs are allowed to create directories and modify files below binary directories. I'm not adding them to other trusted sets for now, though.
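#############
# Definitions
#############

# File actions

# Currently disabled as read/write are ignored syscalls. The nearly
# similar open_write/open_read check for files being opened for
# reading/writing.
# - macro: write
#   condition: (syscall.type=write and fd.type in (file, directory))
# - macro: read
#   condition: (syscall.type=read and evt.dir=> and fd.type in (file, directory))

# open/openat of a regular file (fd.typechar 'f') with a flag that implies
# the file may be written, truncated or (re)created.
- macro: open_write
  condition: >
    (evt.type=open or evt.type=openat) and
    fd.typechar='f' and
    (evt.arg.flags contains O_WRONLY or
    evt.arg.flags contains O_RDWR or
    evt.arg.flags contains O_CREAT or
    evt.arg.flags contains O_TRUNC)

# open/openat of a regular file with a flag that allows reading.
- macro: open_read
  condition: >
    (evt.type=open or evt.type=openat) and
    fd.typechar='f' and
    (evt.arg.flags contains O_RDONLY or
    evt.arg.flags contains O_RDWR)

# NOTE(review): only the plain syscalls are matched here; the *at
# variants (renameat, mkdirat) are not covered by these two macros.
- macro: rename
  condition: syscall.type = rename

- macro: mkdir
  condition: syscall.type = mkdir

# The Linux syscall is spelled unlinkat (no underscore), so that is the
# event name matched here. "remove" is kept as originally written.
- macro: remove
  condition: syscall.type in (remove, rmdir, unlink, unlinkat)

# Any rename or removal; used together with the bin_dir_* macros below.
- macro: modify
  condition: rename or remove

- macro: spawn_process
  condition: syscall.type = execve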
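# File categories
- macro: terminal_file_fd
  condition: fd.name=/dev/ptmx or fd.directory=/dev/pts

# Exact match on the containing directory: only files directly inside one
# of the four binary directories (not their subdirectories) qualify.
- macro: bin_dir
  condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)

# Substring matches on the path argument, so these are broader than
# bin_dir: any path containing "/bin/" or "/sbin/" anywhere (for example
# /usr/local/bin/x or /home/u/bin/x) also matches. Tighten if that is
# not intended.
- macro: bin_dir_mkdir
  condition: evt.arg[0] contains /bin/ or evt.arg[0] contains /sbin/ or evt.arg[0] contains /usr/bin/ or evt.arg[0] contains /usr/sbin/
- macro: bin_dir_rename
  condition: evt.arg[1] contains /bin/ or evt.arg[1] contains /sbin/ or evt.arg[1] contains /usr/bin/ or evt.arg[1] contains /usr/sbin/

# "contains /etc" also matches e.g. /usr/local/etc or /home/u/etc.
- macro: etc_dir
  condition: fd.directory contains /etc

- macro: ubuntu_so_dirs
  condition: fd.directory contains /lib/x86_64-linux-gnu or fd.directory contains /usr/lib/x86_64-linux-gnu or fd.directory contains /usr/lib/sudo
# Typo fixed: /user/lib64 -> /usr/lib64. Note that "contains /lib64"
# already covers /usr/lib64 as a substring, so the fix is for clarity
# rather than a change in what matches.
- macro: centos_so_dirs
  condition: fd.directory contains /lib64 or fd.directory contains /usr/lib64 or fd.directory contains /usr/libexec
- macro: linux_so_dirs
  condition: ubuntu_so_dirs or centos_so_dirs or fd.name=/etc/ld.so.cache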
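# Program categories. All of these match on proc.name only, so any
# process carrying one of these names satisfies the macro, whatever
# executable it actually is.
- macro: coreutils_binaries
  condition: >
    proc.name in (truncate, sha1sum, numfmt, fmt, fold, uniq, cut, who,
    groups, csplit, sort, expand, printf, printenv, unlink, tee, chcon, stat,
    basename, split, nice, yes, whoami, sha224sum, hostid, users, stdbuf,
    base64, unexpand, cksum, od, paste, nproc, pathchk, sha256sum, wc, test,
    comm, arch, du, factor, sha512sum, md5sum, tr, runcon, env, dirname,
    tsort, join, shuf, install, logname, pinky, nohup, expr, pr, tty, timeout,
    tail, [, seq, sha384sum, nl, head, id, mkfifo, sum, dircolors, ptx, shred,
    tac, link, chroot, vdir, chown, touch, ls, dd, uname, true, pwd, date,
    chgrp, chmod, mktemp, cat, mknod, sync, ln, false, rm, mv, cp, echo,
    readlink, sleep, stty, mkdir, df, dir, rmdir)

- macro: adduser_binaries
  condition: proc.name in (adduser, deluser, addgroup, delgroup)

# The "bin"/"sbin" entries the dpkg -L pipeline below produces from the
# /bin, /sbin and /usr/sbin directory entries were dropped from this list
# and from passwd_binaries: they are directory basenames, not programs.
- macro: login_binaries
  condition: proc.name in (login, su, nologin, faillog, lastlog, newgrp, sg)

# dpkg -L passwd | grep bin | xargs -L 1 basename | tr "\\n" ","
# (directory basenames bin/sbin removed from the pipeline output)
- macro: passwd_binaries
  condition: >
    proc.name in (shadowconfig, grpck, pwunconv, grpconv, pwck,
    groupmod, vipw, pwconv, useradd, newusers, cppw, chpasswd, usermod,
    groupadd, groupdel, grpunconv, chgpasswd, userdel, chage, chsh,
    gpasswd, chfn, expiry, passwd, vigr, cpgr)

# repoquery -l shadow-utils | grep bin | xargs -L 1 basename | tr "\\n" ","
- macro: shadowutils_binaries
  condition: >
    proc.name in (chage, gpasswd, lastlog, newgrp, sg, adduser, chpasswd,
    groupadd, groupdel, groupmems, groupmod, grpck, grpconv, grpunconv,
    newusers, pwck, pwconv, pwunconv, useradd, userdel, usermod, vigr, vipw)

- macro: docker_binaries
  condition: proc.name in (docker, exe)

- macro: http_server_binaries
  condition: proc.name in (nginx, httpd, httpd-foregroun, lighttpd)

- macro: db_server_binaries
  condition: proc.name in (mysqld)

# Programs treated as trusted by the read_sensitive_file_* rules.
- macro: server_binaries
  condition: http_server_binaries or db_server_binaries or docker_binaries or proc.name in (sshd)

# Package managers are exempted from modify_binary_dirs and
# mkdir_binary_dirs. The exemption is by proc.name only; it is not
# applied to any other trusted set.
- macro: package_mgmt_binaries
  condition: proc.name in (dpkg, rpm)

# A canonical set of processes that run other programs with different
# privileges or as a different user.
- macro: userexec_binaries
  condition: proc.name in (sudo, su)

- macro: system_binaries
  condition: coreutils_binaries or adduser_binaries or login_binaries or passwd_binaries or shadowutils_binaries

- macro: mail_binaries
  condition: proc.name in (sendmail, postfix, procmail)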
# Files holding credential, authentication or privilege configuration.
# "contains /etc/shadow" also covers the /etc/shadow- backup copy.
- macro: sensitive_files
  condition: fd.name contains /etc/shadow or fd.name = /etc/sudoers or fd.directory = /etc/sudoers.d or fd.directory = /etc/pam.d or fd.name = /etc/pam.conf

# Indicates that the process is new. Currently detected using time
# since process was started, using a threshold of 5 seconds.
# (5000000000 is the threshold in nanoseconds.)
- macro: proc_is_new
  condition: proc.duration <= 5000000000

# Network
# Server side of a connection: listen (on entry) or accept (on exit).
- macro: inbound
  condition: (syscall.type=listen and evt.dir=>) or (syscall.type=accept and evt.dir=<)

# Currently sendto is an ignored syscall, otherwise this could also check for (syscall.type=sendto and evt.dir=>)
# Client side: connect on exit over an fd of typechar 4 or 6
# (presumably IPv4/IPv6 sockets), so unix-domain connects are excluded.
- macro: outbound
  condition: syscall.type=connect and evt.dir=< and (fd.typechar=4 or fd.typechar=6)

- macro: ssh_port
  condition: fd.lport=22

# Ssh
# Substrings sshd writes to syslog for failed/aborted logins.
- macro: ssh_error_message
  condition: evt.arg.data contains "Invalid user" or evt.arg.data contains "preauth"

# System
- macro: modules
  condition: syscall.type in (delete_module, init_module)
- macro: container
  condition: container.id != host
# A process with an ancestor named sshd (but not sshd itself), or
# systemd-logind.
- macro: interactive
  condition: (proc.aname=sshd and proc.name != sshd) or proc.name=systemd-logind
- macro: syslog
  condition: fd.name = /dev/log
- macro: cron
  condition: proc.name in (cron, crond)
# Direct parent only (proc.pname), unlike the ancestor check above.
- macro: parent_cron
  condition: proc.pname in (cron, crond)

# System users that should never log into a system. Consider adding your own
# service users (e.g. 'apache' or 'mysqld') here.
- macro: system_users
  condition: user.name in (bin, daemon, games, lp, mail, nobody, sshd, sync, uucp, www-data)
#######
# Rules
#######

- rule: write_binary_dir
  desc: an attempt to write to any file below a set of binary directories
  condition: evt.dir = > and open_write and bin_dir
  output: "File below a known binary directory opened for writing (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING

- rule: write_etc
  desc: an attempt to write to any file below /etc
  condition: evt.dir = > and open_write and etc_dir
  output: "File below /etc opened for writing (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING

# The exceptions here (server_binaries, userexec_binaries, cron and the
# inline list) are all keyed on proc.name, so any process that carries
# one of those names is exempt.
- rule: read_sensitive_file_untrusted
  desc: an attempt to read any sensitive file (e.g. files containing user/password/authentication information). Exceptions are made for known trusted programs.
  condition: open_read and not server_binaries and not userexec_binaries and not proc.name in (iptables, ps, systemd-logind, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, bash) and not cron and sensitive_files
  output: "Sensitive file opened for reading by non-trusted program (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING

# Complements the rule above for the trusted set: reads are tolerated
# only within the proc_is_new window (5 s after start).
- rule: read_sensitive_file_trusted_after_startup
  desc: an attempt to read any sensitive file (e.g. files containing user/password/authentication information) by a trusted program after startup. The idea is that trusted programs might read these files at startup to load initial state, but not afterwards.
  condition: open_read and server_binaries and not proc_is_new and sensitive_files
  output: "Sensitive file opened for reading by trusted program after startup (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING

- rule: db_program_spawn_process
  desc: a database-server related program spawning a new process after startup. This shouldn\'t occur and is a followon from some SQL injection attacks.
  condition: db_server_binaries and not proc_is_new and spawn_process
  output: "Database-related program spawned new process after startup (%user.name %proc.name %evt.type %evt.args)"
  priority: WARNING

# NOTE(review): "modify" also covers rmdir/unlink, but bin_dir_rename
# inspects evt.arg[1]; for the removal syscalls the path is not
# necessarily in that argument position, so removals below binary
# directories may never trigger this rule — confirm against the event
# argument layout.
- rule: modify_binary_dirs
  desc: an attempt to modify any file below a set of binary directories.
  condition: modify and bin_dir_rename and not package_mgmt_binaries
  output: "File below known binary directory renamed/removed (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING

- rule: mkdir_binary_dirs
  desc: an attempt to create a directory below a set of binary directories.
  condition: mkdir and bin_dir_mkdir and not package_mgmt_binaries
  output: "Directory below known binary directory created (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING
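# Don't load shared objects coming from unexpected places
# Commenting this out for now--there are lots of shared library
# locations below /usr/lib for things like python, perl, etc. We may
# want to just add /usr/lib to the list, but that is really
# permissive.
# - condition: open_read and fd.name contains .so and not (linux_so_dirs)
#   output: "Loaded .so from unexpected dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
#   priority: WARNING

# The errno name is EACCES (errno 13); the earlier spelling "EACCESS" is
# not an errno name and so could never be matched by evt.res.
- rule: syscall_returns_eaccess
  desc: any system call that returns EACCES. This is not always a strong indication of a problem, hence the INFO priority.
  condition: evt.res = EACCES
  output: "System call returned EACCES (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: INFO

# The exclusion list is by proc.name only.
- rule: change_thread_namespace
  desc: an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns.
  condition: syscall.type = setns and not proc.name in (docker, sysdig, dragent)
  output: "Namespace change (setns) by unexpected program (%user.name %proc.name %evt.type %evt.args)"
  priority: WARNING

# Only "bash" is treated as a shell here; other shells (sh, dash, zsh,
# ...) are not covered by this rule or by run_shell_in_container.
- rule: run_shell_untrusted
  desc: an attempt to spawn a shell by a non-shell program. Exceptions are made for trusted binaries.
  condition: proc.name = bash and evt.dir=< and evt.type in (clone, execve) and proc.pname exists and not parent_cron and not proc.pname in (bash, sshd, sudo, docker, su, tmux, screen, emacs, systemd, flock, fs-bash, nginx, monit, supervisord)
  output: "Shell spawned by untrusted binary (%user.name %proc.name %proc.pname %evt.type %evt.args)"
  priority: WARNING

# Anything run interactively by root
# - condition: evt.type != switch and user.name = root and proc.name != sshd and interactive
#   output: "Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
#   priority: WARNING

- rule: system_user_interactive
  desc: an attempt to run interactive commands by a system (i.e. non-login) user
  condition: system_users and interactive
  output: "System user ran an interactive command (%user.name %proc.name %evt.type %evt.args)"
  priority: WARNING

# NOTE(review): system_binaries matches the *calling* process's name,
# not the file being chmod'ed, and coreutils_binaries includes "chmod"
# itself, so every invocation of the chmod command fires this rule.
# The desc ("chmod any important binary") would need a path check on
# the chmod argument instead. Also, sensitive_files is expressed over
# fd.* fields; confirm they are populated for the path-based chmod
# syscall, and note that fchmod/fchmodat are not covered.
- rule: chmod_sensitive_files
  desc: an attempt to chmod any important binary or sensitive file (e.g. files containing user/password/authentication information)
  condition: syscall.type = chmod and (system_binaries or sensitive_files)
  output: "Permissions change (chmod) on sensitive file/system binary (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING

- rule: run_shell_in_container
  desc: an attempt to spawn a shell by a non-shell program in a container. Container entrypoints are excluded.
  condition: container and proc.name = bash and evt.dir=< and evt.type in (clone, execve) and proc.pname exists and not proc.pname in (bash, docker)
  output: "Shell spawned in a container other than entrypoint (%user.name %container.id %container.name %proc.name %proc.pname %evt.type %evt.args)"
  priority: WARNING

# sockfamily ip is to exclude certain processes (like 'groups') that communicate on unix-domain sockets
- rule: system_binaries_network_activity
  desc: any network activity performed by system binaries that are not expected to send or receive any network traffic
  condition: fd.sockfamily = ip and system_binaries
  output: "Known system binary sent/received network traffic (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING

- rule: ssh_error_syslog
  desc: any ssh errors (failed logins, disconnects, ...) sent to syslog
  condition: syslog and ssh_error_message and evt.dir = <
  output: "sshd sent error message to syslog (%proc.name %evt.arg.data)"
  priority: WARNING

# Only the setuid syscall is matched; setreuid/setresuid are not covered.
- rule: non_sudo_suid
  desc: an attempt to change users by calling setuid. sudo/su are excluded. user "root" is also excluded, as setuid calls typically involve dropping privileges.
  condition: evt.type=setuid and evt.dir=> and not user.name=root and not userexec_binaries
  output: "Unexpected setuid call by non-sudo, non-root program (%user.name %proc.name %evt.type %evt.args)"
  priority: WARNING

# Uses the userexec_binaries macro (sudo, su) for the exclusion, as the
# other rules in this file do; the set is unchanged.
- rule: user_mgmt_binaries
  desc: activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded. Activity in containers is also excluded--some containers create custom users on top of a base linux distribution at startup.
  condition: not userexec_binaries and not container and (adduser_binaries or login_binaries or passwd_binaries or shadowutils_binaries)
  output: "User management binary command run outside of container (%user.name %proc.name %evt.type %evt.args)"
  priority: WARNING

# (we may need to add additional checks against false positives, see: https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/86153)
# fd.directory = /dev is an exact match, so files created in
# subdirectories of /dev are not covered; the blkid exception is by name.
- rule: create_files_below_dev
  desc: creating any files below /dev other than known programs that manage devices. Some rootkits hide files in /dev.
  condition: (evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null
  output: "File created below /dev by untrusted program (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING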
# Elasticsearch ports
# The *_port macros in this and the following sections compare fd.sport,
# the server-side port of the connection: the local listening port for
# inbound, the remote port for outbound.
- macro: elasticsearch_cluster_port
  condition: fd.sport=9300
- macro: elasticsearch_api_port
  condition: fd.sport=9200
- macro: elasticsearch_port
  condition: elasticsearch_cluster_port or elasticsearch_api_port

# The *_unexpected_network_* rules key on user.name, so they only take
# effect when the service runs under the expected account.
- rule: elasticsearch_unexpected_network_inbound
  desc: inbound network traffic to elasticsearch on a port other than the standard ports
  condition: user.name = elasticsearch and inbound and not elasticsearch_port
  output: "Inbound network traffic to Elasticsearch on unexpected port (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING

# Outbound exempts only the cluster port: node-to-node traffic is
# expected, connections out to the API port are not.
- rule: elasticsearch_unexpected_network_outbound
  desc: outbound network traffic from elasticsearch on a port other than the standard ports
  condition: user.name = elasticsearch and outbound and not elasticsearch_cluster_port
  output: "Outbound network traffic from Elasticsearch on unexpected port (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING


# ActiveMQ ports
- macro: activemq_cluster_port
  condition: fd.sport=61616
- macro: activemq_web_port
  condition: fd.sport=8161
- macro: activemq_port
  condition: activemq_web_port or activemq_cluster_port

- rule: activemq_unexpected_network_inbound
  desc: inbound network traffic to activemq on a port other than the standard ports
  condition: user.name = activemq and inbound and not activemq_port
  output: "Inbound network traffic to ActiveMQ on unexpected port (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING

- rule: activemq_unexpected_network_outbound
  desc: outbound network traffic from activemq on a port other than the standard ports
  condition: user.name = activemq and outbound and not activemq_cluster_port
  output: "Outbound network traffic from ActiveMQ on unexpected port (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING
# Cassandra ports
# https://docs.datastax.com/en/cassandra/2.0/cassandra/security/secureFireWall_r.html
- macro: cassandra_thrift_client_port
  condition: fd.sport=9160
- macro: cassandra_cql_port
  condition: fd.sport=9042
- macro: cassandra_cluster_port
  condition: fd.sport=7000
- macro: cassandra_ssl_cluster_port
  condition: fd.sport=7001
- macro: cassandra_jmx_port
  condition: fd.sport=7199
# Every documented listening port; used by the inbound rule only.
- macro: cassandra_port
  condition: cassandra_thrift_client_port or cassandra_cql_port or cassandra_cluster_port or cassandra_ssl_cluster_port or cassandra_jmx_port

- rule: cassandra_unexpected_network_inbound
  desc: inbound network traffic to cassandra on a port other than the standard ports
  condition: user.name = cassandra and inbound and not cassandra_port
  output: "Inbound network traffic to Cassandra on unexpected port (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING

# Outbound exempts only the two inter-node (cluster) ports.
- rule: cassandra_unexpected_network_outbound
  desc: outbound network traffic from cassandra on a port other than the standard ports
  condition: user.name = cassandra and outbound and not (cassandra_ssl_cluster_port or cassandra_cluster_port)
  output: "Outbound network traffic from Cassandra on unexpected port (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING
# Couchbase ports
# http://docs.couchbase.com/admin/admin/Install/install-networkPorts.html
# Web Administration Port
- macro: couchbase_web_port
  condition: fd.sport=8091
# Couchbase API Port
- macro: couchbase_api_port
  condition: fd.sport=8092
# Internal/External Bucket Port for SSL
- macro: couchbase_ssl_bucket_port
  condition: fd.sport=11207
# Internal Bucket Port
- macro: couchbase_bucket_port
  condition: fd.sport=11209
# Internal/External Bucket Port
- macro: couchbase_bucket_port_ie
  condition: fd.sport=11210
# Client interface (proxy)
- macro: couchbase_client_interface_port
  condition: fd.sport=11211
# Incoming SSL Proxy
- macro: couchbase_incoming_ssl
  condition: fd.sport=11214
# Internal Outgoing SSL Proxy
- macro: couchbase_outgoing_ssl
  condition: fd.sport=11215
# Internal REST HTTPS for SSL
- macro: couchbase_internal_rest_port
  condition: fd.sport=18091
# Internal CAPI HTTPS for SSL
- macro: couchbase_internal_capi_port
  condition: fd.sport=18092
# Erlang Port Mapper ( epmd )
- macro: couchbase_epmd_port
  condition: fd.sport=4369
# Node data exchange (inclusive range 21100-21299)
- macro: couchbase_dataexchange_port
  condition: fd.sport>=21100 and fd.sport<=21299

# Ports used between cluster nodes; the only ones exempted for outbound
# traffic.
- macro: couchbase_internal_port
  condition: couchbase_bucket_port or couchbase_epmd_port or couchbase_dataexchange_port
# All listening ports, internal ones included.
- macro: couchbase_port
  condition: >
    couchbase_web_port or couchbase_api_port or couchbase_ssl_bucket_port or
    couchbase_internal_port or couchbase_bucket_port_ie or
    couchbase_client_interface_port or couchbase_incoming_ssl or
    couchbase_outgoing_ssl or couchbase_internal_rest_port or
    couchbase_internal_capi_port

- rule: couchbase_unexpected_network_inbound
  desc: inbound network traffic to couchbase on a port other than the standard ports
  condition: user.name = couchbase and inbound and not couchbase_port
  output: "Inbound network traffic to Couchbase on unexpected port (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING

- rule: couchbase_unexpected_network_outbound
  desc: outbound network traffic from couchbase on a port other than the standard ports
  condition: user.name = couchbase and outbound and not couchbase_internal_port
  output: "Outbound network traffic from Couchbase on unexpected port (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING
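# Couchdb ports
# https://github.com/davisp/couchdb/blob/master/etc/couchdb/local.ini
# (macros only; no CouchDB rule is defined yet, see the note below)
- macro: couchdb_httpd_port
  condition: fd.sport=5984
- macro: couchdb_httpd_ssl_port
  condition: fd.sport=6984
# xxx can't tell what clustering ports are used. not writing rules for this
# yet.

# Etcd ports
- macro: etcd_client_port
  condition: fd.sport=2379
- macro: etcd_peer_port
  condition: fd.sport=2380

# need to double-check which user etcd runs as
- rule: etcd_unexpected_network_inbound
  desc: inbound network traffic to etcd on a port other than the standard ports
  condition: user.name = etcd and inbound and not (etcd_client_port or etcd_peer_port)
  output: "Inbound network traffic to Etcd on unexpected port (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING

# The exclusion previously referenced couchbase_internal_port (copied
# from the Couchbase rule), so this rule exempted Couchbase's internal
# ports and alerted on etcd's own peer traffic. It now follows the other
# *_outbound rules and exempts the member-to-member (peer) port only.
# If the member also dials client ports (e.g. gateway/proxy setups), add
# etcd_client_port to the exclusion — confirm for your deployment.
- rule: etcd_unexpected_network_outbound
  desc: outbound network traffic from etcd on a port other than the standard ports
  condition: user.name = etcd and outbound and not etcd_peer_port
  output: "Outbound network traffic from Etcd on unexpected port (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING


# Fluentd ports
- macro: fluentd_http_port
  condition: fd.sport=9880
- macro: fluentd_forward_port
  condition: fd.sport=24224

# Both fluentd rules key on the td-agent account name.
- rule: fluentd_unexpected_network_inbound
  desc: inbound network traffic to fluentd on a port other than the standard ports
  condition: user.name = td-agent and inbound and not (fluentd_forward_port or fluentd_http_port)
  output: "Inbound network traffic to Fluentd on unexpected port (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING

# Rule name kept as is for compatibility, although the inbound rule above
# uses the fluentd_ prefix.
- rule: tdagent_unexpected_network_outbound
  desc: outbound network traffic from fluentd on a port other than the standard ports
  condition: user.name = td-agent and outbound and not fluentd_forward_port
  output: "Outbound network traffic from Fluentd on unexpected port (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING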
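# Gearman ports
# http://gearman.org/protocol/
# The port is compared inline (4730) rather than through a *_port macro
# as the other services do; the duplicated "outbound and outbound" term
# in the condition has been removed.
- rule: gearman_unexpected_network_outbound
  desc: outbound network traffic from gearman on a port other than the standard ports
  condition: user.name = gearman and outbound and not fd.sport = 4730
  output: "Outbound network traffic from Gearman on unexpected port (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING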
# Zookeeper
# Only used by the HBase outbound rule below; there is no Zookeeper rule.
- macro: zookeeper_port
  condition: fd.sport = 2181

# HBase ports
# http://blog.cloudera.com/blog/2013/07/guide-to-using-apache-hbase-ports/
- macro: hbase_master_port
  condition: fd.sport = 60000
- macro: hbase_master_info_port
  condition: fd.sport = 60010
- macro: hbase_regionserver_port
  condition: fd.sport = 60020
- macro: hbase_regionserver_info_port
  condition: fd.sport = 60030
- macro: hbase_rest_port
  condition: fd.sport = 8080
- macro: hbase_rest_info_port
  condition: fd.sport = 8085
- macro: hbase_regionserver_thrift_port
  condition: fd.sport = 9090
- macro: hbase_thrift_info_port
  condition: fd.sport = 9095

# If you're not running HBase under the 'hbase' user, adjust first expression
# in each rule below
- rule: hbase_unexpected_network_inbound
  desc: inbound network traffic to hbase on a port other than the standard ports
  condition: >
    user.name = hbase and inbound and not (hbase_master_port or
    hbase_master_info_port or hbase_regionserver_port or
    hbase_regionserver_info_port or hbase_rest_port or hbase_rest_info_port or
    hbase_regionserver_thrift_port or hbase_thrift_info_port)
  output: "Inbound network traffic to HBase on unexpected port (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING

# Outbound exempts Zookeeper plus the master and regionserver RPC ports.
- rule: hbase_unexpected_network_outbound
  desc: outbound network traffic from hbase on a port other than the standard ports
  condition: user.name = hbase and outbound and not (zookeeper_port or hbase_master_port or hbase_regionserver_port)
  output: "Outbound network traffic from HBase on unexpected port (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING
# Kafka ports
# Port compared inline (9092) rather than via a *_port macro.
- rule: kafka_unexpected_network_inbound
  desc: inbound network traffic to kafka on a port other than the standard ports
  condition: user.name = kafka and inbound and fd.sport != 9092
  output: "Inbound network traffic to Kafka on unexpected port (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING

# Memcached ports
- rule: memcached_unexpected_network_inbound
  desc: inbound network traffic to memcached on a port other than the standard ports
  condition: user.name = memcached and inbound and fd.sport != 11211
  output: "Inbound network traffic to Memcached on unexpected port (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING

# No port exemption at all: any connect() by the memcached user alerts.
- rule: memcached_network_outbound
  desc: any outbound network traffic from memcached. memcached never initiates outbound connections.
  condition: user.name = memcached and outbound
  output: "Unexpected Memcached outbound connection (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING
# MongoDB ports
- macro: mongodb_server_port
  condition: fd.sport = 27017
- macro: mongodb_shardserver_port
  condition: fd.sport = 27018
- macro: mongodb_configserver_port
  condition: fd.sport = 27019
- macro: mongodb_webserver_port
  condition: fd.sport = 28017

# Inbound only; there is no MongoDB outbound rule in this file.
- rule: mongodb_unexpected_network_inbound
  desc: inbound network traffic to mongodb on a port other than the standard ports
  condition: user.name = mongodb and inbound and not (mongodb_server_port or mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port)
  output: "Inbound network traffic to MongoDB on unexpected port (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING
# MySQL ports
# Keyed on the mysql account; port compared inline (3306).
- rule: mysql_unexpected_network_inbound
  desc: inbound network traffic to mysql on a port other than the standard ports
  condition: user.name = mysql and inbound and fd.sport != 3306
  output: "Inbound network traffic to MySQL on unexpected port (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING

# Unlike the other service rules this one keys on the process name
# (http_server_binaries) rather than on user.name.
- rule: http_server_unexpected_network_inbound
  desc: inbound network traffic to a http server program on a port other than the standard ports
  condition: http_server_binaries and inbound and fd.sport != 80 and fd.sport != 443
  output: "Inbound network traffic to HTTP Server on unexpected port (%user.name %proc.name %evt.type %evt.args %fd.name)"
  priority: WARNING
# fs-bash is a restricted version of bash suitable for use in curl <curl> | sh installers.
# Both rules match any process with an ancestor named fs-bash (proc.aname).
- rule: installer_bash_starts_network_server
  desc: an attempt by any program that is a child of fs-bash to start listening for network connections
  condition: evt.type=listen and proc.aname=fs-bash
  output: "Unexpected listen call by a child process of fs-bash (%proc.name %evt.type %evt.args)"
  priority: WARNING

- rule: installer_bash_starts_session
  desc: an attempt by any program that is a child of fs-bash to start a new session (process group)
  condition: evt.type=setsid and proc.aname=fs-bash
  output: "Unexpected setsid call by a child process of fs-bash (%proc.name %evt.type %evt.args)"
  priority: WARNING