Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor shell rules #301

Merged
merged 20 commits into from
Nov 28, 2017
Merged

Refactor shell rules #301

merged 20 commits into from
Nov 28, 2017

Conversation

mstemm
Copy link
Contributor

@mstemm mstemm commented Nov 17, 2017

Refactor the shell-related rules to reduce false positives. These changes significantly decrease the scope of the rules so they trigger only for shells spawned below specific processes instead of anywhere. See the commit messages for more details.

@mstemm
Refactor shell rules to avoid FPs.
6538317 
Refactoring the shell related rules to avoid FPs. Instead of considering
all shells suspicious and trying to carve out exceptions for the
legitimate uses of shells, only consider shells spawned below certain
processes suspicious.

The set of processes is a collection of commonly used web servers,
databases, nosql document stores, mail programs, message queues, process
monitors, application servers, etc.

Also, runsv is also considered a top level process that denotes a
service. This allows a way for more flexible servers like ad-hoc nodejs
express apps, etc to denote themselves as a full server process.
@mstemm
Update event generator to reflect new shell rules
98e6ea2 
spawn_shell is now a silent action. its replacement is
spawn_shell_under_httpd, which respawns itself as httpd and then runs a
shell.

db_program_spawn_binaries now runs ls instead of a shell so it only
matches db_program_spawn_process.
@mstemm
Comment out old shell related rules
bccc8f9
@mstemm
Modify nodejs example to work w/ new shell rules
3fe050f 
Start the express server using runit's runsv, which allows falco to
consider any shells run by it as suspicious.
@mstemm
Use the updated argument for mkdir
e83444c 
In draios/sysdig#757 the path argument for mkdir
moved to the second argument. This only became visible in the unit tests
once the trace files were updated to reflect the other shell rule
changes--the trace files had the old format.
@mstemm
Update unit tests for shell rules changes
6f610ed 
Shell in container doesn't exist any longer and its functionality has
been subsumed by run shell untrusted.
@mstemm
Allow git binaries to run shells
f213bb6 
In some cases, these are run below a service runsv so we still need
exceptions for them.
@mstemm
Let consul agent spawn curl for health checks
e8adb27
@mstemm
Don't protect tomcat
5a85cf1 
There's enough evidence of people spawning general commands that we
can't protect it.
@mstemm
Reorder exceptions, add rabbitmq exception
447cad8 
Move the nginx exception to the main rule instead of the
protected_shell_spawner macro. Also add erl_child_setup (related to
rabbitmq) as an allowed shell spawner.
@mstemm
Add additional spawn binaries
211ba31 
All off these are either below nginx, httpd, or runsv but should still
be allowed to spawn shells.
@mstemm
Exclude shells when ancestor is a pkg mgmt binary
1f549db 
Skip shells when any process ancestor (parent, gparent, etc) is a
package management binary. This includes the program needrestart. This
is a deep search but should prevent a lot of other more detailed
exceptions trying to find the specific scripts run as a part of
installations.
@mstemm
Skip shells related to serf
aaab255 
Serf is a service discovery tool and can in some cases be spawned by
apache/nginx. Also allow shells that are just checking the status of
pids via kill -0.
@mstemm
Add several exclusions back
c548ae0 
Add several exclusions back from the shell in container rule. These are
all allowed shell spawns that happen to be below
nginx/fluentd/apache/etc.
@mstemm
Remove commented-out rules
23fe787 
This saves space as well as cleanup. I haven't yet removed the
macros/lists used by these rules and not used anywhere else. I'll do
that cleanup in a separate step.
@mstemm
Also exclude based on command lines
1afa049 
Add back the exclusions based on command lines, using the existing set
of command lines.
@mstemm
Add addl exclusions for shells
e1cb9d2 
Of note is runsv, which means it can directly run shells (the ./run and
./finish scripts), but the things it runs can not.
@mstemm
Don't trigger on shells spawning shells
a0786c7 
We'll detect the first shell and not any other shells it spawns.
@mstemm
Allow "runc:" parents to count as a cont entrypnt
dee9f01 
In some cases, the initial process for a container can have a parent
"runc:[0:PARENT]", so also allow those cases to count as a container
entrypoint.
@mstemm
Use container_entrypoint macro
008938b 
Use the container_entrypoint macro to denote entering a container and
also allow exe to be one of the processes that's the parent of an
entrypoint.
@mstemm mstemm merged commit d6d975e into dev Nov 28, 2017
@mstemm mstemm deleted the refactor-shell-rules branch November 28, 2017 15:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@mstemm