From 12391ee50838905fae6b1e05d2b9068d993c35f5 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 10 Aug 2016 13:48:06 -0700
Subject: [PATCH 1/2] Eliminate FPs.

Docker 1.12 split docker into docker and dockerd, so add dockerd as a docker binary. Also be consistent about using docker_binares instead of just references to docker. Also add ldconfig as a program that can write to files below /etc.
---
 rules/falco_rules.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 791e9b77fde..178d1be76af 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -93,7 +93,7 @@
   items: [setup-backend, dragent]
 
 - list: docker_binaries
-  items: [docker, exe]
+  items: [docker, dockerd, exe]
 
 - list: http_server_binaries
   items: [nginx, httpd, httpd-foregroun, lighttpd]
@@ -186,7 +186,7 @@
 - macro: write_etc_common
   condition: >
     etc_dir and evt.dir = < and open_write
-    and not proc.name in (shadowutils_binaries, sysdigcloud_binaries, package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries, ldconfig.real)
+    and not proc.name in (shadowutils_binaries, sysdigcloud_binaries, package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries, ldconfig.real, ldconfig)
     and not proc.pname in (sysdigcloud_binaries)
     and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java)
 
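Review bot: The new `dockerd` entry in `docker_binaries` silently widens every rule that uses the list as an exception, because membership is tested on `proc.name` alone and this list feeds the `not proc.name in (...)` / `not proc.pname in (...)` clauses of change_thread_namespace, run_shell_untrusted and run_shell_in_container later in this patch. The list also carries `exe` with no explanation of why it counts as a docker binary. A comment above the list would make the trust boundary explicit for the next person who adds to it, e.g. `# Matched on process name only; used as an exception in change_thread_namespace and the run_shell_* rules, so keep this list minimal`.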
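Review bot: The added `ldconfig` exception (like the existing `ldconfig.real`) excludes the process from write_etc_common entirely, so any process carrying that name may write any file below /etc without an alert, although ldconfig's only legitimate target there is its cache file. Scoping the exception to the file rather than the whole tree would keep the false-positive fix without the blanket exclusion, e.g. replacing the two list entries with a clause such as `and not (proc.name in (ldconfig.real, ldconfig) and fd.name startswith /etc/ld.so.cache)` — `startswith` rather than `=` because I believe ldconfig writes a temporary alongside the cache before renaming; confirm against a trace before adopting. The macro body appears complete within the hunk, so the change is local to these lines.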
@@ -258,13 +258,13 @@
 
 - rule: change_thread_namespace
   desc: an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns.
-  condition: evt.type = setns and not proc.name in (docker, sysdig, dragent, nsenter, exe)
+  condition: evt.type = setns and not proc.name in (docker_binaries, sysdig, dragent, nsenter)
   output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline container=%container.id)"
   priority: WARNING
 
 - rule: run_shell_untrusted
   desc: an attempt to spawn a shell by a non-shell program. Exceptions are made for trusted binaries.
-  condition: spawned_process and not container and proc.name = bash and proc.pname exists and not proc.pname in (cron_binaries, bash, sshd, sudo, docker, su, tmux, screen, emacs, systemd, login, flock, fbash, nginx, monit, supervisord, dragent)
+  condition: spawned_process and not container and proc.name = bash and proc.pname exists and not proc.pname in (cron_binaries, bash, sshd, sudo, docker_binaries, su, tmux, screen, emacs, systemd, login, flock, fbash, nginx, monit, supervisord, dragent)
   output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
   priority: WARNING
 
@@ -281,7 +281,7 @@
 
 - rule: run_shell_in_container
   desc: a shell was spawned by a non-shell program in a container. Container entrypoints are excluded.
-  condition: spawned_process and container and proc.name = bash and proc.pname exists and not proc.pname in (sh, bash, docker)
+  condition: spawned_process and container and proc.name = bash and proc.pname exists and not proc.pname in (sh, bash, docker_binaries)
   output: "Shell spawned in a container other than entrypoint (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
   priority: WARNING
 

From 39ae7680a7b93d02686184ec57b360071587fc2d Mon Sep 17 00:00:00 2001
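Review bot: Swapping `docker` for `docker_binaries` in run_shell_untrusted's parent allowlist admits more than `dockerd`: after the first hunk the list is `[docker, dockerd, exe]`, so a bash spawned by any parent named `exe` is no longer reported by this rule, and the same widening happens in run_shell_in_container in the @@ -281 hunk. The commit message describes this only as consistency, and change_thread_namespace is the one rule where `exe` was already excluded, so the net effect differs per rule. If excluding `exe` as a parent is intended, add a one-line comment on each of the two conditions stating so; otherwise keep these two allowlists literal with `docker, dockerd` and reserve `docker_binaries` for the setns rule.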
From: Mark Stemm
Date: Wed, 10 Aug 2016 14:15:26 -0700
Subject: [PATCH 2/2] Handle dbus-daemon-launch-helper.

It starts dbus-daemon. Process names are truncated, though, so use dbus-daemon-lau.
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 178d1be76af..e576fb943ab 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -304,7 +304,7 @@
 # sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs
 - rule: non_sudo_setuid
   desc: an attempt to change users by calling setuid. sudo/su are excluded. user "root" is also excluded, as setuid calls typically involve dropping privileges.
-  condition: evt.type=setuid and evt.dir=> and not user.name=root and not proc.name in (userexec_binaries, mail_binaries, sshd)
+  condition: evt.type=setuid and evt.dir=> and not user.name=root and not proc.name in (userexec_binaries, mail_binaries, sshd, dbus-daemon-lau)
   output: "Unexpected setuid call by non-sudo, non-root program (user=%user.name command=%proc.cmdline uid=%evt.arg.uid)"
   priority: WARNING
 
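Review bot: The reason for the odd-looking name `dbus-daemon-lau` lives only in the commit message; in the rules file it reads like a typo and a future cleanup could "fix" it back to the full name and reintroduce the false positive. Put the rationale next to the condition, e.g. `# dbus-daemon-launch-helper: proc.name is the kernel comm field, truncated to 15 characters`, and consider the same note for `httpd-foregroun` in http_server_binaries, which relies on the identical truncation without saying so. Like the other entries, this exception is matched on process name alone, so it applies to any process carrying that truncated comm, not just the real helper.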