From de7f60f7b2b283b447e309fd5c9c60733e5d37cf Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 16 Jun 2016 17:03:44 -0700 Subject: [PATCH] Performance/FP rule updates. Make changes to rules to improve performance and reduce FPs: - Rely on an upcoming change to sysdig (https://github.com/draios/sysdig/pull/610) that allows specifying an open/openat for reading/writing, without having to search through all the flags individually. - Switch to consistently using evt.type instead of syscall.type. - Move positive tests like etc_dir, bin_dir, etc., which are most likely to not succeed, to the beginning of rules, so they have a greater chance to cause the rest of the rule to be skipped, which saves time. - Using exim as a mail program--exim also can suid to root. - apt-get install curl--add a new macro for ssl management binaries and allow them to write below /etc and read sensitive files. - starting/stopping dhcp networking-add a new macro for dhcp client - binaries and allow them to write below /etc. - Add exe (docker-related program) as a program that can set a namespace using setns. - Don't count /dev/tty as an important file under /dev. --- rules/falco_rules.yaml | 69 +++++++++++++++++++++++------------------- 1 file changed, 38 insertions(+), 31 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 038c6a42fc7..81382e80472 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
@@ -14,26 +14,17 @@ # condition: (syscall.type=read and evt.dir=> and fd.type in (file, directory)) - macro: open_write - condition: > - (evt.type=open or evt.type=openat) and - fd.typechar='f' and - (evt.arg.flags contains O_WRONLY or - evt.arg.flags contains O_RDWR or - evt.arg.flags contains O_CREAT or - evt.arg.flags contains O_TRUNC) + condition: evt.type in (open, openat) and evt.is_open_write=true and fd.typechar='f' + - macro: open_read - condition: > - (evt.type=open or evt.type=openat) and - fd.typechar='f' and - (evt.arg.flags contains O_RDONLY or - evt.arg.flags contains O_RDWR) + condition: evt.type in (open, openat) and evt.is_open_read=true and fd.typechar='f' - macro: rename - condition: syscall.type = rename + condition: evt.type = rename - macro: mkdir - condition: syscall.type = mkdir + condition: evt.type = mkdir - macro: remove - condition: syscall.type in (remove, rmdir, unlink, unlink_at) + condition: evt.type in (rmdir, unlink, unlinkat) - macro: modify condition: rename or remove @@ -124,7 +115,13 @@ # The truncated dpkg-preconfigu is intentional, process names are # truncated at the sysdig level. - macro: package_mgmt_binaries - condition: proc.name in (dpkg, dpkg-preconfigu, rpm, rpmkey, yum) + condition: proc.name in (dpkg, dpkg-preconfigu, rpm, rpmkey, yum, frontend) + +- macro: ssl_mgmt_binaries + condition: proc.name in (ca-certificates) + +- macro: dhcp_binaries + condition: proc.name in (dhclient, dhclient-script) # A canonical set of processes that run other programs with different # privileges or as a different user. @@ -138,7 +135,7 @@ condition: (coreutils_binaries or user_mgmt_binaries) - macro: mail_binaries - condition: proc.name in (sendmail, sendmail-msp, postfix, procmail) + condition: proc.name in (sendmail, sendmail-msp, postfix, procmail, exim4) - macro: sensitive_files condition: (fd.name contains /etc/shadow or fd.name = /etc/sudoers or fd.directory in (/etc/sudoers.d, /etc/pam.d) or fd.name = /etc/pam.conf) 
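Review bot: The rewritten open_write and open_read macros make the whole rules file depend on the evt.is_open_write and evt.is_open_read fields that the commit message attributes to a not-yet-merged sysdig change (draios/sysdig pull 610), and nothing in the file records that minimum; on an older sysdig the fields are unknown and the rules presumably fail to load rather than degrade, so a comment above open_write such as `# Requires sysdig with evt.is_open_write/evt.is_open_read (draios/sysdig PR 610)` would turn a confusing load error into an expected one. It is also worth confirming that evt.is_open_write covers the O_CREAT and O_TRUNC cases the removed flag checks matched explicitly, since the commit message only says the flags no longer need to be searched individually. The remove macro changes meaning without mention: `remove` is dropped and `unlink_at` becomes `unlinkat`, which reads as a fix for names that never matched a real event type and deserves a line in the commit message or a comment on the macro. The commented-out read macro in the context line still says syscall.type, which the commit otherwise replaces with evt.type throughout.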
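Review bot: `frontend`, added to package_mgmt_binaries, is a generic process name that nothing in the file ties to a specific program, and this macro now excuses writes below /etc and the binary directories and, in the later read_sensitive_file_untrusted change, reads of sensitive files, so a comment on the macro naming the program that appears as `frontend` would let a later reader judge whether the exception is still warranted. `ca-certificates` in the new ssl_mgmt_binaries macro is exactly 15 characters, the same length as dpkg-preconfigu, which the comment just above explains is a name truncated at the sysdig level; if it is likewise a truncated name, spelling out the untruncated one in a comment, as that comment does for dpkg-preconfigu, would make the macro self-explaining. A matching one-line comment on dhcp_binaries would keep the three new macros consistent.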
@@ -150,11 +147,11 @@ # Network - macro: inbound - condition: ((syscall.type=listen and evt.dir=>) or (syscall.type=accept and evt.dir=<)) + condition: ((evt.type=listen and evt.dir=>) or (evt.type=accept and evt.dir=<)) -# Currently sendto is an ignored syscall, otherwise this could also check for (syscall.type=sendto and evt.dir=>) +# Currently sendto is an ignored syscall, otherwise this could also check for (evt.type=sendto and evt.dir=>) - macro: outbound - condition: syscall.type=connect and evt.dir=< and (fd.typechar=4 or fd.typechar=6) + condition: evt.type=connect and evt.dir=< and (fd.typechar=4 or fd.typechar=6) - macro: ssh_port condition: fd.lport=22 @@ -165,7 +162,7 @@ # System - macro: modules - condition: syscall.type in (delete_module, init_module) + condition: evt.type in (delete_module, init_module) - macro: container condition: container.id != host - macro: interactive 
@@ -189,26 +186,36 @@ - rule: write_binary_dir desc: an attempt to write to any file below a set of binary directories - condition: evt.dir = < and open_write and not package_mgmt_binaries and bin_dir + condition: evt.dir = < and open_write and bin_dir and not package_mgmt_binaries output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)" priority: WARNING +- macro: write_etc_common + condition: > + evt.dir = < and open_write and etc_dir and not shadowutils_binaries + and not sysdigcloud_binaries_parent + and not package_mgmt_binaries + and not ssl_mgmt_binaries + and not dhcp_binaries + and not proc.name in (ldconfig.real) + and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java) + - rule: write_etc desc: an attempt to write to any file below /etc, not in a pipe installer session - condition: evt.dir = < and open_write and not shadowutils_binaries and not sysdigcloud_binaries_parent and not package_mgmt_binaries and etc_dir and not proc.sname=fbash + condition: write_etc_common and not proc.sname=fbash output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)" priority: WARNING # Within a fbash session, the severity is lowered to INFO - rule: write_etc_installer desc: an attempt to write to any file below /etc, in a pipe installer session - condition: evt.dir = < and open_write and not shadowutils_binaries and not sysdigcloud_binaries_parent and not package_mgmt_binaries and etc_dir and proc.sname=fbash + condition: write_etc_common and proc.sname=fbash output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline file=%fd.name) within pipe installer session" priority: INFO - rule: read_sensitive_file_untrusted desc: an attempt to read any sensitive file (e.g. files containing user/password/authentication information). Exceptions are made for known trusted programs. 
- condition: open_read and not user_mgmt_binaries and not userexec_binaries and not proc.name in (iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, bash, sshd) and not cron and sensitive_files + condition: open_read and sensitive_files and not user_mgmt_binaries and not userexec_binaries and not package_mgmt_binaries and not proc.name in (iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, bash, sshd) and not cron and not proc.cmdline contains /usr/bin/mandb output: "Sensitive file opened for reading by non-trusted program (user=%user.name command=%proc.cmdline file=%fd.name)" priority: WARNING @@ -221,7 +228,7 @@ # Only let rpm-related programs write to the rpm database - rule: write_rpm_database desc: an attempt to write to the rpm database by any non-rpm related program - condition: open_write and not proc.name in (rpm,rpmkey,yum) and fd.directory=/var/lib/rpm + condition: open_write and fd.directory=/var/lib/rpm and not proc.name in (rpm,rpmkey,yum) output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name)" priority: WARNING @@ -261,7 +268,7 @@ - rule: change_thread_namespace desc: an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns. - condition: syscall.type = setns and not proc.name in (docker, sysdig, dragent) + condition: evt.type = setns and not proc.name in (docker, sysdig, dragent, nsenter, exe) output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline container=%container.id)" priority: WARNING 
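Review bot: In the read_sensitive_file_untrusted condition, `not proc.cmdline contains /usr/bin/mandb` is a substring match over the full command line, so it excuses any process whose arguments happen to contain that string rather than mandb itself; if the goal is to skip mandb, `not proc.name = mandb` (or `not proc.name in (mandb)` to match the surrounding style) is the narrower exception. The same hunk's new write_etc_common macro carries `not fd.directory in (/etc/cassandra, /etc/ssl/certs/java)`, which suppresses both write_etc rules for every process writing under those two directories, not just the services that own them; a short comment saying which program motivated each directory would help later reviewers decide whether to tighten it to a proc.name check. The macro is also the natural place for a comment stating that it is the shared exclusion list for write_etc and write_etc_installer, since nothing beyond its name marks it as common.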
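Review bot: The change_thread_namespace exception now admits `nsenter` and `exe` on process name alone, and `exe` is explained only in the commit message as a docker-related program; a reader of the rule cannot tell why it is there, so a comment on the rule recording what reports itself as `exe` (and that nsenter is expected from docker) would preserve that reasoning. Because proc.pname is already used by run_shell_in_container in this file, the generic names could be scoped to their expected parent, e.g. `condition: evt.type = setns and not proc.name in (docker, sysdig, dragent) and not (proc.name in (nsenter, exe) and proc.pname in (docker))`, keeping the setns exception to the docker case the commit message describes; confirm that the parent actually reports as `docker` before relying on it.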
@@ -284,7 +291,7 @@ - rule: run_shell_in_container desc: a shell was spawned by a non-shell program in a container. Container entrypoints are excluded. - condition: container and proc.name = bash and spawned_process and proc.pname exists and not proc.pname in (bash, docker) + condition: container and proc.name = bash and spawned_process and proc.pname exists and not proc.pname in (sh, bash, docker) output: "Shell spawned in a container other than entrypoint (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)" priority: WARNING @@ -304,10 +311,10 @@ # output: "sshd sent error message to syslog (error=%evt.buffer)" # priority: WARNING -# sshd, sendmail-msp, sendmail attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs +# sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs - rule: non_sudo_setuid desc: an attempt to change users by calling setuid. sudo/su are excluded. user "root" is also excluded, as setuid calls typically involve dropping privileges. - condition: evt.type=setuid and evt.dir=> and not user.name=root and not userexec_binaries and not proc.name in (sshd, sendmail-msp, sendmail) + condition: evt.type=setuid and evt.dir=> and not user.name=root and not userexec_binaries and not mail_binaries and not proc.name in (sshd) output: "Unexpected setuid call by non-sudo, non-root program (user=%user.name command=%proc.cmdline uid=%evt.arg.uid)" priority: WARNING 
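Review bot: The non_sudo_setuid exception widens beyond what the commit message states: replacing `(sshd, sendmail-msp, sendmail)` with `mail_binaries` brings postfix, procmail and the newly added exim4 into the setuid allowlist, while the message only says exim can suid to root. If postfix and procmail are intended, the updated comment above the rule should say so; if not, listing `exim4` explicitly, `not proc.name in (sshd, sendmail-msp, sendmail, exim4)`, keeps the exception as narrow as before. Minor style: with the mail programs moved out, `not proc.name in (sshd)` is a one-element list and reads more directly as `not proc.name = sshd`.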
@@ -320,7 +327,7 @@ # (we may need to add additional checks against false positives, see: https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/86153) - rule: create_files_below_dev desc: creating any files below /dev other than known programs that manage devices. Some rootkits hide files in /dev. - condition: (evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and not fd.name in (/dev/null,/dev/stdin,/dev/stdout,/dev/stderr) + condition: (evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and not fd.name in (/dev/null, /dev/tty) output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name)" priority: WARNING
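Review bot: The create_files_below_dev exception list drops /dev/stdin, /dev/stdout and /dev/stderr while adding /dev/tty, but the commit message only mentions /dev/tty, so it is unclear whether removing the three std* names was deliberate. If they went because fd.name never equals those symlink paths, a comment such as `# /dev/std* are symlinks and do not appear as fd.name here — confirm` would keep the next editor from re-adding them; if not, the previous list should be restored alongside /dev/tty, `not fd.name in (/dev/null, /dev/stdin, /dev/stdout, /dev/stderr, /dev/tty)`.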