
Fix/address addl rules fps #1372

Merged
merged 13 commits into from
Sep 3, 2020

Commits on Aug 31, 2020

  1. rule(Change thread namespace): Require proc name

    In some cases, dropped events around the time a new container is started
    can result in missing the exec/clone for a process that does a setns to
    enter the namespace of a container. Here's an example from an oss
    capture:
    
    ```
    282273 09:01:22.098095673 30 runc:[0:PARENT] (168555) < setns res=0
    282283 09:01:22.098138869 30 runc:[0:PARENT] (168555) < setns res=0
    282295 09:01:22.098179685 30 runc:[0:PARENT] (168555) < setns res=0
    517284 09:01:30.128723777 13 <NA> (168909) < setns res=0
    517337 09:01:30.129054963 13 <NA> (168909) < setns res=0
    517451 09:01:30.129560037 2 <NA> (168890) < setns res=0
    524597 09:01:30.162741004 19 <NA> (168890) < setns res=0
    527433 09:01:30.179786170 18 runc:[0:PARENT] (168927) < setns res=0
    527448 09:01:30.179852428 18 runc:[0:PARENT] (168927) < setns res=0
    535566 09:01:30.232420372 25 nsenter (168938) < setns res=0
    537412 09:01:30.246200357 0 nsenter (168941) < setns res=0
    554163 09:01:30.347158783 17 nsenter (168950) < setns res=0
    659908 09:01:31.064622960 12 runc:[0:PARENT] (169023) < setns res=0
    659919 09:01:31.064665759 12 runc:[0:PARENT] (169023) < setns res=0
    732062 09:01:31.608297074 4 nsenter (169055) < setns res=0
    812985 09:01:32.217527319 6 runc:[0:PARENT] (169077) < setns res=0
    812991 09:01:32.217579396 6 runc:[0:PARENT] (169077) < setns res=0
    813000 09:01:32.217632211 6 runc:[0:PARENT] (169077) < setns res=0
    ```
    
    When this happens, it can cause false positives for the "Change thread
    namespace" rule as it allows certain process names like "runc",
    "containerd", etc. to perform setns calls.
    
    Other rules already use the proc_name_exists macro to require that the
    process name exists. This change adds proc_name_exists to the Change
    Thread Namespace rule as well.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Aug 31, 2020
    8fb3dcb
  2. rule(Read sensitive file untrusted): linux-bench

    Let programs spawned by linux-bench (CIS Linux Benchmark program) read
    /etc/shadow. Tests in the benchmark check for permissions of the file
    and accounts in the contents of the file.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Aug 31, 2020
    7452d52
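The false positive described in the first commit above (Change thread namespace), replayed over the setns lines quoted in that commit message, as an added example that is not part of this pull request or of Falco's rules: a parser for the sysdig-style capture lines and the rule's allowlist check with and without a proc_name_exists gate. The allowlist prefixes and the field layout are assumptions standing in for the real rule's lists, not Falco's own macro definitions.

```python
import re
from typing import Optional

# Sample capture lines constructed from the ones quoted in the commit message:
# "<evtnum> <time> <cpu> <proc.name> (<tid>) <dir> <evt.type> <args>"
CAPTURE = """\
282273 09:01:22.098095673 30 runc:[0:PARENT] (168555) < setns res=0
517284 09:01:30.128723777 13 <NA> (168909) < setns res=0
517337 09:01:30.129054963 13 <NA> (168909) < setns res=0
517451 09:01:30.129560037 2 <NA> (168890) < setns res=0
524597 09:01:30.162741004 19 <NA> (168890) < setns res=0
535566 09:01:30.232420372 25 nsenter (168938) < setns res=0
659908 09:01:31.064622960 12 runc:[0:PARENT] (169023) < setns res=0
"""

LINE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<time>\S+)\s+(?P<cpu>\d+)\s+(?P<proc>\S+)\s+"
    r"\((?P<tid>\d+)\)\s+(?P<dir>[<>])\s+(?P<type>\w+)\s*(?P<args>.*)$"
)

# Hypothetical allowlist standing in for the rule's runtime exceptions
# (runc, containerd, nsenter, docker binaries); not the real rule's lists.
ALLOWED_PROC_PREFIXES = ("runc", "containerd", "nsenter", "docker")


def parse_line(line: str) -> Optional[dict]:
    """Split one capture line into its fields; None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def proc_name_exists(evt: dict) -> bool:
    # Same intent as the proc_name_exists macro: when the exec/clone was
    # dropped, the driver cannot resolve the name and reports "<NA>".
    return evt["proc"] != "<NA>"


def change_thread_namespace(evt: dict, require_proc_name: bool) -> bool:
    """True if the event would fire the rule under the given variant."""
    if evt["type"] != "setns" or evt["dir"] != "<":
        return False
    if require_proc_name and not proc_name_exists(evt):
        return False  # unknown name: the allowlist cannot be judged, so no alert
    return not evt["proc"].startswith(ALLOWED_PROC_PREFIXES)


def alerts(capture: str, require_proc_name: bool) -> list:
    """Events from the capture that fire the rule."""
    events = [e for e in map(parse_line, capture.splitlines()) if e]
    return [e for e in events if change_thread_namespace(e, require_proc_name)]
```

Without the gate, the four `<NA>` lines alert although they belong to the same runc/nsenter activity; with it, the capture produces no alerts.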

Commits on Sep 2, 2020

  1. rule(Update Package Repository): restrict files

    Previously any write to a file called sources.list would match the
    access_repositories condition, even a file /usr/tmp/..../sources.list.
    
    Change the macro so the files in repository_files must be somewhere
    below any of repository_directories.
    
    Also allow programs spawned by package management programs to change
    these files, using package_mgmt_ancestor_procs.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Sep 2, 2020
    89a26a5
  2. rule(Write below etc): add calico exceptions

    Add several calico images and command line programs that end up writing
    below /etc/calico.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Sep 2, 2020
    95f06a5
  3. rule(Write below root): add mysqlsh

    Let mysqlsh write below /root/.mysqlsh.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Sep 2, 2020
    00fab2b
  4. rule(Read sensitive file untrusted): google_oslogin

    Related to https://github.com/GoogleCloudPlatform/guest-oslogin, full
    cmdline is google_oslogin_control.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Sep 2, 2020
    e0954c4
  5. rule(Launch Privileged Container): sort/reorg list

    Sort the items in the list falco_privileged_images alphabetically
    and also separate them into individual lines. Make it easier to note
    changes to the entries in the list using git blame.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Sep 2, 2020
    c906a0f
  6. rule(Launch Privileged Container): add images

    Most of these are seen in GKE and are used for core routing/metrics
    collection.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Sep 2, 2020
    b13dbef
  7. rule(Create HostNetwork Pod): add images

    Add a set of images known to run in the host network. Mostly related to
    GKE, sometimes plus metrics collection.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Sep 2, 2020
    d5c21e7
  8. rule(Disallowed K8s User): add known users

    Seen when using K8s cluster autoscaling or addon manager.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Sep 2, 2020
    1f5f298
  9. Rule(Pod Created in Kube Namespace): add images

    Add several images seen in GKE environments that can run in the
    kube-system namespace.
    
    Also change the names of the lists to be more specific. The old names
    are retained but are kept around for backwards compatibility.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Sep 2, 2020
    0990ea4
  10. rule(System ClusterRole Modified/Deleted): + role

    Add system:managed-certificate-controller as a system role that can be
    modified. Can be changed as a part of upgrades.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Sep 2, 2020
    f38c8f4
  11. Start versioning trace files

    Start versioning trace files with a unique date. Any time we need to
    create new trace files, change TRACE_FILES_VERSION in this script and
    copy to traces-{positive,negative,info}-<VERSION>.zip.
    
    The zip file should unzip to traces-{positive,negative,info}, without
    any version.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Sep 2, 2020
    36bb3b1
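The repository-file tightening described in the Update Package Repository commit above, as an added example that is not Falco's own macro code: a basename-only match lets /usr/tmp/..../sources.list through, component-wise containment below a repository directory does not, and writes by a package manager or by a process one spawned are exempted. The list contents and the event fields are assumptions, not the rules file's lists.

```python
from pathlib import PurePosixPath

# Hypothetical stand-ins for the repository_files, repository_directories and
# package-manager lists referenced in the commit message (not Falco's lists).
REPOSITORY_FILES = {"sources.list"}
REPOSITORY_DIRECTORIES = ("/etc/apt", "/etc/yum.repos.d")
PACKAGE_MGMT_BINARIES = {"apt", "apt-get", "dpkg", "yum", "dnf"}


def under_directory(path: str, directory: str) -> bool:
    """Component-wise containment, so "/etc/apt2/x" is not below "/etc/apt"."""
    p, d = PurePosixPath(path), PurePosixPath(directory)
    return p != d and d in p.parents


def access_repositories_old(path: str) -> bool:
    # Pre-fix condition: the basename alone decides, so any path ending in
    # sources.list matches, including "/usr/tmp/..../sources.list".
    return PurePosixPath(path).name in REPOSITORY_FILES


def access_repositories_new(path: str) -> bool:
    # Post-fix condition: the name must match AND the file must sit somewhere
    # below one of the repository directories.
    return (PurePosixPath(path).name in REPOSITORY_FILES
            and any(under_directory(path, d) for d in REPOSITORY_DIRECTORIES))


def package_mgmt_ancestor(ancestors) -> bool:
    """True if any ancestor process name is a package manager."""
    return any(a in PACKAGE_MGMT_BINARIES for a in ancestors)


def update_package_repository(write: dict) -> bool:
    """Decide whether a constructed write event {fd_name, proc, ancestors}
    should alert: a repository file written neither by a package manager
    nor by a process that a package manager spawned."""
    if not access_repositories_new(write["fd_name"]):
        return False
    if write["proc"] in PACKAGE_MGMT_BINARIES:
        return False
    return not package_mgmt_ancestor(write["ancestors"])
```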