Fix/address addl rules fps #1372
Commits on Aug 31, 2020
- rule(Change thread namespace): Require proc name
In some cases, dropped events around the time a new container is started can result in missing the exec/clone for a process that does a setns to enter the namespace of a container. Here's an example from an oss capture:

```
282273 09:01:22.098095673 30 runc:[0:PARENT] (168555) < setns res=0
282283 09:01:22.098138869 30 runc:[0:PARENT] (168555) < setns res=0
282295 09:01:22.098179685 30 runc:[0:PARENT] (168555) < setns res=0
517284 09:01:30.128723777 13 <NA> (168909) < setns res=0
517337 09:01:30.129054963 13 <NA> (168909) < setns res=0
517451 09:01:30.129560037 2 <NA> (168890) < setns res=0
524597 09:01:30.162741004 19 <NA> (168890) < setns res=0
527433 09:01:30.179786170 18 runc:[0:PARENT] (168927) < setns res=0
527448 09:01:30.179852428 18 runc:[0:PARENT] (168927) < setns res=0
535566 09:01:30.232420372 25 nsenter (168938) < setns res=0
537412 09:01:30.246200357 0 nsenter (168941) < setns res=0
554163 09:01:30.347158783 17 nsenter (168950) < setns res=0
659908 09:01:31.064622960 12 runc:[0:PARENT] (169023) < setns res=0
659919 09:01:31.064665759 12 runc:[0:PARENT] (169023) < setns res=0
732062 09:01:31.608297074 4 nsenter (169055) < setns res=0
812985 09:01:32.217527319 6 runc:[0:PARENT] (169077) < setns res=0
812991 09:01:32.217579396 6 runc:[0:PARENT] (169077) < setns res=0
813000 09:01:32.217632211 6 runc:[0:PARENT] (169077) < setns res=0
```

When this happens, it can cause false positives for the "Change thread namespace" rule, as it allows certain process names like "runc", "containerd", etc. to perform setns calls. Other rules already use the proc_name_exists macro to require that the process name exists. This change adds proc_name_exists to the Change Thread Namespace rule as well.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Commit: 8fb3dcb

- rule(Read sensitive file untrusted): linux-bench
Let programs spawned by linux-bench (CIS Linux Benchmark program) read /etc/shadow. Tests in the benchmark check for permissions of the file and accounts in the contents of the file.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Commit: 7452d52
Commits on Sep 2, 2020
- rule(Update Package Repository): restrict files
Previously any write to a file called sources.list would match the access_repositories condition, even a file /usr/tmp/..../sources.list. Change the macro so the files in repository_files must be somewhere below any of repository_directories. Also allow programs spawned by package management programs to change these files, using package_mgmt_ancestor_procs.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
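As an illustration of the macro change this commit describes, here is the basename-only form beside the directory-constrained form in Falco rule syntax. This is an example written for this page, not the commit's actual diff: the list contents, the rule condition and the use of `pmatch` as the "below a directory" test are assumptions.

```yaml
# Lists named in the commit message; their contents here are assumed examples.
- list: repository_files
  items: [sources.list]

- list: repository_directories
  items: [/etc/apt, /etc/apt/sources.list.d, /etc/yum.repos.d]

- list: package_mgmt_ancestor_procs
  items: [apt, apt-get, dpkg, yum, dnf]

# Assumed stand-in for the rule set's standard open_write macro.
- macro: open_write
  condition: (evt.type in (open, openat) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0)

# Weak form: the basename alone satisfies the macro, so a write to
# /usr/tmp/anything/sources.list matches just like /etc/apt/sources.list does.
- macro: access_repositories_weak
  condition: (fd.directory in (repository_directories) or fd.filename in (repository_files))

# Constrained form: a repository file name only counts when the full path also
# sits below one of repository_directories (pmatch is a path-prefix match).
- macro: access_repositories
  condition: >
    (fd.directory in (repository_directories) or
     (fd.filename in (repository_files) and fd.name pmatch (repository_directories)))

# Any ancestor being a package manager marks the writer as spawned by one.
- macro: package_mgmt_ancestor
  condition: (proc.aname in (package_mgmt_ancestor_procs))

- rule: Update Package Repository
  desc: Detect package repository files being changed by something other than a package manager
  condition: >
    open_write and access_repositories
    and not proc.name in (package_mgmt_ancestor_procs)
    and not package_mgmt_ancestor
  output: Repository file updated (user=%user.name command=%proc.cmdline file=%fd.name)
  priority: NOTICE
  tags: [filesystem, mitre_persistence]
```

With the constrained macro, a write to /usr/tmp/x/sources.list no longer fires, while /etc/apt/sources.list.d/foo.list and /etc/apt/sources.list still do unless an ancestor is a package manager.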
Commit: 89a26a5

- rule(Write below etc): add calico exceptions
Add several calico images and command line programs that end up writing below /etc/calico.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Commit: 95f06a5

- rule(Write below root): add mysqlsh
Let mysqlsh write below /root/.mysqlsh.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Commit: 00fab2b

- rule(Read sensitive file untrusted): google_oslogin
Related to https://github.com/GoogleCloudPlatform/guest-oslogin; the full cmdline is google_oslogin_control.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Commit: e0954c4

- rule(Launch Privileged Container): sort/reorg list
Sort the items in the list falco_privileged_images alphabetically and also separate them into individual lines. This makes it easier to note changes to the entries in the list using git blame.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Commit: c906a0f

- rule(Launch Privileged Container): add images
Most of these are seen in GKE and are used for core routing/metrics collection.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Commit: b13dbef

- rule(Create HostNetwork Pod): add images
Add a set of images known to run in the host network. Mostly related to GKE, sometimes plus metrics collection.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Commit: d5c21e7

- rule(Disallowed K8s User): add known users
Seen when using K8s cluster autoscaling or addon manager.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Commit: 1f5f298

- rule(Pod Created in Kube Namespace): add images
Add several images seen in GKE environments that can run in the kube-system namespace. Also change the names of the lists to be more specific. The old names are kept around for backwards compatibility.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Commit: 0990ea4

- rule(System ClusterRole Modified/Deleted): + role
Add system:managed-certificate-controller as a system role that can be modified. It can be changed as a part of upgrades.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Commit: f38c8f4
- Start versioning trace files with a unique date.

Any time we need to create new trace files, change TRACE_FILES_VERSION in this script and copy to traces-{positive,negative,info}-<VERSION>.zip. The zip file should unzip to traces-{positive,negative,info}, without any version.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Commit: 36bb3b1