New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rule updates 2018 02.v1 #321

merged 8 commits into from Feb 20, 2018


None yet
2 participants

mstemm commented Feb 9, 2018

Changes to reduce false positives as well as handling suggested use cases from customers.

@mattpag could you take a look at the last 2 commits (ssh/nodeport support?)

mstemm added some commits Jan 31, 2018

Add additional allowed files below root.
These are related to node.js apps.
Let gugent write to (root) + GuestAgent.log
vRA7 Guest Agent writes to GuestAgent.log with a cwd of root.
Add additional root files and directories
All seen in legitimate cases.
Let nginx run aws s3 cp
Possibly seen as a part of consul deployments and/or openresty.

@mstemm mstemm requested a review from mattpag Feb 9, 2018


There's an inconsistency between the comment and the implementation for the macro allowed_ssh_hosts: I suppose you want to set it to ssh_port (as the comment says), otherwise the rule will trigger for every non local ssh connection. Or am I missing something?
The rule for detecting nodeport connections looks good.

mstemm added some commits Feb 9, 2018

Add rule for disallowed ssh connections
New rule "Disallowed SSH Connection" detects ssh connection attempts
other than those allowed by the macro allowed_ssh_hosts. The default
version of the macro allows any ssh connection, so the rule never
triggers by default.

The macro could be overridden in a local/user rules file, though.
Detect contacting NodePort svcs in containers
New rule "Unexpected K8s NodePort Connection" detects attempts to
contact K8s NodePort services (i.e. ports >=30000) from within

It requires overridding a macro nodeport_containers which specifies a
set of containers that are allowed to use these port ranges. By default
every container is allowed.

This comment has been minimized.


mstemm commented Feb 9, 2018

yeah, that was a typo on my part. I had changed it for testing, but hadn't changed it back. It's fixed now.

@mstemm mstemm merged commit 414c9a0 into dev Feb 20, 2018

3 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed
sign-off-checker The commit doesn't require sysdig sign-off CLA because it belongs to mstemm part of draios/falco collaborators

@mstemm mstemm deleted the rule-updates-2018-02.v1 branch Feb 20, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment