Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rule updates 2019 06.v4 #685

Merged
merged 4 commits into from
Jul 1, 2019
Merged

Rule updates 2019 06.v4 #685

Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
1297779
rule update: add placeholder for rules write below root/etc
Kaizhe Jun 21, 2019
5399af4
add openshift image to whitelist
Kaizhe Jun 21, 2019
8a765e2
add rfc_1918_address macro
Kaizhe Jun 21, 2019
35a5193
rule update: fix syntax error
Kaizhe Jun 28, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 26 additions & 3 deletions rules/falco_rules.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -311,13 +311,17 @@
(fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
(evt.rawres >= 0 or evt.res = EINPROGRESS))

# RFC1918 addresses were assigned for private network usage
- list: rfc_1918_addresses
items: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

- macro: outbound
condition: >
(((evt.type = connect and evt.dir=<) or
(evt.type in (sendto,sendmsg) and evt.dir=< and
fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
(fd.typechar = 4 or fd.typechar = 6) and
(fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
(fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8" and (not fd.snet in rfc_1918_addresses) and
(evt.rawres >= 0 or evt.res = EINPROGRESS))

# Very similar to inbound/outbound, but combines the tests together
Expand Down Expand Up @@ -1148,6 +1152,10 @@
- macro: user_known_write_etc_conditions
condition: proc.name=confd

# This is a placeholder for user to extend the whitelist for write below etc rule
- macro: user_known_write_below_etc_activities
condition: (never_true)

- macro: write_etc_common
condition: >
etc_dir and evt.dir = < and open_write
Expand Down Expand Up @@ -1245,6 +1253,7 @@
and not checkpoint_writing_state
and not jboss_in_container_writing_passwd
and not etcd_manager_updating_dns
and not user_known_write_below_etc_activities

- rule: Write below etc
desc: an attempt to write to any file below /etc
Expand Down Expand Up @@ -1308,6 +1317,10 @@
- macro: user_known_write_root_conditions
condition: fd.name=/root/.bash_history

# This is a placeholder for user to extend the whitelist for write below root rule
- macro: user_known_write_below_root_activities
condition: (never_true)

- rule: Write below root
desc: an attempt to write to any file directly below / or /root
condition: >
Expand All @@ -1329,6 +1342,7 @@
and not rancher_writing_root
and not known_root_conditions
and not user_known_write_root_conditions
and not user_known_write_below_root_activities
output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name container_id=%container.id image=%container.image.repository)"
priority: ERROR
tags: [filesystem, mitre_persistence]
Expand Down Expand Up @@ -1470,12 +1484,18 @@
- list: user_known_change_thread_namespace_binaries
items: []

- macro: user_known_change_thread_namespace_activities
condition: (never_true)

- list: network_plugin_binaries
items: [aws-cni, azure-vnet]

- macro: calico_node
condition: (container.image.repository endswith calico/node and proc.name=calico-node)

- macro: weaveworks_scope
condition: (container.image.repository endswith weaveworks/scope and proc.name=scope)

- rule: Change thread namespace
desc: >
an attempt to change a program/thread\'s namespace (commonly done
Expand All @@ -1494,6 +1514,8 @@
and not rancher_agent
and not rancher_network_manager
and not calico_node
and not weaveworks_scope
and not user_known_change_thread_namespace_activities
output: >
Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline
parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository)
Expand Down Expand Up @@ -1672,6 +1694,7 @@
container.image.repository endswith /ose-pod or
container.image.repository endswith /ose-node or
container.image.repository endswith /ose-docker-registry or
container.image.repository endswith /prometheus-node-exporter or
container.image.repository endswith /image-inspector))

# These images are allowed both to run with --privileged and to mount
Expand Down Expand Up @@ -1703,7 +1726,7 @@
# In this file, it just takes one of the images in trusted_containers
# and repeats it.
- macro: user_trusted_containers
condition: (container.image.repository = docker.io/sysdig/agent)
condition: (container.image.repository endswith sysdig/agent)

- list: sematext_images
items: [docker.io/sematext/sematext-agent-docker, docker.io/sematext/agent, docker.io/sematext/logagent,
Expand Down Expand Up @@ -1735,7 +1758,7 @@
# In this file, it just takes one of the images in falco_privileged_images
# and repeats it.
- macro: user_privileged_containers
condition: (container.image.repository = docker.io/sysdig/agent)
condition: (container.image.repository endswith sysdig/agent)

- list: rancher_images
items: [
Expand Down