Added rule to detect docker client in container #915
Conversation
|
Welcome @daviddetorres! It looks like this is your first PR to falcosecurity/falco 🎉 |
rules/falco_rules.yaml
Outdated
| # This rule detects the execution of the docker client inside a container | ||
| - rule: The docker client is executed in a container | ||
| desc: An event will trigger every time you run a docker client in a container | ||
| condition: evt.type = execve and evt.dir=< and container.id != host and proc.name in (docker_binaries) |
There was a problem hiding this comment.
can you make the changes to
- list: k8s_client_binaries
items: [docker, kubectl, crictl]
- rule: K8s client tool executed inside a container
condition: spawned_process and container and proc.name in (k8s_client_binaries)
tags: [container, mitre_execution]
There was a problem hiding this comment.
Thanks for the comments, Kaizhe. I didn't realize the macros for spawned process and container.
I'll modify the pull request and upload the changes.
There was a problem hiding this comment.
Also, I need some help for adding DCO signoff to a previous commit of this PR... I resolved a code review and forgot to add it. How could I add the DCO to an already existing commit?
(Sorry for the newbie mistake...).
There was a problem hiding this comment.
No, not a problem, I had this issue before :) take a look this one: https://stackoverflow.com/questions/13043357/git-sign-off-previous-commits
rules/falco_rules.yaml
Outdated
| - rule: The docker client is executed in a container | ||
| desc: An event will trigger every time you run a docker client in a container | ||
| condition: spawned_process and container and proc.name in (k8s_client_binaries) | ||
| output: "Docker or kubernetes client in container (user=%user.name %container.info parent=%proc.pname cmdline=%proc.cmdline)" |
There was a problem hiding this comment.
Minor:
ouptut: Docker or kubernetes client executed in container
desc: Detect a k8s client tool executed inside a container
There was a problem hiding this comment.
Thanks Kaizhe for your support and help with my first PR in Falco... I'll commit this changes that you suggest, but before I'd like to fix the signature problem that it is giving in the this commit.
I followed the link that you suggested and I added a gpg key (verified) and also a "Signed-off-by" in the commit. Even though, the problem persist... Any clue about how to fix it?
There was a problem hiding this comment.
can you try rebase HEAD~3 and squash the one didn't commit?
There was a problem hiding this comment.
It seems it worked at last! Thanks again for the support :)
Commit pushed with your suggestions.
The rule detects the execution of the k8s client tool in a container and logs it with WARNING priority. Signed-off-by: David de Torres <detorres.david@gmail.com>
| @@ -2599,3 +2599,9 @@ | |||
| # there if you want to enable them by adding to | |||
| # falco_rules.local.yaml. | |||
|
|
|||
| - rule: The docker client is executed in a container | |||
| desc: Detect a k8s client tool executed inside a container | |||
| condition: spawned_process and container and proc.name in (k8s_client_binaries) | |||
There was a problem hiding this comment.
Did you accidentally delete the k8s_client_binaries list? And please move the rule above
# Application rules have moved to application_rules.yaml. Please look
# there if you want to enable them by adding to
# falco_rules.local.yaml.
There was a problem hiding this comment.
Thanks again Kaizhe. You are really being patience with me in this PR...
There was a problem hiding this comment.
Thank you for your contribution! It is really appreciated!
Added accidentally deleted lines for the list of k8s client binaries. Signed-off-by: David de Torres <detorres.david@gmail.com>
|
/lgtm |
|
LGTM label has been added. Git tree hash: 504143d6001bdfe5dff3c38cb8c4bcad52141c2f
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fntlnz, Kaizhe The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Thanks for improving our ruleset @daviddetorres !!! |
What type of PR is this?
/kind feature
/kind rule-create
Any specific area of the project related to this PR?
/area rules
What this PR does / why we need it:
The motivation of this new rule is to detect suspicious activity like seen in the Graboid threat (more details here: https://unit42.paloaltonetworks.com/graboid-first-ever-cryptojacking-worm-found-in-images-on-docker-hub/).
There are rules for detection of miners, but not the scenario where the container is used to attack other vulnerable hosts via a docker client.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
The priority is set to WARNING, but I have doubts if it should be other. I don't have the experience enough to decide this part of the rule.
Does this PR introduce a user-facing change?:
NONE