Skip to content

Commit

Permalink
New rules related to containers.
Browse files Browse the repository at this point in the history
New rule 'File Open by Privileged Container' triggers when a container
that is running privileged opens a file.

New rule 'Sensitive Mount by Container' triggers when a container that
has a sensitive mount opens a file. Currently, a sensitive mount is a
mount of /proc.

This depends on draios/sysdig#655.
  • Loading branch information
mstemm committed Sep 9, 2016
1 parent 6254caf commit 0c4f440
Showing 1 changed file with 19 additions and 1 deletion.
20 changes: 19 additions & 1 deletion rules/falco_rules.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -265,7 +265,7 @@
- rule: Change thread namespace
desc: an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns.
condition: evt.type = setns and not proc.name in (docker_binaries, sysdig, dragent, nsenter)
output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline container=%container.id)"
output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline container=%container.name (id=%container.id))"
priority: WARNING

- rule: Run shell untrusted
Expand All @@ -274,6 +274,24 @@
output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
priority: WARNING

- macro: trusted_containers
condition: (container.image startswith sysdig/agent or container.image startswith sysdig/falco or container.image startswith sysdig/sysdig)

- rule: File Open by Privileged Container
desc: Any open by a privileged container. Exceptions are made for known trusted images.
condition: (open_read or open_write) and container and container.privileged=true and not trusted_containers
output: File opened for read/write by non-privileged container (user=%user.name command=%proc.cmdline container=%container.name (id=%container.id) file=%fd.name)
priority: WARNING

- macro: sensitive_mount
condition: (container.mount.dest[/proc*] != "N/A")

- rule: Sensitive Mount by Container
desc: Any open by a container that has a mount from a sensitive host directory (i.e. /proc). Exceptions are made for known trusted images.
condition: (open_read or open_write) and container and sensitive_mount and not trusted_containers
output: File opened for read/write by container mounting sensitive directory (user=%user.name command=%proc.cmdline container=%container.name (id=%container.id) file=%fd.name)
priority: WARNING

# Anything run interactively by root
# - condition: evt.type != switch and user.name = root and proc.name != sshd and interactive
# output: "Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
Expand Down

0 comments on commit 0c4f440

Please sign in to comment.