New rules related to containers.

New rule 'File Open by Privileged Container' triggers when a container that is running privileged opens a file. New rule 'Sensitive Mount by Container' triggers when a container that has a sensitive mount opens a file. Currently, a sensitive mount is a mount of /proc. This depends on draios/sysdig#655.
falcosecurity · Oct 24, 2016 · 4615c39 · 4615c39
1 parent 4585fd1
commit 4615c39
Showing 1 changed file with 19 additions and 1 deletion.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -265,7 +265,7 @@
 - rule: Change thread namespace
   desc: an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns.
   condition: evt.type = setns and not proc.name in (docker_binaries, sysdig, dragent, nsenter)
-  output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline container=%container.id)"
+  output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline container=%container.name (id=%container.id))"
   priority: WARNING
 
 - rule: Run shell untrusted
@@ -274,6 +274,24 @@
   output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
   priority: WARNING
 
+- macro: trusted_containers
+  condition: (container.image startswith sysdig/agent or container.image startswith sysdig/falco or container.image startswith sysdig/sysdig)
+
+- rule: File Open by Privileged Container
+  desc: Any open by a privileged container. Exceptions are made for known trusted images.
+  condition: (open_read or open_write) and container and container.privileged=true and not trusted_containers
+  output: File opened for read/write by non-privileged container (user=%user.name command=%proc.cmdline container=%container.name (id=%container.id) file=%fd.name)
+  priority: WARNING
+
+- macro: sensitive_mount
+  condition: (container.mount.dest[/proc*] != "N/A")
+
+- rule: Sensitive Mount by Container
+  desc: Any open by a container that has a mount from a sensitive host directory (i.e. /proc). Exceptions are made for known trusted images.
+  condition: (open_read or open_write) and container and sensitive_mount and not trusted_containers
+  output: File opened for read/write by container mounting sensitive directory (user=%user.name command=%proc.cmdline container=%container.name (id=%container.id) file=%fd.name)
+  priority: WARNING
+
 # Anything run interactively by root
 # - condition: evt.type != switch and user.name = root and proc.name != sshd and interactive
 #  output: "Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"