diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index bea8769d..8747fe01 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -265,7 +265,7 @@ - rule: Change thread namespace desc: an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns. condition: evt.type = setns and not proc.name in (docker_binaries, sysdig, dragent, nsenter) - output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline container=%container.id)" + output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline container=%container.name (id=%container.id))" priority: WARNING - rule: Run shell untrusted @@ -274,6 +274,24 @@ output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)" priority: WARNING +- macro: trusted_containers + condition: (container.image startswith sysdig/agent or container.image startswith sysdig/falco or container.image startswith sysdig/sysdig) + +- rule: File Open by Privileged Container + desc: Any open by a privileged container. Exceptions are made for known trusted images. + condition: (open_read or open_write) and container and container.privileged=true and not trusted_containers + output: File opened for read/write by non-privileged container (user=%user.name command=%proc.cmdline container=%container.name (id=%container.id) file=%fd.name) + priority: WARNING + +- macro: sensitive_mount + condition: (container.mount.dest[/proc*] != "N/A") + +- rule: Sensitive Mount by Container + desc: Any open by a container that has a mount from a sensitive host directory (i.e. /proc). Exceptions are made for known trusted images. + condition: (open_read or open_write) and container and sensitive_mount and not trusted_containers + output: File opened for read/write by container mounting sensitive directory (user=%user.name command=%proc.cmdline container=%container.name (id=%container.id) file=%fd.name) + priority: WARNING + # Anything run interactively by root # - condition: evt.type != switch and user.name = root and proc.name != sshd and interactive # output: "Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"