Update falco_rules.yaml #1694
Conversation
Detecting exploits of CVE-2019-5736: runc container breakout.
@wcc526: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits. 📝 Please follow instructions in the contributing guide to update your commits with the DCO Full details of the Developer Certificate of Origin can be found at developercertificate.org. The list of commits missing DCO signoff:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: wcc526
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale
/milestone 0.32.0
Stale issues rot after 30d of inactivity. Mark the issue as fresh with Rotten issues close after an additional 30d of inactivity. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle rotten
Rotten issues close after 30d of inactivity. Reopen the issue with Mark the issue as fresh with Provide feedback via https://github.com/falcosecurity/community.
@poiana: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/reopen /remove-lifecycle rotten
@jasondellaluce: Reopened this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/milestone 0.33.0
Hi @wcc526, thanks for your PR :) For sure it's addressing a specific security use case, which is great, even though it's related to a 3+ year old vulnerability which was patched in docker (and others) some time ago. For sure this is an abnormal behaviour, so I'm currently testing the rule to evaluate the false positives due to the
Hi @wcc526, do you mind having a look at the proposed changes?
Thanks
@@ -3077,4 +3077,16 @@ | |||
# Application rules have moved to application_rules.yaml. Please look | |||
# there if you want to enable them by adding to | |||
# falco_rules.local.yaml. | |||
- list: docker_binaries | |||
items: [dockerd, containerd-shim, "runc:[1:CHILD]"] |
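Review bot: the list at `items: [dockerd, containerd-shim, "runc:[1:CHILD]"]` is matched against proc.name, yet the noise the reviewer reports is identified by proc.cmdline = "runc:[1:CHILD] init", which suggests the third item is not what Falco sees in proc.name for that process and therefore never suppresses it. Confirm the match on a live host; if it does not hold, the exclusion belongs on proc.cmdline as the reviewer proposes and the list entry can go. Adding pause as suggested is fine, but note that every process named here is exempt from the rule even when it is the one being hijacked, so the list should stay short and each entry should be justified in a comment.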
items: [dockerd, containerd-shim, "runc:[1:CHILD]"] | |
items: [dockerd, containerd-shim, "runc:[1:CHILD]", pause] |
During the time I tested the rule I've seen some noise generated by proc.name = pause which should be whitelisted.
- rule: Modify Container Entrypoint | ||
desc: Detect file write activities on container entrypoint symlink (/proc/self/exe) | ||
condition: > | ||
open_write and (fd.name=/proc/self/exe or fd.name startswith /proc/self/fd/) and not docker_procs and container |
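Review bot: the condition uses `not docker_procs`, but the only definition added by this hunk is the list `docker_binaries`; no docker_procs macro is introduced, so unless one already exists elsewhere in the file the rule will fail to load. Either add `- macro: docker_procs` with `condition: proc.name in (docker_binaries)` or write `not proc.name in (docker_binaries)` inline. Separately, `fd.name startswith /proc/self/fd/` matches any write re-open of a process's own descriptor, not only one pointing at the runc binary, which is where the falcosidekick and argo false positives come from; that is worth stating in the desc so operators know what they are tuning. The desc also misdescribes /proc/self/exe: it is the symlink to the calling process's own executable, not to the container entrypoint.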
During the time I tested the rule I also saw some noise with proc.cmdline = "runc:[1:CHILD] init". Do you mind adding it to the condition?
open_write and (fd.name=/proc/self/exe or fd.name startswith /proc/self/fd/) and not docker_procs and container | ||
output: > | ||
%fd.name is open to write by process (%proc.name, %proc.exeline) | ||
priority: WARNING |
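Review bot: the output omits container context even though the condition requires `container`; add %container.id and %container.name (and %user.name) so an alert can be attributed to a workload, and %proc.pname so the reader sees who spawned the writer. Given the false positives reported in review, also add `enabled: false` after `priority: WARNING` so the rule ships opt-in instead of alerting on every write re-open through /proc/self/fd/ in every container.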
During my tests I saw the rule generating false positives on falcosidekick and argo, which are two components that can work together with Falco. As we know the open_write macro isn't that accurate, but it's the only option since we can use the write syscall. However, the rule addresses a CVE and it's a good security use case. My suggestion is to add the rule to the falco ruleset but with the enabled: false option, to disable it by default due to the noise it can generate.
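The rule condition and the two whitelist changes discussed in the review above, replayed over constructed events as an added example (this is not code from the falco project or from this PR). It assumes the docker_procs macro expands to proc.name in (docker_binaries), approximates Falco's open_write macro as "the open flags include O_WRONLY or O_RDWR", and every event, process name and path below is made up for the demonstration:

```python
"""Offline replay of the proposed "Modify Container Entrypoint" rule.

Added example, not falco project code.  The condition is re-implemented in
Python so the review's whitelist suggestions can be checked against hand-made
events.  Assumptions: docker_procs == proc.name in (docker_binaries);
open_write == flags include O_WRONLY or O_RDWR; all events are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """The Falco fields the rule condition reads (constructed, not captured)."""
    label: str          # short name used in results; not a Falco field
    proc_name: str      # %proc.name: executable basename
    proc_cmdline: str   # %proc.cmdline: argv as the process presents it
    fd_name: str        # %fd.name: the path handed to open()/openat()
    flags: frozenset    # open flags as Falco renders them (O_WRONLY, ...)
    container: bool     # the `container` macro: event came from a container


# docker_binaries as proposed in the PR, and with the reviewer's `pause` addition.
DOCKER_BINARIES_PR = ("dockerd", "containerd-shim", "runc:[1:CHILD]")
DOCKER_BINARIES_REVIEW = DOCKER_BINARIES_PR + ("pause",)


def open_write(ev: Event) -> bool:
    """Approximation of Falco's open_write macro (assumption, see docstring)."""
    return bool(ev.flags & {"O_WRONLY", "O_RDWR"})


def modify_container_entrypoint(ev: Event, docker_binaries, exclude_runc_init=False) -> bool:
    """True when the rule would fire for `ev`.

    Mirrors: open_write and (fd.name=/proc/self/exe or fd.name startswith
    /proc/self/fd/) and not docker_procs and container, plus the optional
    proc.cmdline exclusion the reviewer asked for.
    """
    if not (open_write(ev) and ev.container):
        return False
    if not (ev.fd_name == "/proc/self/exe" or ev.fd_name.startswith("/proc/self/fd/")):
        return False
    if ev.proc_name in docker_binaries:          # not docker_procs (assumed body)
        return False
    if exclude_runc_init and ev.proc_cmdline == "runc:[1:CHILD] init":
        return False
    return True


def render_output(ev: Event) -> str:
    """The rule's output template; %proc.exeline approximated by the cmdline."""
    return f"{ev.fd_name} is open to write by process ({ev.proc_name}, {ev.proc_cmdline})"


W = frozenset({"O_WRONLY", "O_TRUNC"})
R = frozenset({"O_RDONLY"})

# Constructed events. Names and paths are illustrative only.
EVENTS = [
    # A read-only open of the same path is not open_write, so the rule is blind
    # to it; only the write re-open through /proc/self/fd/N is visible.
    Event("exploit-readonly", "exploit", "/tmp/exploit", "/proc/self/exe", R, True),
    Event("exploit", "exploit", "/tmp/exploit", "/proc/self/fd/3", W, True),
    # Noise the reviewer reports: the sandbox `pause` process.
    Event("pause", "pause", "/pause", "/proc/self/exe", W, True),
    # Noise the reviewer reports by cmdline; proc.name "runc" is an assumption
    # consistent with the list entry "runc:[1:CHILD]" not suppressing it.
    Event("runc-init", "runc", "runc:[1:CHILD] init", "/proc/self/fd/4", W, True),
    # The same pattern on the host is excluded by the `container` macro.
    Event("host-dockerd", "dockerd", "/usr/bin/dockerd", "/proc/self/fd/8", W, False),
    # In-container tooling re-opening one of its own descriptors for writing:
    # no list or cmdline filter helps, hence the enabled: false suggestion.
    Event("falcosidekick", "falcosidekick", "/app/falcosidekick", "/proc/self/fd/7", W, True),
]


def evaluate(events, docker_binaries, exclude_runc_init=False):
    """Labels of the events the rule fires on, in input order."""
    return [ev.label for ev in events
            if modify_container_entrypoint(ev, docker_binaries, exclude_runc_init)]


if __name__ == "__main__":
    for name, lst, excl in (("PR as submitted", DOCKER_BINARIES_PR, False),
                            ("+ pause", DOCKER_BINARIES_REVIEW, False),
                            ("+ pause, cmdline filter", DOCKER_BINARIES_REVIEW, True)):
        print(f"{name}: {evaluate(EVENTS, lst, excl)}")
    print(render_output(EVENTS[1]))
```

Running it shows the exploit event firing under every variant, each whitelist change removing exactly one reported source of noise, and the falcosidekick-style re-open still firing no matter what, which is the case the enabled: false suggestion is meant to cover.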
The PR author seems to be unresponsive. /milestone 0.34.0
@leogr I'll rework that and open a new PR :)
@leogr @jasondellaluce I think we can close this PR since it's already merged here: #2188
/close
@jasondellaluce: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.