new(rules): Directory traversal monitored file read #2118

50 changes: 37 additions & 13 deletions rules/falco_rules.yaml
@@ -29,13 +29,20 @@
# condition: (syscall.type=read and evt.dir=> and fd.type in (file, directory))

- macro: open_write
condition: evt.type in (open,openat,openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0
condition: (evt.type in (open,openat,openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0)

- macro: open_read
condition: evt.type in (open,openat,openat2) and evt.is_open_read=true and fd.typechar='f' and fd.num>=0
condition: (evt.type in (open,openat,openat2) and evt.is_open_read=true and fd.typechar='f' and fd.num>=0)

- macro: open_directory
condition: evt.type in (open,openat,openat2) and evt.is_open_read=true and fd.typechar='d' and fd.num>=0
condition: (evt.type in (open,openat,openat2) and evt.is_open_read=true and fd.typechar='d' and fd.num>=0)

# Failed file open attempts, useful to detect threat actors making mistakes
# https://man7.org/linux/man-pages/man3/errno.3.html
# evt.res=ENOENT - No such file or directory
# evt.res=EACCESS - Permission denied
- macro: open_file_failed
condition: (evt.type in (open,openat,openat2) and fd.typechar='f' and fd.num=-1 and evt.res startswith E)

- macro: never_true
condition: (evt.num=0)
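Review bot: the comment above `open_file_failed` misspells the errno name; `EACCESS` should be `EACCES` (one S, as on the linked errno(3) page). The macro itself only checks `evt.res startswith E`, so it is unaffected, but anyone who copies the comment into a narrower condition such as `evt.res=EACCESS` will never get a match. Suggest changing the line to `# evt.res=EACCES - Permission denied`.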
@@ -51,32 +58,32 @@
condition: (proc.name!="<NA>")

- macro: rename
condition: evt.type in (rename, renameat, renameat2)
condition: (evt.type in (rename, renameat, renameat2))

- macro: mkdir
condition: evt.type in (mkdir, mkdirat)
condition: (evt.type in (mkdir, mkdirat))

- macro: remove
condition: evt.type in (rmdir, unlink, unlinkat)
condition: (evt.type in (rmdir, unlink, unlinkat))

- macro: modify
condition: rename or remove
condition: (rename or remove)

- macro: spawned_process
condition: evt.type in (execve, execveat) and evt.dir=<
condition: (evt.type in (execve, execveat) and evt.dir=<)

- macro: create_symlink
condition: evt.type in (symlink, symlinkat) and evt.dir=<
condition: (evt.type in (symlink, symlinkat) and evt.dir=<)

- macro: create_hardlink
condition: evt.type in (link, linkat) and evt.dir=<
condition: (evt.type in (link, linkat) and evt.dir=<)

- macro: chmod
condition: (evt.type in (chmod, fchmod, fchmodat) and evt.dir=<)

# File categories
- macro: bin_dir
condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
condition: (fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin))

- macro: bin_dir_mkdir
condition: >
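Review bot: of all the conditions parenthesized in this hunk, `modify` is the one that actually needed it, since `rename or remove` is the only macro body here with a top-level `or`; when it is expanded next to an `and not ...` clause in a rule, the binding depends on the surrounding expression, and the parentheses make it unambiguous. The rest are cosmetic but keep the file consistent, so worth keeping; a one-line comment above `modify` noting why the grouping matters would stop someone from "simplifying" it later.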
@@ -105,7 +112,7 @@
evt.arg.newpath startswith /usr/sbin/)

- macro: etc_dir
condition: fd.name startswith /etc/
condition: (fd.name startswith /etc/)

# This detects writes immediately below / or any write anywhere below /root
- macro: root_dir
@@ -912,7 +919,10 @@
items: [/boot, /lib, /lib64, /usr/lib, /usr/local/lib, /usr/local/sbin, /usr/local/bin, /root/.ssh]

- macro: user_ssh_directory
condition: (fd.name glob '/home/*/.ssh/*')
condition: (fd.name contains '/.ssh/' and fd.name glob '/home/*/.ssh/*')

- macro: directory_traversal
condition: (fd.nameraw contains '../' and fd.nameraw glob '*../*../*')

# google_accounts_(daemon)
- macro: google_accounts_daemon_writing_ssh
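Review bot: `directory_traversal` only fires on two or more `../` segments (`fd.nameraw glob '*../*../*'`), so a single-level traversal such as `../etc/passwd` from a web root one directory deep is never matched, and the leading `contains '../'` clause is redundant with the glob. Either drop the glob and match on `contains '../'` alone, or add a comment stating that the two-segment threshold is deliberate to cut noise from legitimate relative paths. The `contains '/.ssh/'` prefilter added to `user_ssh_directory` is fine as a cheap check ahead of the glob.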
@@ -957,6 +967,20 @@
priority: ERROR
tags: [filesystem, mitre_persistence]

- rule: Directory traversal monitored file read
desc: >
Web applications can be vulnerable to directory traversal attacks that allow accessing files outside of the web app's root directory (e.g. Arbitrary File Read bugs).
System directories like /etc are typically accessed via absolute paths. Access patterns outside of this (here path traversal) can be regarded as suspicious.
This rule includes failed file open attempts.
condition: (open_read or open_file_failed) and (etc_dir or user_ssh_directory or fd.name startswith /root/.ssh or fd.name contains "id_rsa") and directory_traversal and not proc.pname in (shell_binaries)
enabled: true
output: >
Read monitored file via directory traversal (username=%user.name useruid=%user.uid user_loginuid=%user.loginuid program=%proc.name exe=%proc.exepath
command=%proc.cmdline parent=%proc.pname file=%fd.name fileraw=%fd.nameraw parent=%proc.pname
gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository returncode=%evt.res cwd=%proc.cwd)
priority: WARNING
tags: [filesystem, mitre_discovery, mitre_exfiltration, mitre_credential_access]

# This rule is disabled by default as many system management tools
# like ansible, etc can read these files/paths. Enable it using this macro.
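Review bot: the output string prints `parent=%proc.pname` twice, once after `exe=%proc.exepath` on the first line and again at the end of the second line; drop one. Two further points on the condition: `fd.name contains "id_rsa"` uses double quotes where the rest of the file uses single quotes, and `not proc.pname in (shell_binaries)` silences the rule whenever the reading process was spawned from a shell, which is exactly the shape of an interactive or reverse-shell session running `cat ../../etc/passwd`. If the exclusion is meant to reduce noise from scripted reads, the desc should say so; otherwise a narrower exception list would keep the rule useful for the web-app case it describes.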