From 2592cd413687cb512490cbb4326818c05ca3fb8c Mon Sep 17 00:00:00 2001
From: Hi120ki <12624257+hi120ki@users.noreply.github.com>
Date: Tue, 6 Sep 2022 17:58:35 +0900
Subject: [PATCH 1/8] add rule Read environment variable from /proc files

Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
---
 rules/falco_rules.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 8459385454d..9461489e4b8 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -3202,3 +3202,21 @@
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.
+
+- list: proc_environ_file_names
+  items: [/proc/self/environ, /proc/1/environ]
+
+- macro: proc_environ_files
+  condition: >
+    fd.name in (proc_environ_file_names)
+
+- rule: Read environment variable from /proc files
+  desc: An attempt to read process environment variables from /proc files
+  condition: >
+    container and open_read and proc_environ_files
+  enabled: true
+  output: >
+    Environment variables were retrieved from /proc files (user=%user.name user_loginuid=%user.loginuid program=%proc.name
+    command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)
+  priority: WARNING
+  tags: [filesystem, mitre_credential_access, mitre_discovery]

From a1fdc7a3e2204a715371657d22d508cd89f84e20 Mon Sep 17 00:00:00 2001
From: Hi120ki <12624257+hi120ki@users.noreply.github.com>
Date: Thu, 8 Sep 2022 10:12:27 +0900
Subject: [PATCH 2/8] add host to target

Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
---
 rules/falco_rules.yaml | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 9461489e4b8..598236d26bb 100644
--- a/rules/falco_rules.yaml
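Review bot: The new rule lands without a comment above it, so the only guidance a maintainer gets is the one-line `desc`, which does not say why `/proc/1/environ` sits next to `/proc/self/environ` in `proc_environ_file_names` or where the expected noise comes from. Secrets are routinely injected into containers as environment variables, which is what makes a read of `/proc/<pid>/environ` worth alerting on, and that rationale belongs next to the rule rather than only in the `mitre_credential_access` tag. I would add, above the `- list: proc_environ_file_names` line, a comment such as `# Environment variables are a common carrier for secrets injected into containers; this rule flags processes that read them back out of /proc/<pid>/environ. Extend proc_environ_file_names in falco_rules.local.yaml to widen coverage.` The `output` line already carries `file=%fd.name`, so the exact environ file read is visible in the alert without further changes.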
+++ b/rules/falco_rules.yaml
@@ -3203,17 +3203,11 @@
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.
 
-- list: proc_environ_file_names
-  items: [/proc/self/environ, /proc/1/environ]
-
-- macro: proc_environ_files
-  condition: >
-    fd.name in (proc_environ_file_names)
-
 - rule: Read environment variable from /proc files
   desc: An attempt to read process environment variables from /proc files
   condition: >
-    container and open_read and proc_environ_files
+    open_read and (fd.name glob /proc/*/environ)
+    and not proc.name in (systemctl, systemd-detect-, cloud-id)
   enabled: true
   output: >
     Environment variables were retrieved from /proc files (user=%user.name user_loginuid=%user.loginuid program=%proc.name

From ba28ee22182e2d20477fcf090eb6a4030ab6b3d8 Mon Sep 17 00:00:00 2001
From: Hi120ki <12624257+hi120ki@users.noreply.github.com>
Date: Thu, 8 Sep 2022 11:09:21 +0900
Subject: [PATCH 3/8] add systemd-sysctl to allowlist

Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 598236d26bb..f531597d883 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -3207,7 +3207,7 @@
   desc: An attempt to read process environment variables from /proc files
   condition: >
     open_read and (fd.name glob /proc/*/environ)
-    and not proc.name in (systemctl, systemd-detect-, cloud-id)
+    and not proc.name in (systemctl, systemd-detect-, cloud-id, systemd-sysctl)
   enabled: true
   output: >
     Environment variables were retrieved from /proc files (user=%user.name user_loginuid=%user.loginuid program=%proc.name

From 157bce0256897875fac6fd7730441b92bf62185a Mon Sep 17 00:00:00 2001
From: Hi120ki <12624257+hi120ki@users.noreply.github.com>
Date: Thu, 8 Sep 2022 15:35:27 +0900
Subject: [PATCH 4/8] revert to container
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
---
 rules/falco_rules.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index f531597d883..413444d11b4 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -3206,8 +3206,7 @@
 - rule: Read environment variable from /proc files
   desc: An attempt to read process environment variables from /proc files
   condition: >
-    open_read and (fd.name glob /proc/*/environ)
-    and not proc.name in (systemctl, systemd-detect-, cloud-id, systemd-sysctl)
+    container and open_read and (fd.name glob /proc/*/environ)
   enabled: true
   output: >
     Environment variables were retrieved from /proc files (user=%user.name user_loginuid=%user.loginuid program=%proc.name

From 3a4f7ad2addb16d3dd9522f4e2e5842194067989 Mon Sep 17 00:00:00 2001
From: Hi120ki <12624257+hi120ki@users.noreply.github.com>
Date: Fri, 9 Sep 2022 09:47:54 +0900
Subject: [PATCH 5/8] add allowlist

Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
---
 rules/falco_rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 413444d11b4..39b532004f1 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -3203,10 +3203,14 @@
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.
 
+- list: known_binaries_to_read_environment_variables_from_proc_files
+  items: [scsi_id]
+
 - rule: Read environment variable from /proc files
   desc: An attempt to read process environment variables from /proc files
   condition: >
     container and open_read and (fd.name glob /proc/*/environ)
+    and not proc.name in (known_binaries_to_read_environment_variables_from_proc_files)
   enabled: true
   output: >
     Environment variables were retrieved from /proc files (user=%user.name user_loginuid=%user.loginuid program=%proc.name

From a077a6f2d2fa4403c2f69d6cefed48fbccd67ead Mon Sep 17 00:00:00 2001
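Review bot: The new exclusion `and not proc.name in (known_binaries_to_read_environment_variables_from_proc_files)` keys on the process name alone, and `proc.name` is whatever the launching process chose, so any reader that happens to be named `scsi_id` is suppressed along with the genuine one; the list is a noise filter rather than a trust boundary, and the same applies to the `argoexec` entry added in PATCH 6/8 and to the final condition in PATCH 8/8. If a specific binary is meant, pairing the name with `proc.exepath` or with `container.image.repository` inside the exclusion would narrow it considerably without changing the list's interface for `falco_rules.local.yaml` overrides. At minimum, a comment above the `- list:` line such as `# Matches on proc.name only, which any process can carry; keep this list short and treat it as a false-positive filter, not an allowlist of trusted binaries.` should record the limitation so future entries are added with that in mind. The rule's `priority` and `tags` lines are outside this hunk.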
From: Hi120ki <12624257+hi120ki@users.noreply.github.com>
Date: Fri, 9 Sep 2022 16:52:10 +0900
Subject: [PATCH 6/8] Update rules/falco_rules.yaml to add argoexec into allowlist

Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 39b532004f1..8c50b82a864 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -3204,7 +3204,7 @@
 # falco_rules.local.yaml.
 
 - list: known_binaries_to_read_environment_variables_from_proc_files
-  items: [scsi_id]
+  items: [scsi_id, argoexec]
 
 - rule: Read environment variable from /proc files
   desc: An attempt to read process environment variables from /proc files

From 6a46b0ff24ee6ba60c8254063b89eaa60945da27 Mon Sep 17 00:00:00 2001
From: Hi120ki <12624257+hi120ki@users.noreply.github.com>
Date: Fri, 9 Sep 2022 16:52:30 +0900
Subject: [PATCH 7/8] Update rules/falco_rules.yaml to delete enabled field

Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
---
 rules/falco_rules.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 8c50b82a864..93b70426971 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -3211,7 +3211,6 @@
   condition: >
     container and open_read and (fd.name glob /proc/*/environ)
     and not proc.name in (known_binaries_to_read_environment_variables_from_proc_files)
-  enabled: true
   output: >
     Environment variables were retrieved from /proc files (user=%user.name user_loginuid=%user.loginuid program=%proc.name
     command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)
From 40ecf547ddc532be62e146495bd53ad69e905e46 Mon Sep 17 00:00:00 2001
From: Hi120ki <12624257+hi120ki@users.noreply.github.com>
Date: Thu, 15 Sep 2022 09:56:20 +0900
Subject: [PATCH 8/8] put open_read in the beginning of the rule

Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 93b70426971..dd663058f5e 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -3209,7 +3209,7 @@
 - rule: Read environment variable from /proc files
   desc: An attempt to read process environment variables from /proc files
   condition: >
-    container and open_read and (fd.name glob /proc/*/environ)
+    open_read and container and (fd.name glob /proc/*/environ)
     and not proc.name in (known_binaries_to_read_environment_variables_from_proc_files)
   output: >
     Environment variables were retrieved from /proc files (user=%user.name user_loginuid=%user.loginuid program=%proc.name
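Review bot: The reorder that puts `open_read` ahead of `container` is made without a comment recording why, so the next edit to this condition can silently undo it; the PATCH 8/8 subject implies an evaluation-cost choice, which holds if `open_read` is the usual `evt.type`-based macro that narrows the event set before `container` and the `fd.name glob` are evaluated per event. A one-line comment above `condition: >`, `# keep open_read first: the event-type check is the cheapest filter`, would preserve the intent. Since PATCH 7/8 dropped `enabled: true`, the rule presumably runs by default, so the per-event cost of the glob on every read-open inside a container is worth keeping visible next to that ordering note. The rule's `priority` and `tags` lines are outside this hunk.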