Add new rule that detect retrieving environment variables from /proc files #2193

Merged (8 commits), Sep 16, 2022
15 changes: 15 additions & 0 deletions rules/falco_rules.yaml
@@ -3202,3 +3202,18 @@
# Application rules have moved to application_rules.yaml. Please look
# there if you want to enable them by adding to
# falco_rules.local.yaml.

- list: known_binaries_to_read_environment_variables_from_proc_files
items: [scsi_id]

- rule: Read environment variable from /proc files
desc: An attempt to read process environment variables from /proc files
condition: >
container and open_read and (fd.name glob /proc/*/environ)
Contributor:

To optimize rule-checking performance, it is good to put open_read at the beginning of the rule.

Contributor Author:

Thank you! I put open_read at the beginning of the rule.

and not proc.name in (known_binaries_to_read_environment_variables_from_proc_files)
enabled: true
output: >
Environment variables were retrieved from /proc files (user=%user.name user_loginuid=%user.loginuid program=%proc.name
command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)
priority: WARNING
tags: [filesystem, mitre_credential_access, mitre_discovery]
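Review bot: the `condition: >` line still reads `container and open_read and (fd.name glob /proc/*/environ)` while the thread says `open_read` was moved to the front; please confirm the merged text is `open_read and container and (fd.name glob /proc/*/environ) and not proc.name in (...)` so the cheap event-type check runs before the container lookup. Two points on scope: the glob `/proc/*/environ` also matches `/proc/self/environ`, so any containerized program that reads its own environment through procfs will fire and has to be added to `known_binaries_to_read_environment_variables_from_proc_files` (currently only `scsi_id`); and the `container` macro limits the rule to containers, which the `desc` ("An attempt to read process environment variables from /proc files") should state so operators do not expect host coverage. Finally, the exception keys on `proc.name` alone, so any process that happens to be named `scsi_id` is exempt; matching the allowlist on `proc.exepath` (or constraining the parent) would be harder to evade.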
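Added example, not code from this PR or from Falco: a Python model of the rule's condition applied to constructed open events, so the allowlist, the container scoping and the glob can be checked offline. `OpenEvent`, `open_read()`, `in_container()` and the sample events are assumptions standing in for Falco's event fields and macros, and the `glob` operator is approximated with Python's `fnmatch`, whose `*` also matches `/` (verify against Falco's own glob before relying on the task-path case).

```python
"""Added example: a Python model of the 'Read environment variable from /proc files'
rule, run over constructed open() events. Not Falco code; the event shape,
open_read(), in_container() and the fnmatch-based glob are simplifications."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Mirrors the allowlist in the diff (only scsi_id at merge time).
KNOWN_BINARIES_TO_READ_ENVIRON_FROM_PROC = frozenset({"scsi_id"})

PATTERN = "/proc/*/environ"


@dataclass(frozen=True)
class OpenEvent:
    """Constructed stand-in for the fields the rule reads from an open/openat event."""
    proc_name: str          # %proc.name
    proc_cmdline: str       # %proc.cmdline
    fd_name: str            # %fd.name, the path being opened
    flags: frozenset        # open flags, e.g. {"O_RDONLY"}
    container_id: str       # %container.id; "host" models a non-container process


def open_read(evt: OpenEvent) -> bool:
    """Simplified stand-in for Falco's open_read macro: an open with a readable mode."""
    return bool(evt.flags & {"O_RDONLY", "O_RDWR"})


def in_container(evt: OpenEvent) -> bool:
    """Simplified stand-in for Falco's container macro (container.id != host)."""
    return evt.container_id != "host"


def rule_matches(evt: OpenEvent) -> bool:
    """The rule condition, cheapest predicate first as the review thread suggests.

    Assumption: Falco's glob treats '*' like fnmatch ('/' included), so
    /proc/self/environ and /proc/<pid>/task/<tid>/environ both match.
    """
    return (
        open_read(evt)
        and in_container(evt)
        and fnmatchcase(evt.fd_name, PATTERN)
        and evt.proc_name not in KNOWN_BINARIES_TO_READ_ENVIRON_FROM_PROC
    )


def format_alert(evt: OpenEvent) -> str:
    """Subset of the rule's output line (the parent-lineage fields are omitted)."""
    return (f"Environment variables were retrieved from /proc files "
            f"(program={evt.proc_name} command={evt.proc_cmdline} "
            f"file={evt.fd_name} container_id={evt.container_id})")


def evaluate(events) -> list:
    """Return one alert line per event that satisfies the rule."""
    return [format_alert(e) for e in events if rule_matches(e)]


RDONLY = frozenset({"O_RDONLY"})

# Constructed events, not captured from a real system.
SAMPLE_EVENTS = [
    # credential hunting in a container: reads another process's environment
    OpenEvent("cat", "cat /proc/1/environ", "/proc/1/environ", RDONLY, "3a1f"),
    # a process reading its own environment through procfs also matches the glob
    OpenEvent("python3", "python3 app.py", "/proc/self/environ", RDONLY, "3a1f"),
    # per-thread view of the same data (matches under the fnmatch assumption)
    OpenEvent("cat", "cat /proc/1/task/1/environ", "/proc/1/task/1/environ", RDONLY, "3a1f"),
    # exempted by proc.name only, so a renamed binary would be exempt too
    OpenEvent("scsi_id", "scsi_id --export /dev/sda", "/proc/self/environ", RDONLY, "3a1f"),
    # same read on the host: outside the rule because of the container macro
    OpenEvent("cat", "cat /proc/1/environ", "/proc/1/environ", RDONLY, "host"),
    # a different /proc file does not match the glob
    OpenEvent("cat", "cat /proc/1/cmdline", "/proc/1/cmdline", RDONLY, "3a1f"),
    # write-only open does not satisfy open_read
    OpenEvent("sh", "sh -c 'echo x > /proc/1/environ'", "/proc/1/environ",
              frozenset({"O_WRONLY"}), "3a1f"),
]


if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print(line)
```

Running the block prints three alerts (the two `cat` reads and the `python3` self-read); the `scsi_id`, host, `cmdline` and write-only events stay silent, which is exactly the set of gaps the allowlist, the `container` macro and the glob leave open.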