From 8866f754808c5d8a7a23b9b7fc3c2b8451eb281f Mon Sep 17 00:00:00 2001
From: Kaizhe Huang
Date: Wed, 7 Nov 2018 18:22:48 +0000
Subject: [PATCH 1/3] add new rules for package management process launched and network tool process launched

---
 rules/falco_rules.yaml | 50 ++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 48 insertions(+), 2 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 19ea82e7ae5..f920ff846b6 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -178,17 +178,23 @@
 - list: deb_binaries
   items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, apt-get, aptitude,
     frontend, preinst, add-apt-reposit, apt-auto-remova, apt-key,
-    apt-listchanges, unattended-upgr, apt-add-reposit
+    apt-listchanges, unattended-upgr, apt-add-reposit, apt-config, apt-cache
     ]
 
 # The truncated dpkg-preconfigu is intentional, process names are
 # truncated at the sysdig level.
 - list: package_mgmt_binaries
-  items: [rpm_binaries, deb_binaries, update-alternat, gem, pip, pip3, sane-utils.post, alternatives, chef-client]
+  items: [rpm_binaries, deb_binaries, update-alternat, gem, pip, pip3, sane-utils.post, alternatives, chef-client, apk]
 
 - macro: package_mgmt_procs
   condition: proc.name in (package_mgmt_binaries)
 
+- macro: package_mgmt_ancestor_procs
+  condition: proc.pname in (package_mgmt_binaries) or
+             proc.aname[2] in (package_mgmt_binaries) or
+             proc.aname[3] in (package_mgmt_binaries) or
+             proc.aname[4] in (package_mgmt_binaries)
+
 - macro: coreos_write_ssh_dir
   condition: (proc.name=update-ssh-keys and fd.name startswith /home/core/.ssh)
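Review bot: The new `package_mgmt_ancestor_procs` macro is added without a comment, so its purpose — presumably suppressing the helpers a package manager itself spawns so that only the top-level invocation alerts — has to be inferred from the rule in the second hunk that uses it as `not package_mgmt_ancestor_procs`. A header such as `# True when the parent or any ancestor up to four levels up is a package manager; Launch Package Management Process uses it to alert once on the top-level invocation rather than on every helper it execs` would turn the four-level cutoff from a magic number into a documented choice. Separately, `apt-config` and `apt-cache` only query configuration and the package cache, so listing them in `deb_binaries` makes the new ERROR-priority rule fire on a read-only cache lookup and also widens every existing exclusion built on `package_mgmt_procs`; if only the first effect was intended, a separate list for query-only tools would keep the two apart.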
@@ -1747,6 +1753,46 @@
   priority: NOTICE
   tags: [network, k8s, container]
 
+- list: network_tool_binaries
+  items: [nc, ncat, nmap]
+
+- macro: network_tool_procs
+  condition: proc.name in (network_tool_binaries)
+
+# Container is supposed to be immutable. Package management should be done in building the image.
+- rule: Launch Package Management Process
+  desc: Package management process ran insdie container
+  condition: >
+    spawned_process and container and user.name != "_apt" and package_mgmt_procs and not package_mgmt_ancestor_procs
+  output: >
+    Package management process launched (user=%user.name
+    command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image)
+  priority: ERROR
+  tags: [process]
+
+- rule: Netcat Remote Code Execution
+  desc: Netcat Program runs inside container that allows remote code execution
+  condition: >
+    spawned_process and container and
+    ((proc.name = "nc" and (proc.args contains "-e" or proc.args contains "-c")) or
+     (proc.name = "ncat" and (proc.args contains "--sh-exec" or proc.args contains "--exec"))
+    )
+  output: >
+    Netcat runs inside container that allows remote code execution (user=%user.name
+    command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image)
+  priority: WARNING
+  tags: [network, process]
+
+- rule: Lauch Suspicious Network Tool
+  desc: Detect network tools launched inside container
+  condition: >
+    spawned_process and container and network_tool_procs
+  output: >
+    Network tool launched (user=%user.name
+    command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image)
+  priority: NOTICE
+  tags: [network, process]
+
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.

From 77ccb4e693b76d5760130877a328dcf4fd3aebe4 Mon Sep 17 00:00:00 2001
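Review bot: The rule name `Lauch Suspicious Network Tool` is misspelled, and because the rule name is the identifier that alert output, `enabled: false` overrides in falco_rules.local.yaml and `-D` disabling key on, it should read `- rule: Launch Suspicious Network Tool` before it ships; the later "fix typo" patch in this series corrects `insdie` but leaves this one, and the third patch carries it into the renamed `Lauch Suspicious Network Tool in Container`. The `user.name != "_apt"` clause in the package management rule has no explanation, and a comment such as `# _apt is the unprivileged user apt drops to for its fetch helpers; they are children of the already-alerted apt-get invocation (confirm)` would stop a later maintainer from reading it as a blanket exemption for that account. In the Netcat rule, `proc.args contains "-e"` and `proc.args contains "-c"` are substring matches over the whole argument string, so a hostname or path such as `server-east` also satisfies them; if that noise matters at WARNING, say so in desc or tighten the match. The package management rule is also tagged only `[process]` while the neighbouring rules carry `container`, which affects tag-based disabling.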
From: Kaizhe Huang
Date: Fri, 9 Nov 2018 18:54:33 +0000
Subject: [PATCH 2/3] fix typo and improve readability

---
 rules/falco_rules.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index f920ff846b6..a71d273cb62 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1760,12 +1760,12 @@
   condition: proc.name in (network_tool_binaries)
 
 # Container is supposed to be immutable. Package management should be done in building the image.
-- rule: Launch Package Management Process
-  desc: Package management process ran insdie container
+- rule: Launch Package Management Process in Container
+  desc: Package management process ran inside container
   condition: >
     spawned_process and container and user.name != "_apt" and package_mgmt_procs and not package_mgmt_ancestor_procs
   output: >
-    Package management process launched (user=%user.name
+    Package management process launched in container (user=%user.name
     command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image)
   priority: ERROR
   tags: [process]

From d9e13acaff5d5b11450c07fc621fef6c7e2bdc18 Mon Sep 17 00:00:00 2001
From: Kaizhe Huang
Date: Fri, 9 Nov 2018 18:59:01 +0000
Subject: [PATCH 3/3] v3

---
 rules/falco_rules.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index a71d273cb62..78dbf1359a3 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1770,7 +1770,7 @@
   priority: ERROR
   tags: [process]
 
-- rule: Netcat Remote Code Execution
+- rule: Netcat Remote Code Execution in Container
   desc: Netcat Program runs inside container that allows remote code execution
   condition: >
     spawned_process and container and
@@ -1783,12 +1783,12 @@
   priority: WARNING
   tags: [network, process]
 
-- rule: Lauch Suspicious Network Tool
+- rule: Lauch Suspicious Network Tool in Container
   desc: Detect network tools launched inside container
   condition: >
     spawned_process and container and network_tool_procs
   output: >
-    Network tool launched (user=%user.name
+    Network tool launched in container (user=%user.name
     command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image)
   priority: NOTICE
   tags: [network, process]