cleanup(rules): improve kernel module rule
A major refactor of Falco now exposes each syscall Falco's libs
supports to the end user :)

Official support starts with Falco 0.35.0

Signed-off-by: Melissa Kilby <[email protected]>
incertum authored and poiana committed Apr 4, 2023
1 parent 694adf5 commit 05d269e
Showing 1 changed file with 11 additions and 3 deletions.
14 changes: 11 additions & 3 deletions rules/falco_rules.yaml
@@ -17,7 +17,7 @@

# Starting with version 8, the Falco engine supports exceptions.
# However the Falco rules file does not use them by default.
- required_engine_version: 16
- required_engine_version: 17

# Currently disabled as read/write are ignored syscalls. The nearly
# similar open_write/open_read check for files being opened for
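Review bot: the bump from `required_engine_version: 16` to `17` is the right guard here, since it is what stops older Falco engines from loading a rules file that references an `evt.type` (`init_module`) they do not know about; the rationale, though, lives only in the commit message. Consider stating it next to the key, e.g. `# 17: init_module event type, exposed starting with Falco 0.35.0`, so the next person bumping the version knows which rule depends on it.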
@@ -86,6 +86,9 @@
- macro: chmod
condition: (evt.type in (chmod, fchmod, fchmodat) and evt.dir=<)

- macro: init_module
condition: (evt.type=init_module and evt.dir=<)

# File categories
- macro: bin_dir
condition: (fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin))
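Review bot: the new `init_module` macro matches only `evt.type=init_module`, but userspace kmod tools (`modprobe`, and `insmod` on kernels that provide it) load modules through `finit_module(2)`, passing a file descriptor rather than an in-memory image, so a module loaded that way would not hit this macro. If the libs refactor mentioned in the commit message exposes `finit_module` as well, `condition: (evt.type in (init_module, finit_module) and evt.dir=<)` would close that gap; if it does not, the comment in the rule hunk claiming modprobe coverage should be narrowed. Also worth noting in a comment that matching on the exit event (`evt.dir=<`) means failed loads (for example a non-zero `evt.res` from a denied request) fire too, which is useful for detection but should be expected by rule consumers.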
@@ -3150,10 +3153,15 @@
- list: white_listed_modules
items: []

# init_module syscall is available since Falco 0.35.0
# rule coverage now extends to modprobe usage
- rule: Linux Kernel Module Injection Detected
desc: Detect kernel module was injected (from container).
condition: spawned_process and container and proc.name=insmod and not proc.args in (white_listed_modules) and thread.cap_effective icontains sys_module
output: Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args %container.info image=%container.image.repository:%container.image.tag)
condition: ((spawned_process and proc.name=insmod) or init_module)
and container
and not proc.args in (white_listed_modules)
and thread.cap_effective icontains sys_module
output: Linux Kernel Module injection from container detected (user=%user.name uid=%user.uid user_loginuid=%user.loginuid process_name=%proc.name parent_process_name=%proc.pname parent_exepath=%proc.pexepath %proc.aname[2] %proc.aexepath[2] module=%proc.args %container.info image=%container.image.repository:%container.image.tag res=%evt.res syscall=%evt.type)
priority: WARNING
tags: [host, container, process, mitre_execution, mitre_persistence, TA0002]

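Review bot: the condition `((spawned_process and proc.name=insmod) or init_module)` can produce two alerts for one `insmod` invocation, first on the execve (`spawned_process`) and again on the `init_module` exit, with different `syscall=%evt.type` and `res=%evt.res` values in the output; if that is intended as belt-and-braces coverage for engines that drop the syscall, say so in the comment above the rule, otherwise consider keeping only the syscall branch now that it is available. Separately, `not proc.args in (white_listed_modules)` compares the full argument string of the calling process, which for the new `init_module` branch may be `modprobe` with options rather than a bare module path, so exact-match allow-list entries written for `insmod` will not carry over; the `white_listed_modules` list comment should spell out what form entries must take. The rule comment `# rule coverage now extends to modprobe usage` also overstates the change unless `finit_module` is matched by the macro, since modprobe uses that syscall on modern kernels.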