From 1feae90c74943a7152972d94a39ed80965c26614 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 17 Jan 2018 20:29:45 -0800 Subject: [PATCH] Rule updates vdec2 (#315) * Additional rpm writers, root directories salt-minion can also touch the rpm database, and some node packages write below /root/.config/configstore. * Add smbd as a protected shell spawner. It's a server-like program. * Also handle .ash_history default shell for alpine linux * Add exceptions for veritas Let many veritas programs write below /etc/vx. Let one veritas-related perl script read sensitive files. * Allow postgres to run wal-e https://github.com/wal-e/wal-e, archiving program for postgres. * Let consul (agent) run addl scripts Also let consul (agent, but the distinction is in the command line args) to run nc in addition to curl. Also rename the macro. * Let postgres setuid to itself Let postgres setuid to itself. Seen by archiving programs like wal-e. * Also allow consul to run alert check scripts "sh -c /bin/consul-alerts watch checks --alert-addr 0.0.0.0:9000 ..." * Add additional privileged containers. Openshift's logging support containers generally run privileged. * Let addl progs write below /etc/lvm Add lvcreate as a program that can write below /etc/lvm and rename the macro to lvprogs_writing_lvm_archive. * Let glide write below root https://glide.sh/, package management for go. * Let sosreport read sensitive files. * Let scom server read sensitive files. Microsoft System Center Operations Manager (SCOM). * Let kube-router run privileged. https://github.com/cloudnativelabs/kube-router * Let needrestart_binaries spawns shells Was included in prior version of shell rules, adding back. * Let splunk spawn shells below /opt/splunkforwarder * Add yum-cron as a rpm binary * Add a different way to run denyhosts. Strange that the program is denyhosts.py but observed in actual environments. * Let nrpe setuid to nagios. * Also let postgres run wal-e wrt shells Previously added as an exception for db program spawned process, need to add as an exception for run shell untrusted. * Remove installer shell-related rules They aren't used that often and removing them cleans up space for new rules we want to add soon. --- rules/falco_rules.yaml | 132 +++++++++++++++++++---------------------- 1 file changed, 60 insertions(+), 72 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 0522f891b8e..eb7e452cac7 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -183,10 +183,10 @@ # interpreted by the filter expression. - list: rpm_binaries items: [dnf, rpm, rpmkey, yum, '"75-system-updat"', rhsmcertd-worke, subscription-ma, - repoquery, rpmkeys, rpmq] + repoquery, rpmkeys, rpmq, yum-cron] - macro: rpm_procs - condition: proc.name in (rpm_binaries) + condition: proc.name in (rpm_binaries) or proc.name in (salt-minion) - list: deb_binaries items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, apt, apt-get, aptitude, @@ -389,9 +389,10 @@ - macro: parent_python_running_denyhosts condition: > - (proc.pname=python and - (proc.pcmdline contains /usr/sbin/denyhosts or - proc.pcmdline contains /usr/local/bin/denyhosts.py)) + (proc.cmdline startswith "denyhosts.py /usr/bin/denyhosts.py" or + (proc.pname=python and + (proc.pcmdline contains /usr/sbin/denyhosts or + proc.pcmdline contains /usr/local/bin/denyhosts.py))) - macro: parent_python_running_sdchecks condition: > @@ -587,6 +588,9 @@ - macro: python_mesos_marathon_scripting condition: (proc.pcmdline startswith "python3 /marathon-lb/marathon_lb.py") +- macro: splunk_running_forwarder + condition: (proc.pname=splunkd and proc.cmdline startswith "sh -c /opt/splunkforwarder") + - macro: parent_running_datastax condition: ((proc.pname=java and proc.pcmdline contains "-jar datastax-agent") or (proc.pcmdline startswith "nodetool /opt/dse/bin/")) @@ -612,8 +616,8 @@ - macro: htpasswd_writing_passwd condition: (proc.name=htpasswd and fd.name=/etc/nginx/.htpasswd) -- macro: dmeventd_writing_lvm_archive - condition: (proc.name=dmeventd and (fd.name startswith /etc/lvm/archive or +- macro: lvprogs_writing_lvm_archive + condition: (proc.name in (dmeventd,lvcreate) and (fd.name startswith /etc/lvm/archive or fd.name startswith /etc/lvm/backup)) - macro: ovsdb_writing_openvswitch condition: (proc.name=ovsdb-server and fd.directory=/etc/openvswitch) @@ -637,6 +641,18 @@ - macro: countly_writing_nginx_conf condition: (proc.cmdline startswith "nodejs /opt/countly/bin" and fd.name startswith /etc/nginx) +- list: veritas_binaries + items: [vxconfigd, sfcache, vxclustadm, vxdctl, vxprint, vxdmpadm, vxdisk, vxdg, vxassist, vxtune] + +- macro: veritas_driver_script + condition: (proc.cmdline startswith "perl /opt/VRTSsfmh/bin/mh_driver.pl") + +- macro: veritas_progs + condition: (proc.name in (veritas_binaries) or veritas_driver_script) + +- macro: veritas_writing_config + condition: (veritas_progs and fd.name startswith /etc/vx) + - macro: exe_running_docker_save condition: (container and proc.cmdline startswith "exe /var/lib/docker" and proc.pname in (dockerd, docker)) @@ -783,7 +799,7 @@ and not supervise_writing_status and not pki_realm_writing_realms and not htpasswd_writing_passwd - and not dmeventd_writing_lvm_archive + and not lvprogs_writing_lvm_archive and not ovsdb_writing_openvswitch and not datadog_writing_conf and not curl_writing_pki_db @@ -802,14 +818,14 @@ and not countly_writing_nginx_conf - rule: Write below etc - desc: an attempt to write to any file below /etc, not in a pipe installer session + desc: an attempt to write to any file below /etc condition: write_etc_common and not proc.sname=fbash output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name name=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])" priority: ERROR tags: [filesystem] - list: known_root_files - items: [/root/.monit.state, /root/.auth_tokens, /root/.bash_history, /root/.aws/credentials, + items: [/root/.monit.state, /root/.auth_tokens, /root/.bash_history, /root/.ash_history, /root/.aws/credentials, /root/.viminfo.tmp, /root/.lesshst, /root/.bzr.log, /root/.gitconfig.lock] - list: known_root_directories @@ -823,11 +839,13 @@ or fd.name startswith /root/.ivy2 or fd.name startswith /root/.config/Cypress or fd.name startswith /root/.config/pulse + or fd.name startswith /root/.config/configstore or fd.name startswith /root/jenkins/workspace or fd.name startswith /root/.jenkins or fd.name startswith /root/.cache or fd.name startswith /root/.sbt or fd.name startswith /root/.java + or fd.name startswith /root/.glide or fd.name startswith /root/.sonar) - rule: Write below root @@ -842,16 +860,6 @@ priority: ERROR tags: [filesystem] -# Within a fbash session, the severity is lowered to INFO -- rule: Write below etc in installer - desc: an attempt to write to any file below /etc, in a pipe installer session - condition: write_etc_common and proc.sname=fbash - output: > - File below /etc opened for writing (user=%user.name command=%proc.cmdline - file=%fd.name) within pipe installer session - priority: INFO - tags: [filesystem] - - macro: cmp_cp_by_passwd condition: proc.name in (cmp, cp) and proc.pname in (passwd, run-parts) @@ -871,7 +879,8 @@ items: [ iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd, vsftpd, systemd, mysql_install_d, psql, screen, debconf-show, sa-update, - pam-auth-update, /usr/sbin/spamd, polkit-agent-he, lsattr, file + pam-auth-update, /usr/sbin/spamd, polkit-agent-he, lsattr, file, sosreport, + scxcimservera ] # Add conditions to this macro (probably in a separate file, @@ -904,6 +913,7 @@ and not run_by_chef and not user_read_sensitive_file_conditions and not perl_running_plesk + and not veritas_driver_script output: > Sensitive file opened for reading by non-trusted program (user=%user.name name=%proc.name command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4]) @@ -918,11 +928,18 @@ priority: ERROR tags: [filesystem, software_mgmt] +- macro: postgres_running_wal_e + condition: (proc.pname=postgres and proc.cmdline startswith "sh -c envdir /etc/wal-e.d/env /usr/local/bin/wal-e") + - rule: DB program spawned process desc: > a database-server related program spawned a new process other than itself. This shouldn\'t occur and is a follow on from some SQL injection attacks. - condition: proc.pname in (db_server_binaries) and spawned_process and not proc.name in (db_server_binaries) + condition: > + proc.pname in (db_server_binaries) + and spawned_process + and not proc.name in (db_server_binaries) + and not postgres_running_wal_e output: > Database-related program spawned process other than itself (user=%user.name program=%proc.cmdline parent=%proc.pname) @@ -1014,7 +1031,7 @@ - list: protected_shell_spawning_binaries items: [ http_server_binaries, db_server_binaries, nosql_server_binaries, mail_binaries, - fluentd, flanneld, splunkd, consul, runsv + fluentd, flanneld, splunkd, consul, smbd, runsv ] - macro: parent_java_running_zookeeper @@ -1050,8 +1067,11 @@ - macro: nginx_starting_nginx condition: (proc.pname=nginx and proc.cmdline contains "/usr/sbin/nginx -c /etc/nginx/nginx.conf") -- macro: consul_running_curl - condition: (proc.pname=consul and proc.cmdline startswith "sh -c curl") +- macro: consul_running_net_scripts + condition: (proc.pname=consul and (proc.cmdline startswith "sh -c curl" or proc.cmdline startswith "sh -c nc")) + +- macro: consul_running_alert_checks + condition: (proc.pname=consul and proc.cmdline startswith "sh -c /bin/consul-alerts") - macro: serf_script condition: (proc.cmdline startswith "sh -c serf") @@ -1084,18 +1104,22 @@ and proc.pname exists and protected_shell_spawner and not proc.pname in (shell_binaries, gitlab_binaries, cron_binaries, user_known_shell_spawn_binaries, + needrestart_binaries, erl_child_setup, exechealthz, PM2, PassengerWatchd, c_rehash, svlogd, logrotate, hhvm, serf, lb-controller, nvidia-installe, runsv, statsite) and not proc.cmdline in (known_shell_spawn_cmdlines) and not proc.aname in (unicorn_launche) - and not consul_running_curl + and not consul_running_net_scripts + and not consul_running_alert_checks and not nginx_starting_nginx and not run_by_package_mgmt_binaries and not serf_script and not check_process_status and not run_by_foreman and not python_mesos_marathon_scripting + and not splunk_running_forwarder + and not postgres_running_wal_e and not user_shell_container_exclusions output: > Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname @@ -1114,7 +1138,10 @@ container.image startswith quay.io/coreos/flannel or container.image startswith gcr.io/google_containers/kube-proxy or container.image startswith calico/node or - container.image startswith rook/toolbox) + container.image startswith rook/toolbox or + container.image startswith registry.access.redhat.com/openshift3/logging-fluentd or + container.image startswith registry.access.redhat.com/openshift3/logging-elasticsearch or + container.image startswith cloudnativelabs/kube-router) # Add conditions to this macro (probably in a separate file, # overwriting this macro) to specify additional containers that are @@ -1350,7 +1377,11 @@ (user.name=postfix and evt.arg.uid=postfix) or (user.name=pki-agent and evt.arg.uid=pki-agent) or (user.name=pki-acme and evt.arg.uid=pki-acme) or - (user.name=nfsnobody and evt.arg.uid=nfsnobody)) + (user.name=nfsnobody and evt.arg.uid=nfsnobody) or + (user.name=postgres and evt.arg.uid=postgres)) + +- macro: nrpe_becoming_nagios + condition: (proc.name=nrpe and evt.arg.uid=nagios) # In containers, the user name might be for a uid that exists in the # container but not on the host. (See @@ -1371,6 +1402,7 @@ and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries, nomachine_binaries) and not java_running_sdjagent + and not nrpe_becoming_nagios output: > Unexpected setuid call by non-sudo, non-root program (user=%user.name cur_uid=%user.uid parent=%proc.pname command=%proc.cmdline uid=%evt.arg.uid) @@ -1419,54 +1451,10 @@ priority: ERROR tags: [filesystem] -# fbash is a small shell script that runs bash, and is suitable for use in curl | fbash installers. -- rule: Installer bash starts network server - desc: an attempt by a program in a pipe installer session to start listening for network connections - condition: evt.type=listen and proc.sname=fbash - output: "Unexpected listen call by a process in a fbash session (command=%proc.cmdline)" - priority: NOTICE - tags: [network] - -- rule: Installer bash starts session - desc: an attempt by a program in a pipe installer session to start a new session - condition: evt.type=setsid and proc.sname=fbash - output: "Unexpected setsid call by a process in fbash session (command=%proc.cmdline)" - priority: NOTICE - tags: [process] - -- rule: Installer bash non https connection - desc: an attempt by a program in a pipe installer session to make an outgoing connection on a non-http(s) port - condition: proc.sname=fbash and outbound and not fd.sport in (80, 443, 53) - output: > - Outbound connection on non-http(s) port by a process in a fbash session - (command=%proc.cmdline connection=%fd.name) - priority: NOTICE - tags: [network] - # It'd be nice if we could warn when processes in a fbash session try # to download from any nonstandard location? This is probably blocked # on https://github.com/draios/falco/issues/88 though. -# Notice when processes try to run chkconfig/systemctl.... to install a service. -# Note: this is not a WARNING, as you'd expect some service management -# as a part of doing the installation. -- rule: Installer bash manages service - desc: an attempt by a program in a pipe installer session to manage a system service (systemd/chkconfig) - condition: evt.type=execve and proc.name in (chkconfig, systemctl) and proc.sname=fbash - output: "Service management program run by process in a fbash session (command=%proc.cmdline)" - priority: INFO - tags: [software_mgmt] - -# Notice when processes try to run any package management binary within a fbash session. -# Note: this is not a WARNING, as you'd expect some package management -# as a part of doing the installation -- rule: Installer bash runs pkgmgmt program - desc: an attempt by a program in a pipe installer session to run a package management binary - condition: evt.type=execve and package_mgmt_procs and proc.sname=fbash - output: "Package management program run by process in a fbash session (command=%proc.cmdline)" - priority: INFO - tags: [software_mgmt] - ########################### # Application-Related Rules ###########################