Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cleanup(rules): cleanup rules disabled by default - 3 #2168

Merged
merged 2 commits into from
Aug 26, 2022
Merged

cleanup(rules): cleanup rules disabled by default - 3 #2168

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
fa2bec4
cleanup(rules): cleanup rules disabled by default - 3
incertum Aug 18, 2022
62ed95d
cleanup(rules): cleanup redundant use of always_true macros
incertum Aug 22, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 14 additions & 42 deletions rules/falco_rules.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -369,11 +369,9 @@
# use the fd.*ip and fd.*ip.name fields to match connection
# information against ips, netmasks, and complete domain names.
#
# To use this rule, you should modify consider_all_outbound_conns and
# To use this rule, you should enable it and
# populate allowed_{source,destination}_{ipaddrs,networks,domains} with the
# values that make sense for your environment.
- macro: consider_all_outbound_conns
condition: (never_true)

# Note that this can be either individual IPs or netmasks
- list: allowed_outbound_destination_ipaddrs
Expand All @@ -388,17 +386,15 @@
- rule: Unexpected outbound connection destination
desc: Detect any outbound connection to a destination outside of an allowed set of ips, networks, or domain names
condition: >
consider_all_outbound_conns and outbound and not
outbound and not
((fd.sip in (allowed_outbound_destination_ipaddrs)) or
(fd.snet in (allowed_outbound_destination_networks)) or
(fd.sip.name in (allowed_outbound_destination_domains)))
enabled: false
output: Disallowed outbound connection destination (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
priority: NOTICE
tags: [network]

- macro: consider_all_inbound_conns
condition: (never_true)

- list: allowed_inbound_source_ipaddrs
items: ['"127.0.0.1"']

Expand All @@ -411,10 +407,11 @@
- rule: Unexpected inbound connection source
desc: Detect any inbound connection from a source outside of an allowed set of ips, networks, or domain names
condition: >
consider_all_inbound_conns and inbound and not
inbound and not
((fd.cip in (allowed_inbound_source_ipaddrs)) or
(fd.cnet in (allowed_inbound_source_networks)) or
(fd.cip.name in (allowed_inbound_source_domains)))
enabled: false
output: Disallowed inbound connection source (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
priority: NOTICE
tags: [network]
Expand Down Expand Up @@ -464,30 +461,23 @@
tags: [file, mitre_persistence]

# This rule is not enabled by default, as there are many legitimate
# readers of shell config files. If you want to enable it, modify the
# following macro.

- macro: consider_shell_config_reads
condition: (never_true)
# readers of shell config files.

- rule: Read Shell Configuration File
desc: Detect attempts to read shell configuration files by non-shell programs
condition: >
open_read and
consider_shell_config_reads and
(fd.filename in (shell_config_filenames) or
fd.name in (shell_config_files) or
fd.directory in (shell_config_directories)) and
(not proc.name in (shell_binaries))
enabled: false
output: >
a shell configuration file was read by a non-shell program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
priority:
WARNING
tags: [file, mitre_discovery]

- macro: consider_all_cron_jobs
condition: (never_true)

- macro: user_known_cron_jobs
condition: (never_true)

Expand All @@ -496,8 +486,8 @@
condition: >
((open_write and fd.name startswith /etc/cron) or
(spawned_process and proc.name = "crontab")) and
consider_all_cron_jobs and
not user_known_cron_jobs
enabled: false
output: >
Cron jobs were scheduled to run (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
Expand Down Expand Up @@ -2658,9 +2648,6 @@
WARNING
tags: [process, mitre_defense_evasion]

- macro: consider_all_chmods
condition: (always_true)

- list: user_known_chmod_applications
items: [hyperkube, kubelet, k3s-agent]

Expand All @@ -2676,7 +2663,7 @@
this means that the application will run with the privileges of the owning user or group respectively.
Detect setuid or setgid bits set via chmod
condition: >
consider_all_chmods and chmod and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID")
chmod and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID")
and not proc.name in (user_known_chmod_applications)
and not exe_running_docker_save
and not user_known_set_setuid_or_setgid_bit_conditions
Expand All @@ -2691,10 +2678,7 @@
- list: exclude_hidden_directories
items: [/root/.cassandra]

# To use this rule, you should modify consider_hidden_file_creation.
- macro: consider_hidden_file_creation
condition: (never_true)

# The rule is disabled by default.
- macro: user_known_create_hidden_file_activities
condition: (never_true)

Expand All @@ -2704,9 +2688,9 @@
((modify and evt.arg.newpath contains "/.") or
(mkdir and evt.arg.path contains "/.") or
(open_write and evt.arg.flags contains "O_CREAT" and fd.name contains "/." and not fd.name pmatch (exclude_hidden_directories))) and
consider_hidden_file_creation and
not user_known_create_hidden_file_activities
and not exe_running_docker_save
enabled: false
output: >
Hidden file or directory created (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
Expand Down Expand Up @@ -2916,10 +2900,6 @@
priority: NOTICE
tags: [network, mitre_discovery]

# Change to (always_true) to enable rule 'Network connection outside local subnet'
- macro: enabled_rule_network_only_subnet
condition: (never_true)

# Namespaces where the rule is enforce
- list: namespace_scope_network_only_subnet
items: []
Expand All @@ -2930,8 +2910,8 @@
fd.ip = "0.0.0.0" or
fd.net = "127.0.0.0/8"

# # The rule is disabled by default.
# # How to test:
# # Change macro enabled_rule_network_only_subnet to condition: always_true
# # Add 'default' to namespace_scope_network_only_subnet
# # Run:
# kubectl run --generator=run-pod/v1 -n default -i --tty busybox --image=busybox --rm -- wget google.com -O /var/google.html
Expand All @@ -2940,11 +2920,11 @@
- rule: Network Connection outside Local Subnet
desc: Detect traffic to image outside local subnet.
condition: >
enabled_rule_network_only_subnet and
inbound_outbound and
container and
not network_local_subnet and
k8s.ns.name in (namespace_scope_network_only_subnet)
enabled: false
output: >
Network connection outside local subnet
(command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id
Expand All @@ -2953,9 +2933,6 @@
priority: WARNING
tags: [network]

- macro: allowed_port
condition: (never_true)

- list: allowed_image
items: [] # add image to monitor, i.e.: bitnami/nginx

Expand All @@ -2976,12 +2953,12 @@
- rule: Outbound or Inbound Traffic not to Authorized Server Process and Port
desc: Detect traffic that is not to authorized server process and port.
condition: >
allowed_port and
inbound_outbound and
container and
container.image.repository in (allowed_image) and
not proc.name in (authorized_server_binary) and
not fd.sport in (authorized_server_port)
enabled: false
output: >
Network connection outside authorized port and binary
(command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id
Expand Down Expand Up @@ -3019,7 +2996,6 @@
desc: New executable created in a container due to chmod
condition: >
chmod and
consider_all_chmods and
container and
not runc_writing_exec_fifo and
not runc_writing_var_lib_docker and
Expand Down Expand Up @@ -3120,16 +3096,12 @@
priority: WARNING
tags: [container, cis, mitre_lateral_movement]

- macro: consider_userfaultfd_activities
condition: (always_true)

- list: user_known_userfaultfd_processes
items: []

- rule: Unprivileged Delegation of Page Faults Handling to a Userspace Process
desc: Detect a successful unprivileged userfaultfd syscall which might act as an attack primitive to exploit other bugs
condition: >
consider_userfaultfd_activities and
evt.type = userfaultfd and
user.uid != 0 and
(evt.rawres >= 0 or evt.res != -1) and
Expand Down