From 18f36c794050173a823c6c2124749e33ebfbb09d Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 1 Dec 2017 12:32:36 -0800
Subject: [PATCH 1/3] Let kubelet running loopback spawn shells

Seen by @JPLachance, thanks for the heads up!
---
 rules/falco_rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index d7ce1395f46..82f9a67be9b 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -565,6 +565,9 @@
 - macro: java_running_sdjagent
 condition: proc.name=java and proc.cmdline contains sdjagent.jar
+- macro: kubelet_running_loopback
+ condition: (proc.pname=kubelet and proc.name=loopback)
+
 - macro: parent_java_running_confluence
 condition: (proc.pname=java and proc.pcmdline contains "-classpath /opt/atlassian/confluence")
@@ -965,6 +968,7 @@
 and not proc.name startswith "runc:"
 and not proc.pname in (sysdigcloud_binaries)
 and not java_running_sdjagent
+ and not kubelet_running_loopback
 output: >
 Namespace change (setns) by unexpected program (user=%user.name
 command=%proc.cmdline parent=%proc.pname %container.info)

From ea0327517d05c99ff5ddd52f510b18354e5aa0bd Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Tue, 5 Dec 2017 08:48:45 -0800
Subject: [PATCH 2/3] Let docker's "exe" broadly write to files.

As a part of some docker commands like "docker save", etc, the program exe can write from files on the host filesystem /var/lib/docker/... to a variety of files within the container. Allow this via a macro exe_running_docker_save that checks the commandline as well as the parent and use it as an exclusion for the write below binary dir/root/etc rules.
---
 rules/falco_rules.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 82f9a67be9b..605bd54e2d9 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
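Review bot: The new `kubelet_running_loopback` macro in the first hunk exempts a process from the setns rule (the one whose output reads `Namespace change (setns) by unexpected program`) on nothing more than its own name and its parent's name, so the exception is wider than the kubelet case it is written for; the second hunk, which consumes the macro, inherits the same width. The neighbouring `parent_java_running_confluence` macro pins the parent further with `proc.pcmdline`, and an equivalent term on the kubelet command line (or a path-based field, if this sysdig version provides one) would narrow the waiver without losing the intended case. The macro also carries no comment saying why kubelet's `loopback` child legitimately calls setns; a one-liner such as `# kubelet spawns a "loopback" helper (presumably the CNI loopback plugin) that enters the pod network namespace` would help the next maintainer, once that assumption is confirmed. The rule condition extended in the second hunk starts outside the hunk.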
@@ -633,13 +633,16 @@
 - macro: countly_writing_nginx_conf
 condition: (proc.cmdline startswith "nodejs /opt/countly/bin" and fd.name startswith /etc/nginx)
+- macro: exe_running_docker_save
+ condition: (container and proc.cmdline startswith "exe /var/lib/docker" and proc.pname in (dockerd, docker))
+
 ###############
 # General Rules
 ###############
 - rule: Write below binary dir
 desc: an attempt to write to any file below a set of binary directories
- condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs
+ condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs and not exe_running_docker_save
 output: >
 File below a known binary directory opened for writing (user=%user.name
 command=%proc.cmdline file=%fd.name)
@@ -755,6 +758,7 @@
 and not proc.pname in (sysdigcloud_binaries, mail_config_binaries, hddtemp.postins, sshkit_script_binaries, locales.postins, deb_binaries)
 and not fd.name pmatch (safe_etc_dirs)
 and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc)
+ and not exe_running_docker_save
 and not ansible_running_python
 and not python_running_denyhosts
 and not fluentd_writing_conf_files
@@ -828,6 +832,7 @@
 root_dir and evt.dir = < and open_write
 and not fd.name in (known_root_files)
 and not fd.directory in (known_root_directories)
+ and not exe_running_docker_save
 and not known_root_conditions
 output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name name=%proc.name)"
 priority: ERROR

From 862802f830e89808b25cc352d7c28b7a76cecf68 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Mon, 11 Dec 2017 17:16:17 -0800
Subject: [PATCH 3/3] Let chef perform more tasks

- Let chef-client generally read sensitive files and write below /etc.
- Let python running a chef script yum-dump.py write the rpm database.
---
 rules/falco_rules.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
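Review bot: `exe_running_docker_save` in the first hunk is satisfied by a command line beginning `exe /var/lib/docker` plus a parent named `dockerd` or `docker`, and it then waives three file-integrity rules at once (binary directories here, the /etc rule in the second hunk, `/` and `/root` in the third); because `proc.cmdline` and `proc.pname` reflect what a process and its parent call themselves rather than which binary is running, this is a broad exception inside every container and deserves the tightest terms the field set allows, for example pinning the parent with `proc.pcmdline` as `parent_java_running_confluence` already does. The macro also has no comment, so the rationale lives only in the commit message; a line such as `# docker commands such as "docker save" run an "exe" helper that writes host files under /var/lib/docker into the container` above the macro would keep it with the rule. The conditions extended in the second and third hunks begin outside their hunks, so the rule headers they belong to are not visible here.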
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 605bd54e2d9..0522f891b8e 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -360,6 +360,9 @@
 - macro: ansible_running_python
 condition: (proc.name in (python, pypy) and proc.cmdline contains ansible)
+- macro: chef_running_yum_dump
+ condition: (proc.name=python and proc.cmdline contains yum-dump.py)
+
 - macro: parent_beam_running_python
 condition: proc.pcmdline="python pipeline.py -c conf.json"
@@ -527,7 +530,8 @@
 # Chef is similar.
 - macro: run_by_chef
 condition: (proc.aname[2]=chef_command_wr or proc.aname[3]=chef_command_wr or
- proc.aname[2]=chef-client or proc.aname[3]=chef-client)
+ proc.aname[2]=chef-client or proc.aname[3]=chef-client or
+ proc.name=chef-client)
 - macro: run_by_adclient
 condition: (proc.aname[2]=adclient or proc.aname[3]=adclient or proc.aname[4]=adclient)
@@ -909,7 +913,7 @@
 # Only let rpm-related programs write to the rpm database
 - rule: Write below rpm database
 desc: an attempt to write to the rpm database by any non-rpm related program
- condition: fd.name startswith /var/lib/rpm and open_write and not rpm_procs and not ansible_running_python
+ condition: fd.name startswith /var/lib/rpm and open_write and not rpm_procs and not ansible_running_python and not chef_running_yum_dump
 output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name)"
 priority: ERROR
 tags: [filesystem, software_mgmt]
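Review bot: `chef_running_yum_dump` in the first hunk contains no chef term at all: `proc.name=python and proc.cmdline contains yum-dump.py` matches any python process whose command line has that substring anywhere, and the third hunk then lets such a process write under `/var/lib/rpm` with no check that chef is involved, which undercuts the "Only let rpm-related programs" intent stated in the comment above that rule. Since the commit message says the script is run by chef, tying the macro to chef ancestry, e.g. `condition: (proc.name=python and proc.cmdline contains yum-dump.py and run_by_chef)` if chef invokes it through a shell, or `proc.pname=chef-client` if it execs the script directly, keeps the rpm-database rule meaningful for everything else. A short comment above the macro naming where chef runs `yum-dump.py` would also document the exception.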
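Review bot: The added `proc.name=chef-client` disjunct in `run_by_chef` (second hunk) turns an ancestry check on `proc.aname[2]`/`proc.aname[3]` into one that also matches any process currently named `chef-client`, and because the macro's consumers are outside this hunk, every rule that relies on `run_by_chef` (the commit message cites reading sensitive files and writing below /etc) widens at once. That may well be intended, but the macro's name and the `# Chef is similar.` comment above it no longer describe it; a note such as `# also matches chef-client itself, which reads sensitive files and writes below /etc directly` beside the new line would record the intent. If only specific rules need the direct-name match, a separate macro would leave the other consumers unchanged.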