
Kh add process rules #461

Merged (3 commits), Nov 9, 2018

Conversation

Kaizhe
Contributor

@Kaizhe Kaizhe commented Nov 7, 2018

To test this PR:

  1. Check out the branch

  2. Launch the falco container with the updated falco rule yaml file

  3. Run the following script:

```bash
#!/bin/bash

set -eux

# Two containers from the same image: one plays the listener, one the client.
client=$(docker run -d --name client kaizheh/nginx-docker)
server=$(docker run -d --name server kaizheh/nginx-docker)

# Triggers the "Package management process launched" rule (apt-get inside a container).
docker exec server bash -c "apt-get update && apt-get -y install nmap"

# Triggers the netcat rule: nc listening with a command attached (-c).
docker exec server bash -c "nc -lp 1234 -c 'cat /etc/passwd'" &

server_ip=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$server")

# Triggers the "Network tool launched" rule from the client side.
docker exec client bash -c "nc $server_ip 1234"
```

To verify the output from the falco container:

```
18:22:08.037417144: Error Package management process launched (user=root command=apt-get update container_id=7a222f00f4d0 container_name=server image=kaizheh/nginx-docker)
18:22:09.249714486: Error Package management process launched (user=root command=apt-get -y install nmap container_id=7a222f00f4d0 container_name=server image=kaizheh/nginx-docker)
18:22:19.057577326: Warning Netcat runs inside container that allows remote code execution (user=root command=nc -lp 1234 -c cat /etc/passwd container_id=7a222f00f4d0 container_name=server image=kaizheh/nginx-docker)
18:22:19.174572057: Notice Network tool launched (user=root command=nc 172.17.0.4 1234 container_id=1f2800fba7bc container_name=client image=kaizheh/nginx-docker)
```
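As an added example (not code from this PR or from Falco itself), a small Python parser for Falco's default text alert format, run over the four alert lines above, that groups the fired rule names per container at or above a chosen priority. The line layout, rule names and field keys are taken from the output above; the sample text is embedded as a constructed input.

```python
import re
from collections import defaultdict

# Falco priorities, most severe first (used for the threshold filter below).
PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# "<time>: <Priority> <rule description> (k=v k=v ...)"
LINE_RE = re.compile(r"^(?P<time>[\d:.]+): (?P<priority>[A-Za-z]+) (?P<rule>.*?) \((?P<fields>.*)\)\s*$")
KEY_RE = re.compile(r"(\w+)=")

# Constructed sample input: the four alerts shown in the PR description above.
SAMPLE_ALERTS = """\
18:22:08.037417144: Error Package management process launched (user=root command=apt-get update container_id=7a222f00f4d0 container_name=server image=kaizheh/nginx-docker)
18:22:09.249714486: Error Package management process launched (user=root command=apt-get -y install nmap container_id=7a222f00f4d0 container_name=server image=kaizheh/nginx-docker)
18:22:19.057577326: Warning Netcat runs inside container that allows remote code execution (user=root command=nc -lp 1234 -c cat /etc/passwd container_id=7a222f00f4d0 container_name=server image=kaizheh/nginx-docker)
18:22:19.174572057: Notice Network tool launched (user=root command=nc 172.17.0.4 1234 container_id=1f2800fba7bc container_name=client image=kaizheh/nginx-docker)
"""

def parse_fields(text):
    """Split 'k=v k=v ...' where a value (command=) may itself contain spaces.
    Each value runs from its '=' up to the next 'key=' token. A command whose own
    arguments contain '=' would be mis-split; Falco's json_output avoids that."""
    keys = list(KEY_RE.finditer(text))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        fields[m.group(1)] = text[m.end():end].strip()
    return fields

def parse_alerts(output):
    events = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:  # skip anything that is not a Falco alert line
            continue
        events.append({"time": m["time"], "priority": m["priority"],
                       "rule": m["rule"], "fields": parse_fields(m["fields"])})
    return events

def rules_by_container(events, min_priority="Warning"):
    """Map container_id -> rule names fired at or above min_priority."""
    threshold = PRIORITIES.index(min_priority)
    hits = defaultdict(list)
    for ev in events:
        if ev["priority"] in PRIORITIES and PRIORITIES.index(ev["priority"]) <= threshold:
            hits[ev["fields"]["container_id"]].append(ev["rule"])
    return dict(hits)

if __name__ == "__main__":
    for cid, rules in rules_by_container(parse_alerts(SAMPLE_ALERTS)).items():
        print(cid, rules)
```

With the default Warning threshold only the server container (apt-get twice, then the netcat listener) is reported; the client's Notice-level "Network tool launched" appears once the threshold is lowered to Notice.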

@Kaizhe
Contributor Author

Kaizhe commented Nov 7, 2018

Rationale behind adding these rules:

  1. Package management tools can be used to download utilities for malicious purposes (e.g. nmap). Given the microservice container scenario, package management should be done at image build time as a best practice.
  2. Nmap can be used for reconnaissance purposes in a customer's environment.
  3. nc (netcat) and ncat can be used either for port scanning or for a reverse shell.

@mstemm mstemm force-pushed the rule-updates-2018-11.v1 branch from 629b22a to 9871712 Compare November 9, 2018 18:28
@mstemm mstemm self-requested a review November 9, 2018 18:46
Contributor

@mstemm mstemm left a comment


Thanks for the additions! They will be useful. Just some small typos/readability suggestions.

Three review comments on rules/falco_rules.yaml (outdated, resolved)
@mstemm mstemm force-pushed the kh_add-process-rules branch from 2819f20 to 09853f5 Compare November 9, 2018 19:51
@mstemm mstemm merged commit 7244cec into rule-updates-2018-11.v1 Nov 9, 2018
@mstemm mstemm deleted the kh_add-process-rules branch November 9, 2018 20:55
@mstemm mstemm mentioned this pull request Dec 27, 2018