From f4382f38ebf2b73bd44aaecb04995d1197f8253e Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Mon, 19 Nov 2018 11:01:57 -0800
Subject: [PATCH 1/5] Improved inbound/outbound macros
Improved versions of inbound/outbound macros that add coverage for recvfrom/recvmsg, sendto/sendmsg and also ignore non-blocking syscalls in a different way.
---
 rules/falco_rules.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 78dbf1359a3..7350e12bdcc 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -268,14 +268,18 @@
 # Network
 - macro: inbound
 condition: >
- (((evt.type in (accept,listen) and evt.dir=<)) or
+ (((evt.type in (accept,listen) and evt.dir=<) or
+ (evt.type in (recvfrom,recvmsg) and evt.dir=< and
+ fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
 (fd.typechar = 4 or fd.typechar = 6) and
 (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
 (evt.rawres >= 0 or evt.res = EINPROGRESS))

 - macro: outbound
 condition: >
- (((evt.type = connect and evt.dir=<)) or
+ (((evt.type = connect and evt.dir=<) or
+ (evt.type in (sendto,sendmsg) and evt.dir=< and
+ fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
 (fd.typechar = 4 or fd.typechar = 6) and
 (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
 (evt.rawres >= 0 or evt.res = EINPROGRESS))
From bb018fed1f1f821aee9271ae4ee1fa2b4ba284f8 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 12 Dec 2018 11:15:59 -0800
Subject: [PATCH 2/5] Let nginx-ingress-c(ontroller) write to /etc/nginx
Process truncated due to comm limit. Also fix some parentheses for another write_etc_common macro.
---
 rules/falco_rules.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 7350e12bdcc..9d172b22571 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
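Review bot: The new `recvfrom/recvmsg` and `sendto/sendmsg` clauses in `inbound` and `outbound` hinge on `fd.connected=false and fd.name_changed=true`, and nothing in the hunk explains that combination, so a reader cannot tell whether the intent is "first datagram to/from each new peer on an unconnected socket" or something else. I would put a comment above each macro, e.g. `# Non-TCP, unconnected sockets: match the first datagram per new peer (fd.name_changed) rather than every send/recv` — assuming that is indeed what `fd.name_changed` tracks, which should be confirmed. The commit message says non-blocking syscalls are now ignored "in a different way", but the `(evt.rawres >= 0 or evt.res = EINPROGRESS)` clause is unchanged in this hunk, so either the message is stale or that change lives outside the visible diff. Because these are exit events on unconnected datagram sockets, rules built on `outbound`/`inbound` will presumably fire once per new UDP peer rather than once per socket, which is worth stating for operators tuning those rules.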
@@ -638,7 +638,7 @@
 condition: (veritas_progs and (fd.name startswith /etc/vx or fd.name startswith /etc/opt/VRTS or fd.name startswith /etc/vom))

 - macro: nginx_writing_conf
- condition: (proc.name=nginx and fd.name startswith /etc/nginx)
+ condition: (proc.name in (nginx,nginx-ingress-c) and fd.name startswith /etc/nginx)

 - macro: nginx_writing_certs
 condition: >
@@ -849,7 +849,7 @@
 condition: (proc.aname[2] in (dpkg-reconfigur, dpkg-preconfigu))

 - macro: ufw_writing_conf
- condition: proc.name=ufw and fd.directory=/etc/ufw
+ condition: (proc.name=ufw and fd.directory=/etc/ufw)

 - macro: calico_writing_conf
 condition: >
From 9fb48d5353e3716d210d452bc9352b2da67c3b5a Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 12 Dec 2018 11:18:26 -0800
Subject: [PATCH 3/5] Let calico setns also.
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 9d172b22571..352f8a7a4c7 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1168,7 +1168,7 @@
 as a part of creating a container) by calling setns.
 condition: >
 evt.type = setns
- and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, sysdig, nsenter)
+ and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, sysdig, nsenter, calico)
 and not proc.name in (user_known_change_thread_namespace_binaries)
 and not proc.name startswith "runc:"
 and not proc.pname in (sysdigcloud_binaries)
From 8d37b181628649b5779ddbabcc40071b1726f2a8 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 12 Dec 2018 11:36:33 -0800
Subject: [PATCH 4/5] Let prometheus-conf write its config
Let prometheus-conf write its config below /etc/prometheus.
---
 rules/falco_rules.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 352f8a7a4c7..b2df521e16e 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
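Review bot: `nginx-ingress-c` in the new `nginx_writing_conf` condition is a 15-character comm truncation, and the hunk carries no comment saying so, so the next reader will take it for a typo or a real binary name; add `# comm is truncated to 15 chars, so nginx-ingress-controller appears as nginx-ingress-c` above the macro. The truncation also widens the allow-list: `proc.name` is only the comm, so any process whose executable name begins with `nginx-ingress-c` can now write below `/etc/nginx` without tripping the write-below-etc rule, and the comm is chosen by whoever launches the process. If the fields exist in this Falco version, anchoring the exception to the parent process or the container image (the setns rule further down already uses `proc.pname` for one case) would bind it to the real controller rather than to a spoofable name.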
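Review bot: Adding the bare name `calico` to the `proc.name` exclusion of the setns rule is the weakest form of allow-listing: `proc.name` is the comm, which any binary renamed to `calico` gets, so setns calls from such a process become invisible to this rule. The rule already offers `user_known_change_thread_namespace_binaries` for site-specific exceptions and constrains one case by `proc.pname`, so an operator-overridable list entry or a parent/image constraint would be more consistent than growing the hard-coded list. A short comment, e.g. `# calico: presumably the CNI plugin binary (not calico-node) entering pod namespaces — confirm`, would also explain why this uses `calico` while the write-below-etc exception elsewhere in this series matches `calico-node`. The enclosing rule's `desc` and header start before the hunk.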
@@ -854,7 +854,10 @@
 - macro: calico_writing_conf
 condition: >
 (proc.name = calico-node and fd.name startswith /etc/calico)
-
+
+- macro: prometheus_conf_writing_conf
+ condition: (proc.name=prometheus-conf and fd.directory=/etc/prometheus/config_out)
+
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
 # programs writing below specific directories below
@@ -958,6 +961,7 @@
 and not istio_writing_conf
 and not ufw_writing_conf
 and not calico_writing_conf
+ and not prometheus_conf_writing_conf

 - rule: Write below etc
 desc: an attempt to write to any file below /etc
From 38d44b580229e4ab92a6ec1fb50da6ca5e303083 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 12 Dec 2018 11:37:16 -0800
Subject: [PATCH 5/5] Let openshift oc write to /etc/origin/node
---
 rules/falco_rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index b2df521e16e..901e9b01b58 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -858,6 +858,9 @@
 - macro: prometheus_conf_writing_conf
 condition: (proc.name=prometheus-conf and fd.directory=/etc/prometheus/config_out)

+- macro: openshift_writing_conf
+ condition: (proc.name=oc and fd.name=/etc/origin/node/node.kubeconfig)
+
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
 # programs writing below specific directories below
@@ -962,6 +965,7 @@
 and not ufw_writing_conf
 and not calico_writing_conf
 and not prometheus_conf_writing_conf
+ and not openshift_writing_conf

 - rule: Write below etc
 desc: an attempt to write to any file below /etc
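Review bot: `prometheus-conf` in the new `prometheus_conf_writing_conf` macro looks like the 15-character comm truncation of `prometheus-config-reloader` (the same comm-limit issue the nginx-ingress-c commit describes), yet nothing in the hunk records it, so a comment such as `# comm is truncated to 15 chars; prometheus-conf is presumably prometheus-config-reloader` belongs above the macro. Matching on a truncated, freely choosable comm means any process with that name prefix can write into `/etc/prometheus/config_out` without the write-below-etc rule firing, so a parent-process or container-image anchor would be safer if those fields are available here. Separately, the commit message says "below /etc/prometheus" while `fd.directory=/etc/prometheus/config_out` only matches that one directory (not subdirectories or the rest of the tree); the tighter condition is the better one, so the message should be corrected rather than the condition widened.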
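Review bot: `proc.name=oc` in the new `openshift_writing_conf` macro is a two-letter comm, and the file it exempts, `/etc/origin/node/node.kubeconfig`, is by its name a node credential file, so any process that is — or is renamed to be — `oc` can rewrite node credentials without the write-below-etc rule firing. The exact `fd.name=` match is the right shape and should stay, but the process side wants a stronger anchor (parent process, container image, or at least a `user_known_`-style list an operator can tighten), or a comment recording that the spoofing risk was accepted. A one-line comment above the macro, e.g. `# openshift oc is expected to rewrite the node kubeconfig in place (reason inferred from the path — confirm)`, would also tell the reader why this write is legitimate.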