Improved inbound/outbound macros #470

Merged
merged 5 commits into from
Jan 9, 2019
24 changes: 18 additions & 6 deletions rules/falco_rules.yaml
@@ -268,14 +268,18 @@
# Network
- macro: inbound
condition: >
(((evt.type in (accept,listen) and evt.dir=<)) or
(((evt.type in (accept,listen) and evt.dir=<) or
(evt.type in (recvfrom,recvmsg) and evt.dir=< and
fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
(fd.typechar = 4 or fd.typechar = 6) and
(fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
(evt.rawres >= 0 or evt.res = EINPROGRESS))

- macro: outbound
condition: >
(((evt.type = connect and evt.dir=<)) or
(((evt.type = connect and evt.dir=<) or
(evt.type in (sendto,sendmsg) and evt.dir=< and
fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
(fd.typechar = 4 or fd.typechar = 6) and
(fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
(evt.rawres >= 0 or evt.res = EINPROGRESS))
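Review bot: the new `recvfrom,recvmsg` and `sendto,sendmsg` branches are gated only by `fd.l4proto != tcp and fd.connected=false and fd.name_changed=true`, and nothing in the hunk explains that gate; a comment above each macro stating why the non-TCP branch is meant to fire only when the socket's fd name changes, rather than on every datagram, would keep a later maintainer from loosening it. Note also that the shared tail, `(fd.typechar = 4 or fd.typechar = 6)`, the `0.0.0.0` / `127.0.0.0/8` exclusions and `(evt.rawres >= 0 or evt.res = EINPROGRESS)`, now applies to recv/send exit events as well, so every rule built on `inbound` and `outbound` starts seeing unconnected UDP traffic; the PR description should call out that change in matched event volume.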
@@ -634,7 +638,7 @@
condition: (veritas_progs and (fd.name startswith /etc/vx or fd.name startswith /etc/opt/VRTS or fd.name startswith /etc/vom))

- macro: nginx_writing_conf
condition: (proc.name=nginx and fd.name startswith /etc/nginx)
condition: (proc.name in (nginx,nginx-ingress-c) and fd.name startswith /etc/nginx)

- macro: nginx_writing_certs
condition: >
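Review bot: `nginx-ingress-c` in the new `proc.name in (nginx,nginx-ingress-c)` list is a 15-character name, which is the kernel comm-field truncation of a longer binary name; add a comment naming the full binary so the entry is not mistaken for a typo, and so it is explicit that any process whose truncated comm matches is exempted from the `/etc/nginx` write check.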
@@ -845,12 +849,18 @@
condition: (proc.aname[2] in (dpkg-reconfigur, dpkg-preconfigu))

- macro: ufw_writing_conf
condition: proc.name=ufw and fd.directory=/etc/ufw
condition: (proc.name=ufw and fd.directory=/etc/ufw)

- macro: calico_writing_conf
condition: >
(proc.name = calico-node and fd.name startswith /etc/calico)


- macro: prometheus_conf_writing_conf
condition: (proc.name=prometheus-conf and fd.directory=/etc/prometheus/config_out)

- macro: openshift_writing_conf
condition: (proc.name=oc and fd.name=/etc/origin/node/node.kubeconfig)

# Add conditions to this macro (probably in a separate file,
# overwriting this macro) to allow for specific combinations of
# programs writing below specific directories below
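Review bot: the two new macros scope the allowed write differently: `openshift_writing_conf` pins `fd.name` to a single file, while `prometheus_conf_writing_conf` allows the whole `fd.directory=/etc/prometheus/config_out` (that exact directory, not its subtree, since `fd.directory` is compared with `=`); a one-line comment confirming both are intentional would help reviewers. `prometheus-conf` is also a 15-character comm-truncated name, so document the full binary as for the other entries. Minor: the hunk leaves a doubled blank line after `calico_writing_conf`, and the added parentheses around the `ufw_writing_conf` condition are a pure style alignment with the neighbouring macros.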
@@ -954,6 +964,8 @@
and not istio_writing_conf
and not ufw_writing_conf
and not calico_writing_conf
and not prometheus_conf_writing_conf
and not openshift_writing_conf

- rule: Write below etc
desc: an attempt to write to any file below /etc
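Review bot: both new exclusions, like the existing entries in this list, exempt writes purely on `proc.name`, so any process presenting that comm value can write to the exempted path without triggering `Write below etc`; the macros themselves keep the path tight, which limits the exposure, but the rule's `desc` could state that the exemption list is name-based so operators tuning it know what the rule does and does not guarantee.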
@@ -1164,7 +1176,7 @@
as a part of creating a container) by calling setns.
condition: >
evt.type = setns
and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, sysdig, nsenter)
and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, sysdig, nsenter, calico)
and not proc.name in (user_known_change_thread_namespace_binaries)
and not proc.name startswith "runc:"
and not proc.pname in (sysdigcloud_binaries)
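Review bot: the added `calico` entry does not match the process name used elsewhere in this change, where `calico_writing_conf` matches `proc.name = calico-node`; confirm which binary actually calls setns and either use the same name in both places or add a comment explaining why the namespace-change exemption targets `calico` while the config-write exemption targets `calico-node`. It is also a bare literal among list macros (`docker_binaries`, `k8s_binaries`, ...), so a `calico_binaries` list would keep the style consistent.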