Skip to content

Commit

Permalink
cleanup(rules): initially tag all rules disabled by default w/ maturi…
Browse files Browse the repository at this point in the history
…ty_sandbox level

Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
  • Loading branch information
incertum authored and poiana committed Jul 14, 2023
1 parent 144820c commit 49ade64
Showing 1 changed file with 31 additions and 30 deletions.
61 changes: 31 additions & 30 deletions rules/falco_rules.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,13 @@
# limitations under the License.
#

# Information about rules tags and fields can be found here: https://falco.org/docs/rules/#tags-for-current-falco-ruleset
# The initial item in the `tags` fields reflects the maturity level of the rules introduced upon the proposal https://github.com/falcosecurity/rules/blob/main/proposals/20230605-rules-adoption-management-maturity-framework.md
# `tags` fields also include information about the type of workload inspection (host and/or container), and Mitre Attack killchain phases and Mitre TTP code(s)
# Mitre Attack References:
# [1] https://attack.mitre.org/tactics/enterprise/
# [2] https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json

# Starting with version 8, the Falco engine supports exceptions.
# However the Falco rules file does not use them by default.
- required_engine_version: 17
Expand All @@ -27,12 +34,6 @@
# - macro: read
# condition: (syscall.type=read and evt.dir=> and fd.type in (file, directory))

# Information about rules tags and fields can be found here: https://falco.org/docs/rules/#tags-for-current-falco-ruleset
# `tags` fields also include information about the type of workload inspection, Mitre Attack killchain phases and Mitre TTP code(s)
# Mitre Attack References:
# [1] https://attack.mitre.org/tactics/enterprise/
# [2] https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json

- macro: open_write
condition: (evt.type in (open,openat,openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0)

Expand Down Expand Up @@ -382,7 +383,7 @@
enabled: false
output: Disallowed SSH Connection (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
priority: NOTICE
tags: [host, container, network, mitre_command_and_control, mitre_lateral_movement, T1021.004]
tags: [maturity_sandbox, host, container, network, mitre_command_and_control, mitre_lateral_movement, T1021.004]

# These rules and supporting macros are more of an example for how to
# use the fd.*ip and fd.*ip.name fields to match connection
Expand Down Expand Up @@ -412,7 +413,7 @@
enabled: false
output: Disallowed outbound connection destination (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
priority: NOTICE
tags: [host, container, network, mitre_command_and_control, TA0011]
tags: [maturity_sandbox, host, container, network, mitre_command_and_control, TA0011]

- list: allowed_inbound_source_ipaddrs
items: ['"127.0.0.1"']
Expand All @@ -433,7 +434,7 @@
enabled: false
output: Disallowed inbound connection source (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
priority: NOTICE
tags: [host, container, network, mitre_command_and_control, TA0011]
tags: [maturity_sandbox, host, container, network, mitre_command_and_control, TA0011]

- list: bash_config_filenames
items: [.bashrc, .bash_profile, .bash_history, .bash_login, .bash_logout, .inputrc, .profile]
Expand Down Expand Up @@ -494,7 +495,7 @@
a shell configuration file was read by a non-shell program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid file=%fd.name container_id=%container.id image=%container.image.repository)
priority:
WARNING
tags: [host, container, filesystem, mitre_discovery, T1546.004]
tags: [maturity_sandbox, host, container, filesystem, mitre_discovery, T1546.004]

- macro: user_known_cron_jobs
condition: (never_true)
Expand All @@ -511,7 +512,7 @@
file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority:
NOTICE
tags: [host, container, filesystem, mitre_persistence, T1053.003]
tags: [maturity_sandbox, host, container, filesystem, mitre_persistence, T1053.003]

# Use this to test whether the event occurred within a container.

Expand Down Expand Up @@ -1002,7 +1003,7 @@
ssh-related file/directory read by non-ssh program (user=%user.name user_loginuid=%user.loginuid
command=%proc.cmdline pid=%proc.pid file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline container_id=%container.id image=%container.image.repository)
priority: ERROR
tags: [host, container, filesystem, mitre_discovery, T1005]
tags: [maturity_sandbox, host, container, filesystem, mitre_discovery, T1005]

- list: safe_etc_dirs
items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment, /etc/hrmconfig, /etc/fluent/configs.d. /etc/alertmanager]
Expand Down Expand Up @@ -1606,7 +1607,7 @@
Namespace change (setns) by unexpected program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid
parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository:%container.image.tag)
priority: NOTICE
tags: [host, container, process, mitre_privilege_escalation, mitre_lateral_movement, T1611]
tags: [maturity_sandbox, host, container, process, mitre_privilege_escalation, mitre_lateral_movement, T1611]

# The binaries in this list and their descendents are *not* allowed
# spawn shells. This includes the binaries spawning shells directly as
Expand Down Expand Up @@ -2191,7 +2192,7 @@
Program run with disallowed HTTP_PROXY environment variable
(user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid env=%proc.env parent=%proc.pname container_id=%container.id image=%container.image.repository exe_flags=%evt.arg.flags)
priority: NOTICE
tags: [host, container, users, mitre_command_and_control, T1090, T1204]
tags: [maturity_sandbox, host, container, users, mitre_command_and_control, T1090, T1204]

# In some environments, any attempt by a interpreted program (perl,
# python, ruby, etc) to listen for incoming connections or perform
Expand All @@ -2207,7 +2208,7 @@
Interpreted program received/listened for network traffic
(user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid connection=%fd.name container_id=%container.id image=%container.image.repository)
priority: NOTICE
tags: [host, container, network, mitre_exfiltration, TA0011]
tags: [maturity_sandbox, host, container, network, mitre_exfiltration, TA0011]

- rule: Interpreted procs outbound network activity
desc: Any outbound network activity performed by any interpreted program (perl, python, ruby, etc.)
Expand All @@ -2218,7 +2219,7 @@
Interpreted program performed outgoing network connection
(user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid connection=%fd.name container_id=%container.id image=%container.image.repository)
priority: NOTICE
tags: [host, container, network, mitre_exfiltration, TA0011]
tags: [maturity_sandbox, host, container, network, mitre_exfiltration, TA0011]

- list: openvpn_udp_ports
items: [1194, 1197, 1198, 8080, 9201]
Expand Down Expand Up @@ -2257,7 +2258,7 @@
Unexpected UDP Traffic Seen
(user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args container_id=%container.id image=%container.image.repository)
priority: NOTICE
tags: [host, container, network, mitre_exfiltration, TA0011]
tags: [maturity_sandbox, host, container, network, mitre_exfiltration, TA0011]

# With the current restriction on system calls handled by falco
# (e.g. excluding read/write/sendto/recvfrom/etc, this rule won't
Expand Down Expand Up @@ -2396,7 +2397,7 @@
output: Outbound connection to EC2 instance metadata service (command=%proc.cmdline pid=%proc.pid connection=%fd.name %container.info image=%container.image.repository:%container.image.tag)
priority: NOTICE
enabled: false
tags: [network, aws, container, mitre_discovery, T1565]
tags: [maturity_sandbox, network, aws, container, mitre_discovery, T1565]


# This rule is not enabled by default, since this rule is for cloud environment(GCP, AWS and Azure) only.
Expand All @@ -2413,7 +2414,7 @@
enabled: false
output: Outbound connection to cloud instance metadata service (command=%proc.cmdline pid=%proc.pid connection=%fd.name %container.info image=%container.image.repository:%container.image.tag)
priority: NOTICE
tags: [network, container, mitre_discovery, T1565]
tags: [maturity_sandbox, network, container, mitre_discovery, T1565]

# Containers from IBM Cloud
- list: ibm_cloud_containers
Expand Down Expand Up @@ -2740,7 +2741,7 @@
command=%proc.cmdline pid=%proc.pid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority:
NOTICE
tags: [host, container, process, users, mitre_persistence, T1548.001]
tags: [maturity_sandbox, host, container, process, users, mitre_persistence, T1548.001]

- list: exclude_hidden_directories
items: [/root/.cassandra]
Expand All @@ -2763,7 +2764,7 @@
file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority:
NOTICE
tags: [host, container, filesystem, mitre_persistence, T1564.001]
tags: [maturity_sandbox, host, container, filesystem, mitre_persistence, T1564.001]

- list: remote_file_copy_binaries
items: [rsync, scp, sftp, dcp]
Expand Down Expand Up @@ -2912,7 +2913,7 @@
enabled: false
output: Outbound connection to IP/Port flagged by https://cryptoioc.ch (command=%proc.cmdline pid=%proc.pid port=%fd.rport ip=%fd.rip container=%container.info image=%container.image.repository)
priority: CRITICAL
tags: [host, container, network, mitre_execution, T1496]
tags: [maturity_sandbox, host, container, network, mitre_execution, T1496]

- rule: Detect crypto miners using the Stratum protocol
desc: Miners typically specify the mining pool to connect to with a URI that begins with 'stratum+tcp'
Expand Down Expand Up @@ -2996,7 +2997,7 @@
image=%container.image.repository namespace=%k8s.ns.name
fd.rip.name=%fd.rip.name fd.lip.name=%fd.lip.name fd.cip.name=%fd.cip.name fd.sip.name=%fd.sip.name)
priority: WARNING
tags: [container, network, mitre_discovery, T1046]
tags: [maturity_sandbox, container, network, mitre_discovery, T1046]

- list: allowed_image
items: [] # add image to monitor, i.e.: bitnami/nginx
Expand Down Expand Up @@ -3032,7 +3033,7 @@
(command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id
image=%container.image.repository)
priority: WARNING
tags: [container, network, mitre_discovery, TA0011]
tags: [maturity_sandbox, container, network, mitre_discovery, TA0011]

- macro: user_known_stand_streams_redirect_activities
condition: (never_true)
Expand Down Expand Up @@ -3076,7 +3077,7 @@
enabled: false
output: Drift detected (chmod), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
priority: ERROR
tags: [container, process, filesystem, mitre_execution, T1059]
tags: [maturity_sandbox, container, process, filesystem, mitre_execution, T1059]

# ****************************************************************************
# * "Container Drift Detected (open+create)" requires FALCO_ENGINE_VERSION 6 *
Expand All @@ -3094,7 +3095,7 @@
enabled: false
output: Drift detected (open+create), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
priority: ERROR
tags: [container, process, filesystem, mitre_execution, T1059]
tags: [maturity_sandbox, container, process, filesystem, mitre_execution, T1059]

- list: c2_server_ip_list
items: []
Expand Down Expand Up @@ -3134,7 +3135,7 @@
output: Outbound connection to C2 server (c2_domain=%fd.sip.name c2_addr=%fd.sip command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
priority: WARNING
enabled: false
tags: [host, container, network, mitre_command_and_control, TA0011]
tags: [maturity_sandbox, host, container, network, mitre_command_and_control, TA0011]

- list: allowed_container_images_loading_kernel_module
items: []
Expand Down Expand Up @@ -3166,7 +3167,7 @@
enabled: false
output: Container launched with root user privilege (uid=%user.uid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag exe_flags=%evt.arg.flags)
priority: INFO
tags: [container, process, users, mitre_execution, T1610]
tags: [maturity_sandbox, container, process, users, mitre_execution, T1610]

# This rule helps detect CVE-2021-3156:
# A privilege escalation to root through heap-based buffer overflow
Expand Down Expand Up @@ -3295,7 +3296,7 @@
output: Java process class file download (user=%user.name user_loginname=%user.loginname user_loginuid=%user.loginuid event=%evt.type connection=%fd.name server_ip=%fd.sip server_port=%fd.sport proto=%fd.l4proto process=%proc.name command=%proc.cmdline pid=%proc.pid parent=%proc.pname buffer=%evt.buffer container_id=%container.id image=%container.image.repository)
priority: CRITICAL
enabled: false
tags: [host, container, process, mitre_initial_access, T1190]
tags: [maturity_sandbox, host, container, process, mitre_initial_access, T1190]

- list: docker_binaries
items: [docker, dockerd, containerd-shim, "runc:[1:CHILD]", pause, exe, docker-compose, docker-entrypoi, docker-runc-cur, docker-current, dockerd-current]
Expand All @@ -3311,7 +3312,7 @@
output: >
Detect Potential Container Breakout Exploit (CVE-2019-5736) (user=%user.name process=%proc.name file=%fd.name cmdline=%proc.cmdline pid=%proc.pid %container.info)
priority: WARNING
tags: [container, filesystem, mitre_initial_access, T1611]
tags: [maturity_sandbox, container, filesystem, mitre_initial_access, T1611]

- list: known_binaries_to_read_environment_variables_from_proc_files
items: [scsi_id, argoexec]
Expand Down

0 comments on commit 49ade64

Please sign in to comment.