
Rule updates 2019 05.v1 (#590)
* Fix parentheses for rpm_procs macro

Ensures a preceding not will apply to the whole macro

* Let anything write to /etc/fluent/configs.d

It looks like a lot of scripted programs (shell scripts running cp, sed,
arbitrary ruby programs) are run by fluentd to set up config. They're
too generic to identify, so just add /etc/fluent/configs.d to
safe_etc_dirs, sadly.

* Let java setup write to /etc/passwd in containers

/opt/jboss/container/java/run/run-java.sh and /opt/run-java/run-java.sh
write to /etc/passwd in a container, probably to add a user. Add an
exception for them.
mstemm authored May 1, 2019
1 parent 772d4f9 commit 0100835
Showing 1 changed file with 10 additions and 2 deletions.
12 changes: 10 additions & 2 deletions rules/falco_rules.yaml
Expand Up @@ -203,7 +203,7 @@
items: [probe_rpminfo, probe_rpmverify, probe_rpmverifyfile, probe_rpmverifypackage]

- macro: rpm_procs
condition: proc.name in (rpm_binaries, openscap_rpm_binaries) or proc.name in (salt-minion)
condition: (proc.name in (rpm_binaries, openscap_rpm_binaries) or proc.name in (salt-minion))

- list: deb_binaries
items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, apt-get, aptitude,
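Review bot: The added outer parentheses around the rpm_procs condition do fix the precedence problem named in the commit message, because a macro is substituted into the referencing condition as text, so `not rpm_procs` previously negated only the first `proc.name in (...)` clause and left `or proc.name in (salt-minion)` outside the negation. Style point: the two `in` tests could be collapsed into one, `condition: (proc.name in (rpm_binaries, openscap_rpm_binaries, salt-minion))`, which removes the `or` and the precedence question entirely. It is worth checking the other macros in this file for the same unparenthesized `a or b` shape, since every one of them is exposed to the same `not` bug.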
Expand Down Expand Up @@ -983,7 +983,7 @@
tags: [filesystem, mitre_discovery]

- list: safe_etc_dirs
items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment, /etc/hrmconfig]
items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment, /etc/hrmconfig, /etc/fluent/configs.d]

- macro: fluentd_writing_conf_files
condition: (proc.name=start-fluentd and fd.name in (/etc/fluent/fluent.conf, /etc/td-agent/td-agent.conf))
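Review bot: Adding /etc/fluent/configs.d to safe_etc_dirs exempts every process, in any container or on the host, from the write-below-etc rules for that directory, which is a much wider exception than the fluentd_writing_conf_files macro directly below it (scoped to proc.name=start-fluentd and two specific files). If the writers are scripts spawned by fluentd, an ancestry-scoped macro (for example one that combines the directory with `proc.pname` or `proc.aname` matching the fluentd launcher) would keep the exception tied to the fluentd process tree instead of the path alone. At minimum a comment next to the list entry explaining why it is there, as the commit message does, would help the next person who audits the allow list.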
Expand Down Expand Up @@ -1029,6 +1029,13 @@
fd.name startswith "/etc/rancher-dns")
)

- macro: jboss_in_container_writing_passwd
condition: >
((proc.cmdline="run-java.sh /opt/jboss/container/java/run/run-java.sh"
or proc.cmdline="run-java.sh /opt/run-java/run-java.sh")
and container
and fd.name=/etc/passwd)
- macro: curl_writing_pki_db
condition: (proc.name=curl and fd.directory=/etc/pki/nssdb)

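Review bot: Missing blank line between the new jboss_in_container_writing_passwd macro and `- macro: curl_writing_pki_db`; every other macro in this region is separated by one, so the insertion should be followed by an empty line before the curl macro. On the condition itself, the exact-match `proc.cmdline="run-java.sh /opt/jboss/container/java/run/run-java.sh"` is the right choice over a `startswith` or `contains` test, since a looser match would exempt any invocation that merely mentions the script path; note that it will also not match if the launcher is ever invoked with extra arguments. Since the command line is under the control of whatever starts the process, this exception is a trust decision about the run-java.sh images rather than a hard identity check, and that is worth recording in a comment above the macro so the allow is revisited deliberately.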
Expand Down Expand Up @@ -1198,6 +1205,7 @@
and not prometheus_conf_writing_conf
and not openshift_writing_conf
and not rancher_writing_conf
and not jboss_in_container_writing_passwd
- rule: Write below etc
desc: an attempt to write to any file below /etc
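Review bot: The new `and not jboss_in_container_writing_passwd` term is appended to a long `and not` chain; because the macro already carries `and container` and `fd.name=/etc/passwd`, it only suppresses the specific case described, which is the right scope. This exception list would benefit from a paired regression test: a positive case where a process other than run-java.sh writes /etc/passwd inside a container must still alert, so that a future edit to the macro or to the chain above it cannot silently widen the exemption.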
