updated
Signed-off-by: h4l0gen <[email protected]>
h4l0gen committed Mar 24, 2024
1 parent a2b1470 commit 6f14d4b
Showing 3 changed files with 346 additions and 314 deletions.
175 changes: 92 additions & 83 deletions rules/falco-incubating_rules.yaml
Expand Up @@ -103,23 +103,23 @@

- list: ssh_binaries
items: [
sshd, sftp-server, ssh-agent,
ssh, scp, sftp,
ssh-keygen, ssh-keysign, ssh-keyscan, ssh-add
sshd, sftp-server, ssh-agent,
ssh, scp, sftp,
ssh-keygen, ssh-keysign, ssh-keyscan, ssh-add
]

- list: coreutils_binaries
items: [
truncate, sha1sum, numfmt, fmt, fold, uniq, cut, who,
groups, csplit, sort, expand, printf, printenv, unlink, tee, chcon, stat,
basename, split, nice, "yes", whoami, sha224sum, hostid, users, stdbuf,
base64, unexpand, cksum, od, paste, nproc, pathchk, sha256sum, wc, test,
comm, arch, du, factor, sha512sum, md5sum, tr, runcon, env, dirname,
tsort, join, shuf, install, logname, pinky, nohup, expr, pr, tty, timeout,
tail, "[", seq, sha384sum, nl, head, id, mkfifo, sum, dircolors, ptx, shred,
tac, link, chroot, vdir, chown, touch, ls, dd, uname, "true", pwd, date,
chgrp, chmod, mktemp, cat, mknod, sync, ln, "false", rm, mv, cp, echo,
readlink, sleep, stty, mkdir, df, dir, rmdir, touch
truncate, sha1sum, numfmt, fmt, fold, uniq, cut, who,
groups, csplit, sort, expand, printf, printenv, unlink, tee, chcon, stat,
basename, split, nice, "yes", whoami, sha224sum, hostid, users, stdbuf,
base64, unexpand, cksum, od, paste, nproc, pathchk, sha256sum, wc, test,
comm, arch, du, factor, sha512sum, md5sum, tr, runcon, env, dirname,
tsort, join, shuf, install, logname, pinky, nohup, expr, pr, tty, timeout,
tail, "[", seq, sha384sum, nl, head, id, mkfifo, sum, dircolors, ptx, shred,
tac, link, chroot, vdir, chown, touch, ls, dd, uname, "true", pwd, date,
chgrp, chmod, mktemp, cat, mknod, sync, ln, "false", rm, mv, cp, echo,
readlink, sleep, stty, mkdir, df, dir, rmdir, touch
]

# dpkg -L login |
Expand All @@ -131,8 +131,8 @@
# tr "\\n" ","
- list: login_binaries
items: [
login, systemd, '"(systemd)"', systemd-logind, su,
nologin, faillog, lastlog, newgrp, sg
login, systemd, '"(systemd)"', systemd-logind, su,
nologin, faillog, lastlog, newgrp, sg
]

# dpkg -L passwd |
Expand All @@ -144,28 +144,30 @@
# tr "\\n" ","
- list: passwd_binaries
items: [
shadowconfig, grpck, pwunconv, grpconv, pwck,
groupmod, vipw, pwconv, useradd, newusers, cppw, chpasswd, usermod,
groupadd, groupdel, grpunconv, chgpasswd, userdel, chage, chsh, gpasswd,
chfn, expiry, passwd, vigr, cpgr, adduser, addgroup, deluser, delgroup
shadowconfig, grpck, pwunconv, grpconv, pwck,
groupmod, vipw, pwconv, useradd, newusers, cppw, chpasswd, usermod,
groupadd, groupdel, grpunconv, chgpasswd, userdel, chage, chsh, gpasswd,
chfn, expiry, passwd, vigr, cpgr, adduser, addgroup, deluser, delgroup
]

# repoquery -l shadow-utils | grep bin | xargs ls -ld | grep -v '^d' |
# awk '{print $9}' | xargs -L 1 basename | tr "\\n" ","
- list: shadowutils_binaries
items: [
chage, gpasswd, lastlog, newgrp, sg, adduser, deluser, chpasswd,
groupadd, groupdel, addgroup, delgroup, groupmems, groupmod, grpck,
grpconv, grpunconv, newusers, pwck, pwconv, pwunconv, useradd,
userdel, usermod, vigr, vipw, unix_chkpwd
chage, gpasswd, lastlog, newgrp, sg, adduser, deluser, chpasswd,
groupadd, groupdel, addgroup, delgroup, groupmems, groupmod, grpck,
grpconv, grpunconv, newusers, pwck, pwconv, pwunconv, useradd,
userdel, usermod, vigr, vipw, unix_chkpwd
]

- list: sysdigcloud_binaries
items: [setup-backend, dragent, sdchecks]

- list: k8s_binaries
items: [hyperkube, skydns, kube2sky, exechealthz, weave-net,
loopback, bridge, openshift-sdn, openshift]
items: [
hyperkube, skydns, kube2sky, exechealthz, weave-net,
loopback, bridge, openshift-sdn, openshift
]

- list: lxd_binaries
items: [lxd, lxcfs]
Expand All @@ -177,17 +179,18 @@
# interpreted by the filter expression.
- list: rpm_binaries
items: [
dnf, dnf-automatic, rpm, rpmkey, yum, '"75-system-updat"',
rhsmcertd-worke, rhsmcertd, subscription-ma,
repoquery, rpmkeys, rpmq, yum-cron, yum-config-mana, yum-debug-dump,
abrt-action-sav, rpmdb_stat, microdnf, rhn_check, yumdb]
dnf, dnf-automatic, rpm, rpmkey, yum, '"75-system-updat"',
rhsmcertd-worke, rhsmcertd, subscription-ma,
repoquery, rpmkeys, rpmq, yum-cron, yum-config-mana, yum-debug-dump,
abrt-action-sav, rpmdb_stat, microdnf, rhn_check, yumdb
]

- list: deb_binaries
items: [
dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, apt-get,
aptitude, frontend, preinst, add-apt-reposit, apt-auto-remova,
apt-key, apt-listchanges, unattended-upgr, apt-add-reposit,
apt-cache, apt.systemd.dai
dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, apt-get,
aptitude, frontend, preinst, add-apt-reposit, apt-auto-remova,
apt-key, apt-listchanges, unattended-upgr, apt-add-reposit,
apt-cache, apt.systemd.dai
]
- list: python_package_managers
items: [pip, pip3, conda]
Expand All @@ -196,9 +199,10 @@
# truncated at the falcosecurity-libs level.
- list: package_mgmt_binaries
items: [
rpm_binaries, deb_binaries, update-alternat, gem, npm,
python_package_managers, sane-utils.post, alternatives, chef-client,
apk, snapd]
rpm_binaries, deb_binaries, update-alternat, gem, npm,
python_package_managers, sane-utils.post, alternatives, chef-client,
apk, snapd
]

- macro: package_mgmt_procs
condition: (proc.name in (package_mgmt_binaries))
Expand All @@ -217,9 +221,9 @@

- list: known_setuid_binaries
items: [
sshd, dbus-daemon-lau, ping, ping6, critical-stack-, pmmcli,
filemng, PassengerAgent, bwrap, osdetect, nginxmng, sw-engine-fpm,
start-stop-daem
sshd, dbus-daemon-lau, ping, ping6, critical-stack-, pmmcli,
filemng, PassengerAgent, bwrap, osdetect, nginxmng, sw-engine-fpm,
start-stop-daem
]

- list: user_mgmt_binaries
Expand All @@ -236,9 +240,9 @@

- list: mail_binaries
items: [
sendmail, sendmail-msp, postfix, procmail, exim4,
pickup, showq, mailq, dovecot, imap-login, imap,
mailmng-core, pop3-login, dovecot-lda, pop3
sendmail, sendmail-msp, postfix, procmail, exim4,
pickup, showq, mailq, dovecot, imap-login, imap,
mailmng-core, pop3-login, dovecot-lda, pop3
]

# RFC1918 addresses were assigned for private network usage
Expand Down Expand Up @@ -606,10 +610,11 @@
- list: redhat_io_images_privileged
items: [
registry.redhat.io/openshift-logging/fluentd-rhel8,
registry.redhat.io/openshift4/ose-csi-node-driver-registrar,
registry.redhat.io/openshift4/ose-kubernetes-nmstate-handler-rhel8,
registry.redhat.io/openshift4/ose-local-storage-diskmaker]
registry.redhat.io/openshift-logging/fluentd-rhel8,
registry.redhat.io/openshift4/ose-csi-node-driver-registrar,
registry.redhat.io/openshift4/ose-kubernetes-nmstate-handler-rhel8,
registry.redhat.io/openshift4/ose-local-storage-diskmaker
]

- macro: redhat_image
condition: >
Expand Down Expand Up @@ -661,11 +666,12 @@

- list: sematext_images
items: [
docker.io/sematext/sematext-agent-docker, docker.io/sematext/agent,
docker.io/sematext/logagent,
registry.access.redhat.com/sematext/sematext-agent-docker,
registry.access.redhat.com/sematext/agent,
registry.access.redhat.com/sematext/logagent]
docker.io/sematext/sematext-agent-docker, docker.io/sematext/agent,
docker.io/sematext/logagent,
registry.access.redhat.com/sematext/sematext-agent-docker,
registry.access.redhat.com/sematext/agent,
registry.access.redhat.com/sematext/logagent
]

# Falco containers
- list: falco_containers
Expand All @@ -682,34 +688,34 @@
# TODO: Remove k8s.gcr.io reference after 01/Dec/2023
- list: falco_privileged_images
items: [
falco_containers,
docker.io/calico/node,
calico/node,
docker.io/cloudnativelabs/kube-router,
docker.io/docker/ucp-agent,
docker.io/mesosphere/mesos-slave,
docker.io/rook/toolbox,
docker.io/sysdig/sysdig,
gcr.io/google_containers/kube-proxy,
gcr.io/google-containers/startup-script,
gcr.io/projectcalico-org/node,
gke.gcr.io/kube-proxy,
gke.gcr.io/gke-metadata-server,
gke.gcr.io/netd-amd64,
gke.gcr.io/watcher-daemonset,
gcr.io/google-containers/prometheus-to-sd,
k8s.gcr.io/ip-masq-agent-amd64,
k8s.gcr.io/kube-proxy,
k8s.gcr.io/prometheus-to-sd,
registry.k8s.io/ip-masq-agent-amd64,
registry.k8s.io/kube-proxy,
registry.k8s.io/prometheus-to-sd,
quay.io/calico/node,
sysdig/sysdig,
sematext_images,
k8s.gcr.io/dns/k8s-dns-node-cache,
registry.k8s.io/dns/k8s-dns-node-cache,
mcr.microsoft.com/oss/kubernetes/kube-proxy
falco_containers,
docker.io/calico/node,
calico/node,
docker.io/cloudnativelabs/kube-router,
docker.io/docker/ucp-agent,
docker.io/mesosphere/mesos-slave,
docker.io/rook/toolbox,
docker.io/sysdig/sysdig,
gcr.io/google_containers/kube-proxy,
gcr.io/google-containers/startup-script,
gcr.io/projectcalico-org/node,
gke.gcr.io/kube-proxy,
gke.gcr.io/gke-metadata-server,
gke.gcr.io/netd-amd64,
gke.gcr.io/watcher-daemonset,
gcr.io/google-containers/prometheus-to-sd,
k8s.gcr.io/ip-masq-agent-amd64,
k8s.gcr.io/kube-proxy,
k8s.gcr.io/prometheus-to-sd,
registry.k8s.io/ip-masq-agent-amd64,
registry.k8s.io/kube-proxy,
registry.k8s.io/prometheus-to-sd,
quay.io/calico/node,
sysdig/sysdig,
sematext_images,
k8s.gcr.io/dns/k8s-dns-node-cache,
registry.k8s.io/dns/k8s-dns-node-cache,
mcr.microsoft.com/oss/kubernetes/kube-proxy
]

- macro: falco_privileged_containers
Expand Down Expand Up @@ -887,8 +893,10 @@
items: [0, 9, 80, 3306]

- list: expected_udp_ports
items: [53, openvpn_udp_ports, l2tp_udp_ports, statsd_ports,
ntp_ports, test_connect_ports]
items: [
53, openvpn_udp_ports, l2tp_udp_ports, statsd_ports,
ntp_ports, test_connect_ports
]

- macro: expected_udp_traffic
condition: fd.port in (expected_udp_ports)
Expand Down Expand Up @@ -1124,8 +1132,9 @@

- list: network_tool_binaries
items: [
nc, ncat, netcat, nmap, dig, tcpdump, tshark, ngrep, telnet,
mitmproxy, socat, zmap]
nc, ncat, netcat, nmap, dig, tcpdump, tshark, ngrep, telnet,
mitmproxy, socat, zmap
]

- macro: network_tool_procs
condition: (proc.name in (network_tool_binaries))
