diff --git a/rules/falco-deprecated_rules.yaml b/rules/falco-deprecated_rules.yaml
index 0ea49058..6af26440 100644
--- a/rules/falco-deprecated_rules.yaml
+++ b/rules/falco-deprecated_rules.yaml
@@ -111,8 +111,8 @@
 terminal=%proc.tty %container.info)
 priority: NOTICE
 tags: [
- maturity_deprecated, host, container, network,
- mitre_latera_movement, T1021.004
+ maturity_deprecated, host, container, network,
+ mitre_latera_movement, T1021.004
 ]
 # These rules and supporting macros are more of an example for how to
@@ -157,8 +157,8 @@
 priority: NOTICE
 tags: [
- maturity_deprecated, host, container, network,
- mitre_command_and_control, TA0011
+ maturity_deprecated, host, container, network,
+ mitre_command_and_control, TA0011
 ]
 # Use this to test whether the event occurred within a container.
 # When displaying container information in the output field, use
@@ -222,8 +222,8 @@
 terminal=%proc.tty %container.info)
 priority: WARNING
 tags: [
- maturity_deprecated, container, network, mitre_discovery, TA0011,
- NIST_800-53_CM-7
+ maturity_deprecated, container, network, mitre_discovery, TA0011,
+ NIST_800-53_CM-7
 ]
 - list: c2_server_ip_list
@@ -258,6 +258,6 @@
 priority: WARNING
 enabled: false
 tags: [
- maturity_deprecated, host, container, network,
- mitre_command_and_control, TA0011
+ maturity_deprecated, host, container, network,
+ mitre_command_and_control, TA0011
 ]
diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml
index c41554d4..8fc56e26 100644
--- a/rules/falco-incubating_rules.yaml
+++ b/rules/falco-incubating_rules.yaml
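Review bot: The re-indented tag line in the @@ -111 hunk carries the misspelled tag `mitre_latera_movement`, so any consumer filtering rules by the `mitre_lateral_movement` tag (or a tag linter, if the project has one) will not match this rule; since the line is being rewritten anyway, change it to `mitre_lateral_movement, T1021.004`. In the @@ -222 hunk the tactic tag and the ATT&CK id disagree: `mitre_discovery` is paired with `TA0011`, which every other hunk on this page pairs with `mitre_command_and_control`. The same kind of tactic/id mismatch appears in falco-incubating_rules.yaml at @@ -920 (`mitre_exfiltration, TA0011`, whereas @@ -1577 uses `TA0010` for exfiltration) and in falco-sandbox_rules.yaml at @@ -375 (`mitre_discovery, T1546.004`, whereas the incubating copy at @@ -322 tags the same technique `mitre_persistence`); I cannot tell from the hunks which side of each pair is the intended one, so each should be reconciled against the rule's description rather than changed blindly. The rule bodies these tags belong to start outside the hunks.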
@@ -103,23 +103,23 @@ - list: ssh_binaries items: [ - sshd, sftp-server, ssh-agent, - ssh, scp, sftp, - ssh-keygen, ssh-keysign, ssh-keyscan, ssh-add + sshd, sftp-server, ssh-agent, + ssh, scp, sftp, + ssh-keygen, ssh-keysign, ssh-keyscan, ssh-add ] - list: coreutils_binaries items: [ - truncate, sha1sum, numfmt, fmt, fold, uniq, cut, who, - groups, csplit, sort, expand, printf, printenv, unlink, tee, chcon, stat, - basename, split, nice, "yes", whoami, sha224sum, hostid, users, stdbuf, - base64, unexpand, cksum, od, paste, nproc, pathchk, sha256sum, wc, test, - comm, arch, du, factor, sha512sum, md5sum, tr, runcon, env, dirname, - tsort, join, shuf, install, logname, pinky, nohup, expr, pr, tty, timeout, - tail, "[", seq, sha384sum, nl, head, id, mkfifo, sum, dircolors, ptx, - shred, tac, link, chroot, vdir, chown, touch, ls, dd, uname, "true", pwd, - date, chgrp, chmod, mktemp, cat, mknod, sync, ln, "false", rm, mv, cp, - echo, readlink, sleep, stty, mkdir, df, dir, rmdir, touch + truncate, sha1sum, numfmt, fmt, fold, uniq, cut, who, + groups, csplit, sort, expand, printf, printenv, unlink, tee, chcon, stat, + basename, split, nice, "yes", whoami, sha224sum, hostid, users, stdbuf, + base64, unexpand, cksum, od, paste, nproc, pathchk, sha256sum, wc, test, + comm, arch, du, factor, sha512sum, md5sum, tr, runcon, env, dirname, + tsort, join, shuf, install, logname, pinky, nohup, expr, pr, tty, timeout, + tail, "[", seq, sha384sum, nl, head, id, mkfifo, sum, dircolors, ptx, + shred, tac, link, chroot, vdir, chown, touch, ls, dd, uname, "true", pwd, + date, chgrp, chmod, mktemp, cat, mknod, sync, ln, "false", rm, mv, cp, + echo, readlink, sleep, stty, mkdir, df, dir, rmdir, touch ] # dpkg -L login | @@ -131,8 +131,8 @@ # tr "\\n" "," - list: login_binaries items: [ - login, systemd, '"(systemd)"', systemd-logind, su, - nologin, faillog, lastlog, newgrp, sg + login, systemd, '"(systemd)"', systemd-logind, su, + nologin, faillog, lastlog, newgrp, sg ] # dpkg -L passwd | 
@@ -144,20 +144,20 @@ # tr "\\n" "," - list: passwd_binaries items: [ - shadowconfig, grpck, pwunconv, grpconv, pwck, - groupmod, vipw, pwconv, useradd, newusers, cppw, chpasswd, usermod, - groupadd, groupdel, grpunconv, chgpasswd, userdel, chage, chsh, gpasswd, - chfn, expiry, passwd, vigr, cpgr, adduser, addgroup, deluser, delgroup + shadowconfig, grpck, pwunconv, grpconv, pwck, + groupmod, vipw, pwconv, useradd, newusers, cppw, chpasswd, usermod, + groupadd, groupdel, grpunconv, chgpasswd, userdel, chage, chsh, gpasswd, + chfn, expiry, passwd, vigr, cpgr, adduser, addgroup, deluser, delgroup ] # repoquery -l shadow-utils | grep bin | xargs ls -ld | grep -v '^d' | # awk '{print $9}' | xargs -L 1 basename | tr "\\n" "," - list: shadowutils_binaries items: [ - chage, gpasswd, lastlog, newgrp, sg, adduser, deluser, chpasswd, - groupadd, groupdel, addgroup, delgroup, groupmems, groupmod, grpck, - grpconv, grpunconv, newusers, pwck, pwconv, pwunconv, useradd, - userdel, usermod, vigr, vipw, unix_chkpwd + chage, gpasswd, lastlog, newgrp, sg, adduser, deluser, chpasswd, + groupadd, groupdel, addgroup, delgroup, groupmems, groupmod, grpck, + grpconv, grpunconv, newusers, pwck, pwconv, pwunconv, useradd, + userdel, usermod, vigr, vipw, unix_chkpwd ] - list: sysdigcloud_binaries @@ -165,8 +165,8 @@ - list: k8s_binaries items: [ - hyperkube, skydns, kube2sky, exechealthz, weave-net, - loopback, bridge, openshift-sdn, openshift + hyperkube, skydns, kube2sky, exechealthz, weave-net, + loopback, bridge, openshift-sdn, openshift ] - list: lxd_binaries 
@@ -179,18 +179,18 @@ # interpreted by the filter expression. - list: rpm_binaries items: [ - dnf, dnf-automatic, rpm, rpmkey, yum, '"75-system-updat"', - rhsmcertd-worke, rhsmcertd, subscription-ma, - repoquery, rpmkeys, rpmq, yum-cron, yum-config-mana, yum-debug-dump, - abrt-action-sav, rpmdb_stat, microdnf, rhn_check, yumdb + dnf, dnf-automatic, rpm, rpmkey, yum, '"75-system-updat"', + rhsmcertd-worke, rhsmcertd, subscription-ma, + repoquery, rpmkeys, rpmq, yum-cron, yum-config-mana, yum-debug-dump, + abrt-action-sav, rpmdb_stat, microdnf, rhn_check, yumdb ] - list: deb_binaries items: [ - dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, apt-get, - aptitude, frontend, preinst, add-apt-reposit, apt-auto-remova, - apt-key, apt-listchanges, unattended-upgr, apt-add-reposit, - apt-cache, apt.systemd.dai + dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, apt-get, + aptitude, frontend, preinst, add-apt-reposit, apt-auto-remova, + apt-key, apt-listchanges, unattended-upgr, apt-add-reposit, + apt-cache, apt.systemd.dai ] - list: python_package_managers items: [pip, pip3, conda] @@ -199,9 +199,9 @@ # truncated at the falcosecurity-libs level. - list: package_mgmt_binaries items: [ - rpm_binaries, deb_binaries, update-alternat, gem, npm, - python_package_managers, sane-utils.post, alternatives, chef-client, - apk, snapd + rpm_binaries, deb_binaries, update-alternat, gem, npm, + python_package_managers, sane-utils.post, alternatives, chef-client, + apk, snapd ] - macro: package_mgmt_procs @@ -221,9 +221,9 @@ - list: known_setuid_binaries items: [ - sshd, dbus-daemon-lau, ping, ping6, critical-stack-, pmmcli, - filemng, PassengerAgent, bwrap, osdetect, nginxmng, sw-engine-fpm, - start-stop-daem + sshd, dbus-daemon-lau, ping, ping6, critical-stack-, pmmcli, + filemng, PassengerAgent, bwrap, osdetect, nginxmng, sw-engine-fpm, + start-stop-daem ] - list: user_mgmt_binaries 
@@ -240,9 +240,9 @@ - list: mail_binaries items: [ - sendmail, sendmail-msp, postfix, procmail, exim4, - pickup, showq, mailq, dovecot, imap-login, imap, - mailmng-core, pop3-login, dovecot-lda, pop3 + sendmail, sendmail-msp, postfix, procmail, exim4, + pickup, showq, mailq, dovecot, imap-login, imap, + mailmng-core, pop3-login, dovecot-lda, pop3 ] # RFC1918 addresses were assigned for private network usage @@ -269,8 +269,10 @@ (evt.rawres >= 0 or evt.res = EINPROGRESS)) - list: bash_config_filenames - items: [.bashrc, .bash_profile, .bash_history, .bash_login, - .bash_logout, .inputrc, .profile] + items: [ + .bashrc, .bash_profile, .bash_history, .bash_login, + .bash_logout, .inputrc, .profile + ] - list: bash_config_files items: [/etc/profile, /etc/bashrc] @@ -322,8 +324,8 @@ terminal=%proc.tty %container.info) priority: WARNING tags: [ - maturity_incubating, host, container, filesystem, mitre_persistence, - T1546.004 + maturity_incubating, host, container, filesystem, mitre_persistence, + T1546.004 ] - macro: user_known_cron_jobs @@ -345,8 +347,8 @@ parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) priority: NOTICE tags: [ - maturity_incubating, host, container, filesystem, mitre_execution, - T1053.003 + maturity_incubating, host, container, filesystem, mitre_execution, + T1053.003 ] # Use this to test whether the event occurred within a container. @@ -457,7 +459,7 @@ terminal=%proc.tty %container.info) priority: ERROR tags: [ - maturity_incubating, host, container, filesystem, mitre_collection, T1005 + maturity_incubating, host, container, filesystem, mitre_collection, T1005 ] - macro: calico_node @@ -495,8 +497,8 @@ exe_flags=%evt.arg.flags %container.info) priority: NOTICE tags: [ - maturity_incubating, host, container, process, database, mitre_execution, - T1190 + maturity_incubating, host, container, process, database, mitre_execution, + T1190 ] # This list allows for easy additions to the set of commands allowed 
@@ -551,8 +553,8 @@ terminal=%proc.tty %container.info) priority: NOTICE tags: [ - maturity_incubating, host, container, process, - mitre_privilege_escalation, T1611 + maturity_incubating, host, container, process, + mitre_privilege_escalation, T1611 ] - rule: Change namespace privileges via unshare @@ -609,10 +611,10 @@ - list: redhat_io_images_privileged items: [ - registry.redhat.io/openshift-logging/fluentd-rhel8, - registry.redhat.io/openshift4/ose-csi-node-driver-registrar, - registry.redhat.io/openshift4/ose-kubernetes-nmstate-handler-rhel8, - registry.redhat.io/openshift4/ose-local-storage-diskmaker + registry.redhat.io/openshift-logging/fluentd-rhel8, + registry.redhat.io/openshift4/ose-csi-node-driver-registrar, + registry.redhat.io/openshift4/ose-kubernetes-nmstate-handler-rhel8, + registry.redhat.io/openshift4/ose-local-storage-diskmaker ] - macro: redhat_image @@ -665,11 +667,11 @@ - list: sematext_images items: [ - docker.io/sematext/sematext-agent-docker, docker.io/sematext/agent, - docker.io/sematext/logagent, - registry.access.redhat.com/sematext/sematext-agent-docker, - registry.access.redhat.com/sematext/agent, - registry.access.redhat.com/sematext/logagent + docker.io/sematext/sematext-agent-docker, docker.io/sematext/agent, + docker.io/sematext/logagent, + registry.access.redhat.com/sematext/sematext-agent-docker, + registry.access.redhat.com/sematext/agent, + registry.access.redhat.com/sematext/logagent ] # Falco containers 
@@ -688,34 +690,34 @@ # TODO: Remove k8s.gcr.io reference after 01/Dec/2023 - list: falco_privileged_images items: [ - falco_containers, - docker.io/calico/node, - calico/node, - docker.io/cloudnativelabs/kube-router, - docker.io/docker/ucp-agent, - docker.io/mesosphere/mesos-slave, - docker.io/rook/toolbox, - docker.io/sysdig/sysdig, - gcr.io/google_containers/kube-proxy, - gcr.io/google-containers/startup-script, - gcr.io/projectcalico-org/node, - gke.gcr.io/kube-proxy, - gke.gcr.io/gke-metadata-server, - gke.gcr.io/netd-amd64, - gke.gcr.io/watcher-daemonset, - gcr.io/google-containers/prometheus-to-sd, - k8s.gcr.io/ip-masq-agent-amd64, - k8s.gcr.io/kube-proxy, - k8s.gcr.io/prometheus-to-sd, - registry.k8s.io/ip-masq-agent-amd64, - registry.k8s.io/kube-proxy, - registry.k8s.io/prometheus-to-sd, - quay.io/calico/node, - sysdig/sysdig, - sematext_images, - k8s.gcr.io/dns/k8s-dns-node-cache, - registry.k8s.io/dns/k8s-dns-node-cache, - mcr.microsoft.com/oss/kubernetes/kube-proxy + falco_containers, + docker.io/calico/node, + calico/node, + docker.io/cloudnativelabs/kube-router, + docker.io/docker/ucp-agent, + docker.io/mesosphere/mesos-slave, + docker.io/rook/toolbox, + docker.io/sysdig/sysdig, + gcr.io/google_containers/kube-proxy, + gcr.io/google-containers/startup-script, + gcr.io/projectcalico-org/node, + gke.gcr.io/kube-proxy, + gke.gcr.io/gke-metadata-server, + gke.gcr.io/netd-amd64, + gke.gcr.io/watcher-daemonset, + gcr.io/google-containers/prometheus-to-sd, + k8s.gcr.io/ip-masq-agent-amd64, + k8s.gcr.io/kube-proxy, + k8s.gcr.io/prometheus-to-sd, + registry.k8s.io/ip-masq-agent-amd64, + registry.k8s.io/kube-proxy, + registry.k8s.io/prometheus-to-sd, + quay.io/calico/node, + sysdig/sysdig, + sematext_images, + k8s.gcr.io/dns/k8s-dns-node-cache, + registry.k8s.io/dns/k8s-dns-node-cache, + mcr.microsoft.com/oss/kubernetes/kube-proxy ] - macro: falco_privileged_containers 
@@ -758,8 +760,8 @@ parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) priority: INFO tags: [ - maturity_incubating, container, cis, mitre_execution, T1610, - PCI_DSS_10.2.5 + maturity_incubating, container, cis, mitre_execution, T1610, + PCI_DSS_10.2.5 ] # These capabilities were used in the past to escape from containers @@ -896,8 +898,8 @@ - list: expected_udp_ports items: [ - 53, openvpn_udp_ports, l2tp_udp_ports, statsd_ports, - ntp_ports, test_connect_ports + 53, openvpn_udp_ports, l2tp_udp_ports, statsd_ports, + ntp_ports, test_connect_ports ] - macro: expected_udp_traffic @@ -920,7 +922,7 @@ parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) priority: NOTICE tags: [ - maturity_incubating, host, container, network, mitre_exfiltration, TA0011 + maturity_incubating, host, container, network, mitre_exfiltration, TA0011 ] - macro: somebody_becoming_themselves @@ -983,8 +985,8 @@ terminal=%proc.tty %container.info) priority: NOTICE tags: [ - maturity_incubating, host, container, users, - mitre_privilege_escalation, T1548.001 + maturity_incubating, host, container, users, + mitre_privilege_escalation, T1548.001 ] - macro: user_known_user_management_activities @@ -1030,14 +1032,14 @@ exe_flags=%evt.arg.flags %container.info) priority: NOTICE tags: [ - maturity_incubating, host, users, software_mgmt, mitre_persistence, - T1098 + maturity_incubating, host, users, software_mgmt, mitre_persistence, + T1098 ] - list: allowed_dev_files items: [ - /dev/null, /dev/stdin, /dev/stdout, /dev/stderr, - /dev/random, /dev/urandom, /dev/console, /dev/kmsg + /dev/null, /dev/stdin, /dev/stdout, /dev/stderr, + /dev/random, /dev/urandom, /dev/console, /dev/kmsg ] - macro: user_known_create_files_below_dev_activities 
@@ -1098,8 +1100,8 @@ parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) priority: NOTICE tags: [ - maturity_incubating, network, aws, container, mitre_credential_access, - T1552.005 + maturity_incubating, network, aws, container, mitre_credential_access, + T1552.005 ] # This rule is not enabled by default, since this rule is for @@ -1134,8 +1136,8 @@ - list: network_tool_binaries items: [ - nc, ncat, netcat, nmap, dig, tcpdump, tshark, ngrep, telnet, - mitmproxy, socat, zmap + nc, ncat, netcat, nmap, dig, tcpdump, tshark, ngrep, telnet, + mitmproxy, socat, zmap ] - macro: network_tool_procs @@ -1183,8 +1185,8 @@ exe_flags=%evt.arg.flags %container.info) priority: ERROR tags: [ - maturity_incubating, container, process, software_mgmt, - mitre_persistence, T1505 + maturity_incubating, container, process, software_mgmt, + mitre_persistence, T1505 ] - macro: user_known_network_tool_activities @@ -1210,7 +1212,7 @@ exe_flags=%evt.arg.flags %container.info) priority: NOTICE tags: [ - maturity_incubating, container, network, process, mitre_execution, T1059 + maturity_incubating, container, network, process, mitre_execution, T1059 ] - rule: Launch Suspicious Network Tool on Host @@ -1283,11 +1285,10 @@ user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) - priority: - WARNING + priority: WARNING tags: [ - maturity_incubating, host, container, process, filesystem, - mitre_defense_evasion, T1070 + maturity_incubating, host, container, process, filesystem, + mitre_defense_evasion, T1070 ] - list: user_known_chmod_applications 
@@ -1327,8 +1328,8 @@ parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) priority: NOTICE tags: [ - maturity_incubating, host, container, process, users, - mitre_privilege_escalation, T1548.001 + maturity_incubating, host, container, process, users, + mitre_privilege_escalation, T1548.001 ] - list: remote_file_copy_binaries @@ -1359,8 +1360,8 @@ exe_flags=%evt.arg.flags %container.info) priority: NOTICE tags: [ - maturity_incubating, container, network, process, mitre_exfiltration, - T1020 + maturity_incubating, container, network, process, mitre_exfiltration, + T1020 ] # Namespaces where the rule is enforce @@ -1402,8 +1403,8 @@ terminal=%proc.tty %container.info) priority: WARNING tags: [ - maturity_incubating, container, network, mitre_discovery, T1046, - PCI_DSS_6.4.2 + maturity_incubating, container, network, mitre_discovery, T1046, + PCI_DSS_6.4.2 ] - macro: mount_info @@ -1449,8 +1450,8 @@ exe_flags=%evt.arg.flags %container.info) priority: WARNING tags: [ - maturity_incubating, container, cis, filesystem, - mitre_privilege_escalation, T1611 + maturity_incubating, container, cis, filesystem, + mitre_privilege_escalation, T1611 ] - list: ingress_remote_file_copy_binaries @@ -1490,15 +1491,15 @@ exe_flags=%evt.arg.flags %container.info) priority: NOTICE tags: [ - maturity_incubating, container, network, process, - mitre_command_and_control, TA0011 + maturity_incubating, container, network, process, + mitre_command_and_control, TA0011 ] - list: docker_binaries items: [ - docker, dockerd, containerd-shim, "runc:[1:CHILD]", - pause, exe, docker-compose, docker-entrypoi, docker-runc-cur, - docker-current, dockerd-current + docker, dockerd, containerd-shim, "runc:[1:CHILD]", + pause, exe, docker-compose, docker-entrypoi, docker-runc-cur, + docker-current, dockerd-current ] - list: known_binaries_to_read_environment_variables_from_proc_files 
@@ -1526,8 +1527,8 @@ terminal=%proc.tty %container.info) priority: WARNING tags: [ - maturity_incubating, container, filesystem, process, - mitre_discovery, T1083 + maturity_incubating, container, filesystem, process, + mitre_discovery, T1083 ] # The steps libcontainer performs to set up the root program @@ -1577,7 +1578,7 @@ parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) priority: NOTICE tags: [ - maturity_incubating, container, filesystem, mitre_exfiltration, TA0010 + maturity_incubating, container, filesystem, mitre_exfiltration, TA0010 ] - rule: Adding ssh keys to authorized_keys @@ -1629,6 +1630,6 @@ exe_flags=%evt.arg.flags %container.info) priority: NOTICE tags: [ - maturity_incubating, host, container, users, mitre_privilege_escalation, - TA0004 + maturity_incubating, host, container, users, mitre_privilege_escalation, + TA0004 ] diff --git a/rules/falco-sandbox_rules.yaml b/rules/falco-sandbox_rules.yaml index 69332fe8..1800eefd 100644 --- a/rules/falco-sandbox_rules.yaml +++ b/rules/falco-sandbox_rules.yaml 
@@ -158,20 +158,20 @@ # tr "\\n" "," - list: passwd_binaries items: [ - shadowconfig, grpck, pwunconv, grpconv, pwck, groupmod, vipw, - pwconv, useradd, newusers, cppw, chpasswd, usermod, groupadd, - groupdel, grpunconv, chgpasswd, userdel, chage, chsh, gpasswd, - chfn, expiry, passwd, vigr, cpgr, adduser, addgroup, deluser, delgroup + shadowconfig, grpck, pwunconv, grpconv, pwck, groupmod, vipw, + pwconv, useradd, newusers, cppw, chpasswd, usermod, groupadd, + groupdel, grpunconv, chgpasswd, userdel, chage, chsh, gpasswd, + chfn, expiry, passwd, vigr, cpgr, adduser, addgroup, deluser, delgroup ] # repoquery -l shadow-utils | grep bin | xargs ls -ld | grep -v '^d' | # awk '{print $9}' | xargs -L 1 basename | tr "\\n" "," - list: shadowutils_binaries items: [ - chage, gpasswd, lastlog, newgrp, sg, adduser, deluser, chpasswd, - groupadd, groupdel, addgroup, delgroup, groupmems, groupmod, grpck, - grpconv, grpunconv, newusers, pwck, pwconv, pwunconv, useradd, userdel, - usermod, vigr, vipw, unix_chkpwd + chage, gpasswd, lastlog, newgrp, sg, adduser, deluser, chpasswd, + groupadd, groupdel, addgroup, delgroup, groupmems, groupmod, grpck, + grpconv, grpunconv, newusers, pwck, pwconv, pwunconv, useradd, userdel, + usermod, vigr, vipw, unix_chkpwd ] - list: sysdigcloud_binaries @@ -179,8 +179,8 @@ - list: interpreted_binaries items: [ - lua, node, perl, perl5, perl6, php, python, python2, - python3, ruby, tcl + lua, node, perl, perl5, perl6, php, python, python2, + python3, ruby, tcl ] - macro: interpreted_procs 
@@ -191,16 +191,16 @@ # interpreted by the filter expression. - list: rpm_binaries items: [ - dnf, dnf-automatic, rpm, rpmkey, yum, '"75-system-updat"', - rhsmcertd-worke, rhsmcertd, subscription-ma, repoquery, rpmkeys, - rpmq, yum-cron, yum-config-mana, yum-debug-dump, abrt-action-sav, - rpmdb_stat, microdnf, rhn_check, yumdb + dnf, dnf-automatic, rpm, rpmkey, yum, '"75-system-updat"', + rhsmcertd-worke, rhsmcertd, subscription-ma, repoquery, rpmkeys, + rpmq, yum-cron, yum-config-mana, yum-debug-dump, abrt-action-sav, + rpmdb_stat, microdnf, rhn_check, yumdb ] - list: openscap_rpm_binaries items: [ - probe_rpminfo, probe_rpmverify, probe_rpmverifyfile, - probe_rpmverifypackage + probe_rpminfo, probe_rpmverify, probe_rpmverifyfile, + probe_rpmverifypackage ] - macro: rpm_procs @@ -209,10 +209,10 @@ - list: deb_binaries items: [ - dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, - apt-get, aptitude, frontend, preinst, add-apt-reposit, - apt-auto-remova, apt-key, apt-listchanges, unattended-upgr, - apt-add-reposit, apt-cache, apt.systemd.dai + dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, + apt-get, aptitude, frontend, preinst, add-apt-reposit, + apt-auto-remova, apt-key, apt-listchanges, unattended-upgr, + apt-add-reposit, apt-cache, apt.systemd.dai ] - list: python_package_managers items: [pip, pip3, conda] @@ -221,9 +221,9 @@ # truncated at the falcosecurity-libs level. - list: package_mgmt_binaries items: [ - rpm_binaries, deb_binaries, update-alternat, gem, npm, - python_package_managers, sane-utils.post, alternatives, chef-client, - apk, snapd + rpm_binaries, deb_binaries, update-alternat, gem, npm, + python_package_managers, sane-utils.post, alternatives, chef-client, + apk, snapd ] - macro: package_mgmt_procs 
@@ -253,9 +253,9 @@ - list: mail_config_binaries items: [ - update_conf, parse_mc, makemap_hash, newaliases, update_mk, update_tlsm4, - update_db, update_mc, ssmtp.postinst, mailq, postalias, postfix.config., - postfix.config, postfix-script, postconf + update_conf, parse_mc, makemap_hash, newaliases, update_mk, update_tlsm4, + update_db, update_mc, ssmtp.postinst, mailq, postalias, postfix.config., + postfix.config, postfix-script, postconf ] # Network @@ -321,14 +321,14 @@ parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) priority: NOTICE tags: [ - maturity_sandbox, host, container, network, - mitre_command_and_control, TA0011 + maturity_sandbox, host, container, network, + mitre_command_and_control, TA0011 ] - list: bash_config_filenames items: [ - .bashrc, .bash_profile, .bash_history, .bash_login, .bash_logout, - .inputrc, .profile + .bashrc, .bash_profile, .bash_history, .bash_login, .bash_logout, + .inputrc, .profile ] - list: bash_config_files @@ -375,8 +375,8 @@ parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) priority: WARNING tags: [ - maturity_sandbox, host, container, filesystem, - mitre_discovery, T1546.004 + maturity_sandbox, host, container, filesystem, + mitre_discovery, T1546.004 ] # Use this to test whether the event occurred within a container. @@ -564,8 +564,8 @@ - list: veritas_binaries items: [ - vxconfigd, sfcache, vxclustadm, vxdctl, vxprint, vxdmpadm, - vxdisk, vxdg, vxassist, vxtune + vxconfigd, sfcache, vxclustadm, vxdctl, vxprint, vxdmpadm, + vxdisk, vxdg, vxassist, vxtune ] - macro: veritas_driver_script @@ -743,8 +743,8 @@ parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) priority: ERROR tags: [ - maturity_sandbox, host, container, filesystem, mitre_persistence, - T1543 + maturity_sandbox, host, container, filesystem, mitre_persistence, + T1543 ] # If you'd like to generally monitor a wider set of directories on top 
@@ -752,8 +752,8 @@ # the following rule and lists. - list: monitored_directories items: [ - /boot, /lib, /lib64, /usr/lib, /usr/local/lib, /usr/local/sbin, - /usr/local/bin, /root/.ssh + /boot, /lib, /lib64, /usr/lib, /usr/local/lib, /usr/local/sbin, + /usr/local/bin, /root/.ssh ] - macro: user_ssh_directory @@ -812,14 +812,14 @@ terminal=%proc.tty %container.info) priority: ERROR tags: [ - maturity_sandbox, host, container, filesystem, mitre_persistence, T1543 + maturity_sandbox, host, container, filesystem, mitre_persistence, T1543 ] - list: safe_etc_dirs items: [ - /etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, - /etc/container_environment, /etc/hrmconfig, /etc/fluent/configs.d. - /etc/alertmanager + /etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, + /etc/container_environment, /etc/hrmconfig, /etc/fluent/configs.d. + /etc/alertmanager ] - macro: fluentd_writing_conf_files @@ -1144,17 +1144,17 @@ command=%proc.cmdline terminal=%proc.tty %container.info) priority: ERROR tags: [ - maturity_sandbox, host, container, filesystem, mitre_persistence, T1098 + maturity_sandbox, host, container, filesystem, mitre_persistence, T1098 ] - list: known_root_files items: [ - /root/.monit.state, /root/.auth_tokens, /root/.bash_history, - /root/.ash_history, /root/.aws/credentials, /root/.viminfo.tmp, - /root/.lesshst, /root/.bzr.log, /root/.gitconfig.lock, - /root/.babel.json, /root/.localstack, /root/.node_repl_history, - /root/.mongorc.js, /root/.dbshell, /root/.augeas/history, - /root/.rnd, /root/.wget-hsts, /health, /exec.fifo + /root/.monit.state, /root/.auth_tokens, /root/.bash_history, + /root/.ash_history, /root/.aws/credentials, /root/.viminfo.tmp, + /root/.lesshst, /root/.bzr.log, /root/.gitconfig.lock, + /root/.babel.json, /root/.localstack, /root/.node_repl_history, + /root/.mongorc.js, /root/.dbshell, /root/.augeas/history, + /root/.rnd, /root/.wget-hsts, /health, /exec.fifo ] - list: known_root_directories 
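Review bot: In the @@ -812 hunk the re-indented `safe_etc_dirs` list still has no comma after `/etc/fluent/configs.d.`, so in a YAML flow sequence the two lines fold into a single item `/etc/fluent/configs.d. /etc/alertmanager` and neither `/etc/fluent/configs.d` nor `/etc/alertmanager` is present as its own entry; the trailing `.` also looks like a typo for `,`. Whatever rule consumes this list (it is outside the hunk) will therefore not exempt either path as the list's name suggests. Change the two lines to `/etc/container_environment, /etc/hrmconfig, /etc/fluent/configs.d,` and `/etc/alertmanager`, and confirm the intended path against the rule that references `safe_etc_dirs`.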
@@ -1263,7 +1263,7 @@ parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) priority: ERROR tags: [ - maturity_sandbox, host, container, filesystem, mitre_persistence, TA0003 + maturity_sandbox, host, container, filesystem, mitre_persistence, TA0003 ] - macro: amazon_linux_running_python_yum @@ -1300,8 +1300,8 @@ terminal=%proc.tty %container.info) priority: ERROR tags: [ - maturity_sandbox, host, container, filesystem, software_mgmt, - mitre_persistence, T1072 + maturity_sandbox, host, container, filesystem, software_mgmt, + mitre_persistence, T1072 ] - macro: user_known_modify_bin_dir_activities @@ -1328,8 +1328,8 @@ parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) priority: ERROR tags: [ - maturity_sandbox, host, container, filesystem, mitre_defense_evasion, - T1222.002 + maturity_sandbox, host, container, filesystem, mitre_defense_evasion, + T1222.002 ] - macro: user_known_mkdir_bin_dir_activities @@ -1356,8 +1356,8 @@ terminal=%proc.tty %container.info) priority: ERROR tags: [ - maturity_sandbox, host, container, filesystem, mitre_persistence, - T1222.002 + maturity_sandbox, host, container, filesystem, mitre_persistence, + T1222.002 ] # https://docs.aws.amazon.com/eks/latest/userguide/add-ons-images.html 
@@ -1418,17 +1418,17 @@ # host filesystem. - list: falco_sensitive_mount_images items: [ - falco_containers, - docker.io/sysdig/sysdig, sysdig/sysdig, - gcr.io/google_containers/hyperkube, - gcr.io/google_containers/kube-proxy, docker.io/calico/node, - docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, - docker.io/consul, docker.io/datadog/docker-dd-agent, - docker.io/datadog/agent, docker.io/docker/ucp-agent, - docker.io/gliderlabs/logspout, - docker.io/netdata/netdata, docker.io/google/cadvisor, - docker.io/prom/node-exporter, amazon/amazon-ecs-agent, - prom/node-exporter, amazon/cloudwatch-agent + falco_containers, + docker.io/sysdig/sysdig, sysdig/sysdig, + gcr.io/google_containers/hyperkube, + gcr.io/google_containers/kube-proxy, docker.io/calico/node, + docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, + docker.io/consul, docker.io/datadog/docker-dd-agent, + docker.io/datadog/agent, docker.io/docker/ucp-agent, + docker.io/gliderlabs/logspout, + docker.io/netdata/netdata, docker.io/google/cadvisor, + docker.io/prom/node-exporter, amazon/amazon-ecs-agent, + prom/node-exporter, amazon/cloudwatch-agent ] - macro: falco_sensitive_mount_containers @@ -1592,8 +1592,8 @@ parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) priority: NOTICE tags: [ - maturity_sandbox, network, k8s, container, mitre_persistence, - T1205.001, NIST_800-53_AC-6 + maturity_sandbox, network, k8s, container, mitre_persistence, + T1205.001, NIST_800-53_AC-6 ] - list: exclude_hidden_directories 
@@ -1628,87 +1628,87 @@ priority: NOTICE tags: [ - maturity_sandbox, host, container, filesystem, mitre_defense_evasion, - T1564.001 + maturity_sandbox, host, container, filesystem, mitre_defense_evasion, + T1564.001 ] - list: miner_ports items: [ - 25, 3333, 3334, 3335, 3336, 3357, 4444, - 5555, 5556, 5588, 5730, 6099, 6666, 7777, - 7778, 8000, 8001, 8008, 8080, 8118, 8333, - 8888, 8899, 9332, 9999, 14433, 14444, - 45560, 45700 + 25, 3333, 3334, 3335, 3336, 3357, 4444, + 5555, 5556, 5588, 5730, 6099, 6666, 7777, + 7778, 8000, 8001, 8008, 8080, 8118, 8333, + 8888, 8899, 9332, 9999, 14433, 14444, + 45560, 45700 ] - list: miner_domains items: [ - "asia1.ethpool.org", "ca.minexmr.com", - "cn.stratum.slushpool.com", "de.minexmr.com", - "eth-ar.dwarfpool.com", "eth-asia.dwarfpool.com", - "eth-asia1.nanopool.org", "eth-au.dwarfpool.com", - "eth-au1.nanopool.org", "eth-br.dwarfpool.com", - "eth-cn.dwarfpool.com", "eth-cn2.dwarfpool.com", - "eth-eu.dwarfpool.com", "eth-eu1.nanopool.org", - "eth-eu2.nanopool.org", "eth-hk.dwarfpool.com", - "eth-jp1.nanopool.org", "eth-ru.dwarfpool.com", - "eth-ru2.dwarfpool.com", "eth-sg.dwarfpool.com", - "eth-us-east1.nanopool.org", "eth-us-west1.nanopool.org", - "eth-us.dwarfpool.com", "eth-us2.dwarfpool.com", - "eu.stratum.slushpool.com", "eu1.ethermine.org", - "eu1.ethpool.org", "fr.minexmr.com", - "mine.moneropool.com", "mine.xmrpool.net", - "pool.minexmr.com", "pool.monero.hashvault.pro", - "pool.supportxmr.com", "sg.minexmr.com", - "sg.stratum.slushpool.com", "stratum-eth.antpool.com", - "stratum-ltc.antpool.com", "stratum-zec.antpool.com", - "stratum.antpool.com", "us-east.stratum.slushpool.com", - "us1.ethermine.org", "us1.ethpool.org", - "us2.ethermine.org", "us2.ethpool.org", - "xmr-asia1.nanopool.org", "xmr-au1.nanopool.org", - "xmr-eu1.nanopool.org", "xmr-eu2.nanopool.org", - "xmr-jp1.nanopool.org", "xmr-us-east1.nanopool.org", - "xmr-us-west1.nanopool.org", "xmr.crypto-pool.fr", - "xmr.pool.minergate.com", "rx.unmineable.com", 
- "ss.antpool.com", "dash.antpool.com", - "eth.antpool.com", "zec.antpool.com", - "xmc.antpool.com", "btm.antpool.com", - "stratum-dash.antpool.com", "stratum-xmc.antpool.com", - "stratum-btm.antpool.com" + "asia1.ethpool.org", "ca.minexmr.com", + "cn.stratum.slushpool.com", "de.minexmr.com", + "eth-ar.dwarfpool.com", "eth-asia.dwarfpool.com", + "eth-asia1.nanopool.org", "eth-au.dwarfpool.com", + "eth-au1.nanopool.org", "eth-br.dwarfpool.com", + "eth-cn.dwarfpool.com", "eth-cn2.dwarfpool.com", + "eth-eu.dwarfpool.com", "eth-eu1.nanopool.org", + "eth-eu2.nanopool.org", "eth-hk.dwarfpool.com", + "eth-jp1.nanopool.org", "eth-ru.dwarfpool.com", + "eth-ru2.dwarfpool.com", "eth-sg.dwarfpool.com", + "eth-us-east1.nanopool.org", "eth-us-west1.nanopool.org", + "eth-us.dwarfpool.com", "eth-us2.dwarfpool.com", + "eu.stratum.slushpool.com", "eu1.ethermine.org", + "eu1.ethpool.org", "fr.minexmr.com", + "mine.moneropool.com", "mine.xmrpool.net", + "pool.minexmr.com", "pool.monero.hashvault.pro", + "pool.supportxmr.com", "sg.minexmr.com", + "sg.stratum.slushpool.com", "stratum-eth.antpool.com", + "stratum-ltc.antpool.com", "stratum-zec.antpool.com", + "stratum.antpool.com", "us-east.stratum.slushpool.com", + "us1.ethermine.org", "us1.ethpool.org", + "us2.ethermine.org", "us2.ethpool.org", + "xmr-asia1.nanopool.org", "xmr-au1.nanopool.org", + "xmr-eu1.nanopool.org", "xmr-eu2.nanopool.org", + "xmr-jp1.nanopool.org", "xmr-us-east1.nanopool.org", + "xmr-us-west1.nanopool.org", "xmr.crypto-pool.fr", + "xmr.pool.minergate.com", "rx.unmineable.com", + "ss.antpool.com", "dash.antpool.com", + "eth.antpool.com", "zec.antpool.com", + "xmc.antpool.com", "btm.antpool.com", + "stratum-dash.antpool.com", "stratum-xmc.antpool.com", + "stratum-btm.antpool.com" ] - list: https_miner_domains items: [ - "ca.minexmr.com", - "cn.stratum.slushpool.com", - "de.minexmr.com", - "fr.minexmr.com", - "mine.moneropool.com", - "mine.xmrpool.net", - "pool.minexmr.com", - "sg.minexmr.com", - 
"stratum-eth.antpool.com", - "stratum-ltc.antpool.com", - "stratum-zec.antpool.com", - "stratum.antpool.com", - "xmr.crypto-pool.fr", - "ss.antpool.com", - "stratum-dash.antpool.com", - "stratum-xmc.antpool.com", - "stratum-btm.antpool.com", - "btm.antpool.com" + "ca.minexmr.com", + "cn.stratum.slushpool.com", + "de.minexmr.com", + "fr.minexmr.com", + "mine.moneropool.com", + "mine.xmrpool.net", + "pool.minexmr.com", + "sg.minexmr.com", + "stratum-eth.antpool.com", + "stratum-ltc.antpool.com", + "stratum-zec.antpool.com", + "stratum.antpool.com", + "xmr.crypto-pool.fr", + "ss.antpool.com", + "stratum-dash.antpool.com", + "stratum-xmc.antpool.com", + "stratum-btm.antpool.com", + "btm.antpool.com" ] - list: http_miner_domains items: [ - "ca.minexmr.com", - "de.minexmr.com", - "fr.minexmr.com", - "mine.moneropool.com", - "mine.xmrpool.net", - "pool.minexmr.com", - "sg.minexmr.com", - "xmr.crypto-pool.fr" + "ca.minexmr.com", + "de.minexmr.com", + "fr.minexmr.com", + "mine.moneropool.com", + "mine.xmrpool.net", + "pool.minexmr.com", + "sg.minexmr.com", + "xmr.crypto-pool.fr" ] # Add rule based on crypto mining IOCs @@ -1771,7 +1771,7 @@ terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) priority: CRITICAL tags: [ - maturity_sandbox, host, container, process, mitre_impact, T1496 + maturity_sandbox, host, container, process, mitre_impact, T1496 ] - list: k8s_client_binaries 
@@ -1780,15 +1780,15 @@ # TODO: Remove k8s.gcr.io reference after 01/Dec/2023 - list: user_known_k8s_ns_kube_system_images items: [ - k8s.gcr.io/fluentd-gcp-scaler, - k8s.gcr.io/node-problem-detector/node-problem-detector, - registry.k8s.io/fluentd-gcp-scaler, - registry.k8s.io/node-problem-detector/node-problem-detector + k8s.gcr.io/fluentd-gcp-scaler, + k8s.gcr.io/node-problem-detector/node-problem-detector, + registry.k8s.io/fluentd-gcp-scaler, + registry.k8s.io/node-problem-detector/node-problem-detector ] - list: user_known_k8s_images items: [ - mcr.microsoft.com/aks/hcp/hcp-tunnel-front + mcr.microsoft.com/aks/hcp/hcp-tunnel-front ] # Whitelist for known docker client binaries run inside container @@ -1870,7 +1870,7 @@ parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) priority: ERROR tags: [ - maturity_sandbox, container, process, filesystem, mitre_execution, T1059 + maturity_sandbox, container, process, filesystem, mitre_execution, T1059 ] # **************************************************************************** @@ -1898,7 +1898,7 @@ parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) priority: ERROR tags: [ - maturity_sandbox, container, process, filesystem, mitre_execution, T1059 + maturity_sandbox, container, process, filesystem, mitre_execution, T1059 ] - list: run_as_root_image_list @@ -1958,8 +1958,8 @@ terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) priority: CRITICAL tags: [ - maturity_sandbox, host, container, filesystem, users, - mitre_privilege_escalation, T1548.003 + maturity_sandbox, host, container, filesystem, users, + mitre_privilege_escalation, T1548.003 ] - list: user_known_userfaultfd_processes 
@@ -1982,7 +1982,7 @@ parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) priority: CRITICAL tags: [ - maturity_sandbox, host, container, process, mitre_defense_evasion, TA0005 + maturity_sandbox, host, container, process, mitre_defense_evasion, TA0005 ] # This rule helps detect CVE-2021-4034: @@ -2006,8 +2006,8 @@ exe_flags=%evt.arg.flags%container.info) priority: CRITICAL tags: [ - maturity_sandbox, host, container, process, users, - mitre_privilege_escalation, TA0004 + maturity_sandbox, host, container, process, users, + mitre_privilege_escalation, TA0004 ] # Rule for detecting potential Log4Shell (CVE-2021-44228) exploitation @@ -2033,15 +2033,15 @@ priority: CRITICAL enabled: false tags: [ - maturity_sandbox, host, container, process, mitre_initial_access, - T1190 + maturity_sandbox, host, container, process, mitre_initial_access, + T1190 ] - list: docker_binaries items: [ - docker, dockerd, containerd-shim, "runc:[1:CHILD]", pause, exe, - docker-compose, docker-entrypoi, docker-runc-cur, docker-current, - dockerd-current + docker, dockerd, containerd-shim, "runc:[1:CHILD]", pause, exe, + docker-compose, docker-entrypoi, docker-runc-cur, docker-current, + dockerd-current ] - macro: docker_procs @@ -2126,7 +2126,7 @@ exe_flags=%evt.arg.flags %container.info) priority: INFO tags: [ - maturity_sandbox, container, process, mitre_command_and_control, T1132 + maturity_sandbox, container, process, mitre_command_and_control, T1132 ] - list: recon_binaries @@ -2161,5 +2161,5 @@ exe_flags=%evt.arg.flags %container.info) priority: NOTICE tags: [ - maturity_sandbox, host, container, process, mitre_reconnaissance, TA0043 + maturity_sandbox, host, container, process, mitre_reconnaissance, TA0043 ] diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 87002b8c..56b7beaa 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
@@ -134,8 +134,8 @@ - list: login_binaries items: [ - login, systemd, '"(systemd)"', systemd-logind, su, - nologin, faillog, lastlog, newgrp, sg + login, systemd, '"(systemd)"', systemd-logind, su, + nologin, faillog, lastlog, newgrp, sg ] # dpkg -L passwd | @@ -147,21 +147,21 @@ # tr "\\n" "," - list: passwd_binaries items: [ - shadowconfig, grpck, pwunconv, grpconv, pwck, - groupmod, vipw, pwconv, useradd, newusers, cppw, chpasswd, usermod, - groupadd, groupdel, grpunconv, chgpasswd, userdel, chage, chsh, - gpasswd, chfn, expiry, passwd, vigr, cpgr, adduser, - addgroup, deluser, delgroup + shadowconfig, grpck, pwunconv, grpconv, pwck, + groupmod, vipw, pwconv, useradd, newusers, cppw, chpasswd, usermod, + groupadd, groupdel, grpunconv, chgpasswd, userdel, chage, chsh, + gpasswd, chfn, expiry, passwd, vigr, cpgr, adduser, + addgroup, deluser, delgroup ] # repoquery -l shadow-utils | grep bin | xargs ls -ld | grep -v '^d' | # awk '{print $9}' | xargs -L 1 basename | tr "\\n" "," - list: shadowutils_binaries items: [ - chage, gpasswd, lastlog, newgrp, sg, adduser, deluser, chpasswd, - groupadd, groupdel, addgroup, delgroup, groupmems, groupmod, - grpck, grpconv, grpunconv, newusers, pwck, pwconv, pwunconv, - useradd, userdel, usermod, vigr, vipw, unix_chkpwd + chage, gpasswd, lastlog, newgrp, sg, adduser, deluser, chpasswd, + groupadd, groupdel, addgroup, delgroup, groupmems, groupmod, + grpck, grpconv, grpunconv, newusers, pwck, pwconv, pwunconv, + useradd, userdel, usermod, vigr, vipw, unix_chkpwd ] - list: http_server_binaries 
@@ -188,18 +188,18 @@ # interpreted by the filter expression. - list: rpm_binaries items: [ - dnf, dnf-automatic, rpm, rpmkey, yum, '"75-system-updat"', - rhsmcertd-worke, rhsmcertd, subscription-ma, repoquery, rpmkeys, - rpmq, yum-cron, yum-config-mana, yum-debug-dump, - abrt-action-sav, rpmdb_stat, microdnf, rhn_check, yumdb + dnf, dnf-automatic, rpm, rpmkey, yum, '"75-system-updat"', + rhsmcertd-worke, rhsmcertd, subscription-ma, repoquery, rpmkeys, + rpmq, yum-cron, yum-config-mana, yum-debug-dump, + abrt-action-sav, rpmdb_stat, microdnf, rhn_check, yumdb ] - list: deb_binaries items: [ - dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, - apt-get, aptitude, frontend, preinst, add-apt-reposit, apt-auto-remova, - apt-key, apt-listchanges, unattended-upgr, apt-add-reposit, apt-cache, - apt.systemd.dai + dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, + apt-get, aptitude, frontend, preinst, add-apt-reposit, apt-auto-remova, + apt-key, apt-listchanges, unattended-upgr, apt-add-reposit, apt-cache, + apt.systemd.dai ] - list: python_package_managers items: [pip, pip3, conda] @@ -208,9 +208,9 @@ # truncated at the falcosecurity-libs level. - list: package_mgmt_binaries items: [ - rpm_binaries, deb_binaries, update-alternat, gem, npm, - python_package_managers, - sane-utils.post, alternatives, chef-client, apk, snapd + rpm_binaries, deb_binaries, update-alternat, gem, npm, + python_package_managers, + sane-utils.post, alternatives, chef-client, apk, snapd ] - macro: run_by_package_mgmt_binaries @@ -226,8 +226,8 @@ - list: hids_binaries items: [ - aide, aide.wrapper, update-aide.con, logcheck, syslog-summary, - osqueryd, ossec-syscheckd + aide, aide.wrapper, update-aide.con, logcheck, syslog-summary, + osqueryd, ossec-syscheckd ] - list: vpn_binaries 
@@ -238,21 +238,21 @@ - list: mail_binaries items: [ - sendmail, sendmail-msp, postfix, procmail, exim4, - pickup, showq, mailq, dovecot, imap-login, imap, - mailmng-core, pop3-login, dovecot-lda, pop3 + sendmail, sendmail-msp, postfix, procmail, exim4, + pickup, showq, mailq, dovecot, imap-login, imap, + mailmng-core, pop3-login, dovecot-lda, pop3 ] - list: mail_config_binaries items: [ - update_conf, parse_mc, makemap_hash, newaliases, update_mk, update_tlsm4, - update_db, update_mc, ssmtp.postinst, mailq, postalias, postfix.config., - postfix.config, postfix-script, postconf + update_conf, parse_mc, makemap_hash, newaliases, update_mk, update_tlsm4, + update_db, update_mc, ssmtp.postinst, mailq, postalias, postfix.config., + postfix.config, postfix-script, postconf ] - list: sensitive_file_names items: [ - /etc/shadow, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf + /etc/shadow, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf ] - list: sensitive_directory_names @@ -391,12 +391,12 @@ Access patterns outside of this (here path traversal) can be regarded as suspicious. This rule includes failed file open attempts. condition: > - (open_read or open_file_failed) + ((open_read or open_file_failed) and (etc_dir or user_ssh_directory or - fd.name startswith /root/.ssh or - fd.name contains "id_rsa") - and directory_traversal - and not proc.pname in (shell_binaries) + fd.name startswith "/root/.ssh" or + fd.name contains "id_rsa") and + directory_traversal and + not proc.pname in (shell_binaries)) enabled: true output: > Read monitored file via directory traversal @@ -407,8 +407,8 @@ command=%proc.cmdline terminal=%proc.tty %container.info) priority: WARNING tags: [ - maturity_stable, host, container, filesystem, - mitre_credential_access, T1555 + maturity_stable, host, container, filesystem, + mitre_credential_access, T1555 ] - macro: cmp_cp_by_passwd 
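Review bot: The extra outer pair of parentheses wrapped around the whole `condition` in the `@@ -391,12 +391,12 @@` hunk is redundant — the expression is already a single `and` chain — and the move from leading `and` to trailing `and` should follow whichever convention the other multi-line conditions in this file use, so the two styles do not mix. Quoting `"/root/.ssh"` to match the already-quoted `"id_rsa"` is a sensible consistency fix. Separately, `fd.name contains "id_rsa"` only covers RSA key file names that live outside a `.ssh` directory; if that clause is meant as a generic private-key catch, the other OpenSSH default names should be listed too, e.g. `fd.name contains "id_ed25519" or fd.name contains "id_ecdsa"`. The enclosing rule (its name and `desc`) begins before this hunk.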
@@ -444,17 +444,17 @@ command=%proc.cmdline terminal=%proc.tty %container.info) priority: WARNING tags: [ - maturity_stable, host, container, filesystem, mitre_credential_access, - T1555 + maturity_stable, host, container, filesystem, mitre_credential_access, + T1555 ] - list: read_sensitive_file_binaries items: [ - iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd, - vsftpd, systemd, mysql_install_d, psql, screen, debconf-show, sa-update, - pam-auth-update, pam-config, /usr/sbin/spamd, polkit-agent-he, lsattr, file, - sosreport, scxcimservera, adclient, rtvscand, cockpit-session, userhelper, - ossec-syscheckd + iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd, + vsftpd, systemd, mysql_install_d, psql, screen, debconf-show, sa-update, + pam-auth-update, pam-config, /usr/sbin/spamd, polkit-agent-he, lsattr, file, + sosreport, scxcimservera, adclient, rtvscand, cockpit-session, userhelper, + ossec-syscheckd ] # Add conditions to this macro (probably in a separate file, @@ -530,8 +530,8 @@ terminal=%proc.tty %container.info) priority: WARNING tags: [ - maturity_stable, host, container, filesystem, mitre_credential_access, - T1555 + maturity_stable, host, container, filesystem, mitre_credential_access, + T1555 ] - macro: postgres_running_wal_e @@ -575,8 +575,8 @@ # has apache as an ancestor. - list: protected_shell_spawning_binaries items: [ - http_server_binaries, db_server_binaries, nosql_server_binaries, - mail_binaries, fluentd, flanneld, splunkd, consul, smbd, runsv, PM2 + http_server_binaries, db_server_binaries, nosql_server_binaries, + mail_binaries, fluentd, flanneld, splunkd, consul, smbd, runsv, PM2 ] - macro: parent_java_running_zookeeper 
@@ -756,8 +756,8 @@ %container.info) priority: NOTICE tags: [ - maturity_stable, host, container, process, shell, - mitre_execution, T1059.004 + maturity_stable, host, container, process, shell, + mitre_execution, T1059.004 ] # These images are allowed both to run with --privileged and to mount @@ -772,12 +772,12 @@ - list: sematext_images items: [ - docker.io/sematext/sematext-agent-docker, - docker.io/sematext/agent, - docker.io/sematext/logagent, - registry.access.redhat.com/sematext/sematext-agent-docker, - registry.access.redhat.com/sematext/agent, - registry.access.redhat.com/sematext/logagent + docker.io/sematext/sematext-agent-docker, + docker.io/sematext/agent, + docker.io/sematext/logagent, + registry.access.redhat.com/sematext/sematext-agent-docker, + registry.access.redhat.com/sematext/agent, + registry.access.redhat.com/sematext/logagent ] # Falco containers 
@@ -799,34 +799,34 @@ # TODO: Remove k8s.gcr.io reference after 01/Dec/2023 - list: falco_privileged_images items: [ - falco_containers, - docker.io/calico/node, - calico/node, - docker.io/cloudnativelabs/kube-router, - docker.io/docker/ucp-agent, - docker.io/mesosphere/mesos-slave, - docker.io/rook/toolbox, - docker.io/sysdig/sysdig, - gcr.io/google_containers/kube-proxy, - gcr.io/google-containers/startup-script, - gcr.io/projectcalico-org/node, - gke.gcr.io/kube-proxy, - gke.gcr.io/gke-metadata-server, - gke.gcr.io/netd-amd64, - gke.gcr.io/watcher-daemonset, - gcr.io/google-containers/prometheus-to-sd, - k8s.gcr.io/ip-masq-agent-amd64, - k8s.gcr.io/kube-proxy, - k8s.gcr.io/prometheus-to-sd, - registry.k8s.io/ip-masq-agent-amd64, - registry.k8s.io/kube-proxy, - registry.k8s.io/prometheus-to-sd, - quay.io/calico/node, - sysdig/sysdig, - sematext_images, - k8s.gcr.io/dns/k8s-dns-node-cache, - registry.k8s.io/dns/k8s-dns-node-cache, - mcr.microsoft.com/oss/kubernetes/kube-proxy + falco_containers, + docker.io/calico/node, + calico/node, + docker.io/cloudnativelabs/kube-router, + docker.io/docker/ucp-agent, + docker.io/mesosphere/mesos-slave, + docker.io/rook/toolbox, + docker.io/sysdig/sysdig, + gcr.io/google_containers/kube-proxy, + gcr.io/google-containers/startup-script, + gcr.io/projectcalico-org/node, + gke.gcr.io/kube-proxy, + gke.gcr.io/gke-metadata-server, + gke.gcr.io/netd-amd64, + gke.gcr.io/watcher-daemonset, + gcr.io/google-containers/prometheus-to-sd, + k8s.gcr.io/ip-masq-agent-amd64, + k8s.gcr.io/kube-proxy, + k8s.gcr.io/prometheus-to-sd, + registry.k8s.io/ip-masq-agent-amd64, + registry.k8s.io/kube-proxy, + registry.k8s.io/prometheus-to-sd, + quay.io/calico/node, + sysdig/sysdig, + sematext_images, + k8s.gcr.io/dns/k8s-dns-node-cache, + registry.k8s.io/dns/k8s-dns-node-cache, + mcr.microsoft.com/oss/kubernetes/kube-proxy ] # The steps libcontainer performs to set up the root program 
@@ -884,8 +884,8 @@ exe_flags=%evt.arg.flags %container.info) priority: INFO tags: [ - maturity_stable, host, container, users, mitre_execution, - T1059, NIST_800-53_AC-2 + maturity_stable, host, container, users, mitre_execution, + T1059, NIST_800-53_AC-2 ] # In some cases, a shell is expected to be run in a container. 
@@ -926,39 +926,39 @@ # fall back to allowing certain command lines. - list: known_shell_spawn_cmdlines items: [ - '"sh -c uname -p 2> /dev/null"', - '"sh -c uname -s 2>&1"', - '"sh -c uname -r 2>&1"', - '"sh -c uname -v 2>&1"', - '"sh -c uname -a 2>&1"', - '"sh -c ruby -v 2>&1"', - '"sh -c getconf CLK_TCK"', - '"sh -c getconf PAGESIZE"', - '"sh -c LC_ALL=C LANG=C /sbin/ldconfig -p 2>/dev/null"', - '"sh -c LANG=C /sbin/ldconfig -p 2>/dev/null"', - '"sh -c /sbin/ldconfig -p 2>/dev/null"', - '"sh -c stty -a 2>/dev/null"', - '"sh -c stty -a < /dev/tty"', - '"sh -c stty -g < /dev/tty"', - '"sh -c node index.js"', - '"sh -c node index"', - '"sh -c node ./src/start.js"', - '"sh -c node app.js"', - '"sh -c node -e \"require(''nan'')\""', - '"sh -c node -e \"require(''nan'')\")"', - '"sh -c node $NODE_DEBUG_OPTION index.js "', - '"sh -c crontab -l 2"', - '"sh -c lsb_release -a"', - '"sh -c lsb_release -is 2>/dev/null"', - '"sh -c whoami"', - '"sh -c node_modules/.bin/bower-installer"', - '"sh -c /bin/hostname -f 2> /dev/null"', - '"sh -c locale -a"', - '"sh -c -t -i"', - '"sh -c openssl version"', - '"bash -c id -Gn kafadmin"', - '"sh -c /bin/sh -c ''date +%%s''"', - '"sh -c /usr/share/lighttpd/create-mime.conf.pl"' + '"sh -c uname -p 2> /dev/null"', + '"sh -c uname -s 2>&1"', + '"sh -c uname -r 2>&1"', + '"sh -c uname -v 2>&1"', + '"sh -c uname -a 2>&1"', + '"sh -c ruby -v 2>&1"', + '"sh -c getconf CLK_TCK"', + '"sh -c getconf PAGESIZE"', + '"sh -c LC_ALL=C LANG=C /sbin/ldconfig -p 2>/dev/null"', + '"sh -c LANG=C /sbin/ldconfig -p 2>/dev/null"', + '"sh -c /sbin/ldconfig -p 2>/dev/null"', + '"sh -c stty -a 2>/dev/null"', + '"sh -c stty -a < /dev/tty"', + '"sh -c stty -g < /dev/tty"', + '"sh -c node index.js"', + '"sh -c node index"', + '"sh -c node ./src/start.js"', + '"sh -c node app.js"', + '"sh -c node -e \"require(''nan'')\""', + '"sh -c node -e \"require(''nan'')\")"', + '"sh -c node $NODE_DEBUG_OPTION index.js "', + '"sh -c crontab -l 2"', + '"sh -c lsb_release -a"', 
+ '"sh -c lsb_release -is 2>/dev/null"', + '"sh -c whoami"', + '"sh -c node_modules/.bin/bower-installer"', + '"sh -c /bin/hostname -f 2> /dev/null"', + '"sh -c locale -a"', + '"sh -c -t -i"', + '"sh -c openssl version"', + '"bash -c id -Gn kafadmin"', + '"sh -c /bin/sh -c ''date +%%s''"', + '"sh -c /usr/share/lighttpd/create-mime.conf.pl"' ] # This list allows for easy additions to the set of commands allowed @@ -979,9 +979,9 @@ # Containers from IBM Cloud - list: ibm_cloud_containers items: - - icr.io/ext/sysdig/agent - - registry.ng.bluemix.net/armada-master/metrics-server-amd64 - - registry.ng.bluemix.net/armada-master/olm + - icr.io/ext/sysdig/agent + - registry.ng.bluemix.net/armada-master/metrics-server-amd64 + - registry.ng.bluemix.net/armada-master/olm # In a local/user rules file, list the namespace or container images that are # allowed to contact the K8s API Server from within a container. This @@ -1123,8 +1123,8 @@ exe_flags=%evt.arg.flags %container.info) priority: WARNING tags: [ - maturity_stable, host, container, process, - filesystem, mitre_credential_access, T1552.001 + maturity_stable, host, container, process, + filesystem, mitre_credential_access, T1552.001 ] - list: log_directories @@ -1132,8 +1132,8 @@ - list: log_files items: [ - syslog, auth.log, secure, kern.log, cron, user.log, - dpkg.log, last.log, yum.log, access_log, mysql.log, mysqld.log + syslog, auth.log, secure, kern.log, cron, user.log, + dpkg.log, last.log, yum.log, access_log, mysql.log, mysqld.log ] - macro: access_log_files @@ -1181,8 +1181,8 @@ terminal=%proc.tty %container.info) priority: WARNING tags: [ - maturity_stable, host, container, filesystem, - mitre_defense_evasion, T1070, NIST_800-53_AU-10 + maturity_stable, host, container, filesystem, + mitre_defense_evasion, T1070, NIST_800-53_AU-10 ] - list: data_remove_commands 
@@ -1211,8 +1211,8 @@ exe_flags=%evt.arg.flags %container.info) priority: WARNING tags: [ - maturity_stable, host, container, process, filesystem, mitre_impact, - T1485 + maturity_stable, host, container, process, filesystem, mitre_impact, + T1485 ] - rule: Create Symlink Over Sensitive Files @@ -1232,8 +1232,8 @@ command=%proc.cmdline terminal=%proc.tty %container.info) priority: WARNING tags: [ - maturity_stable, host, container, filesystem, mitre_credential_access, - T1555 + maturity_stable, host, container, filesystem, mitre_credential_access, + T1555 ] - rule: Create Hardlink Over Sensitive Files @@ -1252,8 +1252,8 @@ command=%proc.cmdline terminal=%proc.tty %container.info) priority: WARNING tags: [ - maturity_stable, host, container, filesystem, mitre_credential_access, - T1555 + maturity_stable, host, container, filesystem, mitre_credential_access, + T1555 ] - list: user_known_packet_socket_binaries @@ -1278,8 +1278,8 @@ terminal=%proc.tty %container.info) priority: NOTICE tags: [ - maturity_stable, container, network, mitre_credential_access, - T1557.002 + maturity_stable, container, network, mitre_credential_access, + T1557.002 ] - macro: user_known_stand_streams_redirect_activities @@ -1371,8 +1371,8 @@ exe_flags=%evt.arg.flags %container.info) priority: WARNING tags: [ - maturity_stable, container, cis, process, - mitre_privilege_escalation, T1611 + maturity_stable, container, cis, process, + mitre_privilege_escalation, T1611 ] - rule: Detect release_agent File Container Escapes 
@@ -1394,15 +1394,15 @@ command=%proc.cmdline terminal=%proc.tty %container.info) priority: CRITICAL tags: [ - maturity_stable, container, process, mitre_privilege_escalation, - T1611 + maturity_stable, container, process, mitre_privilege_escalation, + T1611 ] - list: docker_binaries items: [ - docker, dockerd, containerd-shim, "runc:[1:CHILD]", pause, exe, - docker-compose, docker-entrypoi, docker-runc-cur, docker-current, - dockerd-current + docker, dockerd, containerd-shim, "runc:[1:CHILD]", pause, exe, + docker-compose, docker-entrypoi, docker-runc-cur, docker-current, + dockerd-current ] - list: known_ptrace_binaries @@ -1438,8 +1438,8 @@ terminal=%proc.tty %container.info) priority: WARNING tags: [ - maturity_stable, host, container, process, mitre_privilege_escalation, - T1055.008 + maturity_stable, host, container, process, mitre_privilege_escalation, + T1055.008 ] - rule: PTRACE anti-debug attempt @@ -1459,7 +1459,7 @@ terminal=%proc.tty %container.info) priority: NOTICE tags: [ - maturity_stable, host, container, process, mitre_defense_evasion, T1622 + maturity_stable, host, container, process, mitre_defense_evasion, T1622 ] - macro: private_aws_credentials @@ -1492,8 +1492,8 @@ exe_flags=%evt.arg.flags %container.info) priority: WARNING tags: [ - maturity_stable, host, container, process, aws, - mitre_credential_access, T1552 + maturity_stable, host, container, process, aws, + mitre_credential_access, T1552 ] - rule: Execution from /dev/shm @@ -1561,8 +1561,8 @@ exe_flags=%evt.arg.flags %container.info) priority: CRITICAL tags: [ - maturity_stable, container, process, mitre_persistence, - TA0003, PCI_DSS_11.5.1 + maturity_stable, container, process, mitre_persistence, + TA0003, PCI_DSS_11.5.1 ] # RFC1918 addresses were assigned for private network usage 
@@ -1610,7 +1610,7 @@ parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) priority: NOTICE tags: [ - maturity_stable, host, container, network, process, mitre_execution, T1059 + maturity_stable, host, container, network, process, mitre_execution, T1059 ] - list: known_memfd_execution_binaries @@ -1640,5 +1640,5 @@ %container.info) priority: CRITICAL tags: [ - maturity_stable, host, container, process, mitre_defense_evasion, T1620 + maturity_stable, host, container, process, mitre_defense_evasion, T1620 ]