From 0c88cb06f16feb235c1b611a82555d1a29c9301f Mon Sep 17 00:00:00 2001 From: h4l0gen Date: Sat, 23 Mar 2024 02:05:54 +0530 Subject: [PATCH] updated falco rules files Signed-off-by: h4l0gen --- rules/falco-deprecated_rules.yaml | 6 +- rules/falco-incubating_rules.yaml | 48 ++++---- rules/falco-sandbox_rules.yaml | 191 +++++++++++++++--------------- rules/falco_rules.yaml | 24 ++-- 4 files changed, 136 insertions(+), 133 deletions(-) diff --git a/rules/falco-deprecated_rules.yaml b/rules/falco-deprecated_rules.yaml index 469b8fac..60d20a77 100644 --- a/rules/falco-deprecated_rules.yaml +++ b/rules/falco-deprecated_rules.yaml @@ -32,7 +32,7 @@ # Starting with version 8, the Falco engine supports exceptions. # However the Falco rules file does not use them by default. - --- +--- - required_engine_version: '0.31.0' # This macro `never_true` is used as placeholder for @@ -154,7 +154,7 @@ priority: NOTICE tags: [maturity_deprecated, host, container, network, - mitre_command_and_control, TA0011] + mitre_command_and_control, TA0011] # Use this to test whether the event occurred within a container. # When displaying container information in the output field, use # %container.info, without any leading term (file=%fd.name @@ -251,4 +251,4 @@ priority: WARNING enabled: false tags: [maturity_deprecated, host, container, network, - mitre_command_and_control, TA0011] + mitre_command_and_control, TA0011] diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml index 4c79c989..aaccdd64 100644 --- a/rules/falco-incubating_rules.yaml +++ b/rules/falco-incubating_rules.yaml 
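Review bot: The `---` change in the first hunk of falco-deprecated_rules.yaml is not a cosmetic re-indent: a YAML document-start marker is only recognised at column 0, so moving it there (the removed line appears to be an indented ` ---`, which a parser would treat as a plain scalar rather than a marker) changes how the file parses, and that deserves an explicit mention instead of being folded into "updated falco rules files". The other two hunks in this file only re-indent the `tags:` continuation lines and need no comment. Because the collapsed patch no longer shows the original whitespace, the ` ---` reading is inferred from the `-`/`+` pair, not verified. A yamllint or `falco --validate` step in CI would catch this kind of indentation drift before it lands.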
@@ -179,15 +179,15 @@ # interpreted by the filter expression. - list: rpm_binaries items: [dnf, dnf-automatic, rpm, rpmkey, yum, '"75-system-updat"', - rhsmcertd-worke, rhsmcertd, subscription-ma, - repoquery, rpmkeys, rpmq, yum-cron, yum-config-mana, yum-debug-dump, - abrt-action-sav, rpmdb_stat, microdnf, rhn_check, yumdb] + rhsmcertd-worke, rhsmcertd, subscription-ma, + repoquery, rpmkeys, rpmq, yum-cron, yum-config-mana, yum-debug-dump, + abrt-action-sav, rpmdb_stat, microdnf, rhn_check, yumdb] - list: deb_binaries items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, apt-get, - aptitude, frontend, preinst, add-apt-reposit, apt-auto-remova, - apt-key, apt-listchanges, unattended-upgr, apt-add-reposit, - apt-cache, apt.systemd.dai + aptitude, frontend, preinst, add-apt-reposit, apt-auto-remova, + apt-key, apt-listchanges, unattended-upgr, apt-add-reposit, + apt-cache, apt.systemd.dai ] - list: python_package_managers items: [pip, pip3, conda] @@ -196,8 +196,8 @@ # truncated at the falcosecurity-libs level. - list: package_mgmt_binaries items: [rpm_binaries, deb_binaries, update-alternat, gem, npm, - python_package_managers, sane-utils.post, alternatives, chef-client, - apk, snapd] + python_package_managers, sane-utils.post, alternatives, chef-client, + apk, snapd] - macro: package_mgmt_procs condition: (proc.name in (package_mgmt_binaries)) @@ -317,7 +317,7 @@ priority: WARNING tags: [maturity_incubating, host, container, filesystem, mitre_persistence, - T1546.004] + T1546.004] - macro: user_known_cron_jobs condition: (never_true) @@ -339,7 +339,7 @@ priority: NOTICE tags: [maturity_incubating, host, container, filesystem, mitre_execution, - T1053.003] + T1053.003] # Use this to test whether the event occurred within a container. # 
@@ -540,7 +540,7 @@ terminal=%proc.tty %container.info) priority: NOTICE tags: [maturity_incubating, host, container, process, - mitre_privilege_escalation, T1611] + mitre_privilege_escalation, T1611] - rule: Change namespace privileges via unshare desc: > @@ -596,9 +596,9 @@ - list: redhat_io_images_privileged items: [registry.redhat.io/openshift-logging/fluentd-rhel8, - registry.redhat.io/openshift4/ose-csi-node-driver-registrar, - registry.redhat.io/openshift4/ose-kubernetes-nmstate-handler-rhel8, - registry.redhat.io/openshift4/ose-local-storage-diskmaker] + registry.redhat.io/openshift4/ose-csi-node-driver-registrar, + registry.redhat.io/openshift4/ose-kubernetes-nmstate-handler-rhel8, + registry.redhat.io/openshift4/ose-local-storage-diskmaker] - macro: redhat_image condition: > @@ -650,10 +650,10 @@ - list: sematext_images items: [docker.io/sematext/sematext-agent-docker, docker.io/sematext/agent, - docker.io/sematext/logagent, - registry.access.redhat.com/sematext/sematext-agent-docker, - registry.access.redhat.com/sematext/agent, - registry.access.redhat.com/sematext/logagent] + docker.io/sematext/logagent, + registry.access.redhat.com/sematext/sematext-agent-docker, + registry.access.redhat.com/sematext/agent, + registry.access.redhat.com/sematext/logagent] # Falco containers - list: falco_containers @@ -1004,7 +1004,7 @@ exe_flags=%evt.arg.flags %container.info) priority: NOTICE tags: [maturity_incubating, host, users, software_mgmt, mitre_persistence, - T1098] + T1098] - list: allowed_dev_files items: [ @@ -1070,7 +1070,7 @@ parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) priority: NOTICE tags: [maturity_incubating, network, aws, container, mitre_credential_access, - T1552.005] + T1552.005] # This rule is not enabled by default, since this rule is for # cloud environment(GCP, AWS and Azure) only. 
@@ -1104,7 +1104,7 @@ - list: network_tool_binaries items: [nc, ncat, netcat, nmap, dig, tcpdump, tshark, ngrep, telnet, - mitmproxy, socat, zmap] + mitmproxy, socat, zmap] - macro: network_tool_procs condition: (proc.name in (network_tool_binaries)) @@ -1291,7 +1291,7 @@ priority: NOTICE tags: [maturity_incubating, host, container, process, users, - mitre_privilege_escalation, T1548.001] + mitre_privilege_escalation, T1548.001] - list: remote_file_copy_binaries items: [rsync, scp, sftp, dcp] @@ -1457,8 +1457,8 @@ - list: docker_binaries items: [docker, dockerd, containerd-shim, "runc:[1:CHILD]", - pause, exe, docker-compose, docker-entrypoi, docker-runc-cur, - docker-current, dockerd-current] + pause, exe, docker-compose, docker-entrypoi, docker-runc-cur, + docker-current, dockerd-current] - list: known_binaries_to_read_environment_variables_from_proc_files items: [scsi_id, argoexec] diff --git a/rules/falco-sandbox_rules.yaml b/rules/falco-sandbox_rules.yaml index d8343570..283df7e8 100644 --- a/rules/falco-sandbox_rules.yaml +++ b/rules/falco-sandbox_rules.yaml @@ -178,7 +178,7 @@ - list: interpreted_binaries items: [lua, node, perl, perl5, perl6, php, python, python2, - python3, ruby, tcl] + python3, ruby, tcl] - macro: interpreted_procs condition: 
> @@ -188,13 +188,13 @@ # interpreted by the filter expression. - list: rpm_binaries items: [dnf, dnf-automatic, rpm, rpmkey, yum, '"75-system-updat"', - rhsmcertd-worke, rhsmcertd, subscription-ma, repoquery, rpmkeys, - rpmq, yum-cron, yum-config-mana, yum-debug-dump, abrt-action-sav, - rpmdb_stat, microdnf, rhn_check, yumdb] + rhsmcertd-worke, rhsmcertd, subscription-ma, repoquery, rpmkeys, + rpmq, yum-cron, yum-config-mana, yum-debug-dump, abrt-action-sav, + rpmdb_stat, microdnf, rhn_check, yumdb] - list: openscap_rpm_binaries items: [probe_rpminfo, probe_rpmverify, probe_rpmverifyfile, - probe_rpmverifypackage] + probe_rpmverifypackage] - macro: rpm_procs condition: (proc.name in (rpm_binaries, openscap_rpm_binaries) or @@ -202,9 +202,10 @@ - list: deb_binaries items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, - apt-get, aptitude, frontend, preinst, add-apt-reposit, - apt-auto-remova, apt-key, apt-listchanges, unattended-upgr, - apt-add-reposit, apt-cache, apt.systemd.dai] + apt-get, aptitude, frontend, preinst, add-apt-reposit, + apt-auto-remova, apt-key, apt-listchanges, unattended-upgr, + apt-add-reposit, apt-cache, apt.systemd.dai + ] - list: python_package_managers items: [pip, pip3, conda] @@ -652,7 +653,7 @@ k8s.pod.name startswith calico) - macro: calico_writing_envvars - condition: (proc.name=start_runit and fd.name startswith "/etc/envvars" and + condition: (proc.name=start_runit and fd.name startswith "/etc/envvars" and container.image.repository endswith "calico/node") - list: repository_files 
@@ -1122,12 +1123,14 @@ [maturity_sandbox, host, container, filesystem, mitre_persistence, T1098] - list: known_root_files - items: [/root/.monit.state, /root/.auth_tokens, /root/.bash_history, - /root/.ash_history, /root/.aws/credentials, /root/.viminfo.tmp, - /root/.lesshst, /root/.bzr.log, /root/.gitconfig.lock, - /root/.babel.json, /root/.localstack, /root/.node_repl_history, - /root/.mongorc.js, /root/.dbshell, /root/.augeas/history, - /root/.rnd, /root/.wget-hsts, /health, /exec.fifo] + items: [ + /root/.monit.state, /root/.auth_tokens, /root/.bash_history, + /root/.ash_history, /root/.aws/credentials, /root/.viminfo.tmp, + /root/.lesshst, /root/.bzr.log, /root/.gitconfig.lock, + /root/.babel.json, /root/.localstack, /root/.node_repl_history, + /root/.mongorc.js, /root/.dbshell, /root/.augeas/history, + /root/.rnd, /root/.wget-hsts, /health, /exec.fifo + ] - list: known_root_directories items: [/root/.oracle_jre_usage, /root/.ssh, /root/.subversion, /root/.nami] 
@@ -1383,17 +1386,17 @@ # host filesystem. - list: falco_sensitive_mount_images items: [ - falco_containers, - docker.io/sysdig/sysdig, sysdig/sysdig, - gcr.io/google_containers/hyperkube, - gcr.io/google_containers/kube-proxy, docker.io/calico/node, - docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, - docker.io/consul, docker.io/datadog/docker-dd-agent, - docker.io/datadog/agent, docker.io/docker/ucp-agent, - docker.io/gliderlabs/logspout, - docker.io/netdata/netdata, docker.io/google/cadvisor, - docker.io/prom/node-exporter, amazon/amazon-ecs-agent, - prom/node-exporter, amazon/cloudwatch-agent + falco_containers, + docker.io/sysdig/sysdig, sysdig/sysdig, + gcr.io/google_containers/hyperkube, + gcr.io/google_containers/kube-proxy, docker.io/calico/node, + docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, + docker.io/consul, docker.io/datadog/docker-dd-agent, + docker.io/datadog/agent, docker.io/docker/ucp-agent, + docker.io/gliderlabs/logspout, + docker.io/netdata/netdata, docker.io/google/cadvisor, + docker.io/prom/node-exporter, amazon/amazon-ecs-agent, + prom/node-exporter, amazon/cloudwatch-agent ] - macro: falco_sensitive_mount_containers 
@@ -1594,81 +1597,81 @@ - list: miner_ports items: [ - 25, 3333, 3334, 3335, 3336, 3357, 4444, - 5555, 5556, 5588, 5730, 6099, 6666, 7777, - 7778, 8000, 8001, 8008, 8080, 8118, 8333, - 8888, 8899, 9332, 9999, 14433, 14444, - 45560, 45700 + 25, 3333, 3334, 3335, 3336, 3357, 4444, + 5555, 5556, 5588, 5730, 6099, 6666, 7777, + 7778, 8000, 8001, 8008, 8080, 8118, 8333, + 8888, 8899, 9332, 9999, 14433, 14444, + 45560, 45700 ] - list: miner_domains items: [ - "asia1.ethpool.org", "ca.minexmr.com", - "cn.stratum.slushpool.com", "de.minexmr.com", - "eth-ar.dwarfpool.com", "eth-asia.dwarfpool.com", - "eth-asia1.nanopool.org", "eth-au.dwarfpool.com", - "eth-au1.nanopool.org", "eth-br.dwarfpool.com", - "eth-cn.dwarfpool.com", "eth-cn2.dwarfpool.com", - "eth-eu.dwarfpool.com", "eth-eu1.nanopool.org", - "eth-eu2.nanopool.org", "eth-hk.dwarfpool.com", - "eth-jp1.nanopool.org", "eth-ru.dwarfpool.com", - "eth-ru2.dwarfpool.com", "eth-sg.dwarfpool.com", - "eth-us-east1.nanopool.org", "eth-us-west1.nanopool.org", - "eth-us.dwarfpool.com", "eth-us2.dwarfpool.com", - "eu.stratum.slushpool.com", "eu1.ethermine.org", - "eu1.ethpool.org", "fr.minexmr.com", - "mine.moneropool.com", "mine.xmrpool.net", - "pool.minexmr.com", "pool.monero.hashvault.pro", - "pool.supportxmr.com", "sg.minexmr.com", - "sg.stratum.slushpool.com", "stratum-eth.antpool.com", - "stratum-ltc.antpool.com", "stratum-zec.antpool.com", - "stratum.antpool.com", "us-east.stratum.slushpool.com", - "us1.ethermine.org", "us1.ethpool.org", - "us2.ethermine.org", "us2.ethpool.org", - "xmr-asia1.nanopool.org", "xmr-au1.nanopool.org", - "xmr-eu1.nanopool.org", "xmr-eu2.nanopool.org", - "xmr-jp1.nanopool.org", "xmr-us-east1.nanopool.org", - "xmr-us-west1.nanopool.org", "xmr.crypto-pool.fr", - "xmr.pool.minergate.com", "rx.unmineable.com", - "ss.antpool.com", "dash.antpool.com", - "eth.antpool.com", "zec.antpool.com", - "xmc.antpool.com", "btm.antpool.com", - "stratum-dash.antpool.com", "stratum-xmc.antpool.com", - 
"stratum-btm.antpool.com" + "asia1.ethpool.org", "ca.minexmr.com", + "cn.stratum.slushpool.com", "de.minexmr.com", + "eth-ar.dwarfpool.com", "eth-asia.dwarfpool.com", + "eth-asia1.nanopool.org", "eth-au.dwarfpool.com", + "eth-au1.nanopool.org", "eth-br.dwarfpool.com", + "eth-cn.dwarfpool.com", "eth-cn2.dwarfpool.com", + "eth-eu.dwarfpool.com", "eth-eu1.nanopool.org", + "eth-eu2.nanopool.org", "eth-hk.dwarfpool.com", + "eth-jp1.nanopool.org", "eth-ru.dwarfpool.com", + "eth-ru2.dwarfpool.com", "eth-sg.dwarfpool.com", + "eth-us-east1.nanopool.org", "eth-us-west1.nanopool.org", + "eth-us.dwarfpool.com", "eth-us2.dwarfpool.com", + "eu.stratum.slushpool.com", "eu1.ethermine.org", + "eu1.ethpool.org", "fr.minexmr.com", + "mine.moneropool.com", "mine.xmrpool.net", + "pool.minexmr.com", "pool.monero.hashvault.pro", + "pool.supportxmr.com", "sg.minexmr.com", + "sg.stratum.slushpool.com", "stratum-eth.antpool.com", + "stratum-ltc.antpool.com", "stratum-zec.antpool.com", + "stratum.antpool.com", "us-east.stratum.slushpool.com", + "us1.ethermine.org", "us1.ethpool.org", + "us2.ethermine.org", "us2.ethpool.org", + "xmr-asia1.nanopool.org", "xmr-au1.nanopool.org", + "xmr-eu1.nanopool.org", "xmr-eu2.nanopool.org", + "xmr-jp1.nanopool.org", "xmr-us-east1.nanopool.org", + "xmr-us-west1.nanopool.org", "xmr.crypto-pool.fr", + "xmr.pool.minergate.com", "rx.unmineable.com", + "ss.antpool.com", "dash.antpool.com", + "eth.antpool.com", "zec.antpool.com", + "xmc.antpool.com", "btm.antpool.com", + "stratum-dash.antpool.com", "stratum-xmc.antpool.com", + "stratum-btm.antpool.com" ] - list: https_miner_domains items: [ - "ca.minexmr.com", - "cn.stratum.slushpool.com", - "de.minexmr.com", - "fr.minexmr.com", - "mine.moneropool.com", - "mine.xmrpool.net", - "pool.minexmr.com", - "sg.minexmr.com", - "stratum-eth.antpool.com", - "stratum-ltc.antpool.com", - "stratum-zec.antpool.com", - "stratum.antpool.com", - "xmr.crypto-pool.fr", - "ss.antpool.com", - "stratum-dash.antpool.com", - 
"stratum-xmc.antpool.com", - "stratum-btm.antpool.com", - "btm.antpool.com" + "ca.minexmr.com", + "cn.stratum.slushpool.com", + "de.minexmr.com", + "fr.minexmr.com", + "mine.moneropool.com", + "mine.xmrpool.net", + "pool.minexmr.com", + "sg.minexmr.com", + "stratum-eth.antpool.com", + "stratum-ltc.antpool.com", + "stratum-zec.antpool.com", + "stratum.antpool.com", + "xmr.crypto-pool.fr", + "ss.antpool.com", + "stratum-dash.antpool.com", + "stratum-xmc.antpool.com", + "stratum-btm.antpool.com", + "btm.antpool.com" ] - list: http_miner_domains items: [ - "ca.minexmr.com", - "de.minexmr.com", - "fr.minexmr.com", - "mine.moneropool.com", - "mine.xmrpool.net", - "pool.minexmr.com", - "sg.minexmr.com", - "xmr.crypto-pool.fr" + "ca.minexmr.com", + "de.minexmr.com", + "fr.minexmr.com", + "mine.moneropool.com", + "mine.xmrpool.net", + "pool.minexmr.com", + "sg.minexmr.com", + "xmr.crypto-pool.fr" ] # Add rule based on crypto mining IOCs @@ -1739,15 +1742,15 @@ # TODO: Remove k8s.gcr.io reference after 01/Dec/2023 - list: user_known_k8s_ns_kube_system_images items: [ - k8s.gcr.io/fluentd-gcp-scaler, - k8s.gcr.io/node-problem-detector/node-problem-detector, - registry.k8s.io/fluentd-gcp-scaler, - registry.k8s.io/node-problem-detector/node-problem-detector + k8s.gcr.io/fluentd-gcp-scaler, + k8s.gcr.io/node-problem-detector/node-problem-detector, + registry.k8s.io/fluentd-gcp-scaler, + registry.k8s.io/node-problem-detector/node-problem-detector ] - list: user_known_k8s_images items: [ - mcr.microsoft.com/aks/hcp/hcp-tunnel-front + mcr.microsoft.com/aks/hcp/hcp-tunnel-front ] # Whitelist for known docker client binaries run inside container diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 46e6c3f0..2ee50f34 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
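Review bot: The re-indented `user_known_k8s_ns_kube_system_images` list still carries both `k8s.gcr.io/...` entries even though the context comment directly above it sets their removal deadline at 01/Dec/2023 and this commit is dated March 2024. Since the hunk already rewrites every line of that list, it is the natural place to drop `k8s.gcr.io/fluentd-gcp-scaler` and `k8s.gcr.io/node-problem-detector/node-problem-detector` (keeping the `registry.k8s.io` pair) and delete the TODO, or, if the allow-list must keep matching pods still running images from the old registry, to update the comment with a new date. Whether any supported cluster still references k8s.gcr.io is not something the patch shows, so treat this as a follow-up rather than a blocker.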
@@ -203,8 +203,8 @@ # truncated at the falcosecurity-libs level. - list: package_mgmt_binaries items: [rpm_binaries, deb_binaries, update-alternat, gem, npm, - python_package_managers, - sane-utils.post, alternatives, chef-client, apk, snapd] + python_package_managers, + sane-utils.post, alternatives, chef-client, apk, snapd] - macro: run_by_package_mgmt_binaries condition: (proc.aname in (package_mgmt_binaries, needrestart)) @@ -218,9 +218,9 @@ items: [login_binaries, passwd_binaries, shadowutils_binaries] - list: hids_binaries - items: > - [aide, aide.wrapper, update-aide.con, logcheck, syslog-summary, - osqueryd, ossec-syscheckd] + items: [ + aide, aide.wrapper, update-aide.con, logcheck, syslog-summary, + osqueryd, ossec-syscheckd] - list: vpn_binaries items: [openvpn] @@ -774,11 +774,11 @@ condition: > - list: sematext_images items: [docker.io/sematext/sematext-agent-docker, - docker.io/sematext/agent, - docker.io/sematext/logagent, - registry.access.redhat.com/sematext/sematext-agent-docker, - registry.access.redhat.com/sematext/agent, - registry.access.redhat.com/sematext/logagent] + docker.io/sematext/agent, + docker.io/sematext/logagent, + registry.access.redhat.com/sematext/sematext-agent-docker, + registry.access.redhat.com/sematext/agent, + registry.access.redhat.com/sematext/logagent] # Falco containers - list: falco_containers @@ -1390,8 +1390,8 @@ condition: > - list: docker_binaries items: [docker, dockerd, containerd-shim, "runc:[1:CHILD]", pause, exe, - docker-compose, docker-entrypoi, docker-runc-cur, docker-current, - dockerd-current] + docker-compose, docker-entrypoi, docker-runc-cur, docker-current, + dockerd-current] - list: known_ptrace_binaries items: []
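Review bot: The `hids_binaries` hunk in falco_rules.yaml changes meaning, not just whitespace: `items: >` made the value a folded block scalar, i.e. the single string `[aide, aide.wrapper, ...]`, whereas the new `items: [ ... ]` is a genuine YAML flow sequence. Whether Falco previously rejected the rules file or silently loaded one bogus list entry cannot be told from the patch, but either way a `proc.name in (hids_binaries)`-style condition (presumably how the list is consumed elsewhere) would not have matched the intended binaries, so this is a functional fix that should be named in the commit message and confirmed with a validation run of the rules file. For consistency with `deb_binaries` in the sandbox file, put the closing bracket on its own line: `  osqueryd, ossec-syscheckd` followed by `  ]`.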