Experimental version. Functionality may change significantly. Compatibility with future versions is not guaranteed.

Adding a single rule

```yaml
apiVersion: deckhouse.io/v1alpha1
kind: FalcoAuditRules
metadata:
  name: ownership-permissions
spec:
  rules:
  - macro:
      name: spawned_process
      condition: (evt.type in (execve, execveat) and evt.dir=<)
  - rule:
      name: Detect Ownership Change
      desc: detect file permission/ownership change
      condition: >
        spawned_process and proc.name in (chmod, chown) and proc.args contains "/tmp/"
      output: >
        The file or directory below has had its permissions or ownership changed (user=%user.name
        command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2])
      priority: Warning
      tags: [filesystem]
```

Adding two rules with a macro and a list

```yaml
apiVersion: deckhouse.io/v1alpha1
kind: FalcoAuditRules
metadata:
  name: nginx-unexpected-port
spec:
  rules:
  - macro:
      name: container
      condition: (container.id != host)
  - macro:
      name: inbound
      condition: >
        (((evt.type in (accept,listen) and evt.dir=<)) or
        (fd.typechar = 4 or fd.typechar = 6) and
        (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and (evt.rawres >= 0 or evt.res = EINPROGRESS))
  - macro:
      name: outbound
      condition: >
        (((evt.type = connect and evt.dir=<)) or
        (fd.typechar = 4 or fd.typechar = 6) and
        (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and (evt.rawres >= 0 or evt.res = EINPROGRESS))
  - macro:
      name: app_nginx
      condition: container and container.image contains "nginx"
  - rule:
      name: Unauthorized process opened an outbound connection (nginx)
      desc: nginx process tried to open an outbound connection and is not whitelisted
      condition: outbound and evt.rawres >= 0 and app_nginx
      output: |-
        Non-whitelisted process opened an outbound connection (command=%proc.cmdline connection=%fd.name)
      priority: Warning
  - list:
      name: nginx_allowed_inbound_ports_tcp
      items: [80, 443, 8080, 8443]
  - rule:
      name: Unexpected inbound TCP connection nginx
      desc: detect inbound traffic to nginx using tcp on a port outside of expected set
      condition: |
        inbound and evt.rawres >= 0 and not fd.sport in (nginx_allowed_inbound_ports_tcp) and app_nginx
      output: |-
        Inbound network connection to nginx on unexpected port
        (command=%proc.cmdline pid=%proc.pid connection=%fd.name sport=%fd.sport user=%user.name %container.info image=%container.image)
      priority: Notice
```

Adding a rule that sends a notification when a shell is spawned in a container

```yaml
apiVersion: deckhouse.io/v1alpha1
kind: FalcoAuditRules
metadata:
  name: run-shell-in-container
spec:
  rules:
  - macro:
      name: container
      condition: container.id != host
  - macro:
      name: spawned_process
      condition: evt.type = execve and evt.dir=<
  - rule:
      name: run_shell_in_container
      desc: a shell was spawned by a non-shell program in a container. Container entrypoints are excluded.
      condition: container and proc.name = bash and spawned_process and proc.pname exists and not proc.pname in (bash, docker)
      output: "Shell spawned in a container other than entrypoint (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
      priority: Warning
```
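Each example above defines every macro and list it uses inside the same resource, because Falco rejects a ruleset whose condition refers to a macro it cannot resolve. The script below is an added example, not Deckhouse or Falco code: it walks a constructed FalcoAuditRules spec (written as a Python dict rather than YAML to stay dependency-free) with a simplified tokenizer for Falco conditions and reports macro references that the spec never defines. Names inside an `in (...)` list are treated the way Falco does, as either list names or literal values, so only macro references are flagged.

```python
import re

# Constructed FalcoAuditRules spec (not taken from the page): its last rule
# references a macro `app_nginx` that this resource never defines.
SPEC = {"rules": [
    {"macro": {"name": "container", "condition": "(container.id != host)"}},
    {"macro": {"name": "inbound",
               "condition": "(evt.type in (accept,listen) and evt.dir=<)"}},
    {"list": {"name": "nginx_allowed_inbound_ports_tcp", "items": [80, 443]}},
    {"rule": {"name": "Unexpected inbound TCP connection nginx",
              "condition": "inbound and evt.rawres >= 0 and not fd.sport in "
                           "(nginx_allowed_inbound_ports_tcp) and app_nginx"}},
]}

KEYWORDS = {"and", "or", "not", "exists", "true", "false"}
SKIP_NEXT = {"=", "==", "!=", "<", ">", "<=", ">=", "contains", "icontains",
             "startswith", "endswith", "glob"}  # next token is a literal value
LIST_OPS = {"in", "pmatch", "intersects"}  # followed by a parenthesised list
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[A-Za-z_][\w.]*|\d+|>=|<=|!=|==|[=<>(),]')

def references(condition):
    """Return (bare names used as macros, bare names used inside in-lists)."""
    macros, lists, depth, expect_list, skip = set(), set(), 0, False, False
    for tok in TOKEN.findall(condition):
        if skip:
            skip = False
        elif tok in SKIP_NEXT:
            skip = True
        elif tok in LIST_OPS:
            expect_list = True
        elif tok == "(":
            depth += 1 if (expect_list or depth) else 0  # only count in-list parens
            expect_list = False
        elif tok == ")":
            depth = max(depth - 1, 0)
        elif tok in KEYWORDS or "." in tok or not (tok[0].isalpha() or tok[0] == "_"):
            continue  # keyword, dotted field name, number, string literal or comma
        else:
            (lists if depth else macros).add(tok)
    return macros, lists

def check(spec):
    """Report every macro a condition uses that the same spec does not define."""
    defined = {r["macro"]["name"] for r in spec["rules"] if "macro" in r}
    problems = []
    for item in spec["rules"]:
        kind, body = next(iter(item.items()))
        if kind in ("macro", "rule"):
            problems += [f"{kind} '{body['name']}' uses undefined macro '{m}'"
                         for m in sorted(references(body["condition"])[0] - defined)]
    return problems
```

Running `check(SPEC)` on the constructed spec reports the dangling `app_nginx` reference; an empty result means every macro used by a rule or macro is defined in the resource.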

Additional examples

If you need more rule examples, see the following resources: