Table of Contents
- File Opened for Writing
- File Opened for Reading
- Never True
- Always True
- Proc Name is Set
- File System Object Renamed
- New Directory Created
- File System Object Removed
- File System Object Modified
- New Process Spawned
- Common Directories for Binaries
- Shell is Started
- Known Sensitive Files
- Newly Created Process
- Inbound Network Connections
- Outbound Network Connections
- Inbound or Outbound Network Connections
- Object is a Container
- Interactive Process Spawned
- Common SSH Port
- Allowed SSH Hosts
- User Whitelisted Containers
- Containers Allowed to Spawn Shells
- Containers Allowed to Communicate with the EC2 Metadata Service
- Kubernetes API Server
- Containers Allowed to Communicate with the Kubernetes API
- Containers Allowed to Communicate with Kubernetes Service NodePorts
In the previous article we looked at how Falco rules are used. A macro is a way to define a reusable common sub-part of a rule condition under a name, so that several rules can share it.
The Falco rule set defines many macros that make it easier to start writing rules. They provide shortcuts for common scenarios and can be used in any user-defined rule set. Falco also ships macros that are meant to be overridden by the user to supply settings specific to their environment: a macro with the same name defined in a local rules file, which Falco loads after the default rules, replaces the default definition. The provided macros can also be appended to in a local rules file.
File Opened for Writing
- macro: open_write
  condition: (evt.type=open or evt.type=openat) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0
File Opened for Reading
- macro: open_read
  condition: (evt.type=open or evt.type=openat) and evt.is_open_read=true and fd.typechar='f' and fd.num>=0
Never True
- macro: never_true
  condition: (evt.num=0)
Always True
- macro: always_true
  condition: (evt.num>=0)
Proc Name is Set
- macro: proc_name_exists
  condition: (proc.name!="<NA>")
File System Object Renamed
This is the rename macro that the modify macro below refers to (the page originally repeated proc_name_exists here by mistake).
- macro: rename
  condition: evt.type in (rename, renameat)
New Directory Created
- macro: mkdir
  condition: evt.type = mkdir
File System Object Removed
- macro: remove
  condition: evt.type in (rmdir, unlink, unlinkat)
File System Object Modified
A modification is either a rename or a removal; the macro is composed from the two macros above.
- macro: modify
  condition: rename or remove
New Process Spawned
- macro: spawned_process
  condition: evt.type = execve and evt.dir=<
Common Directories for Binaries
- macro: bin_dir
  condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
Shell is Started
- macro: shell_procs
  # shell_binaries is a list defined in the default rule set
  condition: (proc.name in (shell_binaries))
Known Sensitive Files
- macro: sensitive_files
  # sensitive_file_names is a list defined in the default rule set
  condition: >
    fd.name startswith /etc and
    (fd.name in (sensitive_file_names)
     or fd.directory in (/etc/sudoers.d, /etc/pam.d))
Newly Created Process
- macro: proc_is_new
  # proc.duration is in nanoseconds: 5000000000 ns = 5 seconds since the process started
  condition: proc.duration <= 5000000000
Inbound Network Connections
- macro: inbound
  condition: >
    (((evt.type in (accept,listen) and evt.dir=<)) or
     (fd.typechar = 4 or fd.typechar = 6) and
     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and (evt.rawres >= 0 or evt.res = EINPROGRESS))
Outbound Network Connections
- macro: outbound
  condition: >
    (((evt.type = connect and evt.dir=<)) or
     (fd.typechar = 4 or fd.typechar = 6) and
     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and (evt.rawres >= 0 or evt.res = EINPROGRESS))
Inbound or Outbound Network Connections
- macro: inbound_outbound
  condition: >
    (((evt.type in (accept,listen,connect) and evt.dir=<)) or
     (fd.typechar = 4 or fd.typechar = 6) and
     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and (evt.rawres >= 0 or evt.res = EINPROGRESS))
Object is a Container
- macro: container
  condition: container.id != host
Interactive Process Spawned
- macro: interactive
  condition: >
    ((proc.aname=sshd and proc.name != sshd) or
     proc.name=systemd-logind or proc.name=login)
Common SSH Port
Override this macro to reflect the port(s) on which SSH is served in your environment.
- macro: ssh_port
  condition: fd.sport=22
Allowed SSH Hosts
Override this macro to reflect the hosts that are allowed to connect to the known SSH port (for example a bastion or jump box). Note that the shipped default simply repeats ssh_port, so until it is overridden every connection on the SSH port counts as allowed and a rule of the form "ssh_port and not allowed_ssh_hosts" can never match.
- macro: allowed_ssh_hosts
  condition: ssh_port
User Whitelisted Containers
Whitelist of containers that are allowed to run in privileged mode.
- macro: user_trusted_containers
  condition: (container.image startswith sysdig/agent)
Containers Allowed to Spawn Shells
Whitelist containers that are allowed to spawn shells; this may be needed when containers are used in a CI/CD pipeline. The default, never_true, excludes nothing.
- macro: user_shell_container_exclusions
  condition: (never_true)
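The following local rules file is an added example, not code from the Falco project or from the original page. It shows how the SSH macros above and the shell exclusion macro just shown are actually put to work: the placeholders ssh_port, allowed_ssh_hosts and user_shell_container_exclusions are redefined (a same-named macro in falco_rules.local.yaml replaces the default, because Falco loads that file after falco_rules.yaml), and two rules are composed from the default macros. Port 2222, the 10.0.0.0/24 bastion network and the registry.example.com/ci/ image prefix are assumed values for an imaginary environment.

```yaml
# /etc/falco/falco_rules.local.yaml (added example; paths and values are assumptions)
# A macro defined here with the same name as a default macro replaces it.

# Assumed: sshd listens on 22 and on 2222 in this environment.
- macro: ssh_port
  condition: (fd.sport in (22, 2222))

# Assumed: only the bastion subnet 10.0.0.0/24 may open SSH sessions.
# The shipped default is "condition: ssh_port", which makes
# "ssh_port and not allowed_ssh_hosts" unsatisfiable, so the rule below
# stays silent until this macro is overridden.
- macro: allowed_ssh_hosts
  condition: (fd.cnet = "10.0.0.0/24")

- rule: SSH Connection From Unexpected Host
  desc: New connection on a known SSH port whose peer is outside the bastion network
  condition: (inbound_outbound and ssh_port and not allowed_ssh_hosts)
  output: >
    Disallowed SSH connection (user=%user.name connection=%fd.name
    command=%proc.cmdline container_id=%container.id)
  priority: NOTICE
  tags: [network]

# Assumed: CI runners use images under registry.example.com/ci/ and are
# expected to spawn shells; a shell in any other container is reported.
- macro: user_shell_container_exclusions
  condition: (container.image startswith registry.example.com/ci/)

- rule: Shell Spawned In Container
  desc: A shell binary was exec'd inside a container that is not on the exclusion list
  condition: >
    spawned_process and container and shell_procs
    and not user_shell_container_exclusions
  output: >
    Shell spawned in container (user=%user.name shell=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline container_id=%container.id image=%container.image)
  priority: WARNING
  tags: [container, shell]
```

Each rule condition is written entirely in terms of the default macros, so the rule text never changes when the environment does; only the three placeholder macros are edited. Falco validates the file on start, so a typo in a macro name is reported at load time rather than silently never matching.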
Containers Allowed to Communicate with the EC2 Metadata Service
Whitelist containers that are allowed to talk to the EC2 metadata service. Default: any container.
- macro: ec2_metadata_containers
  condition: container
Kubernetes API Server
The shipped address 1.2.3.4:8080 is only a placeholder; override this macro with the IP and port of your cluster's API server.
- macro: k8s_api_server
  condition: (fd.sip="1.2.3.4" and fd.sport=8080)
Containers Allowed to Communicate with the Kubernetes API
- macro: k8s_containers
  condition: >
    (container.image startswith gcr.io/google_containers/hyperkube-amd64 or
     container.image startswith gcr.io/google_containers/kube2sky or
     container.image startswith sysdig/agent or
     container.image startswith sysdig/falco or
     container.image startswith sysdig/sysdig)
Containers Allowed to Communicate with Kubernetes Service NodePorts
Default: any container.
- macro: nodeport_containers
  condition: container
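An added example (not from the Falco project or the original page) of tailoring the three Kubernetes macros above. Unlike a plain redefinition, the k8s_containers entry uses append: true, which keeps the five upstream image prefixes and ORs in an extra one; the other two macros are replaced outright, and a rule is built on each. The API server address 10.96.0.1:443, the registry.example.com/platform/ image prefix and the NodePort range 30000-32767 (the kube-apiserver default) are assumptions about an imaginary cluster.

```yaml
# /etc/falco/falco_rules.local.yaml, Kubernetes section (added example; values are assumptions)

# Assumed: the API server is reachable at the kubernetes.default service
# address 10.96.0.1:443. The shipped 1.2.3.4:8080 is a placeholder.
- macro: k8s_api_server
  condition: (fd.sip="10.96.0.1" and fd.sport=443)

# Extend, rather than replace, the default list of images allowed to talk to
# the API server. With "append: true" the text below is concatenated to the
# existing condition, so it must start with the operator that joins them.
# Assumed: operators and controllers live under registry.example.com/platform/.
- macro: k8s_containers
  append: true
  condition: or (container.image startswith registry.example.com/platform/)

- rule: Unexpected Container Contacted K8s API Server
  desc: Outbound connection to the API server from a container not on the allowed image list
  condition: (outbound and k8s_api_server and container and not k8s_containers)
  output: >
    Unexpected connection to K8s API server (command=%proc.cmdline
    connection=%fd.name user=%user.name container_id=%container.id image=%container.image)
  priority: NOTICE
  tags: [network, k8s]

# Assumed: only the ingress controller image may reach service NodePorts directly.
- macro: nodeport_containers
  condition: (container.image startswith registry.example.com/platform/ingress)

- rule: Unexpected K8s NodePort Connection
  desc: Connection to or from the NodePort range by a container not allowed to use NodePorts
  condition: >
    inbound_outbound and fd.sport >= 30000 and fd.sport <= 32767
    and container and not nodeport_containers
  output: >
    Unexpected NodePort connection (command=%proc.cmdline connection=%fd.name
    container_id=%container.id image=%container.image)
  priority: NOTICE
  tags: [network, k8s]
```

Appending is the safer choice for allow-lists that upstream maintains, since a later Falco release can add images without the local override silently dropping them; replacing is the right choice for placeholders such as k8s_api_server whose shipped value is never correct.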