From 8bd69b8ad54424d39ea04f07f91383e3acf39705 Mon Sep 17 00:00:00 2001
From: Michael Styne
Date: Tue, 30 Jul 2024 15:18:13 -0400
Subject: [PATCH] - falco updates
---
 roles/ubersmith/files/falco_rules.local.yaml | 12 ++++++++++++
 roles/ubersmith/tasks/main.yml | 1 +
 roles/ubersmith/templates/docker-compose.yml.j2 | 16 +++++++---------
 3 files changed, 20 insertions(+), 9 deletions(-)
 create mode 100644 roles/ubersmith/files/falco_rules.local.yaml
diff --git a/roles/ubersmith/files/falco_rules.local.yaml b/roles/ubersmith/files/falco_rules.local.yaml
new file mode 100644
index 0000000..e4feb5f
--- /dev/null
+++ b/roles/ubersmith/files/falco_rules.local.yaml
@@ -0,0 +1,12 @@
+- macro: uber_dir
+ condition: (fd.directory in (/var/www/ubersmith_root, /var/lib/docker/volumes/ubersmith_webroot/_data, /usr/local/ubersmith))
+
+- rule: Write below Ubersmith directory
+ desc: >
+ Trying to write to any file below Ubersmith directories. This is an effective rule for detecting unusual behavior associated with system
+ changes, including compliance-related cases.
+ condition: >
+ open_write and evt.dir=<
+ and uber_dir
+ output: File below Ubersmith directory opened for writing (file=%fd.name pcmdline=%proc.pcmdline gparent=%proc.aname[2] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
+ priority: ERROR
\ No newline at end of file
diff --git a/roles/ubersmith/tasks/main.yml b/roles/ubersmith/tasks/main.yml
index 9db3bca..f704852 100644
--- a/roles/ubersmith/tasks/main.yml
+++ b/roles/ubersmith/tasks/main.yml
@@ -110,6 +110,7 @@
 - "{{ ubersmith_home }}/conf/certbot/etc/renewal-hooks/deploy"
 - "{{ ubersmith_home }}/conf/certbot/log"
 - "{{ ubersmith_home }}/conf/sso"
+ - "{{ ubersmith_home }}/conf/falco"
 - "{{ ubersmith_home }}/app/custom"
 - "{{ ubersmith_home }}/app/custom/locale"
 - "{{ ubersmith_home }}/app/custom/plugins"
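Review bot: `fd.directory in (...)` in the `uber_dir` macro only matches files whose immediate parent is one of the three listed directories, so a write to a nested path (a subdirectory of `/var/www/ubersmith_root`, say) does not trigger the rule even though the rule name and `desc` promise coverage of anything "below" those trees; a prefix test gives the intended semantics, e.g. `condition: (fd.name startswith /var/www/ubersmith_root/ or fd.name startswith /var/lib/docker/volumes/ubersmith_webroot/_data/ or fd.name startswith /usr/local/ubersmith/)`. Expect the application's own processes to write under these trees during normal operation, and as written every such write fires at `ERROR`, so once the benign writers are identified the rule will need an `exceptions:` list or a `and not proc.name in (...)` clause to stay actionable. The file also lacks a trailing newline (`\ No newline at end of file`).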
diff --git a/roles/ubersmith/templates/docker-compose.yml.j2 b/roles/ubersmith/templates/docker-compose.yml.j2
index e534bff..4a5313c 100644
--- a/roles/ubersmith/templates/docker-compose.yml.j2
+++ b/roles/ubersmith/templates/docker-compose.yml.j2
@@ -231,24 +231,22 @@ services:
 falco:
 image: falcosecurity/falco-no-driver:latest
 hostname: falco.{{ container_domain }}
- cap_drop:
- - all
- cap_add:
- - sys_admin
- - sys_resource
- - sys_ptrace
- command: falco -o engine.kind=ebpf
- security_opt:
+ privileged: true
+ security_opt:
 - apparmor:unconfined
 logging:
 driver: syslog
 options:
 tag: ubersmith/falco
+ tty: true
 volumes:
 - /var/run/docker.sock:/host/var/run/docker.sock
- - /root/.falco:/root/.falco
 - /proc:/host/proc:ro
 - /etc:/host/etc
+ - "{{ ubersmith_home }}/conf/falco/falco_rules.local.yaml:/etc/falco/falco_rules.local.yaml"
+ depends_on:
+ web:
+ condition: service_started
 clamav:
 image: clamav/clamav:1.3_base
 hostname: clamav.{{ container_domain }}
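Review bot: `privileged: true` replaces the scoped `cap_drop: all` / `cap_add: sys_admin, sys_resource, sys_ptrace` set, which hands the Falco container every capability, all host devices and no default seccomp profile on top of the retained `apparmor:unconfined`; the monitoring sidecar is the last place this should be widened, and the commit gives no reason. If the probe stopped loading after `command: falco -o engine.kind=ebpf` was dropped (the image default engine now applies), record that in a comment next to `privileged:` and prefer restoring the three capabilities, adding `BPF` and `PERFMON` on kernels ≥ 5.8 if the modern eBPF probe needs them, over `privileged`. The new rules bind mount should be read-only so nothing inside the container can rewrite its own detection rules: `- "{{ ubersmith_home }}/conf/falco/falco_rules.local.yaml:/etc/falco/falco_rules.local.yaml:ro"`. Nothing in this patch copies `roles/ubersmith/files/falco_rules.local.yaml` into `{{ ubersmith_home }}/conf/falco/`; if that task does not exist elsewhere in main.yml, Docker will create an empty directory at the missing host path and mount that instead of the rules file.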