diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 82de27c36..d1b967f06 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -15,6 +15,13 @@
 # limitations under the License. # +# Information about rules tags and fields can be found here: https://falco.org/docs/rules/#tags-for-current-falco-ruleset +# The initial item in the `tags` fields reflects the maturity level of the rules introduced upon the proposal https://github.com/falcosecurity/rules/blob/main/proposals/20230605-rules-adoption-management-maturity-framework.md +# `tags` fields also include information about the type of workload inspection (host and/or container), and Mitre Attack killchain phases and Mitre TTP code(s) +# Mitre Attack References: +# [1] https://attack.mitre.org/tactics/enterprise/ +# [2] https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json + # Starting with version 8, the Falco engine supports exceptions. # However the Falco rules file does not use them by default. - required_engine_version: 17
@@ -27,12 +34,6 @@
 # - macro: read # condition: (syscall.type=read and evt.dir=> and fd.type in (file, directory)) -# Information about rules tags and fields can be found here: https://falco.org/docs/rules/#tags-for-current-falco-ruleset -# `tags` fields also include information about the type of workload inspection, Mitre Attack killchain phases and Mitre TTP code(s) -# Mitre Attack References: -# [1] https://attack.mitre.org/tactics/enterprise/ -# [2] https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json - - macro: open_write condition: (evt.type in (open,openat,openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0)
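Review bot: The new header line about the initial `tags` item documents a positional convention that nothing in the file enforces; as far as I know the engine treats `tags` as an unordered set for `-t`/`-T` filtering, so a rule whose maturity tag is not first would still load and match. I would say that explicitly and name the permitted values so a reviewer can check a tags line by eye, e.g. `# The first tag is the maturity level (maturity_stable, maturity_incubating, maturity_sandbox, maturity_deprecated); the engine does not enforce the order, the convention is for readers and tooling.` The maturity line and the `tags` fields line are also well past 120 columns; folding them to one clause per line would keep the header readable. The second hunk on this line only removes the old copy of the comment block and needs nothing.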
@@ -382,7 +383,7 @@
 enabled: false output: Disallowed SSH Connection (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository) priority: NOTICE - tags: [host, container, network, mitre_command_and_control, mitre_lateral_movement, T1021.004] + tags: [maturity_sandbox, host, container, network, mitre_command_and_control, mitre_lateral_movement, T1021.004] # These rules and supporting macros are more of an example for how to # use the fd.*ip and fd.*ip.name fields to match connection
@@ -412,7 +413,7 @@
 enabled: false output: Disallowed outbound connection destination (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository) priority: NOTICE - tags: [host, container, network, mitre_command_and_control, TA0011] + tags: [maturity_sandbox, host, container, network, mitre_command_and_control, TA0011] - list: allowed_inbound_source_ipaddrs items: ['"127.0.0.1"']
@@ -433,7 +434,7 @@
 enabled: false output: Disallowed inbound connection source (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository) priority: NOTICE - tags: [host, container, network, mitre_command_and_control, TA0011] + tags: [maturity_sandbox, host, container, network, mitre_command_and_control, TA0011] - list: bash_config_filenames items: [.bashrc, .bash_profile, .bash_history, .bash_login, .bash_logout, .inputrc, .profile]
@@ -494,7 +495,7 @@
 a shell configuration file was read by a non-shell program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid file=%fd.name container_id=%container.id image=%container.image.repository) priority: WARNING - tags: [host, container, filesystem, mitre_discovery, T1546.004] + tags: [maturity_sandbox, host, container, filesystem, mitre_discovery, T1546.004] - macro: user_known_cron_jobs condition: (never_true)
@@ -511,7 +512,7 @@
 file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: NOTICE - tags: [host, container, filesystem, mitre_persistence, T1053.003] + tags: [maturity_sandbox, host, container, filesystem, mitre_persistence, T1053.003] # Use this to test whether the event occurred within a container.
@@ -1002,7 +1003,7 @@
 ssh-related file/directory read by non-ssh program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline container_id=%container.id image=%container.image.repository) priority: ERROR - tags: [host, container, filesystem, mitre_discovery, T1005] + tags: [maturity_sandbox, host, container, filesystem, mitre_discovery, T1005] - list: safe_etc_dirs items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment, /etc/hrmconfig, /etc/fluent/configs.d. /etc/alertmanager]
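Review bot: The `safe_etc_dirs` context line at the end of the -1002 hunk has a `.` where a `,` belongs: in a flow sequence `/etc/fluent/configs.d. /etc/alertmanager` is one plain scalar with a space in it, so neither `/etc/fluent/configs.d` nor `/etc/alertmanager` is an item of the list. The commit does not touch that line, but it is visible here and is a one-character fix: `items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment, /etc/hrmconfig, /etc/fluent/configs.d, /etc/alertmanager]`. Presumably the list feeds an exception on writes below /etc (the consuming rule is outside this hunk), in which case the effect today is extra alerts for those two directories rather than a blind spot, which is worth confirming before merging the fix.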
@@ -1606,7 +1607,7 @@
 Namespace change (setns) by unexpected program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository:%container.image.tag) priority: NOTICE - tags: [host, container, process, mitre_privilege_escalation, mitre_lateral_movement, T1611] + tags: [maturity_sandbox, host, container, process, mitre_privilege_escalation, mitre_lateral_movement, T1611] # The binaries in this list and their descendents are *not* allowed # spawn shells. This includes the binaries spawning shells directly as
@@ -2191,7 +2192,7 @@
 Program run with disallowed HTTP_PROXY environment variable (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid env=%proc.env parent=%proc.pname container_id=%container.id image=%container.image.repository exe_flags=%evt.arg.flags) priority: NOTICE - tags: [host, container, users, mitre_command_and_control, T1090, T1204] + tags: [maturity_sandbox, host, container, users, mitre_command_and_control, T1090, T1204] # In some environments, any attempt by a interpreted program (perl, # python, ruby, etc) to listen for incoming connections or perform
@@ -2207,7 +2208,7 @@
 Interpreted program received/listened for network traffic (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid connection=%fd.name container_id=%container.id image=%container.image.repository) priority: NOTICE - tags: [host, container, network, mitre_exfiltration, TA0011] + tags: [maturity_sandbox, host, container, network, mitre_exfiltration, TA0011] - rule: Interpreted procs outbound network activity desc: Any outbound network activity performed by any interpreted program (perl, python, ruby, etc.)
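Review bot: In the -2207 hunk the rewritten line `tags: [maturity_sandbox, host, container, network, mitre_exfiltration, TA0011]` pairs the exfiltration tactic tag with TA0011, which in ATT&CK is Command and Control (Exfiltration is TA0010); the other rules in this diff use `mitre_command_and_control, TA0011`, so the tactic name and the ID disagree with each other and with the rest of the file. The same pairing is in the -2218 and -2257 hunks, and the -3032 hunk has `mitre_discovery, TA0011`, where Discovery would be TA0007. Since this commit rewrites every tags line anyway it is the natural place to align them: either `mitre_exfiltration, TA0010` if exfiltration is the intended phase, or `mitre_command_and_control, TA0011` as used elsewhere in the file. This matters operationally because `-t`/`-T` tag filtering and any downstream grouping of alerts by tactic rely on these tags being consistent.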
@@ -2218,7 +2219,7 @@
 Interpreted program performed outgoing network connection (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid connection=%fd.name container_id=%container.id image=%container.image.repository) priority: NOTICE - tags: [host, container, network, mitre_exfiltration, TA0011] + tags: [maturity_sandbox, host, container, network, mitre_exfiltration, TA0011] - list: openvpn_udp_ports items: [1194, 1197, 1198, 8080, 9201]
@@ -2257,7 +2258,7 @@
 Unexpected UDP Traffic Seen (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args container_id=%container.id image=%container.image.repository) priority: NOTICE - tags: [host, container, network, mitre_exfiltration, TA0011] + tags: [maturity_sandbox, host, container, network, mitre_exfiltration, TA0011] # With the current restriction on system calls handled by falco # (e.g. excluding read/write/sendto/recvfrom/etc, this rule won't
@@ -2396,7 +2397,7 @@
 output: Outbound connection to EC2 instance metadata service (command=%proc.cmdline pid=%proc.pid connection=%fd.name %container.info image=%container.image.repository:%container.image.tag) priority: NOTICE enabled: false - tags: [network, aws, container, mitre_discovery, T1565] + tags: [maturity_sandbox, network, aws, container, mitre_discovery, T1565] # This rule is not enabled by default, since this rule is for cloud environment(GCP, AWS and Azure) only.
@@ -2413,7 +2414,7 @@
 enabled: false output: Outbound connection to cloud instance metadata service (command=%proc.cmdline pid=%proc.pid connection=%fd.name %container.info image=%container.image.repository:%container.image.tag) priority: NOTICE - tags: [network, container, mitre_discovery, T1565] + tags: [maturity_sandbox, network, container, mitre_discovery, T1565] # Containers from IBM Cloud - list: ibm_cloud_containers
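Review bot: The -2396 and -2413 hunks keep `mitre_discovery, T1565` on the two instance-metadata rules, and T1565 is Data Manipulation, an Impact technique, so the technique ID does not belong to the tactic named beside it. Access to the cloud instance metadata API is catalogued in ATT&CK as T1552.005 under Credential Access, which following the file's tag naming pattern would read `tags: [maturity_sandbox, network, aws, container, mitre_credential_access, T1552.005]` for the EC2 rule and the same without `aws` for the generic one; confirm against the ATT&CK JSON linked in the file header before changing. Either way the tactic tag and the ID should be corrected together, not one without the other.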
@@ -2740,7 +2741,7 @@
 command=%proc.cmdline pid=%proc.pid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: NOTICE - tags: [host, container, process, users, mitre_persistence, T1548.001] + tags: [maturity_sandbox, host, container, process, users, mitre_persistence, T1548.001] - list: exclude_hidden_directories items: [/root/.cassandra]
@@ -2763,7 +2764,7 @@
 file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: NOTICE - tags: [host, container, filesystem, mitre_persistence, T1564.001] + tags: [maturity_sandbox, host, container, filesystem, mitre_persistence, T1564.001] - list: remote_file_copy_binaries items: [rsync, scp, sftp, dcp]
@@ -2912,7 +2913,7 @@
 enabled: false output: Outbound connection to IP/Port flagged by https://cryptoioc.ch (command=%proc.cmdline pid=%proc.pid port=%fd.rport ip=%fd.rip container=%container.info image=%container.image.repository) priority: CRITICAL - tags: [host, container, network, mitre_execution, T1496] + tags: [maturity_sandbox, host, container, network, mitre_execution, T1496] - rule: Detect crypto miners using the Stratum protocol desc: Miners typically specify the mining pool to connect to with a URI that begins with 'stratum+tcp'
@@ -2996,7 +2997,7 @@
 image=%container.image.repository namespace=%k8s.ns.name fd.rip.name=%fd.rip.name fd.lip.name=%fd.lip.name fd.cip.name=%fd.cip.name fd.sip.name=%fd.sip.name) priority: WARNING - tags: [container, network, mitre_discovery, T1046] + tags: [maturity_sandbox, container, network, mitre_discovery, T1046] - list: allowed_image items: [] # add image to monitor, i.e.: bitnami/nginx
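Review bot: In the -2912 hunk the line `tags: [maturity_sandbox, host, container, network, mitre_execution, T1496]` pairs T1496 (Resource Hijacking) with the execution tactic, but ATT&CK lists Resource Hijacking under Impact (TA0040), so the tactic tag and the technique ID disagree. If the rule is meant to flag the mining outcome, a tactic tag built on the file's naming pattern, `mitre_impact, T1496`, would be consistent; if it is meant as an outbound-connection-to-known-bad-address detection like the rules here that use `mitre_command_and_control, TA0011`, the technique ID should change instead. The rule is `enabled: false`, so the mismatch is a cataloguing problem rather than a detection one, but it is cheap to settle while every tags line is being rewritten.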
@@ -3032,7 +3033,7 @@
 (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository) priority: WARNING - tags: [container, network, mitre_discovery, TA0011] + tags: [maturity_sandbox, container, network, mitre_discovery, TA0011] - macro: user_known_stand_streams_redirect_activities condition: (never_true)
@@ -3076,7 +3077,7 @@
 enabled: false output: Drift detected (chmod), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type) priority: ERROR - tags: [container, process, filesystem, mitre_execution, T1059] + tags: [maturity_sandbox, container, process, filesystem, mitre_execution, T1059] # **************************************************************************** # * "Container Drift Detected (open+create)" requires FALCO_ENGINE_VERSION 6 *
@@ -3094,7 +3095,7 @@
 enabled: false output: Drift detected (open+create), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type) priority: ERROR - tags: [container, process, filesystem, mitre_execution, T1059] + tags: [maturity_sandbox, container, process, filesystem, mitre_execution, T1059] - list: c2_server_ip_list items: []
@@ -3134,7 +3135,7 @@
 output: Outbound connection to C2 server (c2_domain=%fd.sip.name c2_addr=%fd.sip command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository) priority: WARNING enabled: false - tags: [host, container, network, mitre_command_and_control, TA0011] + tags: [maturity_sandbox, host, container, network, mitre_command_and_control, TA0011] - list: allowed_container_images_loading_kernel_module items: []
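Review bot: The banner kept as context at the end of the -3076 hunk, `# * "Container Drift Detected (open+create)" requires FALCO_ENGINE_VERSION 6 *`, is stale: the first hunk of this diff shows the file already declaring `- required_engine_version: 17`, so the engine-6 requirement is met by any engine that can load the file at all and the boxed warning only distracts. I would drop the box or reduce it to one line, `# Historical note: the open+create variant needed engine version 6; the file now requires 17.` The two drift rules in the -3076 and -3094 hunks are tagged identically after the change, which is the consistent outcome.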
@@ -3166,7 +3167,7 @@
 enabled: false output: Container launched with root user privilege (uid=%user.uid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag exe_flags=%evt.arg.flags) priority: INFO - tags: [container, process, users, mitre_execution, T1610] + tags: [maturity_sandbox, container, process, users, mitre_execution, T1610] # This rule helps detect CVE-2021-3156: # A privilege escalation to root through heap-based buffer overflow
@@ -3295,7 +3296,7 @@
 output: Java process class file download (user=%user.name user_loginname=%user.loginname user_loginuid=%user.loginuid event=%evt.type connection=%fd.name server_ip=%fd.sip server_port=%fd.sport proto=%fd.l4proto process=%proc.name command=%proc.cmdline pid=%proc.pid parent=%proc.pname buffer=%evt.buffer container_id=%container.id image=%container.image.repository) priority: CRITICAL enabled: false - tags: [host, container, process, mitre_initial_access, T1190] + tags: [maturity_sandbox, host, container, process, mitre_initial_access, T1190] - list: docker_binaries items: [docker, dockerd, containerd-shim, "runc:[1:CHILD]", pause, exe, docker-compose, docker-entrypoi, docker-runc-cur, docker-current, dockerd-current]
@@ -3311,7 +3312,7 @@
 output: > Detect Potential Container Breakout Exploit (CVE-2019-5736) (user=%user.name process=%proc.name file=%fd.name cmdline=%proc.cmdline pid=%proc.pid %container.info) priority: WARNING - tags: [container, filesystem, mitre_initial_access, T1611] + tags: [maturity_sandbox, container, filesystem, mitre_initial_access, T1611] - list: known_binaries_to_read_environment_variables_from_proc_files items: [scsi_id, argoexec]
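Review bot: The -3311 hunk writes `tags: [maturity_sandbox, container, filesystem, mitre_initial_access, T1611]` while the -1606 hunk earlier in this diff tags the same technique, T1611 (Escape to Host), with `mitre_privilege_escalation`; ATT&CK places Escape to Host under Privilege Escalation, so the CVE-2019-5736 rule should follow the same pairing, `tags: [maturity_sandbox, container, filesystem, mitre_privilege_escalation, T1611]`. If the author deliberately models the runc breakout as the entry point, a one-line comment above the rule saying so would keep the next reader from "correcting" it. Two rules on one technique under two different tactic tags is exactly what makes tag-based filtering and alert grouping unreliable.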