new(rules): add "Disallowed SSH Connection Non Standard Port" rule

[incertum]

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind feature

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area rules

/area registry

/area build

/area documentation

Proposed rule maturity level

Uncomment one (or more) /area <> lines (only for PRs that add or modify rules):

/area maturity-stable

/area maturity-incubating

/area maturity-sandbox

/area maturity-deprecated

What this PR does / why we need it:

During the latest audit I noticed a major coverage gap in the upstream rules wrt SSH connections. This rule adds yet another detection to the upstream rules to alert on various types of payloads that can be used in command injection attacks that can lead to RCE.

@loresuso @darryk10 @leogr

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

[github-actions]

Rules files suggestions

falco_rules.yaml

Comparing 8ddd10259d39f329f3cf6b80cde2220127528b81 with latest tag falco-rules-1.0.1

Major changes:

• Rule Delete Bash History has been removed
• Macro consider_network_tools_on_host has been removed
• Macro always_true has been removed
• Rule Disallowed SSH Connection has less tags than before
• Rule Schedule Cron Jobs has less tags than before
• Rule Update Package Repository has less tags than before
• Rule Directory traversal monitored file read has less tags than before
• Rule Read ssh information has less tags than before
• Rule Read sensitive file trusted after startup has less tags than before
• Rule Read sensitive file untrusted has less tags than before
• Rule Modify binary dirs has less tags than before
• Rule Change thread namespace has less tags than before
• Rule Launch Privileged Container has less tags than before
• Rule Launch Excessively Capable Container has less tags than before
• Rule Launch Sensitive Mount Container has less tags than before
• Rule System procs network activity has less tags than before
• Rule Program run with disallowed http proxy env has less tags than before
• Rule User mgmt binaries has less tags than before
• Rule Create files below dev has less tags than before
• Rule Contact EC2 Instance Metadata Service From Container has less tags than before
• Rule Unexpected K8s NodePort Connection has been disabled at default
• Rule Launch Suspicious Network Tool in Container has less tags than before
• Rule Launch Suspicious Network Tool on Host has been disabled at default
• Rule Launch Suspicious Network Tool on Host has less tags than before
• Rule Remove Bulk Data from Disk has less tags than before
• Rule Set Setuid or Setgid bit has less tags than before
• Rule Create Hidden Files or Directories has less tags than before
• Rule Launch Remote File Copy Tools in Container has less tags than before
• Rule Create Symlink Over Sensitive Files has less tags than before
• Rule Create Hardlink Over Sensitive Files has less tags than before
• Rule Detect outbound connections to common miner pool ports has less tags than before
• Rule Detect crypto miners using the Stratum protocol has less tags than before
• Rule Packet socket created in container has less tags than before
• Rule Redirect STDOUT/STDIN to Network Connection in Container has less tags than before
• Rule Linux Kernel Module Injection Detected has less tags than before
• Rule Debugfs Launched in Privileged Container has less tags than before
• Rule Mount Launched in Privileged Container has less tags than before
• Rule Detect release_agent File Container Escapes has less tags than before
• Rule Read environment variable from /proc files has less tags than before
• Rule PTRACE attached to process has less tags than before
• Rule Execution from /dev/shm has less tags than before

Minor changes:

• Rule Disallowed SSH Connection Non Standard Port has been added
• Macro ssh_non_standard_ports_network has been added
• List ssh_non_standard_ports has been added

Patch changes:

• Rule Disallowed SSH Connection changed its output fields
• Rule Disallowed SSH Connection has more tags than before
• Rule Unexpected outbound connection destination changed its output fields
• Rule Unexpected outbound connection destination has more tags than before
• Rule Unexpected inbound connection source changed its output fields
• Rule Unexpected inbound connection source has more tags than before
• Rule Modify Shell Configuration File changed its output fields
• Rule Modify Shell Configuration File has more tags than before
• Rule Read Shell Configuration File changed its output fields
• Rule Read Shell Configuration File has more tags than before
• Rule Schedule Cron Jobs changed its output fields
• Rule Schedule Cron Jobs has more tags than before
• Rule Update Package Repository changed its output fields
• Rule Update Package Repository has more tags than before
• Rule Write below binary dir changed its output fields
• Rule Write below binary dir has more tags than before
• Rule Write below monitored dir changed its output fields
• Rule Write below monitored dir has more tags than before
• Rule Directory traversal monitored file read changed its output fields
• Rule Directory traversal monitored file read has more tags than before
• Rule Read ssh information changed its output fields
• Rule Read ssh information has more tags than before
• Rule Write below etc changed its output fields
• Rule Write below etc has more tags than before
• Rule Write below root changed its output fields
• Rule Write below root has more tags than before
• Rule Read sensitive file trusted after startup changed its output fields
• Rule Read sensitive file trusted after startup has more tags than before
• Rule Read sensitive file untrusted changed its output fields
• Rule Read sensitive file untrusted has more tags than before
• Rule Write below rpm database changed its output fields
• Rule Write below rpm database has more tags than before
• Rule DB program spawned process changed its output fields
• Rule DB program spawned process has more tags than before
• Rule Modify binary dirs changed its output fields
• Rule Modify binary dirs has more tags than before
• Rule Mkdir binary dirs changed its output fields
• Rule Mkdir binary dirs has more tags than before
• Rule Change thread namespace changed its output fields
• Rule Change thread namespace has more tags than before
• Rule Run shell untrusted changed its output fields
• Rule Run shell untrusted has more tags than before
• Rule Run shell untrusted has a more urgent priority than before
• Rule Launch Privileged Container changed its output fields
• Rule Launch Privileged Container has more tags than before
• Rule Launch Excessively Capable Container changed its output fields
• Rule Launch Excessively Capable Container has more tags than before
• Rule Launch Sensitive Mount Container changed its output fields
• Rule Launch Sensitive Mount Container has more tags than before
• Rule Launch Disallowed Container changed its output fields
• Rule Launch Disallowed Container has more tags than before
• Rule System user interactive changed its output fields
• Rule System user interactive has more tags than before
• Rule Terminal shell in container has more tags than before
• Rule System procs network activity changed its output fields
• Rule System procs network activity has more tags than before
• Rule Program run with disallowed http proxy env changed its output fields
• Rule Program run with disallowed http proxy env has more tags than before
• Rule Interpreted procs inbound network activity changed its output fields
• Rule Interpreted procs inbound network activity has more tags than before
• Rule Interpreted procs outbound network activity changed its output fields
• Rule Interpreted procs outbound network activity has more tags than before
• Rule Unexpected UDP Traffic changed its output fields
• Rule Unexpected UDP Traffic has more tags than before
• Rule Non sudo setuid changed its output fields
• Rule Non sudo setuid has more tags than before
• Rule User mgmt binaries changed its output fields
• Rule User mgmt binaries has more tags than before
• Rule Create files below dev changed its output fields
• Rule Create files below dev has more tags than before
• Rule Contact EC2 Instance Metadata Service From Container changed its output fields
• Rule Contact EC2 Instance Metadata Service From Container has more tags than before
• Rule Contact cloud metadata service from container has been enabled at default
• Rule Contact cloud metadata service from container changed its output fields
• Rule Contact cloud metadata service from container has more tags than before
• Rule Contact K8S API Server From Container changed its output fields
• Rule Contact K8S API Server From Container has more tags than before
• Rule Unexpected K8s NodePort Connection changed its output fields
• Rule Unexpected K8s NodePort Connection has more tags than before
• Rule Launch Package Management Process in Container changed its output fields
• Rule Launch Package Management Process in Container has more tags than before
• Rule Netcat Remote Code Execution in Container changed its output fields
• Rule Netcat Remote Code Execution in Container has more tags than before
• Rule Launch Suspicious Network Tool in Container changed its output fields
• Rule Launch Suspicious Network Tool in Container has more tags than before
• Rule Launch Suspicious Network Tool on Host changed its output fields
• Rule Launch Suspicious Network Tool on Host has more tags than before
• Rule Search Private Keys or Passwords changed its output fields
• Rule Search Private Keys or Passwords has more tags than before
• Rule Clear Log Activities changed its output fields
• Rule Clear Log Activities has more tags than before
• Rule Remove Bulk Data from Disk changed its output fields
• Rule Remove Bulk Data from Disk has more tags than before
• Rule Delete or rename shell history changed its output fields
• Rule Delete or rename shell history has more tags than before
• Rule Set Setuid or Setgid bit changed its output fields
• Rule Set Setuid or Setgid bit has more tags than before
• Rule Create Hidden Files or Directories changed its output fields
• Rule Create Hidden Files or Directories has more tags than before
• Rule Launch Remote File Copy Tools in Container changed its output fields
• Rule Launch Remote File Copy Tools in Container has more tags than before
• Rule Create Symlink Over Sensitive Files changed its output fields
• Rule Create Symlink Over Sensitive Files has more tags than before
• Rule Create Hardlink Over Sensitive Files changed its output fields
• Rule Create Hardlink Over Sensitive Files has more tags than before
• Rule Detect outbound connections to common miner pool ports changed its output fields
• Rule Detect outbound connections to common miner pool ports has more tags than before
• Rule Detect crypto miners using the Stratum protocol changed its output fields
• Rule Detect crypto miners using the Stratum protocol has more tags than before
• Rule The docker client is executed in a container changed its output fields
• Rule The docker client is executed in a container has more tags than before
• Rule Packet socket created in container changed its output fields
• Rule Packet socket created in container has more tags than before
• Rule Network Connection outside Local Subnet changed its output fields
• Rule Network Connection outside Local Subnet has more tags than before
• Rule Outbound or Inbound Traffic not to Authorized Server Process and Port changed its output fields
• Rule Outbound or Inbound Traffic not to Authorized Server Process and Port has more tags than before
• Rule Redirect STDOUT/STDIN to Network Connection in Container changed its output fields
• Rule Redirect STDOUT/STDIN to Network Connection in Container has more tags than before
• Rule Container Drift Detected (chmod) changed its output fields
• Rule Container Drift Detected (chmod) has more tags than before
• Rule Container Drift Detected (open+create) changed its output fields
• Rule Container Drift Detected (open+create) has more tags than before
• Rule Outbound Connection to C2 Servers changed its output fields
• Rule Outbound Connection to C2 Servers has more tags than before
• Rule Linux Kernel Module Injection Detected changed its output fields
• Rule Linux Kernel Module Injection Detected has more tags than before
• Rule Container Run as Root User changed its output fields
• Rule Container Run as Root User has more tags than before
• Rule Sudo Potential Privilege Escalation changed its output fields
• Rule Sudo Potential Privilege Escalation has more tags than before
• Rule Debugfs Launched in Privileged Container changed its output fields
• Rule Debugfs Launched in Privileged Container has more tags than before
• Rule Mount Launched in Privileged Container changed its output fields
• Rule Mount Launched in Privileged Container has more tags than before
• Rule Unprivileged Delegation of Page Faults Handling to a Userspace Process changed its output fields
• Rule Unprivileged Delegation of Page Faults Handling to a Userspace Process has more tags than before
• Rule Launch Ingress Remote File Copy Tools in Container changed its output fields
• Rule Launch Ingress Remote File Copy Tools in Container has more tags than before
• Rule Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) changed its output fields
• Rule Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) has more tags than before
• Rule Detect release_agent File Container Escapes changed its output fields
• Rule Detect release_agent File Container Escapes has more tags than before
• Rule Java Process Class File Download changed its output fields
• Rule Java Process Class File Download has more tags than before
• Rule Modify Container Entrypoint changed its output fields
• Rule Modify Container Entrypoint has more tags than before
• Rule Read environment variable from /proc files changed its output fields
• Rule Read environment variable from /proc files has more tags than before
• Rule PTRACE attached to process changed its output fields
• Rule PTRACE attached to process has more tags than before
• Rule PTRACE anti-debug attempt changed its output fields
• Rule PTRACE anti-debug attempt has more tags than before
• Rule Find AWS Credentials changed its output fields
• Rule Find AWS Credentials has more tags than before
• Rule Execution from /dev/shm changed its output fields
• Rule Execution from /dev/shm has more tags than before
• Rule Drop and execute new binary in container changed its output fields
• Rule Drop and execute new binary in container has more tags than before

[darryk10]

Hi @incertum ,
the use case looks pretty solid to me and during my tests I haven't seen much noise coming from this rule. Great rule and use case! This might be a good rule to enable by default after the graduation based on the framework!

[poiana]

LGTM label has been added.

Git tree hash: 311b518002ff43be1da7ad553b6ed066e27de36f

[incertum]

Thanks @darryk10 agreed this one can be bumped to Stable afterwards similarly to how we plan it for the memfd + exec case.

[Andreagit97]

/approve

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, darryk10, incertum

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Andreagit97,incertum]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment