Falco (3): default macros

Reader submission, 2022-09-16

Contents

File Opened for Writing
File Opened for Reading
Never True
Always True
Proc Name is Set
File System Object Renamed
New Directory Created
File System Object Removed
File System Object Modified
New Process Spawned
Common Directories for Binaries
Shell is Started
Known Sensitive Files
Newly Created Process
Inbound Network Connections
Outbound Network Connections
Inbound or Outbound Network Connections
Object is a Container
Interactive Process Spawned
Common SSH Port
Allowed SSH Hosts
User-Trusted Containers
Containers Allowed to Spawn Shells
Containers Allowed to Talk to the EC2 Metadata Service
Kubernetes API Server
Containers Allowed to Talk to the Kubernetes API
Containers Allowed to Talk to Kubernetes Service NodePorts

In the previous article we looked at how Falco rules are used. A macro is a way to define a reusable, named sub-expression of a rule condition. The Falco rule set defines many macros that make it easier to start writing rules: they provide shortcuts for common scenarios and can be referenced from any user-defined rule. Falco also ships macros that are meant to be overridden by the user to supply settings specific to their environment (a macro redefined in a later-loaded file such as falco_rules.local.yaml replaces the default), and existing macros can also be appended to from the local rules file.

File Opened for Writing

- macro: open_write
  condition: (evt.type=open or evt.type=openat) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0

File Opened for Reading

- macro: open_read
  condition: (evt.type=open or evt.type=openat) and evt.is_open_read=true and fd.typechar='f' and fd.num>=0

Never True

- macro: never_true
  condition: (evt.num=0)

Always True

- macro: always_true
  condition: (evt.num>=0)

Proc Name is Set

- macro: proc_name_exists
  condition: (proc.name!="")

File System Object Renamed

- macro: rename
  condition: evt.type in (rename, renameat)

New Directory Created

- macro: mkdir
  condition: evt.type = mkdir

File System Object Removed

- macro: remove
  condition: evt.type in (rmdir, unlink, unlinkat)

File System Object Modified

- macro: modify
  condition: rename or remove

New Process Spawned

- macro: spawned_process
  condition: evt.type = execve and evt.dir=<

Common Directories for Binaries

- macro: bin_dir
  condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)

Shell is Started

- macro: shell_procs
  condition: (proc.name in (shell_binaries))

Known Sensitive Files

- macro: sensitive_files
  condition: >
    fd.name startswith /etc and
    (fd.name in (sensitive_file_names) or fd.directory in (/etc/sudoers.d, /etc/pam.d))

Newly Created Process

- macro: proc_is_new
  condition: proc.duration <= 5000000000

Inbound Network Connections

- macro: inbound
  condition: >
    (((evt.type in (accept,listen) and evt.dir=<)) or
     (fd.typechar = 4 or fd.typechar = 6) and
     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
     (evt.rawres >= 0 or evt.res = EINPROGRESS))

Outbound Network Connections

- macro: outbound
  condition: >
    (((evt.type = connect and evt.dir=<)) or
     (fd.typechar = 4 or fd.typechar = 6) and
     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
     (evt.rawres >= 0 or evt.res = EINPROGRESS))

Inbound or Outbound Network Connections

- macro: inbound_outbound
  condition: >
    (((evt.type in (accept,listen,connect) and evt.dir=<)) or
     (fd.typechar = 4 or fd.typechar = 6) and
     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
     (evt.rawres >= 0 or evt.res = EINPROGRESS))

Object is a Container

- macro: container
  condition: container.id != host

Interactive Process Spawned

- macro: interactive
  condition: >
    ((proc.aname=sshd and proc.name != sshd) or
     proc.name=systemd-logind or proc.name=login)

Common SSH Port

Override this macro to reflect the port(s) on which SSH is served in your environment; fd.sport is the server-side port of the connection.

- macro: ssh_port
  condition: fd.sport=22

Allowed SSH Hosts

Override this macro to reflect the hosts that are allowed to connect to the known SSH ports (i.e. bastion or jump boxes). As shipped it is just ssh_port, so every connection to the SSH port counts as allowed until you narrow it.

- macro: allowed_ssh_hosts
  condition: ssh_port

User-Trusted Containers

Allow-listed containers that are permitted to run in privileged mode.

- macro: user_trusted_containers
  condition: (container.image startswith sysdig/agent)

Containers Allowed to Spawn Shells

Allow-list containers that are permitted to spawn shells; this may be needed when containers are used in CI/CD pipelines. The default never_true excludes nothing.

- macro: user_shell_container_exclusions
  condition: (never_true)

Containers Allowed to Talk to the EC2 Metadata Service

Allow-list containers that are permitted to talk to the EC2 metadata service. Default: any container. Because the default matches every container, a rule that excludes ec2_metadata_containers matches nothing until this macro is narrowed to the images that legitimately need the metadata service.

- macro: ec2_metadata_containers
  condition: container

Kubernetes API Server

Set the IP and port of the Kubernetes API service here; 1.2.3.4:8080 is a placeholder that must be replaced.

- macro: k8s_api_server
  condition: (fd.sip="1.2.3.4" and fd.sport=8080)

Containers Allowed to Talk to the Kubernetes API

Allow-list containers that are permitted to talk to the Kubernetes API service. Requires k8s_api_server to be set.

- macro: k8s_containers
  condition: >
    (container.image startswith gcr.io/google_containers/hyperkube-amd64 or
     container.image startswith gcr.io/google_containers/kube2sky or
     container.image startswith sysdig/agent or
     container.image startswith sysdig/falco or
     container.image startswith sysdig/sysdig)

Containers Allowed to Talk to Kubernetes Service NodePorts

Default: any container; as with ec2_metadata_containers, narrow this before relying on a rule that excludes it.

- macro: nodeport_containers
  condition: container
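The macros above are only useful once you can see what a rule actually evaluates after every name is inlined, and whether a rule references a macro that does not exist. The following is an added example, not code from this page or from the Falco project: a small checker that tokenizes Falco condition strings, resolves bare macro references (including the override-by-redefinition described in the introduction and the user-overridable macros above), reports unresolved names and cycles, and prints the fully expanded condition. The macro definitions are the ones listed on this page; SAMPLE_RULES, LOCAL_OVERRIDES and the image name internal/aws-sidecar are constructed for the demonstration and are not Falco's own rules.

```python
import re

# Tokens of a Falco condition: quoted strings, comparison operators, punctuation, and
# "words" (field names such as fd.name, bare macro/list names, literals such as /etc).
TOKEN_RE = re.compile(r'"[^"]*"|' + r"'[^']*'|" + r">=|<=|!=|=|<|>|[(),]|[A-Za-z0-9_./:*-]+")
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
KEYWORDS = {"and", "or", "not", "in", "exists", "startswith", "endswith",
            "contains", "icontains", "pmatch", "glob", "intersects", "true", "false"}

# Macro definitions as listed on this page (a subset, user-overridable ones included).
DEFAULT_MACROS = {
    "open_write": "(evt.type=open or evt.type=openat) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0",
    "open_read": "(evt.type=open or evt.type=openat) and evt.is_open_read=true and fd.typechar='f' and fd.num>=0",
    "never_true": "(evt.num=0)",
    "always_true": "(evt.num>=0)",
    "rename": "evt.type in (rename, renameat)",
    "remove": "evt.type in (rmdir, unlink, unlinkat)",
    "modify": "rename or remove",
    "spawned_process": "evt.type = execve and evt.dir=<",
    "shell_procs": "(proc.name in (shell_binaries))",
    "sensitive_files": "fd.name startswith /etc and (fd.name in (sensitive_file_names) or fd.directory in (/etc/sudoers.d, /etc/pam.d))",
    "container": "container.id != host",
    "ssh_port": "fd.sport=22",
    "allowed_ssh_hosts": "ssh_port",
    "user_trusted_containers": "(container.image startswith sysdig/agent)",
    "user_shell_container_exclusions": "(never_true)",
    "ec2_metadata_containers": "container",
}

# Constructed rule conditions in the style of the default rule set (not Falco's own rules).
SAMPLE_RULES = {
    "Terminal shell in container": "spawned_process and container and shell_procs and proc.tty != 0 and not user_shell_container_exclusions",
    "Sensitive file read in container": "open_read and container and sensitive_files and not user_trusted_containers",
}

# Constructed overrides, as a user would place them in falco_rules.local.yaml (hypothetical values).
LOCAL_OVERRIDES = {
    "ssh_port": "fd.sport in (22, 2222)",
    "ec2_metadata_containers": "(container.image startswith internal/aws-sidecar)",
}


def tokenize(condition):
    return TOKEN_RE.findall(condition)


def is_macro_ref(toks, i):
    """True when toks[i] is a bare name standing in for a boolean term, i.e. a macro reference.
    Names after a comparison operator or inside an `in (...)` list are values or lists, not macros."""
    t = toks[i]
    if not IDENT_RE.fullmatch(t) or t in KEYWORDS:
        return False
    prev = toks[i - 1] if i > 0 else None
    nxt = toks[i + 1] if i + 1 < len(toks) else None
    if prev == "," or (prev == "(" and i >= 2 and toks[i - 2] == "in"):
        return False
    return prev in (None, "(", "and", "or", "not") and nxt in (None, ")", "and", "or")


def unresolved_refs(macros, conditions):
    """Map each condition name to the macro names it references that are not defined; {} means clean."""
    problems = {}
    for name, cond in conditions.items():
        toks = tokenize(cond)
        missing = [t for i, t in enumerate(toks) if is_macro_ref(toks, i) and t not in macros]
        if missing:
            problems[name] = missing
    return problems


def expand_tokens(macros, toks, stack=()):
    out = []
    for i, t in enumerate(toks):
        if is_macro_ref(toks, i):
            if t in stack:
                raise ValueError("macro cycle: " + " -> ".join(stack + (t,)))
            if t not in macros:
                raise KeyError("undefined macro " + t)
            out += ["("] + expand_tokens(macros, tokenize(macros[t]), stack + (t,)) + [")"]
        else:
            out.append(t)
    return out


def expand(macros, condition):
    """Inline every macro reference recursively: this is the condition Falco actually evaluates."""
    return " ".join(expand_tokens(macros, tokenize(condition)))


def cycles(macros):
    """Names of macros whose expansion loops back on themselves."""
    bad = []
    for name in macros:
        try:
            expand(macros, name)
        except ValueError:
            bad.append(name)
        except KeyError:
            pass
    return bad


if __name__ == "__main__":
    print("unresolved:", unresolved_refs(DEFAULT_MACROS, {**DEFAULT_MACROS, **SAMPLE_RULES}))
    print("typo:", unresolved_refs(DEFAULT_MACROS, {"bad": "spawned_proces and container"}))
    print("modify ->", expand(DEFAULT_MACROS, "modify"))
    merged = {**DEFAULT_MACROS, **LOCAL_OVERRIDES}  # later definition wins, as with a local rules file
    print("allowed_ssh_hosts (default) ->", expand(DEFAULT_MACROS, "allowed_ssh_hosts"))
    print("allowed_ssh_hosts (overridden) ->", expand(merged, "allowed_ssh_hosts"))
```

The override run shows why redefining ssh_port is enough to change allowed_ssh_hosts as well: references are resolved by name when the rules load, so every macro and rule built on ssh_port follows the new definition. Names that appear inside an `in (...)` list (shell_binaries, sensitive_file_names) are Falco lists, not macros; the checker deliberately treats them as values, so verify list names separately against your list definitions.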
