
# Split all objects and pass them to each filter below
# Create/Delete Namespace
(select(.verb == "create" and .objectRef.resource=="namespaces") |
"[" + .stageTimestamp + "] " + "Namespace Created: name=" + .objectRef.name),
(select(.verb == "delete" and .objectRef.resource=="namespaces") |
"[" + .stageTimestamp + "] " + "Namespace Deleted: name=" + .objectRef.name),
# Create/Delete Deployment
#############
# Definitions
#############
# File actions
# Currently disabled: read/write are ignored syscalls (not captured), so
# instead the near-equivalent open_write/open_read macros below check for
# files being opened with read/write access.
#############
# Definitions
#############
# File actions
# Currently disabled: read/write are ignored syscalls (not captured), so
# instead the near-equivalent open_write/open_read macros below check for
# files being opened with read/write access.
- rule: raw_network_socket
  desc: an attempt to open a raw network socket by an unexpected program
  # Matches the exit (evt.dir=>) of a socket() call whose domain is
  # AF_PACKET, i.e. a link-layer/raw socket. tcpdump is the only process
  # exempted.
  # NOTE(review): the exemption keys on proc.name alone, so any binary
  # that calls itself "tcpdump" is silently trusted; tighten it (exe path,
  # container, user) if that matters in your environment.
  condition: >-
    evt.type=socket and evt.dir=> and evt.arg.domain=AF_PACKET
    and not (proc.name=tcpdump)
  output: Raw network socket opened by unexpected program (user=%user.name command=%proc.cmdline domain=%evt.arg.domain)
  priority: WARNING
- macro: bin_dir
  # True when the fd's parent directory is one of the system binary dirs.
  # NOTE(review): this is an exact match on the directory, so a file in a
  # nested directory (e.g. /usr/bin/foo/bar) is not matched; use a prefix
  # match on fd.name if "below" should mean recursively.
  condition: >-
    (fd.directory=/bin or fd.directory=/sbin or
     fd.directory=/usr/bin or fd.directory=/usr/sbin)
- macro: open_write
  # An open()/openat() that requested write access, restricted to fds of
  # type 'f' (files) so directories, sockets and pipes do not count.
  # NOTE(review): only open and openat are listed; other syscalls that can
  # create/open a file for writing (e.g. creat, openat2) are not covered.
  condition: >-
    evt.type in (open, openat) and evt.is_open_write=true
    and fd.typechar='f'
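- macro: package_mgmt_binaries
  # Matches processes belonging to the distro package managers.
  # Fix: the original declared this as a macro but gave it an `items:`
  # key, which is list syntax; a macro is expected to carry a
  # `condition:`. Wrapping the same names in `proc.name in (...)` keeps
  # every rule that references it as a macro working unchanged.
  # proc.name is the kernel comm field, which is limited to 15 characters,
  # which is presumably why dpkg-preconfigure appears as "dpkg-preconfigu".
  condition: proc.name in (dpkg, dpkg-preconfigu, rpm, rpmkey, yum, frontend)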
- rule: Write below binary dir
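# Alert whenever anyone performs the mount() system call.
# Syscall numbers differ between the 32- and 64-bit ABIs; a syscall rule
# without -F arch= is interpreted with native numbers and auditctl warns
# about a 32/64-bit mismatch, so a 32-bit caller is not reliably matched.
# Both ABIs are listed, and each rule carries a -k key so the events can
# be found with `ausearch -k <key>`.
-a always,exit -F arch=b64 -S mount -k mounts
-a always,exit -F arch=b32 -S mount -k mounts
# Alert whenever anyone performs an unlink()/unlinkat() for a file below
# /usr/bin (-F dir= matches the directory tree). -F success=1 keeps only
# calls that actually succeeded; drop it to also see failed attempts.
-a always,exit -F arch=b64 -S unlink -S unlinkat -F dir=/usr/bin -F success=1 -k bin_unlink
-a always,exit -F arch=b32 -S unlink -S unlinkat -F dir=/usr/bin -F success=1 -k bin_unlink
# Watch /etc/shadow for writes (w) and attribute changes (a); reads are
# not recorded. -k tags matching records with a key for ausearch/aureport.
-w /etc/shadow -p wa -k passwd_mgmt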
# From /etc/apparmor.d/usr.sbin.tcpdump on Ubuntu 9.04 and https://wiki.ubuntu.com/AppArmor#Example_profile
#include <tunables/global>
/usr/sbin/tcpdump {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
capability net_raw,
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <assert.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include "seccomp-bpf.h"
void install_syscall_filter()
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
int main(int argc, char **argv)
{
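- rule: File Open by Privileged Container
  desc: Any open by a privileged container. Exceptions are made for known trusted images.
  # open_read, open_write and trusted_containers are macros defined
  # elsewhere in the ruleset. Fires for any file open from a container
  # running with --privileged that is not on the trusted list.
  condition: >-
    (open_read or open_write) and container and container.privileged=true
    and not trusted_containers
  # Fix: the message said "non-privileged container", the opposite of what
  # the condition matches (container.privileged=true), which would send
  # responders looking at the wrong class of container.
  output: File opened for read/write by privileged container (user=%user.name command=%proc.cmdline %container.info file=%fd.name)
  priority: WARNING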
- macro: sensitive_mount
  # True if the container has a mount whose destination matches /proc*.
  # The comparison against "N/A" relies on that being the value the field
  # presumably reports when no mount matches the glob, so the macro reads
  # as "at least one /proc* mount exists". Only /proc is considered here;
  # other host paths (/sys, /, the Docker socket, ...) are out of scope.
  condition: not (container.mount.dest[/proc*] = "N/A")
- rule: Sensitive Mount by Container