Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added an event for default stable rule "Execution from /dev/shm" #125

Merged
merged 7 commits into from
Apr 5, 2024

Conversation

GLVSKiriti
Copy link
Contributor

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind documentation

/kind tests

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area commands

/area pkg

/area events

What this PR does / why we need it:
Added an event for default stable rule "Execution from /dev/shm"

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Signed-off-by: GLVS Kiriti <glvskiriti2003369@gmail.com>
@GLVSKiriti
Copy link
Contributor Author

@leogr The doubt I have is just executing the command /dev/shm/example_script,sh will trigger this rule even example_script.sh doesn't exist? If no then first I will add 2 more commands for creating a example_script.sh.

        filePath := "/dev/shm/example_script.sh"
	err := os.WriteFile(filePath, []byte("#!/bin/bash\necho 'Hello from example_script.sh'"), 0755)
	cmd := exec.Command(filePath)
	err = cmd.Run()
	return err

instead of

        cmd := exec.Command("/dev/shm/example_script.sh")
	return cmd.Run()

Signed-off-by: GLVS Kiriti <glvskiriti2003369@gmail.com>
@poiana poiana added size/M and removed size/S labels Mar 18, 2024
Signed-off-by: GLVS Kiriti <glvskiriti2003369@gmail.com>
@leogr
Copy link
Member

leogr commented Mar 18, 2024

@leogr The doubt I have is just executing the command /dev/shm/example_script,sh will trigger this rule even example_script.sh doesn't exist?

It would be ok anyway. IIRC the rule is looking for the script execution, so also just an attempt should trigger it.

@LucaGuerra any thougths?

Signed-off-by: GLVS Kiriti <glvskiriti2003369@gmail.com>
@GLVSKiriti
Copy link
Contributor Author

GLVSKiriti commented Mar 18, 2024

@leogr The doubt I have is just executing the command /dev/shm/example_script,sh will trigger this rule even example_script.sh doesn't exist?

It would be ok anyway. IIRC the rule is looking for the script execution, so also just an attempt should trigger it.

@LucaGuerra any thougths?

Yeah I thought same but I dont know why if the file doesn't exist then rule is not triggering.
So now I made one and executed the .sh file from /dev/shm ,now the rule is triggering

@GLVSKiriti
Copy link
Contributor Author

I tested it by running the falco from source by running the command
sudo ./userspace/falco/falco -c ../falco.yaml -r ../rules/falco_rules.yaml

@leogr
Copy link
Member

leogr commented Mar 20, 2024

Hey @GLVSKiriti

thank you! I want to let you know that we are at Kubecon right now, so we may not be responsive this week. Please, be patient 👼 🙏

@GLVSKiriti
Copy link
Contributor Author

Hey @GLVSKiriti

thank you! I want to let you know that we are at Kubecon right now, so we may not be responsive this week. Please, be patient 👼 🙏

Thank you for letting me know!!

Signed-off-by: GLVS Kiriti <glvskiriti2003369@gmail.com>
@GLVSKiriti
Copy link
Contributor Author

GLVSKiriti commented Mar 22, 2024

@leogr Below is the screenshot where test is passed and warning message on left terminal triggers on executing event code as expected

ExecutionFromDevShm

@GLVSKiriti
Copy link
Contributor Author

@leogr Kindly tell me if there are any changes!!

@leogr
Copy link
Member

leogr commented Mar 26, 2024

@leogr Kindly tell me if there are any changes!!

Just need some more time to take look at it, sorry 🙏

cc @FedeDP @LucaGuerra let me know if you can help with this

…d comments

Signed-off-by: GLVS Kiriti <glvskiriti2003369@gmail.com>
@GLVSKiriti
Copy link
Contributor Author

GLVSKiriti commented Apr 3, 2024

This rule triggers when we just execute a script file from /dev/shm dir.

So I just created a script file in /dev/shm (Created /dev/shm dir's if there is none) and executed it. And this triggers this stable rule

@GLVSKiriti
Copy link
Contributor Author

@FedeDP your feedback on this? 👀

Copy link
Member

@leogr leogr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall, it SGTM. Just noticed a minor issue (see my comment below).

However, before merging it, I suggest to evaluate another, simpler, alternative.

Since:

- list: shell_binaries
  items: [ash, bash, csh, ksh, sh, tcsh, zsh, dash]

- macro: shell_procs
  condition: (proc.name in (shell_binaries))

And the rule condition is:

condition: >
   spawned_process 
   and (proc.exe startswith "/dev/shm/" or 
       (proc.cwd startswith "/dev/shm/" and proc.exe startswith "./" ) or 
       (shell_procs and proc.args startswith "-c /dev/shm") or 
       (shell_procs and proc.args startswith "-i /dev/shm") or 
       (shell_procs and proc.args startswith "/dev/shm") or 
       (proc.cwd startswith "/dev/shm/" and proc.args startswith "./" )) 
   and not container.image.repository in (falco_privileged_images, trusted_images)

I think that running bash /dev/shm is enough to trigger the rule, even if /dev/shm does not exist. This would make this action extremely simply.

I quickly tried and it seems to work:

Screenshot from 2024-04-05 13-11-03

events/syscall/execution_from_dev_shm.go Outdated Show resolved Hide resolved
@LucaGuerra
Copy link

I think that running bash /dev/shm is enough to trigger the rule, even if /dev/shm does not exist. This would make this action extremely simply.

I took a look at the rule and the PR, my personal opinion is that I prefer the original event in the PR. While slower, it would be more robust in case the upstream rule changes (i.e. that rule is not guaranteed to trigger on bash /dev/shm if /dev/shm does not exist, but it must trigger on the script execution)

Signed-off-by: GLVS Kiriti <glvskiriti2003369@gmail.com>
@GLVSKiriti GLVSKiriti requested a review from leogr April 5, 2024 11:26
Copy link
Member

@leogr leogr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As per Luca's comment, let's stick with this more complete implementation.

@poiana poiana added the lgtm label Apr 5, 2024
@poiana
Copy link

poiana commented Apr 5, 2024

LGTM label has been added.

Git tree hash: 0d01a5afd9ceb3feefffea8beb5409b532f0830d

@poiana
Copy link

poiana commented Apr 5, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: GLVSKiriti, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana added the approved label Apr 5, 2024
@poiana poiana merged commit 8d53da5 into falcosecurity:main Apr 5, 2024
3 of 4 checks passed
@GLVSKiriti GLVSKiriti deleted the ExecutionFromDevshm branch April 5, 2024 12:40
@leogr leogr added this to the v0.12.0 milestone Oct 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants