Added an event for default stable rule "Execution from /dev/shm" #125
Conversation
Signed-off-by: GLVS Kiriti <glvskiriti2003369@gmail.com>
@leogr The doubt I have is: will just executing the command /dev/shm/example_script.sh trigger this rule even if example_script.sh doesn't exist? If not, then I will first add 2 more commands for creating an example_script.sh.
It would be ok anyway. IIRC the rule is looking for the script execution, so also just an attempt should trigger it. @LucaGuerra any thoughts? |
Yeah, I thought the same, but I don't know why the rule is not triggering if the file doesn't exist. |
I tested it by running Falco from source with the command |
Hey @GLVSKiriti thank you! I want to let you know that we are at Kubecon right now, so we may not be responsive this week. Please, be patient 👼 🙏 |
Thank you for letting me know!! |
@leogr |
@leogr Kindly tell me if there are any changes!! |
Just need some more time to take look at it, sorry 🙏 cc @FedeDP @LucaGuerra let me know if you can help with this |
…d comments Signed-off-by: GLVS Kiriti <glvskiriti2003369@gmail.com>
This rule triggers when we just execute a script file from the /dev/shm dir. So I just created a script file in /dev/shm (created the /dev/shm dir if there is none) and executed it. And this triggers this stable rule |
@FedeDP your feedback on this? 👀 |
Overall, it SGTM. Just noticed a minor issue (see my comment below).
However, before merging it, I suggest evaluating another, simpler alternative.
Since:

```yaml
- list: shell_binaries
  items: [ash, bash, csh, ksh, sh, tcsh, zsh, dash]
- macro: shell_procs
  condition: (proc.name in (shell_binaries))
```

And the rule condition is:

```yaml
  condition: >
    spawned_process
    and (proc.exe startswith "/dev/shm/" or
         (proc.cwd startswith "/dev/shm/" and proc.exe startswith "./" ) or
         (shell_procs and proc.args startswith "-c /dev/shm") or
         (shell_procs and proc.args startswith "-i /dev/shm") or
         (shell_procs and proc.args startswith "/dev/shm") or
         (proc.cwd startswith "/dev/shm/" and proc.args startswith "./" ))
    and not container.image.repository in (falco_privileged_images, trusted_images)
```
I think that running bash /dev/shm is enough to trigger the rule, even if /dev/shm does not exist. This would make this action extremely simple.
I quickly tried and it seems to work:
I took a look at the rule and the PR, my personal opinion is that I prefer the original event in the PR. While slower, it would be more robust in case the upstream rule changes (i.e. that rule is not guaranteed to trigger on |
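To make the two options discussed above concrete, here is an added example (not event-generator's or Falco's own code) that mirrors the quoted rule condition clause by clause and evaluates it over constructed process events: the PR's direct execution of a /dev/shm script, the simpler `bash /dev/shm/...` variant where only the argument names /dev/shm, a control from /tmp, and the trusted-image exclusion. The `ProcEvent` struct, the trusted repository name and the per-case field values are assumptions; how Falco itself derives proc.exe/proc.args for a given exec (e.g. shebang rewriting) is not modelled.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcEvent is a constructed stand-in for the Falco fields that the
// "Execution from /dev/shm" condition reads on a spawned_process event;
// it is an assumption of this example, not a Falco or event-generator type.
type ProcEvent struct {
	Name, Exe, Cwd, Args string // proc.name, proc.exe, proc.cwd, proc.args
	ImageRepo            string // container.image.repository ("" on the host)
}

// shell_binaries list from the rule quoted in the review comment.
var shellBinaries = map[string]bool{"ash": true, "bash": true, "csh": true,
	"ksh": true, "sh": true, "tcsh": true, "zsh": true, "dash": true}

// Stand-in for falco_privileged_images and trusted_images (constructed
// repository name; the real lists live in the upstream falco_rules.yaml).
var trustedImages = map[string]bool{"example.org/trusted-agent": true}

// ExecutionFromDevShm mirrors the rule condition clause by clause.
func ExecutionFromDevShm(e ProcEvent) bool {
	hp, shell := strings.HasPrefix, shellBinaries[e.Name] // shell_procs macro
	fromShm := hp(e.Exe, "/dev/shm/") ||
		(hp(e.Cwd, "/dev/shm/") && hp(e.Exe, "./")) ||
		(shell && hp(e.Args, "-c /dev/shm")) ||
		(shell && hp(e.Args, "-i /dev/shm")) ||
		(shell && hp(e.Args, "/dev/shm")) ||
		(hp(e.Cwd, "/dev/shm/") && hp(e.Args, "./"))
	return fromShm && !trustedImages[e.ImageRepo]
}

func main() {
	cases := []struct {
		desc string
		ev   ProcEvent
	}{
		// Constructed field values, one per clause of the condition.
		{"proc.exe under /dev/shm (PR's action)", ProcEvent{Name: "example_script.sh", Exe: "/dev/shm/example_script.sh", Cwd: "/root"}},
		// Simpler alternative: bash is the spawned process, so the script path only has to appear in proc.args.
		{"bash /dev/shm/example_script.sh", ProcEvent{Name: "bash", Exe: "/bin/bash", Cwd: "/root", Args: "/dev/shm/example_script.sh"}},
		{"./script with cwd in /dev/shm", ProcEvent{Name: "bash", Exe: "/bin/bash", Cwd: "/dev/shm/", Args: "./example_script.sh"}},
		{"same script from /tmp (no match)", ProcEvent{Name: "bash", Exe: "/bin/bash", Cwd: "/root", Args: "/tmp/example_script.sh"}},
		{"trusted image is excluded", ProcEvent{Name: "bash", Exe: "/bin/bash", Args: "/dev/shm/x.sh", ImageRepo: "example.org/trusted-agent"}},
	}
	for _, c := range cases {
		fmt.Printf("%-40s -> %v\n", c.desc, ExecutionFromDevShm(c.ev))
	}
}
```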
As per Luca's comment, let's stick with this more complete implementation.
LGTM label has been added. Git tree hash: 0d01a5afd9ceb3feefffea8beb5409b532f0830d
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: GLVSKiriti, leogr The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area events
What this PR does / why we need it:
Added an event for default stable rule "Execution from /dev/shm"
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer: