fix(rules/falco_rules): solve shadowing issues with `Drop and execute…

… new binary in container` Rule was contributed by Lorenzo Susini in #20. Co-authored-by: Lorenzo Susini <[email protected]> Signed-off-by: Jason Dellaluce <[email protected]>
falcosecurity · Jun 20, 2023 · 9f5a03e · 9f5a03e
1 parent 49da65c
commit 9f5a03e
Showing 1 changed file with 24 additions and 24 deletions.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -496,30 +496,6 @@
     WARNING
   tags: [host, container, filesystem, mitre_discovery, T1546.004]
 
-# List of allowed container images that are known to execute binaries not part of their base image.
-# Users can use this list to better tune the rule below (i.e reducing false positives) by considering their workloads, 
-# since this requires application specific knowledge.
-- list: known_drop_and_execute_containers
-  items: []
-
-- rule: Drop and execute new binary in container
-  desc:
-    Detect if an executable not belonging to the base image of a container is being executed.
-    The drop and execute pattern can be observed very often after an attacker gained an initial foothold.
-    is_exe_upper_layer filter field only applies for container runtimes that use overlayfs as union mount filesystem.
-  condition: >
-    spawned_process
-    and container
-    and proc.is_exe_upper_layer=true 
-    and not container.image.repository in (known_drop_and_execute_containers)
-  output: > 
-    Executing binary not part of base image (user=%user.name user_loginuid=%user.loginuid user_uid=%user.uid comm=%proc.cmdline exe=%proc.exe container_id=%container.id
-    image=%container.image.repository proc.name=%proc.name proc.sname=%proc.sname proc.pname=%proc.pname proc.aname[2]=%proc.aname[2] exe_flags=%evt.arg.flags
-    proc.exe_ino=%proc.exe_ino proc.exe_ino.ctime=%proc.exe_ino.ctime proc.exe_ino.mtime=%proc.exe_ino.mtime proc.exe_ino.ctime_duration_proc_start=%proc.exe_ino.ctime_duration_proc_start
-    proc.exepath=%proc.exepath proc.cwd=%proc.cwd proc.tty=%proc.tty container.start_ts=%container.start_ts proc.sid=%proc.sid proc.vpgid=%proc.vpgid evt.res=%evt.res)
-  priority: CRITICAL 
-  tags: [container, mitre_persistence, TA0003]
-
 - macro: user_known_cron_jobs
   condition: (never_true)
 
@@ -3417,6 +3393,30 @@
   output: "File execution detected from /dev/shm (proc.cmdline=%proc.cmdline connection=%fd.name user.name=%user.name user.loginuid=%user.loginuid container.id=%container.id evt.type=%evt.type evt.res=%evt.res proc.pid=%proc.pid proc.cwd=%proc.cwd proc.ppid=%proc.ppid proc.pcmdline=%proc.pcmdline proc.sid=%proc.sid proc.exepath=%proc.exepath user.uid=%user.uid user.loginname=%user.loginname group.gid=%group.gid group.name=%group.name container.name=%container.name image=%container.image.repository)"
   priority: WARNING
   tags: [host, container, mitre_execution, mitre_defense_evasion, T1036.005, T1059.004]
+
+# List of allowed container images that are known to execute binaries not part of their base image.
+# Users can use this list to better tune the rule below (i.e reducing false positives) by considering their workloads, 
+# since this requires application specific knowledge.
+- list: known_drop_and_execute_containers
+  items: []
+
+- rule: Drop and execute new binary in container
+  desc:
+    Detect if an executable not belonging to the base image of a container is being executed.
+    The drop and execute pattern can be observed very often after an attacker gained an initial foothold.
+    is_exe_upper_layer filter field only applies for container runtimes that use overlayfs as union mount filesystem.
+  condition: >
+    spawned_process
+    and container
+    and proc.is_exe_upper_layer=true 
+    and not container.image.repository in (known_drop_and_execute_containers)
+  output: > 
+    Executing binary not part of base image (user=%user.name user_loginuid=%user.loginuid user_uid=%user.uid comm=%proc.cmdline exe=%proc.exe container_id=%container.id
+    image=%container.image.repository proc.name=%proc.name proc.sname=%proc.sname proc.pname=%proc.pname proc.aname[2]=%proc.aname[2] exe_flags=%evt.arg.flags
+    proc.exe_ino=%proc.exe_ino proc.exe_ino.ctime=%proc.exe_ino.ctime proc.exe_ino.mtime=%proc.exe_ino.mtime proc.exe_ino.ctime_duration_proc_start=%proc.exe_ino.ctime_duration_proc_start
+    proc.exepath=%proc.exepath proc.cwd=%proc.cwd proc.tty=%proc.tty container.start_ts=%container.start_ts proc.sid=%proc.sid proc.vpgid=%proc.vpgid evt.res=%evt.res)
+  priority: CRITICAL 
+  tags: [container, mitre_persistence, TA0003]
 
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to