From 25108ba0a38f4bc5ac00b130cc8627bd40847481 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 17 Jan 2017 10:03:21 -0800 Subject: [PATCH] Allow shells spawned by ansible. Changes to allow shells spawned by ansible. In general this is actually pretty difficult--on the remote managed machine, ansible performs actions simply by running python over ssh without any explicit ansible helper or command line. One (weak) hint is that the python scripts being run are usually under a directory with ansible in the name. So use that as the basis for a macro ansible_running_python. In turn, that macro is used as a negative condition for the run shell untrusted rule. This is a pretty fragile and easily exploited condition, so add a note to the macro saying so. --- rules/falco_rules.yaml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 2234cb180e5..c00318ee1be 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -295,13 +295,21 @@ sshd, sudo, su, tmux, screen, emacs, systemd, login, flock, fbash, nginx, monit, supervisord, dragent, aws, initdb, docker-compose, make, configure, awk, falco, fail2ban-server, apt-get, apt, - fleetctl, logrotate + fleetctl, logrotate, ansible ] +- macro: ansible_running_python + condition: proc.pname=python and proc.pcmdline contains ansible + - rule: Run shell untrusted desc: an attempt to spawn a shell by a non-shell program. Exceptions are made for trusted binaries. - condition: spawned_process and not container and shell_procs and proc.pname exists and not proc.pname in (cron_binaries, shell_binaries, known_shell_spawn_binaries, docker_binaries, k8s_binaries) - output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)" + condition: > + spawned_process and not container + and shell_procs + and proc.pname exists + and not proc.pname in (cron_binaries, shell_binaries, known_shell_spawn_binaries, docker_binaries, k8s_binaries) + and not ansible_running_python + output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline pcmdline=%proc.pcmdline)" priority: WARNING - macro: trusted_containers