This repository has been archived by the owner on May 3, 2022. It is now read-only.
forked from juju4/ansible-falco
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathexceptions.txt
74 lines (53 loc) · 6.19 KB
/
exceptions.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
falco: Unexpected setuid call by non-sudo, non-root program (user=messagebus command=dbus-daemon-lau org.freedesktop.systemd1 uid=root)
falco: File below /etc opened for writing (user=root command=vim /etc/profile file=/etc/.profile.swp)
falco[5404]: Shell spawned by untrusted binary (user=logcheck shell=bash parent=sh cmdline=bash /usr/sbin/logcheck)
## system upgrade: recommend to stop falco for the maintenance window?
## ansible usage
falco: File below known binary directory renamed/removed (user=root command=python /tmp/user/0/ansible_OPkTca/ansible_module_file.py operation=rename file=
falco: File below /etc opened for writing (user=root command=python /tmp/user/0/ansible_n83X_7/ansible_module_sysctl.py file=/etc/.ansible_m_sysctl_3O62zQ.conf)
## compilation (this one was invoked by a 'sudo gem2.0 install ...')
Shell spawned by untrusted binary (user=root shell=bash parent=make cmdline=bash -c /bin/bash ./libtool --tag=CC --mode=link gcc -g -Wall -fexceptions -version-info `grep -v '^#' /var/lib/gems/2.0.0/gems/ffi-1.9.14/ext/ffi_c/libffi/libtool-version` -o libffi.la -rpath /usr/local/lib src/debug.lo src/prep_cif.lo src/types.lo src/raw_api.lo src/java_raw_api.lo src/closures.lo src/x86/ffi64.lo src/x86/unix64.lo src/x86/ffi.lo src/x86/sysv.lo )
systemd[1]: Reloading.
falco[5404]: File below /etc opened for writing (user=root command=insserv file=/etc/init.d/.depend.boot)
falco[5404]: File below /etc opened for writing (user=root command=insserv file=/etc/init.d/.depend.start)
falco[5404]: File below /etc opened for writing (user=root command=insserv file=/etc/init.d/.depend.stop)
LXD
Namespace change (setns) by unexpected program (user=root command=lxd forkgetnet 31236 container=host)
Sensitive file opened for reading by non-trusted program (user=root parent=systemd command=lxd --group lxd --logfile=/var/log/lxd/lxd.log file=/var/lib/lxd/containers/default-ubuntu-1604/rootfs/etc/shadow)
Unexpected setuid call by non-sudo, non-root program (user=nobody parent=<NA> command=lxd forkexec default-ubuntu-1604 /var/lib/lxd/containers /var/log/lxd/default-ubuntu-1604/lxc.conf -- env TERM=screen USER=root HOME=/root -- cmd bash uid=root)
In lxd containers?
File below known binary directory renamed/removed (user=root command=apt-get install -q -y python-pip python-yaml python-jinja2 python-httplib2 python-paramiko python-pkg-resources operation=rename file=<NA> res=-2(ENOENT) oldpath=/usr/bin/as.dpkg-tmp newpath=/usr/bin/as )
Shell spawned in a container other than entrypoint (user=root container_id=default-ubuntu-1404 container_name=default-ubuntu-1404 shell=bash parent=sshd cmdline=bash -c # Check whether a command exists - returns 0 if it does, 1 if it does not
File below /etc opened for writing (user=root command=apt-get install -q -y bzip2 file findutils git gzip mercurial procps subversion sudo tar debianutils unzip xz-utils zip python-selinux file=/etc/fonts/conf.avail/65-khmer.conf.dpkg-new)
File below /etc opened for writing (user=root command=cloud-init /usr/bin/cloud-init modules --mode=config file=/etc/apt/sources.list)
File created below /dev by untrusted program (user=root command=cloud-init /usr/bin/cloud-init modules --mode=final file=/dev/console)
logcheck
Shell spawned by untrusted binary (user=logcheck shell=bash parent=sh cmdline=bash /usr/sbin/logcheck)
upgrade/check
Sensitive file opened for reading by non-trusted program (user=root command=cmp -s shadow.bak /etc/shadow file=/etc/shadow)
Unexpected setuid call by non-sudo, non-root program (user=proxy command=squid -YC -f /etc/squid/squid.conf uid=root)
Unexpected setuid call by non-sudo, non-root program (user=proxy command=pinger uid=proxy)
Unexpected setuid call by non-sudo, non-root program (user=postfix command=smtp -t unix -u -c uid=postfix)
File below /etc opened for writing (user=root command=cp /etc/resolv.conf etc/resolv.conf file=/var/spool/postfix/etc/resolv.conf)
File below /etc opened for writing (user=root command=cp /etc/localtime etc/localtime file=/var/spool/postfix/etc/localtime)
File below /etc opened for writing (user=root command=cp /etc/host.conf etc/host.conf file=/var/spool/postfix/etc/host.conf)
File below /etc opened for writing (user=root command=cp -L /etc/ssl/certs/ca-certificates.crt /var/spool/postfix//etc/ssl/certs file=/var/spool/postfix/etc/ssl/certs/ca-certificates.crt)
File below /etc opened for writing (user=root command=cp /etc/hosts etc/hosts file=/var/spool/postfix/etc/hosts)
File below /etc opened for writing (user=root command=cp /etc/services etc/services file=/var/spool/postfix/etc/services)
File below /etc opened for writing (user=root command=cp /etc/nsswitch.conf etc/nsswitch.conf file=/var/spool/postfix/etc/nsswitch.conf)
Sensitive file opened for reading by non-trusted program (user=root command=systemd file=/etc/pam.d/other)
Sensitive file opened for reading by non-trusted program (user=root command=systemd file=/etc/shadow)
Aide update
Sensitive file opened for reading by non-trusted program (user=root command=aide --config /var/lib/aide/aide.conf.autogenerated --update file=/etc/pam.d/vmtoolsd)
Sensitive file opened for reading by non-trusted program (user=root command=aide --config /var/lib/aide/aide.conf.autogenerated --update file=/etc/pam.d/atd)
Sensitive file opened for reading by non-trusted program (user=root command=aide --config /var/lib/aide/aide.conf.autogenerated --update file=/etc/pam.d/monit)
???
06:06:52.188929406: Warning Sensitive file opened for reading by non-trusted program (user=root parent=man-db.postinst command=perl -e @pwd = getpwnam("man"); $) = $( = $pwd[3]; $> = $< = $pwd[2];
exec "/usr/bin/mandb", @ARGV -- -pq file=/etc/shadow)
BUG
File below /etc opened for writing (user=jenkins command=kitchen /var/lib/jenkins/.gem/ruby/2.3.0/bin/kitchen test default-ubuntu-1404 file=/tmp/user/1000/default-ubuntu-1404-sandbox-20160910-18879-182q4q9/cis-rhel-ansible/roles/cis/files/etc/audit/audit.rules)
Q: whitelist in different rule files w macro references?
Q: whitelist just based on name? path, hash, signature? (ref: sudo, app whitelisting, ...)
Q: reference process tree? parent and parent of parent?
Q: during system upgrade better to disable falco?
Q: define list of containers to watch/not to watch?