Read the book Cloud Native Security - Chris Binnie - Page 31

Configuring Rules


Next, we will look at how Falco's rulesets are constructed. Here is a more desktop-oriented rule, which should prevent applications (other than Skype or WebEx) from accessing the local camera:

- rule: access_camera
  desc: a process other than skype/webex tries to access the camera
  condition: evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)
  output: Unexpected process opening camera video device (command=%proc.cmdline)
  priority: WARNING

As we can see, the rule consists of a name and description followed by three criteria. They are the condition Falco should look out for, the output it should report, and the priority level of the output.

Here is a container-specific rule to examine a bit more closely:

- rule: change_thread_namespace
  desc: an attempt to change a program/thread's namespace (commonly done as a part of creating a container) by calling setns.
  condition: syscall.type = setns and not proc.name in (docker, sysdig, dragent)
  output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline container=%container.id)"
  priority: WARNING

This rule watches for a container moving between namespaces. The setns syscall that the condition keys on is the one used to change namespace. The rule, however, ignores the event if docker, sysdig, or dragent initiates it.

Another example is a case study that Sysdig published at the end of 2019 to explain how a CVE could be mitigated using Falco. CVE-2019-14287 (cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287) allowed a simple command-line argument to make sudo run commands as the root user. To exploit the CVE, it was apparently as simple as invoking sudo as follows:

$ sudo -u#-1

In Listing 3.2 we can see the rule that the Sysdig team wrote to detect, and then block, exploitation of the CVE.

Listing 3.2: Detecting and Blocking the “sudo” CVE

- rule: Sudo Potential bypass of Runas user restrictions (CVE-2019-14287)
  desc: […snip…] This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification
  condition: >
    spawned_process and proc.name="sudo" and (proc.cmdline contains "-u#-1" or proc.cmdline contains "-u#4294967295")
  output: "Detect sudo exploit (CVE-2019-14287) (user=%user.name command=%proc.cmdline container=%container.info)"
  priority: CRITICAL
  tags: [filesystem, mitre_privilege_escalation]

Source: sysdig.com/blog/detecting-cve-2019-14287
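To make the condition / output / priority structure of the three rules above concrete, here is an added example (not from the book or from Falco itself): a minimal matcher that evaluates those rules against constructed events. The field names follow Falco's, the events are made up, and spawned_process is a simplified stand-in for Falco's real macro.

```python
import re

# Simplified stand-in for Falco's spawned_process macro (assumption: execve family only).
def spawned_process(e):
    return e.get("evt.type") in ("execve", "execveat")

# The three rules from this page, each as (name, priority, condition predicate, output template).
RULES = [
    ("access_camera", "WARNING",
     lambda e: e.get("evt.type") == "open" and e.get("fd.name") == "/dev/video0"
               and e.get("proc.name") not in ("skype", "webex"),
     "Unexpected process opening camera video device (command=%proc.cmdline)"),
    ("change_thread_namespace", "WARNING",
     lambda e: e.get("syscall.type") == "setns"
               and e.get("proc.name") not in ("docker", "sysdig", "dragent"),
     "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline container=%container.id)"),
    ("Sudo Potential bypass of Runas user restrictions (CVE-2019-14287)", "CRITICAL",
     lambda e: spawned_process(e) and e.get("proc.name") == "sudo"
               and ("-u#-1" in e.get("proc.cmdline", "") or "-u#4294967295" in e.get("proc.cmdline", "")),
     "Detect sudo exploit (CVE-2019-14287) (user=%user.name command=%proc.cmdline container=%container.info)"),
]

def render(template, event):
    """Replace Falco-style %field placeholders with event values (<NA> when the field is absent)."""
    return re.sub(r"%([a-z_]+\.[a-z_]+)", lambda m: str(event.get(m.group(1), "<NA>")), template)

def evaluate(event):
    """Return (rule, priority, rendered output) for every rule whose condition the event satisfies."""
    return [(name, prio, render(out, event)) for name, prio, cond, out in RULES if cond(event)]

# Constructed sample events (not real captures); the last two contrast a hit and a miss for Listing 3.2.
EVENTS = [
    {"evt.type": "open", "fd.name": "/dev/video0", "proc.name": "zoom", "proc.cmdline": "zoom --meeting", "user.name": "alice"},
    {"evt.type": "open", "fd.name": "/dev/video0", "proc.name": "skype", "proc.cmdline": "skype", "user.name": "alice"},
    {"evt.type": "setns", "syscall.type": "setns", "proc.name": "nsenter", "proc.cmdline": "nsenter -t 1 -m", "user.name": "root", "container.id": "host"},
    {"evt.type": "execve", "proc.name": "sudo", "proc.cmdline": "sudo -u#-1 id", "user.name": "bob", "container.info": "host"},
    {"evt.type": "execve", "proc.name": "sudo", "proc.cmdline": "sudo -u deploy id", "user.name": "bob", "container.info": "host"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        for name, prio, out in evaluate(ev):
            print(f"[{prio}] {name}: {out}")
```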

