Version v0.15.3

Falco Examples

Here are some examples of the types of behavior Falco can detect.

For a more comprehensive set of examples, see the full rules file at falco_rules.yaml.

A shell is run in a container

- macro: container
  condition: container.id != host

- macro: spawned_process
  condition: evt.type = execve and evt.dir=<

- rule: run_shell_in_container
  desc: a shell was spawned by a non-shell program in a container. Container entrypoints are excluded.
  condition: container and proc.name = bash and spawned_process and proc.pname exists and not proc.pname in (bash, docker)
  output: "Shell spawned in a container other than entrypoint (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
  priority: WARNING

Unexpected outbound Elasticsearch connection

- macro: outbound
  condition: syscall.type=connect and evt.dir=< and (fd.typechar=4 or fd.typechar=6)

- macro: elasticsearch_cluster_port
  condition: fd.sport=9300

- rule: elasticsearch_unexpected_network_outbound
  desc: outbound network traffic from elasticsearch on a port other than the standard ports
  condition: user.name = elasticsearch and outbound and not elasticsearch_cluster_port
  output: "Outbound network traffic from Elasticsearch on unexpected port (connection=%fd.name)"
  priority: WARNING

Write to directory holding system binaries

- macro: open_write
  condition: >
    (evt.type=open or evt.type=openat) and
    fd.typechar='f' and
    (evt.arg.flags contains O_WRONLY or
    evt.arg.flags contains O_RDWR or
    evt.arg.flags contains O_CREAT or
    evt.arg.flags contains O_TRUNC)

- macro: package_mgmt_binaries
  condition: proc.name in (dpkg, dpkg-preconfigu, rpm, rpmkey, yum)

- macro: bin_dir
  condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)

- rule: write_binary_dir
  desc: an attempt to write to any file below a set of binary directories
  condition: evt.dir = < and open_write and not package_mgmt_binaries and bin_dir
  output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
  priority: WARNING

Non-authorized container namespace change

- rule: change_thread_namespace
  desc: an attempt to change a program/thread's namespace (commonly done as a part of creating a container) by calling setns.
  condition: syscall.type = setns and not proc.name in (docker, sysdig, dragent)
  output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline container=%container.id)"
  priority: WARNING

Non-device files written in /dev (some rootkits do this)

- rule: create_files_below_dev
  desc: creating any files below /dev other than known programs that manage devices. Some rootkits hide files in /dev.
  condition: (evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null
  output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name)"
  priority: WARNING

Process other than skype/webex tries to access camera

- rule: access_camera
  desc: a process other than skype/webex tries to access the camera
  condition: evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)
  output: Unexpected process opening camera video device (command=%proc.cmdline)
  priority: WARNING
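To see how the macros and rules above combine, here is an added example, written for this page and not part of Falco or its rules file: a small Python interpreter for the condition syntax the rules use (and/or/not, parentheses, macro references, =, !=, in, contains, exists), run over constructed sample events. It assumes the full Falco field names that the listing abbreviates (proc.name, fd.name, fd.directory, container.id, user.name, fd.sport), treats an event as a plain dict of field values, and simplifies Falco's semantics: a field the event lacks fails every comparison, contains is a substring test, and none of Falco's other operators are supported.

```python
import re

# Conditions from the rules above, keyed by macro or rule name (field names written out in full).
MACROS = {
    "container": "container.id != host",
    "spawned_process": "evt.type = execve and evt.dir=<",
    "outbound": "syscall.type=connect and evt.dir=< and (fd.typechar=4 or fd.typechar=6)",
    "elasticsearch_cluster_port": "fd.sport=9300",
    "open_write": "(evt.type=open or evt.type=openat) and fd.typechar='f' and (evt.arg.flags contains O_WRONLY or evt.arg.flags contains O_RDWR or evt.arg.flags contains O_CREAT or evt.arg.flags contains O_TRUNC)",
    "package_mgmt_binaries": "proc.name in (dpkg, dpkg-preconfigu, rpm, rpmkey, yum)",
    "bin_dir": "fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)",
}
RULES = {
    "run_shell_in_container": "container and proc.name = bash and spawned_process and proc.pname exists and not proc.pname in (bash, docker)",
    "elasticsearch_unexpected_network_outbound": "user.name = elasticsearch and outbound and not elasticsearch_cluster_port",
    "write_binary_dir": "evt.dir = < and open_write and not package_mgmt_binaries and bin_dir",
    "change_thread_namespace": "syscall.type = setns and not proc.name in (docker, sysdig, dragent)",
    "create_files_below_dev": "(evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null",
    "access_camera": "evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)",
}
TOKEN_RE = re.compile(r"\(|\)|,|!=|=|[^\s(),=!]+")  # parens, commas, operators, bare words

def tokenize(condition):
    """Split a condition into tokens; quotes around a value ('f') are dropped."""
    return [tok.strip("'\"") for tok in TOKEN_RE.findall(condition)]

class Matcher:
    """Parse a condition and evaluate it against one event (dict of field -> value) in a
    single pass. Precedence, lowest first: or, and, not, then a group, macro or comparison."""
    def __init__(self, condition, event, macros):
        self.toks, self.i, self.event, self.macros = tokenize(condition), 0, event, macros
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok
    def match(self):
        result = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return result
    def chain(self, op, sub):  # left-associative or/and; both sides are always parsed
        result = sub()
        while self.peek() == op:
            self.take()
            right = sub()
            result = (result or right) if op == "or" else (result and right)
        return result
    def parse_or(self):  # or binds looser than and, which binds looser than not
        return self.chain("or", lambda: self.chain("and", self.parse_not))
    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return not self.parse_not()
        return self.parse_primary()
    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            result = self.parse_or()
            self.take(")")
            return result
        if tok in self.macros:  # a bare macro name: evaluate the macro's own condition
            return Matcher(self.macros[tok], self.event, self.macros).match()
        value = self.event.get(tok)  # None when the event lacks the field
        op = self.take()
        if op == "exists":
            return value is not None
        if op == "in":  # field in (v1, v2, ...)
            self.take("(")
            allowed = [v for v in iter(self.take, ")") if v != ","]
            return value is not None and str(value) in allowed
        if op not in ("=", "!=", "contains"):
            raise ValueError(f"unknown operator {op!r} after field {tok!r}")
        rhs = self.take()
        if value is None:  # a missing field fails =, != and contains alike
            return False
        return rhs in str(value) if op == "contains" else (str(value) == rhs) == (op == "=")

def matching_rules(event, rules=RULES, macros=MACROS):
    """Names of the rules whose condition holds for the event, in file order."""
    return [name for name, cond in rules.items() if Matcher(cond, event, macros).match()]

# Constructed sample events (not captured from a real system), one per scenario.
SAMPLE_EVENTS = {
    "shell_in_container": {"evt.type": "execve", "evt.dir": "<", "container.id": "3b1a2c4d5e6f", "proc.name": "bash", "proc.pname": "nginx"},
    "shell_on_host": {"evt.type": "execve", "evt.dir": "<", "container.id": "host", "proc.name": "bash", "proc.pname": "sshd"},
    "vim_writes_usr_bin": {"evt.type": "openat", "evt.dir": "<", "fd.typechar": "f", "evt.arg.flags": "O_WRONLY|O_TRUNC", "fd.directory": "/usr/bin", "fd.name": "/usr/bin/ls", "proc.name": "vim", "container.id": "host"},
    "dpkg_writes_usr_bin": {"evt.type": "openat", "evt.dir": "<", "fd.typechar": "f", "evt.arg.flags": "O_WRONLY|O_CREAT", "fd.directory": "/usr/bin", "fd.name": "/usr/bin/ls", "proc.name": "dpkg", "container.id": "host"},
    "es_connects_out_on_443": {"syscall.type": "connect", "evt.dir": "<", "fd.typechar": "4", "fd.sport": "45001", "user.name": "elasticsearch"},
    "cron_creates_file_in_dev": {"evt.type": "openat", "evt.dir": "<", "evt.arg.flags": "O_WRONLY|O_CREAT", "fd.directory": "/dev", "fd.name": "/dev/.cache", "proc.name": "cron"},
}

if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        print(f"{name:>24}: {matching_rules(event) or 'no rule fires'}")
```

Running it prints which rule, if any, fires for each event. The dpkg write to /usr/bin and the shell on the host match nothing, because the package_mgmt_binaries exclusion and the container macro filter them out, which is exactly the behaviour the rule descriptions promise; the cron write below /dev and the Elasticsearch connection on a non-cluster port each fire their rule. In Falco itself the matching event then fills the %field placeholders in the rule's output string.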