Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 39 additions & 0 deletions labs/lab9/falco/rules/custom-rules.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
- rule: Write to /tmp by container
desc: Detect a process writing to the /tmp directory inside a container
condition: open_write and container.id != host and fd.name startswith /tmp/
output: Write to /tmp by container (container=%container.name user=%user.name file=%fd.name command=%proc.cmdline)
priority: WARNING
tags: [container, drift]

- list: known_miner_processes
items: [xmrig, ethminer, cgminer, t-rex, claymore]

- rule: Possible Cryptominer Activity
desc: Detect connections to common mining-pool ports or execution of known miner processes inside containers
condition: >
container.id != host
and
(
(
evt.type=connect
and
(
fd.sport in (3333, 4444, 5555, 7777, 14444, 19999, 45700)
or evt.args endswith ":3333"
or evt.args endswith ":4444"
or evt.args endswith ":5555"
or evt.args endswith ":7777"
or evt.args endswith ":14444"
or evt.args endswith ":19999"
or evt.args endswith ":45700"
)
)
or
(
evt.type in (execve, execveat)
and proc.name in (known_miner_processes)
)
)
output: Possible Cryptominer Activity (container=%container.name process=%proc.name command=%proc.cmdline target=%evt.args connection=%fd.name)
priority: CRITICAL
tags: [container, mitre_execution, mitre_command_and_control]
83 changes: 83 additions & 0 deletions labs/lab9/policies/extra/hardening.rego
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
package main

pod_runs_as_non_root if {
input.spec.template.spec.securityContext.runAsNonRoot == true
}

container_runs_as_non_root(container) if {
container.securityContext.runAsNonRoot == true
}

drops_all_capabilities(container) if {
security_context := object.get(container, "securityContext", {})
capabilities := object.get(security_context, "capabilities", {})
dropped := object.get(capabilities, "drop", [])

"ALL" in dropped
}

# 1. Require runAsNonRoot at pod or container level.
deny contains msg if {
input.kind == "Deployment"
container := input.spec.template.spec.containers[_]

not pod_runs_as_non_root
not container_runs_as_non_root(container)

msg := sprintf(
"container %q must set runAsNonRoot: true at pod or container level",
[container.name],
)
}

# 2. Prevent processes from gaining additional privileges.
deny contains msg if {
input.kind == "Deployment"
container := input.spec.template.spec.containers[_]

not container.securityContext.allowPrivilegeEscalation == false

msg := sprintf(
"container %q must set allowPrivilegeEscalation: false",
[container.name],
)
}

# 3. Require all Linux capabilities to be dropped.
deny contains msg if {
input.kind == "Deployment"
container := input.spec.template.spec.containers[_]

not drops_all_capabilities(container)

msg := sprintf(
"container %q must drop ALL capabilities",
[container.name],
)
}

# 4. Require a memory limit for every container.
deny contains msg if {
input.kind == "Deployment"
container := input.spec.template.spec.containers[_]

not container.resources.limits.memory

msg := sprintf(
"container %q must set resources.limits.memory",
[container.name],
)
}

# 5. Require immutable images pinned by SHA-256 digest.
deny contains msg if {
input.kind == "Deployment"
container := input.spec.template.spec.containers[_]

not contains(container.image, "@sha256:")

msg := sprintf(
"container %q image must be pinned with an @sha256 digest",
[container.name],
)
}
Loading