Behavioural activity monitoring on CoreOS with Sysdig Falco
28
Transcript of Behavioural activity monitoring on CoreOS with Sysdig Falco
(htop, vmstat, netstat, lsof, tcpdump…)
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
RUN apt-get install -y wget build-essential python python-dev python-pip python-virtualenvRUN wget http://nodejs.org/dist/node-latest.tar.gzRUN tar xvzf node-latest.tar.gzRUN cd node-v* && ./configure && CXX="g++ -Wno-unused-local-typedefs" make && CXX="g++ -Wno-unused-local-typedefs" make install
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•••
# Alert whenever anyone performs an unlink() for a file below /usr/bin-a always,exit -S unlink -S unlinkat -F dir=/usr/bin -F success=1
# Watch any invocation of /usr/bin/passwd-w /usr/bin/passwd -p x -k passwd_mgmt
Kernel
Docker
Container1
Container2
Container3
App Apprkt LXC
Kernel moduleInstrumentation
•
•••
••
•
•
•••
container.id != host and proc.name = bash
fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) and write
evt.type = setns and not proc.name in (docker, sysdig)
(evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null
evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)
•
- macro: bin_dir condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
- list: package_mgmt_binaries items: [dpkg, dpkg-preconfigu, rpm, rpmkey, yum, frontend]
- rule: write_binary_dir desc: an attempt to write to any file below a set of binary directories condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)" priority: WARNING
●
●○
○
●
●
