
Installed Falco drivers on the host.

Able to capture alerts for specific conditions like when there is a process spawned or if any script is getting executed inside the container. But the requirement is to trigger an alert whenever any manual command gets executed inside the container.

Is there any custom condition we use to generate an alert whenever any command gets executed inside a container?

Expecting the below condition should capture an alert whenever command line contains newline char or pressed enter inside a container or the command executed contains any .sh but this didn't work.

- rule: shell_in_container
  desc: notice shell activity within a container
  condition: >
    container.id != host and
    proc.cmdline contains "\n" or
    proc.cmdline endswith ".sh"

  output: >
    shell in a container
    (user=%user.name container_id=%container.id container_name=%container.name
    shell=%proc.name parent=%proc.pname source_ip=%fd.rip  cmdline=%proc.cmdline)
  priority: WARNING
fatihyildizhan
Harika
Able to capture alerts for almost every command that gets executed inside the container.

- rule: shell_in_container
  desc: notice shell activity within a container
  condition: >
    container.id != host and
    evt.type = execve and
    (proc.pname = bash or proc.pname = sh)
  output: >
    shell in a container
    (user=%user.name command=%proc.cmdline timestamp=%evt.datetime.s pod_name=%k8s.pod.name)
  priority: informational

I want to capture source_ip / pod_ip and the result of the command executed in the output section of the alert. Any help is appreciated. Thanks!! – Harika Jan 03 '23 at 11:12

2 Answers


Your question made me go and read about Falco (I learned a new lesson today). After installing Falco and reading its documentation, I found a solution that seems to work.

- rule: shell_in_container
  desc: notice shell activity within a container
  condition: >
    container.id != host and
    proc.cmdline != ""

  output: >
    shell in a container
    (user=%user.name container_id=%container.id container_name=%container.name
    shell=%proc.name parent=%proc.pname source_ip=%fd.rip  cmdline=%proc.cmdline)
  priority: WARNING
Xirehat
Getting too many alerts with the above condition. There are even duplicate alerts for each command that gets executed inside a container.

12:53:13.264177733: Warning shell in a container (user=root container_id=d6900bc54e26 container_name=k8s_nginx_nginx_default_e7d77691-2413-4b4e-a14f-c214d5660c04_0 shell=rm parent=bash source_ip= cmdline=rm -rf harika)
12:53:13.264434065: Warning shell in a container (user=root container_id=d6900bc54e26 container_name=k8s_nginx_nginx_default_e7d77691-2413-4b4e-a14f-c214d5660c04_0 shell=rm parent=bash source_ip= cmdline=rm -rf harika)

– Harika Jan 02 '23 at 13:01

The rule below generates alerts whenever a manual command is executed inside a container (exec with bash or sh), with all the required fields in the output. Support for pod IP is to be present in Falco version 0.35; work is in progress: https://github.com/falcosecurity/libs/pull/708. It will be called container.ip (but effectively it is the Pod_IP, since all containers share the network stack of the pod), and container.cni.json for a complete view in case you have dual-stack and multiple interfaces.

- rule: shell_in_container
  desc: notice shell activity within a container
  condition: >
    container.id != host and
    evt.type = execve and
    (proc.pname = bash or
    proc.pname = sh) and
    proc.cmdline != bash

  output: >
    (user=%user.name  command=%proc.cmdline timestamp=%evt.datetime.s container_id=%container.id container_name=%container.name pod_name=%k8s.pod.name proc_name=%proc.name proc_pname=%proc.pname res=%evt.res)
  priority: informational
Harika
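Putting the thread's pieces together, as an added example that is not code from either poster: this rules file keeps the execve filter but goes through Falco's default `spawned_process` macro, which matches only the execve/execveat exit event (so each command is reported once, with the full command line populated), and uses `proc.tty` to keep only commands typed at an interactive shell rather than entrypoint scripts or cron jobs. It assumes Falco's default rules are loaded (they define the `container` and `spawned_process` macros); the `interactive_shells` list and `child_of_interactive_shell` macro are defined here.

```yaml
# Added example, not from the thread. Assumes the default Falco rules are
# loaded so that the `container` and `spawned_process` macros exist.

- list: interactive_shells
  items: [bash, sh, dash, zsh, ash]

- macro: child_of_interactive_shell
  # Parent is a shell and the process has a controlling terminal, i.e. a human
  # typed it (kubectl exec -it / docker exec -it). Entrypoint scripts, health
  # checks and cron jobs run with proc.tty = 0 and are filtered out.
  condition: (proc.pname in (interactive_shells) and proc.tty != 0)

- rule: Manual command in container
  desc: >
    A command typed at an interactive shell inside a container. spawned_process
    restricts the match to execve/execveat exit events, so a single command
    fires once instead of on every syscall it later makes. %evt.res is the
    return value of the exec itself (0 on success, negative errno on failure);
    the command's own exit status is not part of the exec event.
  condition: >
    spawned_process and container
    and child_of_interactive_shell
    and not proc.name in (interactive_shells)
  output: >
    Manual command in container
    (user=%user.name command=%proc.cmdline exec_res=%evt.res tty=%proc.tty
    container_id=%container.id container_name=%container.name
    image=%container.image.repository pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: NOTICE
  tags: [container, shell]
```

The `not proc.name in (interactive_shells)` clause replaces the `proc.cmdline != bash` check from the answer above, so launching the shell itself (`bash`, `sh -c ...`) is not reported, only the commands run from it.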