search

falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0
7.24k stars 893 forks source link

Supports observation ability on the file content of `(rename and renameat).oldpath`. #2555

Open MagpieRYL opened 1 year ago

MagpieRYL commented 1 year ago

Motivation

There are so many attacking tricks overwriting sensitive files for gaining control, like ~/.ssh/authorized_keys, /etc/crontab, ~/.bashrc, etc.

Sometimes, getting the content buffer written to files is helpful for threaten detection, but the content buffer cannot be observed by Falco when overwriting file by mv command, because mv actually works based on the rename syscall without any buffer arg.

So, if any attacker overwrites sensitive files using mv command, Falco just lost the observation ability on the written content.

some examples:

  1. C2 commands like reverse-shell written to /etc/crontab, ~/.bashrc: buffer detection.
  2. Mal-script's path inside a container is written to the core_pattern file of a mounted procfs from host, leading to container escape: buffer detection.
  3. Mal-script's path inside a container is written to the release_agent file of a mounted cgroupfs from host, leading to container escape: buffer detection.

Feature

Supports observation ability on the file content of (rename and renameat).oldpath.

MagpieRYL commented 1 year ago

anyone notice this request ?

Andreagit97 commented 1 year ago

Ei @MagpieRYL yes we noticed it, sorry for not answering! In this release, we will try to tackle the symlink resolution issue https://github.com/falcosecurity/libs/issues/1111...unfortunately we have no many developers working on our drivers so we cannot implement many features in parallel BTW we really appreciate all your feature suggestions, they are really valuable! Looking at all the issues you seem to have a deep knowledge of security/detection...could you be interested in helping us develop some of these features? Someone with your skills would really benefit the project and would allow us to accelerate the development of new security features

poiana commented 9 months ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Andreagit97 commented 9 months ago

/remove-lifecycle stale

poiana commented 6 months ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Andreagit97 commented 6 months ago

/remove-lifecycle stale

poiana commented 3 months ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Andreagit97 commented 3 months ago

/remove-lifecycle stale

poiana commented 2 weeks ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Andreagit97 commented 2 weeks ago

/remove-lifecycle stale