# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

images:
  pull_policy: IfNotPresent
  tags:
    dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
    falco: docker.io/sysdig/falco:0.12.1
    image_repo_sync: docker.io/docker:17.07.0
  local_registry:
    active: false
    exclude:
      - dep_check
      - image_repo_sync


pod:
  resources:
    enabled: false
    falco:
      requests:
        memory: "128Mi"
        cpu: "20m"
      limits:
        memory: "128Mi"
        cpu: "30m"
  jobs:
    image_repo_sync:
      requests:
        memory: "128Mi"
        cpu: "20m"
      limits:
        memory: "128Mi"
        cpu: "30m"
  lifecycle:
    upgrades:
      daemonsets:
        pod_replacement_strategy: RollingUpdate
        falco:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
  tolerations:
    falco:
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master


conf:
  config:
    # The location of the rules file(s). This can contain one or more paths to
    # separate rules files.
    rules_file:
      - /etc/falco/falco_rules.yaml
      - /etc/falco/falco_rules.local.yaml
      - /etc/falco/rules.d

    # Whether to output events in json or text
    json_output: false

    # When using json output, whether or not to include the "output" property
    # itself (e.g. "File below a known binary directory opened for writing
    # (user=root ....") in the json output.
    json_include_output_property: true

    # Send information logs to stderr and/or syslog Note these are *not* security
    # notification logs! These are just Falco lifecycle (and possibly error) logs.
    log_stderr: true
    log_syslog: true

    # Minimum log level to include in logs. Note: these levels are
    # separate from the priority field of rules. This refers only to the
    # log level of falco's internal logging. Can be one of "emergency",
    # "alert", "critical", "error", "warning", "notice", "info", "debug".
    log_level: info

    # Minimum rule priority level to load and run. All rules having a
    # priority more severe than this level will be loaded/run.  Can be one
    # of "emergency", "alert", "critical", "error", "warning", "notice",
    # "info", "debug".
    priority: debug

    # Whether or not output to any of the output channels below is
    # buffered.
    buffered_outputs: false

    # A throttling mechanism implemented as a token bucket limits the
    # rate of falco notifications. This throttling is controlled by the following configuration
    # options:
    #  - rate: the number of tokens (i.e. right to send a notification)
    #    gained per second. Defaults to 1.
    #  - max_burst: the maximum number of tokens outstanding. Defaults to 1000.
    #
    # With these defaults, falco could send up to 1000 notifications after
    # an initial quiet period, and then up to 1 notification per second
    # afterward. It would gain the full burst back after 1000 seconds of
    # no activity.
    outputs:
      rate: 1
      max_burst: 1000

    # Where security notifications should go.
    # Multiple outputs can be enabled.
    syslog_output:
      enabled: true

    # If keep_alive is set to true, the file will be opened once and
    # continuously written to, with each output message on its own
    # line. If keep_alive is set to false, the file will be re-opened
    # for each output message.
    #
    # Also, the file will be closed and reopened if falco is signaled with
    # SIGUSR1.
    file_output:
      enabled: false
      keep_alive: false
      filename: ./events.txt

    stdout_output:
      enabled: true

    # Possible additional things you might want to do with program output:
    #   - send to a slack webhook:
    #         program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
    #   - logging (alternate method than syslog):
    #         program: logger -t falco-test
    #   - send over a network connection:
    #         program: nc host.example.com 80

    # If keep_alive is set to true, the program will be started once and
    # continuously written to, with each output message on its own
    # line. If keep_alive is set to false, the program will be re-spawned
    # for each output message.
    #
    # Also, the program will be closed and reopened if falco is signaled with
    # SIGUSR1.
    program_output:
      enabled: false
      keep_alive: false
      program: mail -s "Falco Notification" someone@example.com
  rules:
    falco_rules: |
      - macro: open_write
        condition: (evt.type=open or evt.type=openat) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0
      - macro: open_read
        condition: (evt.type=open or evt.type=openat) and evt.is_open_read=true and fd.typechar='f' and fd.num>=0
      - macro: never_true
        condition: (evt.num=0)
      - macro: always_true
        condition: (evt.num=>0)
      - macro: proc_name_exists
        condition: (proc.name!="<NA>")
      - macro: rename
        condition: evt.type in (rename, renameat)
      - macro: mkdir
        condition: evt.type = mkdir
      - macro: remove
        condition: evt.type in (rmdir, unlink, unlinkat)
      - macro: modify
        condition: rename or remove
      - macro: spawned_process
        condition: evt.type = execve and evt.dir=<
      - macro: bin_dir
        condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
      - macro: bin_dir_mkdir
        condition: >
          (evt.arg[1] startswith /bin/ or
           evt.arg[1] startswith /sbin/ or
           evt.arg[1] startswith /usr/bin/ or
           evt.arg[1] startswith /usr/sbin/)
      - macro: bin_dir_rename
        condition: >
          evt.arg[1] startswith /bin/ or
          evt.arg[1] startswith /sbin/ or
          evt.arg[1] startswith /usr/bin/ or
          evt.arg[1] startswith /usr/sbin/
      - macro: etc_dir
        condition: fd.name startswith /etc/
      - macro: root_dir
        condition: ((fd.directory=/ or fd.name startswith /root) and fd.name contains "/")
      - list: shell_binaries
        items: [bash, csh, ksh, sh, tcsh, zsh, dash]
      - list: shell_mgmt_binaries
        items: [add-shell, remove-shell]
      - macro: shell_procs
        condition: (proc.name in (shell_binaries))
      - list: coreutils_binaries
        items: [
          truncate, sha1sum, numfmt, fmt, fold, uniq, cut, who,
          groups, csplit, sort, expand, printf, printenv, unlink, tee, chcon, stat,
          basename, split, nice, "yes", whoami, sha224sum, hostid, users, stdbuf,
          base64, unexpand, cksum, od, paste, nproc, pathchk, sha256sum, wc, test,
          comm, arch, du, factor, sha512sum, md5sum, tr, runcon, env, dirname,
          tsort, join, shuf, install, logname, pinky, nohup, expr, pr, tty, timeout,
          tail, "[", seq, sha384sum, nl, head, id, mkfifo, sum, dircolors, ptx, shred,
          tac, link, chroot, vdir, chown, touch, ls, dd, uname, "true", pwd, date,
          chgrp, chmod, mktemp, cat, mknod, sync, ln, "false", rm, mv, cp, echo,
          readlink, sleep, stty, mkdir, df, dir, rmdir, touch
          ]
      - list: login_binaries
        items: [
          login, systemd, '"(systemd)"', systemd-logind, su,
          nologin, faillog, lastlog, newgrp, sg
          ]
      - list: passwd_binaries
        items: [
          shadowconfig, grpck, pwunconv, grpconv, pwck,
          groupmod, vipw, pwconv, useradd, newusers, cppw, chpasswd, usermod,
          groupadd, groupdel, grpunconv, chgpasswd, userdel, chage, chsh,
          gpasswd, chfn, expiry, passwd, vigr, cpgr
          ]
      - list: shadowutils_binaries
        items: [
          chage, gpasswd, lastlog, newgrp, sg, adduser, deluser, chpasswd,
          groupadd, groupdel, addgroup, delgroup, groupmems, groupmod, grpck, grpconv, grpunconv,
          newusers, pwck, pwconv, pwunconv, useradd, userdel, usermod, vigr, vipw, unix_chkpwd
          ]
      - list: sysdigcloud_binaries
        items: [setup-backend, dragent, sdchecks]
      - list: docker_binaries
        items: [docker, dockerd, exe, docker-compose, docker-entrypoi, docker-runc-cur, docker-current]
      - list: k8s_binaries
        items: [hyperkube, skydns, kube2sky, exechealthz]
      - list: lxd_binaries
        items: [lxd, lxcfs]
      - list: http_server_binaries
        items: [nginx, httpd, httpd-foregroun, lighttpd, apache, apache2]
      - list: db_server_binaries
        items: [mysqld, postgres, sqlplus]
      - list: mysql_mgmt_binaries
        items: [mysql_install_d, mysql_ssl_rsa_s]
      - list: postgres_mgmt_binaries
        items: [pg_dumpall, pg_ctl, pg_lsclusters, pg_ctlcluster]
      - list: db_mgmt_binaries
        items: [mysql_mgmt_binaries, postgres_mgmt_binaries]
      - list: nosql_server_binaries
        items: [couchdb, memcached, redis-server, rabbitmq-server, mongod]
      - list: gitlab_binaries
        items: [gitlab-shell, gitlab-mon, gitlab-runner-b, git]
      - macro: server_procs
        condition: proc.name in (http_server_binaries, db_server_binaries, docker_binaries, sshd)
      - list: rpm_binaries
        items: [dnf, rpm, rpmkey, yum, '"75-system-updat"', rhsmcertd-worke, subscription-ma,
                repoquery, rpmkeys, rpmq, yum-cron, yum-config-mana, yum-debug-dump,
                abrt-action-sav, rpmdb_stat, microdnf]
      - macro: rpm_procs
        condition: proc.name in (rpm_binaries) or proc.name in (salt-minion)
      - list: deb_binaries
        items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, apt-get, aptitude,
          frontend, preinst, add-apt-reposit, apt-auto-remova, apt-key,
          apt-listchanges, unattended-upgr, apt-add-reposit
          ]
      - list: package_mgmt_binaries
        items: [rpm_binaries, deb_binaries, update-alternat, gem, pip, pip3, sane-utils.post, alternatives, chef-client]
      - macro: package_mgmt_procs
        condition: proc.name in (package_mgmt_binaries)
      - macro: coreos_write_ssh_dir
        condition: (proc.name=update-ssh-keys and fd.name startswith /home/core/.ssh)
      - macro: run_by_package_mgmt_binaries
        condition: proc.aname in (package_mgmt_binaries, needrestart)
      - list: ssl_mgmt_binaries
        items: [ca-certificates]
      - list: dhcp_binaries
        items: [dhclient, dhclient-script]
      - list: userexec_binaries
        items: [sudo, su, suexec]
      - list: known_setuid_binaries
        items: [
          sshd, dbus-daemon-lau, ping, ping6, critical-stack-, pmmcli,
          filemng, PassengerAgent, bwrap, osdetect, nginxmng, sw-engine-fpm,
          start-stop-daem
          ]
      - list: user_mgmt_binaries
        items: [login_binaries, passwd_binaries, shadowutils_binaries]
      - list: dev_creation_binaries
        items: [blkid, rename_device, update_engine, sgdisk]
      - list: hids_binaries
        items: [aide]
      - list: vpn_binaries
        items: [openvpn]
      - list: nomachine_binaries
        items: [nxexec, nxnode.bin, nxserver.bin, nxclient.bin]
      - macro: system_procs
        condition: proc.name in (coreutils_binaries, user_mgmt_binaries)
      - list: mail_binaries
        items: [
          sendmail, sendmail-msp, postfix, procmail, exim4,
          pickup, showq, mailq, dovecot, imap-login, imap,
          mailmng-core, pop3-login, dovecot-lda, pop3
          ]
      - list: mail_config_binaries
        items: [
          update_conf, parse_mc, makemap_hash, newaliases, update_mk, update_tlsm4,
          update_db, update_mc, ssmtp.postinst, mailq, postalias, postfix.config.,
          postfix.config, postfix-script
          ]
      - list: sensitive_file_names
        items: [/etc/shadow, /etc/sudoers, /etc/pam.conf]
      - macro: sensitive_files
        condition: >
          fd.name startswith /etc and
          (fd.name in (sensitive_file_names)
           or fd.directory in (/etc/sudoers.d, /etc/pam.d))
      - macro: proc_is_new
        condition: proc.duration <= 5000000000
      - macro: inbound
        condition: >
          (((evt.type in (accept,listen) and evt.dir=<)) or
           (fd.typechar = 4 or fd.typechar = 6) and
           (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
           (evt.rawres >= 0 or evt.res = EINPROGRESS))
      - macro: outbound
        condition: >
          (((evt.type = connect and evt.dir=<)) or
           (fd.typechar = 4 or fd.typechar = 6) and
           (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
           (evt.rawres >= 0 or evt.res = EINPROGRESS))
      - macro: inbound_outbound
        condition: >
          (((evt.type in (accept,listen,connect) and evt.dir=<)) or
           (fd.typechar = 4 or fd.typechar = 6) and
           (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
           (evt.rawres >= 0 or evt.res = EINPROGRESS))
      - macro: ssh_port
        condition: fd.sport=22
      - macro: allowed_ssh_hosts
        condition: ssh_port
      - rule: Disallowed SSH Connection
        desc: Detect any new ssh connection to a host other than those in an allowed group of hosts
        condition: (inbound_outbound) and ssh_port and not allowed_ssh_hosts
        output: Disallowed SSH Connection (command=%proc.cmdline connection=%fd.name user=%user.name)
        priority: NOTICE
        tags: [network]
      - macro: container
        condition: container.id != host
      - macro: interactive
        condition: >
          ((proc.aname=sshd and proc.name != sshd) or
          proc.name=systemd-logind or proc.name=login)
      - list: cron_binaries
        items: [anacron, cron, crond, crontab]
      - list: needrestart_binaries
        items: [needrestart, 10-dpkg, 20-rpm, 30-pacman]
      - list: sshkit_script_binaries
        items: [10_etc_sudoers., 10_passwd_group]
      - list: plesk_binaries
        items: [sw-engine, sw-engine-fpm, sw-engine-kv, filemng, f2bmng]
      - macro: system_users
        condition: user.name in (bin, daemon, games, lp, mail, nobody, sshd, sync, uucp, www-data)
      - macro: parent_ansible_running_python
        condition: (proc.pname in (python, pypy) and proc.pcmdline contains ansible)
      - macro: parent_bro_running_python
        condition: (proc.pname=python and proc.cmdline contains /usr/share/broctl)
      - macro: parent_python_running_denyhosts
        condition: >
          (proc.cmdline startswith "denyhosts.py /usr/bin/denyhosts.py" or
           (proc.pname=python and
           (proc.pcmdline contains /usr/sbin/denyhosts or
            proc.pcmdline contains /usr/local/bin/denyhosts.py)))
      - macro: parent_python_running_sdchecks
        condition: >
          (proc.pname in (python, python2.7) and
          (proc.pcmdline contains /opt/draios/bin/sdchecks))
      - macro: parent_linux_image_upgrade_script
        condition: proc.pname startswith linux-image-
      - macro: parent_java_running_echo
        condition: (proc.pname=java and proc.cmdline startswith "sh -c echo")
      - macro: parent_scripting_running_builds
        condition: >
          (proc.pname in (php,php5-fpm,php-fpm7.1,python,ruby,ruby2.3,ruby2.1,node,conda) and (
             proc.cmdline startswith "sh -c git" or
             proc.cmdline startswith "sh -c date" or
             proc.cmdline startswith "sh -c /usr/bin/g++" or
             proc.cmdline startswith "sh -c /usr/bin/gcc" or
             proc.cmdline startswith "sh -c gcc" or
             proc.cmdline startswith "sh -c if type gcc" or
             proc.cmdline startswith "sh -c cd '/var/www/edi/';LC_ALL=en_US.UTF-8 git" or
             proc.cmdline startswith "sh -c /var/www/edi/bin/sftp.sh" or
             proc.cmdline startswith "sh -c /usr/src/app/crxlsx/bin/linux/crxlsx" or
             proc.cmdline startswith "sh -c make parent" or
             proc.cmdline startswith "node /jenkins/tools" or
             proc.cmdline startswith "sh -c '/usr/bin/node'" or
             proc.cmdline startswith "sh -c stty -a |" or
             proc.pcmdline startswith "node /opt/nodejs/bin/yarn" or
             proc.pcmdline startswith "node /usr/local/bin/yarn" or
             proc.pcmdline startswith "node /root/.config/yarn" or
             proc.pcmdline startswith "node /opt/yarn/bin/yarn.js"))
      - macro: httpd_writing_ssl_conf
        condition: >
          (proc.pname=run-httpd and
           (proc.cmdline startswith "sed -ri" or proc.cmdline startswith "sed -i") and
           (fd.name startswith /etc/httpd/conf.d/ or fd.name startswith /etc/httpd/conf))
      - macro: userhelper_writing_etc_security
        condition: (proc.name=userhelper and fd.name startswith /etc/security)
      - macro: parent_Xvfb_running_xkbcomp
        condition: (proc.pname=Xvfb and proc.cmdline startswith 'sh -c "/usr/bin/xkbcomp"')
      - macro: parent_nginx_running_serf
        condition: (proc.pname=nginx and proc.cmdline startswith "sh -c serf")
      - macro: parent_node_running_npm
        condition: (proc.pcmdline startswith "node /usr/local/bin/npm" or
                    proc.pcmdline startswith "node /usr/local/nodejs/bin/npm" or
                    proc.pcmdline startswith "node /opt/rh/rh-nodejs6/root/usr/bin/npm")
      - macro: parent_java_running_sbt
        condition: (proc.pname=java and proc.pcmdline contains sbt-launch.jar)
      - list: known_container_shell_spawn_cmdlines
        items: []
      - list: known_shell_spawn_binaries
        items: []
      - macro: ansible_running_python
        condition: (proc.name in (python, pypy) and proc.cmdline contains ansible)
      - macro: python_running_chef
        condition: (proc.name=python and (proc.cmdline contains yum-dump.py or proc.cmdline="python /usr/bin/chef-monitor.py"))
      - macro: python_running_denyhosts
        condition: >
          (proc.name=python and
          (proc.cmdline contains /usr/sbin/denyhosts or
           proc.cmdline contains /usr/local/bin/denyhosts.py))
      - macro: run_by_qualys
        condition: >
          (proc.pname=qualys-cloud-ag or
           proc.aname[2]=qualys-cloud-ag or
           proc.aname[3]=qualys-cloud-ag or
           proc.aname[4]=qualys-cloud-ag)
      - macro: run_by_sumologic_securefiles
        condition: >
          ((proc.cmdline="usermod -a -G sumologic_collector" or
            proc.cmdline="groupadd sumologic_collector") and
           (proc.pname=secureFiles.sh and proc.aname[2]=java))
      - macro: run_by_yum
        condition: ((proc.pname=sh and proc.aname[2]=yum) or
                    (proc.aname[2]=sh and proc.aname[3]=yum))
      - macro: run_by_ms_oms
        condition: >
          (proc.aname[3] startswith omsagent- or
           proc.aname[3] startswith scx-)
      - macro: run_by_google_accounts_daemon
        condition: >
          (proc.aname[1] startswith google_accounts or
           proc.aname[2] startswith google_accounts)
      - macro: run_by_chef
        condition: (proc.aname[2]=chef_command_wr or proc.aname[3]=chef_command_wr or
                    proc.aname[2]=chef-client or proc.aname[3]=chef-client or
                    proc.name=chef-client)
      - macro: run_by_adclient
        condition: (proc.aname[2]=adclient or proc.aname[3]=adclient or proc.aname[4]=adclient)
      - macro: run_by_centrify
        condition: (proc.aname[2]=centrify or proc.aname[3]=centrify or proc.aname[4]=centrify)
      - macro: run_by_puppet
        condition: (proc.aname[2]=puppet or proc.aname[3]=puppet)
      - macro: run_by_foreman
        condition: >
          (user.name=foreman and
           (proc.pname in (rake, ruby, scl) and proc.aname[5] in (tfm-rake,tfm-ruby)) or
           (proc.pname=scl and proc.aname[2] in (tfm-rake,tfm-ruby)))
      - macro: java_running_sdjagent
        condition: proc.name=java and proc.cmdline contains sdjagent.jar
      - macro: kubelet_running_loopback
        condition: (proc.pname=kubelet and proc.name=loopback)
      - macro: python_mesos_marathon_scripting
        condition: (proc.pcmdline startswith "python3 /marathon-lb/marathon_lb.py")
      - macro: splunk_running_forwarder
        condition: (proc.pname=splunkd and proc.cmdline startswith "sh -c /opt/splunkforwarder")
      - macro: parent_supervise_running_multilog
        condition: (proc.name=multilog and proc.pname=supervise)
      - macro: supervise_writing_status
        condition: (proc.name in (supervise,svc) and fd.name startswith "/etc/sb/")
      - macro: pki_realm_writing_realms
        condition: (proc.cmdline startswith "bash /usr/local/lib/pki/pki-realm" and fd.name startswith /etc/pki/realms)
      - macro: htpasswd_writing_passwd
        condition: (proc.name=htpasswd and fd.name=/etc/nginx/.htpasswd)
      - macro: lvprogs_writing_conf
        condition: >
          (proc.name in (dmeventd,lvcreate,pvscan) and
           (fd.name startswith /etc/lvm/archive or
            fd.name startswith /etc/lvm/backup or
            fd.name startswith /etc/lvm/cache))
      - macro: ovsdb_writing_openvswitch
        condition: (proc.name=ovsdb-server and fd.directory=/etc/openvswitch)
      - macro: perl_running_plesk
        condition: (proc.cmdline startswith "perl /opt/psa/admin/bin/plesk_agent_manager" or
                    proc.pcmdline startswith "perl /opt/psa/admin/bin/plesk_agent_manager")
      - macro: perl_running_updmap
        condition: (proc.cmdline startswith "perl /usr/bin/updmap")
      - macro: perl_running_centrifydc
        condition: (proc.cmdline startswith "perl /usr/share/centrifydc")
      - macro: parent_ucf_writing_conf
        condition: (proc.pname=ucf and proc.aname[2]=frontend)
      - macro: consul_template_writing_conf
        condition: >
          ((proc.name=consul-template and fd.name startswith /etc/haproxy) or
           (proc.name=reload.sh and proc.aname[2]=consul-template and fd.name startswith /etc/ssl))
      - macro: countly_writing_nginx_conf
        condition: (proc.cmdline startswith "nodejs /opt/countly/bin" and fd.name startswith /etc/nginx)
      - list: ms_oms_binaries
        items: [omi.postinst, omsconfig.posti, scx.postinst, omsadmin.sh, omiagent]
      - macro: ms_oms_writing_conf
        condition: >
          ((proc.name in (omiagent,omsagent,in_heartbeat_r*,omsadmin.sh,PerformInventor)
             or proc.pname in (ms_oms_binaries)
             or proc.aname[2] in (ms_oms_binaries))
           and (fd.name startswith /etc/opt/omi or fd.name startswith /etc/opt/microsoft/omsagent))
      - macro: ms_scx_writing_conf
        condition: (proc.name in (GetLinuxOS.sh) and fd.name startswith /etc/opt/microsoft/scx)
      - macro: azure_scripts_writing_conf
        condition: (proc.pname startswith "bash /var/lib/waagent/" and fd.name startswith /etc/azure)
      - macro: azure_networkwatcher_writing_conf
        condition: (proc.name in (NetworkWatcherA) and fd.name=/etc/init.d/AzureNetworkWatcherAgent)
      - macro: couchdb_writing_conf
        condition: (proc.name=beam.smp and proc.cmdline contains couchdb and fd.name startswith /etc/couchdb)
      - macro: update_texmf_writing_conf
        condition: (proc.name=update-texmf and fd.name startswith /etc/texmf)
      - macro: slapadd_writing_conf
        condition: (proc.name=slapadd and fd.name startswith /etc/ldap)
      - macro: openldap_writing_conf
        condition: (proc.pname=run-openldap.sh and fd.name startswith /etc/openldap)
      - macro: ucpagent_writing_conf
        condition: (proc.name=apiserver and container.image startswith docker/ucp-agent and fd.name=/etc/authorization_config.cfg)
      - macro: iscsi_writing_conf
        condition: (proc.name=iscsiadm and fd.name startswith /etc/iscsi)
      - macro: symantec_writing_conf
        condition: >
          ((proc.name=symcfgd and fd.name startswith /etc/symantec) or
           (proc.name=navdefutil and fd.name=/etc/symc-defutils.conf))
      - macro: liveupdate_writing_conf
        condition: (proc.cmdline startswith "java LiveUpdate" and fd.name in (/etc/liveupdate.conf, /etc/Product.Catalog.JavaLiveUpdate))
      - macro: sosreport_writing_files
        condition: >
          (proc.name=urlgrabber-ext- and proc.aname[3]=sosreport and
           (fd.name startswith /etc/pkt/nssdb or fd.name startswith /etc/pki/nssdb))
      - macro: pkgmgmt_progs_writing_pki
        condition: >
          (proc.name=urlgrabber-ext- and proc.pname in (yum, yum-cron, repoquery) and
           (fd.name startswith /etc/pkt/nssdb or fd.name startswith /etc/pki/nssdb))
      - macro: update_ca_trust_writing_pki
        condition: (proc.pname=update-ca-trust and proc.name=trust and fd.name startswith /etc/pki)
      - macro: brandbot_writing_os_release
        condition: proc.name=brandbot and fd.name=/etc/os-release
      - macro: selinux_writing_conf
        condition: (proc.name in (semodule,genhomedircon,sefcontext_comp) and fd.name startswith /etc/selinux)
      - list: veritas_binaries
        items: [vxconfigd, sfcache, vxclustadm, vxdctl, vxprint, vxdmpadm, vxdisk, vxdg, vxassist, vxtune]
      - macro: veritas_driver_script
        condition: (proc.cmdline startswith "perl /opt/VRTSsfmh/bin/mh_driver.pl")
      - macro: veritas_progs
        condition: (proc.name in (veritas_binaries) or veritas_driver_script)
      - macro: veritas_writing_config
        condition: (veritas_progs and (fd.name startswith /etc/vx or fd.name startswith /etc/opt/VRTS or fd.name startswith /etc/vom))
      - macro: nginx_writing_conf
        condition: (proc.name=nginx and fd.name startswith /etc/nginx)
      - macro: nginx_writing_certs
        condition: >
          (((proc.name=openssl and proc.pname=nginx-launch.sh) or proc.name=nginx-launch.sh) and fd.name startswith /etc/nginx/certs)
      - macro: chef_client_writing_conf
        condition: (proc.pcmdline startswith "chef-client /opt/gitlab" and fd.name startswith /etc/gitlab)
      - macro: centrify_writing_krb
        condition: (proc.name in (adjoin,addns) and fd.name startswith /etc/krb5)
      - macro: cockpit_writing_conf
        condition: >
          ((proc.pname=cockpit-kube-la or proc.aname[2]=cockpit-kube-la)
           and fd.name startswith /etc/cockpit)
      - macro: ipsec_writing_conf
        condition: (proc.name=start-ipsec.sh and fd.directory=/etc/ipsec)
      - macro: exe_running_docker_save
        condition: (proc.cmdline startswith "exe /var/lib/docker" and proc.pname in (dockerd, docker))
      - macro: sed_temporary_file
        condition: (proc.name=sed and fd.name startswith "/etc/sed")
      - macro: python_running_get_pip
        condition: (proc.cmdline startswith "python get-pip.py")
      - macro: python_running_ms_oms
        condition: (proc.cmdline startswith "python /var/lib/waagent/")
      - macro: gugent_writing_guestagent_log
        condition: (proc.name=gugent and fd.name=GuestAgent.log)
      - macro: dse_writing_tmp
        condition: (proc.name=dse-entrypoint and fd.name=/root/tmp__)
      - macro: zap_writing_state
        condition: (proc.name=java and proc.cmdline contains "jar /zap" and fd.name startswith /root/.ZAP)
      - macro: airflow_writing_state
        condition: (proc.name=airflow and fd.name startswith /root/airflow)
      - macro: rpm_writing_root_rpmdb
        condition: (proc.name=rpm and fd.directory=/root/.rpmdb)
      - macro: maven_writing_groovy
        condition: (proc.name=java and proc.cmdline contains "classpath /usr/local/apache-maven" and fd.name startswith /root/.groovy)
      - rule: Write below binary dir
        desc: an attempt to write to any file below a set of binary directories
        condition: >
          bin_dir and evt.dir = < and open_write
          and not package_mgmt_procs
          and not exe_running_docker_save
          and not python_running_get_pip
          and not python_running_ms_oms
        output: >
          File below a known binary directory opened for writing (user=%user.name
          command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2])
        priority: ERROR
        tags: [filesystem]
      - list: monitored_directories
        items: [/boot, /lib, /lib64, /usr/lib, /usr/local/lib, /usr/local/sbin, /usr/local/bin, /root/.ssh, /etc/cardserver]
      - macro: user_ssh_directory
        condition: (fd.name startswith '/home' and fd.name contains '.ssh')
      - macro: mkinitramfs_writing_boot
        condition: (proc.pname in (mkinitramfs, update-initramf) and fd.directory=/boot)
      - macro: monitored_dir
        condition: >
          (fd.directory in (monitored_directories)
           or user_ssh_directory)
          and not mkinitramfs_writing_boot
      - rule: Write below monitored dir
        desc: an attempt to write to any file below a set of binary directories
        condition: >
          evt.dir = < and open_write and monitored_dir
          and not package_mgmt_procs
          and not coreos_write_ssh_dir
          and not exe_running_docker_save
          and not python_running_get_pip
          and not python_running_ms_oms
        output: >
          File below a monitored directory opened for writing (user=%user.name
          command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2])
        priority: ERROR
        tags: [filesystem]
      - list: safe_etc_dirs
        items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment, /etc/hrmconfig]
      - macro: fluentd_writing_conf_files
        condition: (proc.name=start-fluentd and fd.name in (/etc/fluent/fluent.conf, /etc/td-agent/td-agent.conf))
      - macro: qualys_writing_conf_files
        condition: (proc.name=qualys-cloud-ag and fd.name=/etc/qualys/cloud-agent/qagent-log.conf)
      - macro: git_writing_nssdb
        condition: (proc.name=git-remote-http and fd.directory=/etc/pki/nssdb)
      - macro: plesk_writing_keys
        condition: (proc.name in (plesk_binaries) and fd.name startswith /etc/sw/keys)
      - macro: plesk_install_writing_apache_conf
        condition: (proc.cmdline startswith "bash -hB /usr/lib/plesk-9.0/services/webserver.apache configure"
                    and fd.name="/etc/apache2/apache2.conf.tmp")
      - macro: plesk_running_mktemp
        condition: (proc.name=mktemp and proc.aname[3] in (plesk_binaries))
      - macro: networkmanager_writing_resolv_conf
        condition: proc.aname[2]=nm-dispatcher and fd.name=/etc/resolv.conf
      - macro: add_shell_writing_shells_tmp
        condition: (proc.name=add-shell and fd.name=/etc/shells.tmp)
      - macro: duply_writing_exclude_files
        condition: (proc.name=touch and proc.pcmdline startswith "bash /usr/bin/duply" and fd.name startswith "/etc/duply")
      - macro: xmlcatalog_writing_files
        condition: (proc.name=update-xmlcatal and fd.directory=/etc/xml)
      - macro: datadog_writing_conf
        condition: ((proc.cmdline startswith "python /opt/datadog-agent" or
                     proc.cmdline startswith "entrypoint.sh /entrypoint.sh datadog start" or
                     proc.cmdline startswith "agent.py /opt/datadog-agent")
                    and fd.name startswith "/etc/dd-agent")
      - macro: curl_writing_pki_db
        condition: (proc.name=curl and fd.directory=/etc/pki/nssdb)
      - macro: haproxy_writing_conf
        condition: ((proc.name in (update-haproxy-,haproxy_reload.) or proc.pname in (update-haproxy-,haproxy_reload,haproxy_reload.))
                     and (fd.name=/etc/openvpn/client.map or fd.name startswith /etc/haproxy))
      - macro: java_writing_conf
        condition: (proc.name=java and fd.name=/etc/.java/.systemPrefs/.system.lock)
      - macro: rabbitmq_writing_conf
        condition: (proc.name=rabbitmq-server and fd.directory=/etc/rabbitmq)
      - macro: rook_writing_conf
        condition: (proc.name=toolbox.sh and container.image startswith rook/toolbox
                    and fd.directory=/etc/ceph)
      - macro: httpd_writing_conf_logs
        condition: (proc.name=httpd and fd.name startswith /etc/httpd/)
      - macro: mysql_writing_conf
        condition: >
          ((proc.name in (start-mysql.sh, run-mysqld) or proc.pname=start-mysql.sh) and
           (fd.name startswith /etc/mysql or fd.directory=/etc/my.cnf.d))
      - macro: redis_writing_conf
        condition: >
          (proc.name in (run-redis, redis-launcher.) and fd.name=/etc/redis.conf or fd.name startswith /etc/redis)
      - macro: openvpn_writing_conf
        condition: (proc.name in (openvpn,openvpn-entrypo) and fd.name startswith /etc/openvpn)
      - macro: php_handlers_writing_conf
        condition: (proc.name=php_handlers_co and fd.name=/etc/psa/php_versions.json)
      - macro: sed_writing_temp_file
        condition: >
          ((proc.aname[3]=cron_start.sh and fd.name startswith /etc/security/sed) or
           (proc.name=sed and (fd.name startswith /etc/apt/sources.list.d/sed or
                               fd.name startswith /etc/apt/sed or
                               fd.name startswith /etc/apt/apt.conf.d/sed)))
      - macro: cron_start_writing_pam_env
        condition: (proc.cmdline="bash /usr/sbin/start-cron" and fd.name=/etc/security/pam_env.conf)
      - macro: dpkg_scripting
        condition: (proc.aname[2] in (dpkg-reconfigur, dpkg-preconfigu))
      - macro: user_known_write_etc_conditions
        condition: proc.name=confd
      - macro: write_etc_common
        condition: >
          etc_dir and evt.dir = < and open_write
          and proc_name_exists
          and not proc.name in (passwd_binaries, shadowutils_binaries, sysdigcloud_binaries,
                                package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries,
                                dev_creation_binaries, shell_mgmt_binaries,
                                mail_config_binaries,
                                sshkit_script_binaries,
                                ldconfig.real, ldconfig, confd, gpg, insserv,
                                apparmor_parser, update-mime, tzdata.config, tzdata.postinst,
                                systemd, systemd-machine, systemd-sysuser,
                                debconf-show, rollerd, bind9.postinst, sv,
                                gen_resolvconf., update-ca-certi, certbot, runsv,
                                qualys-cloud-ag, locales.postins, nomachine_binaries,
                                adclient, certutil, crlutil, pam-auth-update, parallels_insta,
                                openshift-launc, update-rc.d)
          and not proc.pname in (sysdigcloud_binaries, mail_config_binaries, hddtemp.postins, sshkit_script_binaries, locales.postins, deb_binaries, dhcp_binaries)
          and not fd.name pmatch (safe_etc_dirs)
          and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc)
          and not sed_temporary_file
          and not exe_running_docker_save
          and not ansible_running_python
          and not python_running_denyhosts
          and not fluentd_writing_conf_files
          and not user_known_write_etc_conditions
          and not run_by_centrify
          and not run_by_adclient
          and not qualys_writing_conf_files
          and not git_writing_nssdb
          and not plesk_writing_keys
          and not plesk_install_writing_apache_conf
          and not plesk_running_mktemp
          and not networkmanager_writing_resolv_conf
          and not run_by_chef
          and not add_shell_writing_shells_tmp
          and not duply_writing_exclude_files
          and not xmlcatalog_writing_files
          and not parent_supervise_running_multilog
          and not supervise_writing_status
          and not pki_realm_writing_realms
          and not htpasswd_writing_passwd
          and not lvprogs_writing_conf
          and not ovsdb_writing_openvswitch
          and not datadog_writing_conf
          and not curl_writing_pki_db
          and not haproxy_writing_conf
          and not java_writing_conf
          and not dpkg_scripting
          and not parent_ucf_writing_conf
          and not rabbitmq_writing_conf
          and not rook_writing_conf
          and not php_handlers_writing_conf
          and not sed_writing_temp_file
          and not cron_start_writing_pam_env
          and not httpd_writing_conf_logs
          and not mysql_writing_conf
          and not openvpn_writing_conf
          and not consul_template_writing_conf
          and not countly_writing_nginx_conf
          and not ms_oms_writing_conf
          and not ms_scx_writing_conf
          and not azure_scripts_writing_conf
          and not azure_networkwatcher_writing_conf
          and not couchdb_writing_conf
          and not update_texmf_writing_conf
          and not slapadd_writing_conf
          and not symantec_writing_conf
          and not liveupdate_writing_conf
          and not sosreport_writing_files
          and not selinux_writing_conf
          and not veritas_writing_config
          and not nginx_writing_conf
          and not nginx_writing_certs
          and not chef_client_writing_conf
          and not centrify_writing_krb
          and not cockpit_writing_conf
          and not ipsec_writing_conf
          and not httpd_writing_ssl_conf
          and not userhelper_writing_etc_security
          and not pkgmgmt_progs_writing_pki
          and not update_ca_trust_writing_pki
          and not brandbot_writing_os_release
          and not redis_writing_conf
          and not openldap_writing_conf
          and not ucpagent_writing_conf
          and not iscsi_writing_conf
      - rule: Write below etc
        desc: an attempt to write to any file below /etc
        condition: write_etc_common
        output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])"
        priority: ERROR
        tags: [filesystem]
      - list: known_root_files
        items: [/root/.monit.state, /root/.auth_tokens, /root/.bash_history, /root/.ash_history, /root/.aws/credentials,
                /root/.viminfo.tmp, /root/.lesshst, /root/.bzr.log, /root/.gitconfig.lock, /root/.babel.json, /root/.localstack,
                /root/.node_repl_history, /root/.mongorc.js, /root/.dbshell, /root/.augeas/history, /root/.rnd, /root/.wget-hsts]
      - list: known_root_directories
        items: [/root/.oracle_jre_usage, /root/.ssh, /root/.subversion, /root/.nami]
      - macro: known_root_conditions
        condition: (fd.name startswith /root/orcexec.
                    or fd.name startswith /root/.m2
                    or fd.name startswith /root/.npm
                    or fd.name startswith /root/.pki
                    or fd.name startswith /root/.ivy2
                    or fd.name startswith /root/.config/Cypress
                    or fd.name startswith /root/.config/pulse
                    or fd.name startswith /root/.config/configstore
                    or fd.name startswith /root/jenkins/workspace
                    or fd.name startswith /root/.jenkins
                    or fd.name startswith /root/.cache
                    or fd.name startswith /root/.sbt
                    or fd.name startswith /root/.java
                    or fd.name startswith /root/.glide
                    or fd.name startswith /root/.sonar
                    or fd.name startswith /root/.v8flag
                    or fd.name startswith /root/infaagent
                    or fd.name startswith /root/.local/lib/python
                    or fd.name startswith /root/.pm2
                    or fd.name startswith /root/.gnupg
                    or fd.name startswith /root/.pgpass
                    or fd.name startswith /root/.theano
                    or fd.name startswith /root/.gradle
                    or fd.name startswith /root/.android
                    or fd.name startswith /root/.ansible
                    or fd.name startswith /root/.crashlytics
                    or fd.name startswith /root/.dbus
                    or fd.name startswith /root/.composer
                    or fd.name startswith /root/.gconf
                    or fd.name startswith /root/.nv
                    or fd.name startswith /root/.local/share/jupyter
                    or fd.name startswith /root/oradiag_root
                    or fd.name startswith /root/workspace
                    or fd.name startswith /root/jvm
                    or fd.name startswith /root/.node-gyp)
      - rule: Write below root
        desc: an attempt to write to any file directly below / or /root
        condition: >
          root_dir and evt.dir = < and open_write
          and not fd.name in (known_root_files)
          and not fd.directory in (known_root_directories)
          and not exe_running_docker_save
          and not gugent_writing_guestagent_log
          and not dse_writing_tmp
          and not zap_writing_state
          and not airflow_writing_state
          and not rpm_writing_root_rpmdb
          and not maven_writing_groovy
          and not known_root_conditions
        output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name)"
        priority: ERROR
        tags: [filesystem]
      - macro: cmp_cp_by_passwd
        condition: proc.name in (cmp, cp) and proc.pname in (passwd, run-parts)
      - rule: Read sensitive file trusted after startup
        desc: >
          an attempt to read any sensitive file (e.g. files containing user/password/authentication
          information) by a trusted program after startup. Trusted programs might read these files
          at startup to load initial state, but not afterwards.
        condition: sensitive_files and open_read and server_procs and not proc_is_new and proc.name!="sshd"
        output: >
          Sensitive file opened for reading by trusted program after startup (user=%user.name
          command=%proc.cmdline parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2])
        priority: WARNING
        tags: [filesystem]
      - list: read_sensitive_file_binaries
        items: [
          iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd,
          vsftpd, systemd, mysql_install_d, psql, screen, debconf-show, sa-update,
          pam-auth-update, pam-config, /usr/sbin/spamd, polkit-agent-he, lsattr, file, sosreport,
          scxcimservera, adclient, rtvscand, cockpit-session, userhelper, ossec-syscheckd
          ]
      - macro: user_read_sensitive_file_conditions
        condition: cmp_cp_by_passwd
      - rule: Read sensitive file untrusted
        desc: >
          an attempt to read any sensitive file (e.g. files containing user/password/authentication
          information). Exceptions are made for known trusted programs.
        condition: >
          sensitive_files and open_read
          and proc_name_exists
          and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries,
           cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries,
           vpn_binaries, mail_config_binaries, nomachine_binaries, sshkit_script_binaries,
           in.proftpd, mandb, salt-minion, postgres_mgmt_binaries)
          and not cmp_cp_by_passwd
          and not ansible_running_python
          and not proc.cmdline contains /usr/bin/mandb
          and not run_by_qualys
          and not run_by_chef
          and not user_read_sensitive_file_conditions
          and not perl_running_plesk
          and not perl_running_updmap
          and not veritas_driver_script
          and not perl_running_centrifydc
        output: >
          Sensitive file opened for reading by non-trusted program (user=%user.name program=%proc.name
          command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
        priority: WARNING
        tags: [filesystem]
      - rule: Write below rpm database
        desc: an attempt to write to the rpm database by any non-rpm related program
        condition: fd.name startswith /var/lib/rpm and open_write and not rpm_procs and not ansible_running_python and not python_running_chef
        output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline)"
        priority: ERROR
        tags: [filesystem, software_mgmt]
      - macro: postgres_running_wal_e
        condition: (proc.pname=postgres and proc.cmdline startswith "sh -c envdir /etc/wal-e.d/env /usr/local/bin/wal-e")
      - macro: redis_running_prepost_scripts
        condition: (proc.aname[2]=redis-server and (proc.cmdline contains "redis-server.post-up.d" or proc.cmdline contains "redis-server.pre-up.d"))
      - macro: rabbitmq_running_scripts
        condition: >
          (proc.pname=beam.smp and
          (proc.cmdline startswith "sh -c exec ps" or
           proc.cmdline startswith "sh -c exec inet_gethost" or
           proc.cmdline= "sh -s unix:cmd" or
           proc.cmdline= "sh -c exec /bin/sh -s unix:cmd 2>&1"))
      - macro: rabbitmqctl_running_scripts
        condition: (proc.aname[2]=rabbitmqctl and proc.cmdline startswith "sh -c ")
      - macro: run_by_appdynamics
        condition: (proc.pname=java and proc.pcmdline startswith "java -jar -Dappdynamics")
      - rule: DB program spawned process
        desc: >
          a database-server related program spawned a new process other than itself.
          This shouldn\'t occur and is a follow on from some SQL injection attacks.
        condition: >
          proc.pname in (db_server_binaries)
          and spawned_process
          and not proc.name in (db_server_binaries)
          and not postgres_running_wal_e
        output: >
          Database-related program spawned process other than itself (user=%user.name
          program=%proc.cmdline parent=%proc.pname)
        priority: NOTICE
        tags: [process, database]
      - rule: Modify binary dirs
        desc: an attempt to modify any file below a set of binary directories.
        condition: (bin_dir_rename) and modify and not package_mgmt_procs and not exe_running_docker_save
        output: >
          File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline
          pcmdline=%proc.pcmdline operation=%evt.type file=%fd.name %evt.args)
        priority: ERROR
        tags: [filesystem]
      - rule: Mkdir binary dirs
        desc: an attempt to create a directory below a set of binary directories.
        condition: mkdir and bin_dir_mkdir and not package_mgmt_procs
        output: >
          Directory below known binary directory created (user=%user.name
          command=%proc.cmdline directory=%evt.arg.path)
        priority: ERROR
        tags: [filesystem]
      - list: user_known_change_thread_namespace_binaries
        items: []
      - rule: Change thread namespace
        desc: >
          an attempt to change a program/thread\'s namespace (commonly done
          as a part of creating a container) by calling setns.
        condition: >
          evt.type = setns
          and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, sysdig, nsenter)
          and not proc.name in (user_known_change_thread_namespace_binaries)
          and not proc.name startswith "runc:"
          and not proc.pname in (sysdigcloud_binaries)
          and not java_running_sdjagent
          and not kubelet_running_loopback
        output: >
          Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline
          parent=%proc.pname %container.info)
        priority: NOTICE
        tags: [process]
      - list: protected_shell_spawning_binaries
        items: [
          http_server_binaries, db_server_binaries, nosql_server_binaries, mail_binaries,
          fluentd, flanneld, splunkd, consul, smbd, runsv, PM2
          ]
      - macro: parent_java_running_zookeeper
        condition: (proc.pname=java and proc.pcmdline contains org.apache.zookeeper.server)
      - macro: parent_java_running_kafka
        condition: (proc.pname=java and proc.pcmdline contains kafka.Kafka)
      - macro: parent_java_running_elasticsearch
        condition: (proc.pname=java and proc.pcmdline contains org.elasticsearch.bootstrap.Elasticsearch)
      - macro: parent_java_running_activemq
        condition: (proc.pname=java and proc.pcmdline contains activemq.jar)
      - macro: parent_java_running_cassandra
        condition: (proc.pname=java and (proc.pcmdline contains "-Dcassandra.config.loader" or proc.pcmdline contains org.apache.cassandra.service.CassandraDaemon))
      - macro: parent_java_running_jboss_wildfly
        condition: (proc.pname=java and proc.pcmdline contains org.jboss)
      - macro: parent_java_running_glassfish
        condition: (proc.pname=java and proc.pcmdline contains com.sun.enterprise.glassfish)
      - macro: parent_java_running_hadoop
        condition: (proc.pname=java and proc.pcmdline contains org.apache.hadoop)
      - macro: parent_java_running_datastax
        condition: (proc.pname=java and proc.pcmdline contains com.datastax)
      - macro: nginx_starting_nginx
        condition: (proc.pname=nginx and proc.cmdline contains "/usr/sbin/nginx -c /etc/nginx/nginx.conf")
      - macro: nginx_running_aws_s3_cp
        condition: (proc.pname=nginx and proc.cmdline startswith "sh -c /usr/local/bin/aws s3 cp")
      - macro: consul_running_net_scripts
        condition: (proc.pname=consul and (proc.cmdline startswith "sh -c curl" or proc.cmdline startswith "sh -c nc"))
      - macro: consul_running_alert_checks
        condition: (proc.pname=consul and proc.cmdline startswith "sh -c /bin/consul-alerts")
      - macro: serf_script
        condition: (proc.cmdline startswith "sh -c serf")
      - macro: check_process_status
        condition: (proc.cmdline startswith "sh -c kill -0 ")
      - macro: possibly_node_in_container
        condition: (never_true and (proc.pname=node and proc.aname[3]=docker-containe))
      - macro: possibly_parent_java_running_tomcat
        condition: (never_true and proc.pname=java and proc.pcmdline contains org.apache.catalina.startup.Bootstrap)
      - macro: protected_shell_spawner
        condition: >
          (proc.aname in (protected_shell_spawning_binaries)
          or parent_java_running_zookeeper
          or parent_java_running_kafka
          or parent_java_running_elasticsearch
          or parent_java_running_activemq
          or parent_java_running_cassandra
          or parent_java_running_jboss_wildfly
          or parent_java_running_glassfish
          or parent_java_running_hadoop
          or parent_java_running_datastax
          or possibly_parent_java_running_tomcat
          or possibly_node_in_container)
      - list: mesos_shell_binaries
        items: [mesos-docker-ex, mesos-slave, mesos-health-ch]
      - rule: Run shell untrusted
        desc: an attempt to spawn a shell below a non-shell application. Specific applications are monitored.
        condition: >
          spawned_process
          and shell_procs
          and proc.pname exists
          and protected_shell_spawner
          and not proc.pname in (shell_binaries, gitlab_binaries, cron_binaries, user_known_shell_spawn_binaries,
                                 needrestart_binaries,
                                 mesos_shell_binaries,
                                 erl_child_setup, exechealthz,
                                 PM2, PassengerWatchd, c_rehash, svlogd, logrotate, hhvm, serf,
                                 lb-controller, nvidia-installe, runsv, statsite, erlexec)
          and not proc.cmdline in (known_shell_spawn_cmdlines)
          and not proc.aname in (unicorn_launche)
          and not consul_running_net_scripts
          and not consul_running_alert_checks
          and not nginx_starting_nginx
          and not nginx_running_aws_s3_cp
          and not run_by_package_mgmt_binaries
          and not serf_script
          and not check_process_status
          and not run_by_foreman
          and not python_mesos_marathon_scripting
          and not splunk_running_forwarder
          and not postgres_running_wal_e
          and not redis_running_prepost_scripts
          and not rabbitmq_running_scripts
          and not rabbitmqctl_running_scripts
          and not run_by_appdynamics
          and not user_shell_container_exclusions
        output: >
          Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname
          cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3]
          aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7])
        priority: DEBUG
        tags: [shell]
      - macro: trusted_containers
        condition: (container.image startswith sysdig/agent or
                    (container.image startswith sysdig/falco and
                     not container.image startswith sysdig/falco-event-generator) or
                    container.image startswith quay.io/sysdig or
                    container.image startswith sysdig/sysdig or
                    container.image startswith gcr.io/google_containers/hyperkube or
                    container.image startswith quay.io/coreos/flannel or
                    container.image startswith gcr.io/google_containers/kube-proxy or
                    container.image startswith calico/node or
                    container.image startswith rook/toolbox or
                    container.image startswith registry.access.redhat.com/openshift3/logging-fluentd or
                    container.image startswith registry.access.redhat.com/openshift3/logging-elasticsearch or
                    container.image startswith registry.access.redhat.com/openshift3/metrics-cassandra or
                    container.image startswith openshift3/ose-sti-builder or
                    container.image startswith registry.access.redhat.com/openshift3/ose-sti-builder or
                    container.image startswith registry.access.redhat.com/openshift3/ose-docker-builder or
                    container.image startswith registry.access.redhat.com/openshift3/image-inspector or
                    container.image startswith cloudnativelabs/kube-router or
                    container.image startswith "consul:" or
                    container.image startswith mesosphere/mesos-slave or
                    container.image startswith istio/proxy_ or
                    container.image startswith datadog/docker-dd-agent or
                    container.image startswith datadog/agent or
                    container.image startswith docker/ucp-agent or
                    container.image startswith gliderlabs/logspout)
      - macro: user_trusted_containers
        condition: (container.image startswith sysdig/agent)
      - macro: user_sensitive_mount_containers
        condition: (container.image startswith sysdig/agent)
      - rule: Launch Privileged Container
        desc: Detect the initial process started in a privileged container. Exceptions are made for known trusted images.
        condition: >
          evt.type=execve and proc.vpid=1 and container
          and container.privileged=true
          and not trusted_containers
          and not user_trusted_containers
        output: Privileged container started (user=%user.name command=%proc.cmdline %container.info image=%container.image)
        priority: INFO
        tags: [container, cis]
      - macro: sensitive_mount
        condition: (container.mount.dest[/proc*] != "N/A" or
                    container.mount.dest[/var/run/docker.sock] != "N/A" or
                    container.mount.dest[/] != "N/A" or
                    container.mount.dest[/etc] != "N/A" or
                    container.mount.dest[/root*] != "N/A")
      - macro: container_entrypoint
        condition: (not proc.pname exists or proc.pname in (runc:[0:PARENT], runc:[1:CHILD], docker-runc, exe))
      - rule: Launch Sensitive Mount Container
        desc: >
          Detect the initial process started by a container that has a mount from a sensitive host directory
          (i.e. /proc). Exceptions are made for known trusted images.
        condition: >
          evt.type=execve and proc.vpid=1 and container
          and sensitive_mount
          and not trusted_containers
          and not user_sensitive_mount_containers
        output: Container with sensitive mount started (user=%user.name command=%proc.cmdline %container.info image=%container.image mounts=%container.mounts)
        priority: INFO
        tags: [container, cis]
      - macro: allowed_containers
        condition: (proc.vpid=1)
      - rule: Launch Disallowed Container
        desc: >
          Detect the initial process started by a container that is not in a list of allowed containers.
        condition: evt.type=execve and proc.vpid=1 and container and not allowed_containers
        output: Container started and not in allowed list (user=%user.name command=%proc.cmdline %container.info image=%container.image)
        priority: WARNING
        tags: [container]
      - rule: System user interactive
        desc: an attempt to run interactive commands by a system (i.e. non-login) user
        condition: spawned_process and system_users and interactive
        output: "System user ran an interactive command (user=%user.name command=%proc.cmdline)"
        priority: INFO
        tags: [users]
      - rule: Terminal shell in container
        desc: A shell was used as the entrypoint/exec point into a container with an attached terminal.
        condition: >
          spawned_process and container
          and shell_procs and proc.tty != 0
          and container_entrypoint
        output: >
          A shell was spawned in a container with an attached terminal (user=%user.name %container.info
          shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty)
        priority: NOTICE
        tags: [container, shell]
      - list: known_shell_spawn_cmdlines
        items: [
          '"sh -c uname -p 2> /dev/null"',
          '"sh -c uname -s 2>&1"',
          '"sh -c uname -r 2>&1"',
          '"sh -c uname -v 2>&1"',
          '"sh -c uname -a 2>&1"',
          '"sh -c ruby -v 2>&1"',
          '"sh -c getconf CLK_TCK"',
          '"sh -c getconf PAGESIZE"',
          '"sh -c LC_ALL=C LANG=C /sbin/ldconfig -p 2>/dev/null"',
          '"sh -c LANG=C /sbin/ldconfig -p 2>/dev/null"',
          '"sh -c /sbin/ldconfig -p 2>/dev/null"',
          '"sh -c stty -a 2>/dev/null"',
          '"sh -c stty -a < /dev/tty"',
          '"sh -c stty -g < /dev/tty"',
          '"sh -c node index.js"',
          '"sh -c node index"',
          '"sh -c node ./src/start.js"',
          '"sh -c node app.js"',
          '"sh -c node -e \"require(''nan'')\""',
          '"sh -c node -e \"require(''nan'')\")"',
          '"sh -c node $NODE_DEBUG_OPTION index.js "',
          '"sh -c crontab -l 2"',
          '"sh -c lsb_release -a"',
          '"sh -c lsb_release -is 2>/dev/null"',
          '"sh -c whoami"',
          '"sh -c node_modules/.bin/bower-installer"',
          '"sh -c /bin/hostname -f 2> /dev/null"',
          '"sh -c locale -a"',
          '"sh -c  -t -i"',
          '"sh -c openssl version"',
          '"bash -c id -Gn kafadmin"',
          '"sh -c /bin/sh -c ''date +%%s''"'
          ]
      - list: user_known_shell_spawn_binaries
        items: []
      - macro: user_shell_container_exclusions
        condition: (never_true)
      - macro: login_doing_dns_lookup
        condition: (proc.name=login and fd.l4proto=udp and fd.sport=53)
      - rule: System procs network activity
        desc: any network activity performed by system binaries that are not expected to send or receive any network traffic
        condition: >
          (fd.sockfamily = ip and system_procs)
          and (inbound_outbound)
          and not proc.name in (systemd, hostid, id)
          and not login_doing_dns_lookup
        output: >
          Known system binary sent/received network traffic
          (user=%user.name command=%proc.cmdline connection=%fd.name)
        priority: NOTICE
        tags: [network]
      - list: openvpn_udp_ports
        items: [1194, 1197, 1198, 8080, 9201]
      - list: l2tp_udp_ports
        items: [500, 1701, 4500, 10000]
      - list: statsd_ports
        items: [8125]
      - list: ntp_ports
        items: [123]
      - list: test_connect_ports
        items: [0, 9, 80, 3306]
      - macro: do_unexpected_udp_check
        condition: (never_true)
      - list: expected_udp_ports
        items: [53, openvpn_udp_ports, l2tp_udp_ports, statsd_ports, ntp_ports, test_connect_ports]
      - macro: expected_udp_traffic
        condition: fd.port in (expected_udp_ports)
      - rule: Unexpected UDP Traffic
        desc: UDP traffic not on port 53 (DNS) or other commonly used ports
        condition: (inbound_outbound) and do_unexpected_udp_check and fd.l4proto=udp and not expected_udp_traffic
        output: >
          Unexpected UDP Traffic Seen
          (user=%user.name command=%proc.cmdline connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args)
        priority: NOTICE
        tags: [network]
      - macro: somebody_becoming_themself
        condition: ((user.name=nobody and evt.arg.uid=nobody) or
                    (user.name=www-data and evt.arg.uid=www-data) or
                    (user.name=_apt and evt.arg.uid=_apt) or
                    (user.name=postfix and evt.arg.uid=postfix) or
                    (user.name=pki-agent and evt.arg.uid=pki-agent) or
                    (user.name=pki-acme and evt.arg.uid=pki-acme) or
                    (user.name=nfsnobody and evt.arg.uid=nfsnobody) or
                    (user.name=postgres and evt.arg.uid=postgres))
      - macro: nrpe_becoming_nagios
        condition: (proc.name=nrpe and evt.arg.uid=nagios)
      - macro: known_user_in_container
        condition: (container and user.name != "N/A")
      - rule: Non sudo setuid
        desc: >
          an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody"
          suing to itself are also excluded, as setuid calls typically involve dropping privileges.
        condition: >
          evt.type=setuid and evt.dir=>
          and (known_user_in_container or not container)
          and not user.name=root and not somebody_becoming_themself
          and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
                                nomachine_binaries)
          and not java_running_sdjagent
          and not nrpe_becoming_nagios
        output: >
          Unexpected setuid call by non-sudo, non-root program (user=%user.name cur_uid=%user.uid parent=%proc.pname
          command=%proc.cmdline uid=%evt.arg.uid)
        priority: NOTICE
        tags: [users]
      - rule: User mgmt binaries
        desc: >
          activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded.
          Activity in containers is also excluded--some containers create custom users on top
          of a base linux distribution at startup.
          Some innocuous commandlines that don't actually change anything are excluded.
        condition: >
          spawned_process and proc.name in (user_mgmt_binaries) and
          not proc.name in (su, sudo, lastlog, nologin, unix_chkpwd) and not container and
          not proc.pname in (cron_binaries, systemd, systemd.postins, udev.postinst, run-parts) and
          not proc.cmdline startswith "passwd -S" and
          not proc.cmdline startswith "useradd -D" and
          not proc.cmdline startswith "systemd --version" and
          not run_by_qualys and
          not run_by_sumologic_securefiles and
          not run_by_yum and
          not run_by_ms_oms and
          not run_by_google_accounts_daemon
        output: >
          User management binary command run outside of container
          (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
        priority: NOTICE
        tags: [host, users]
      - list: allowed_dev_files
        items: [
          /dev/null, /dev/stdin, /dev/stdout, /dev/stderr,
          /dev/random, /dev/urandom, /dev/console, /dev/kmsg
          ]
      - rule: Create files below dev
        desc: creating any files below /dev other than known programs that manage devices. Some rootkits hide files in /dev.
        condition: >
          fd.directory = /dev and
          (evt.type = creat or (evt.type = open and evt.arg.flags contains O_CREAT))
          and not proc.name in (dev_creation_binaries)
          and not fd.name in (allowed_dev_files)
          and not fd.name startswith /dev/tty
        output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name)"
        priority: ERROR
        tags: [filesystem]
      - macro: ec2_metadata_containers
        condition: container
      - rule: Contact EC2 Instance Metadata Service From Container
        desc: Detect attempts to contact the EC2 Instance Metadata Service from a container
        condition: outbound and fd.sip="169.254.169.254" and container and not ec2_metadata_containers
        output: Outbound connection to EC2 instance metadata service (command=%proc.cmdline connection=%fd.name %container.info image=%container.image)
        priority: NOTICE
        tags: [network, aws, container]
      - macro: k8s_api_server
        condition: (fd.sip="1.2.3.4" and fd.sport=8080)
      - macro: k8s_containers
        condition: >
          (container.image startswith gcr.io/google_containers/hyperkube-amd64 or
           container.image startswith gcr.io/google_containers/kube2sky or
           container.image startswith sysdig/agent or
           container.image startswith sysdig/falco or
           container.image startswith sysdig/sysdig)
      - rule: Contact K8S API Server From Container
        desc: Detect attempts to contact the K8S API Server from a container
        condition: outbound and k8s_api_server and container and not k8s_containers
        output: Unexpected connection to K8s API Server from container (command=%proc.cmdline %container.info image=%container.image connection=%fd.name)
        priority: NOTICE
        tags: [network, k8s, container]
      - macro: nodeport_containers
        condition: container
      - rule: Unexpected K8s NodePort Connection
        desc: Detect attempts to use K8s NodePorts from a container
        condition: (inbound_outbound) and fd.sport >= 30000 and fd.sport <= 32767 and container and not nodeport_containers
        output: Unexpected K8s NodePort Connection (command=%proc.cmdline connection=%fd.name)
        priority: NOTICE
        tags: [network, k8s, container]

    falco_rules_local: |
      ####################
      # Your custom rules!
      ####################

      # Add new rules, like this one
      # - rule: The program "sudo" is run in a container
      #   desc: An event will trigger every time you run sudo in a container
      #   condition: evt.type = execve and evt.dir=< and container.id != host and proc.name = sudo
      #   output: "Sudo run in container (user=%user.name %container.info parent=%proc.pname cmdline=%proc.cmdline)"
      #   priority: ERROR
      #   tags: [users, container]

      # Or override/append to any rule, macro, or list from the Default Rules
    custom_rules: {}
      # Although Falco comes with a nice default rule set for detecting weird
      # behavior in containers, our users are going to customize the run-time
      # security rule sets or policies for the specific container images and
      # applications they run. This feature can be handled in this section.
      #
      # Example:
      #
      # rules-traefik.yaml: |-
      #   [ rule body ]

dependencies:
  dynamic:
    common:
      local_image_registry:
        jobs:
          - k8sksauth-image-repo-sync
        services:
          - endpoint: node
            service: local_image_registry
  static:
    falco:
      services: null
    image_repo_sync:
      services:
        - endpoint: internal
          service: local_image_registry

manifests:
  daemonset: true
  configmap_etc: true
  configmap_custom_rules: false
  configmap_bin: true