Sysdig Platform CLI - Rules
This section explains concepts and notations in the set of the Secure Rules commands provided.
Usage
The Rules section contains the following subcommands:
sdc-cli policy rule --help
Usage: sdc-cli policy rule [OPTIONS] COMMAND [ARGS]...
Options:
--help Show this message and exit.
Commands:
add-container Add a container rule
add-falco Add a falco rule
add-file Add a file system rule
add-network Add a network rule
add-process Add a process rule
add-syscall Add a syscall rule
del Delete rules
get Get rule
list List all rules
update Update rule
List all the existing rules
You can list all the existing rules with:
$ sdc-cli policy rule list
ids name ruleType
[80] All K8s Audit Events FALCO
[56] Anonymous Request Allowed FALCO
[62] Attach to cluster-admin Role FALCO
[57] Attach/Exec Pod FALCO
[19] Change thread namespace FALCO
[42] Clear Log Activities FALCO
Retrieve details of a rule
You can retrieve more information from a rule by name or ID by executing:
$ sdc-cli policy rule get 80
id: 80
name: All K8s Audit Events
description: Match all K8s Audit Events
details:
{
"ruleType": "FALCO",
"condition": {
"condition": "kall"
},
"output": "K8s Audit Event received (user=%ka.user.name verb=%ka.verb uri=%ka.uri obj=%jevt.obj)",
"priority": "DEBUG",
"source": "k8s_audit",
"append": false
}
tags: ['k8s']
filename: k8s_audit_rules.yaml
Add a rule
Container rule
The container rules identify events from container engines to identify new images being executed.
$ sdc-cli policy rule add-container --help
Usage: sdc-cli policy rule add-container [OPTIONS] NAME DESCRIPTION
NAME: the name of the new rule.
DESCRIPTION: Description of rule
Options:
--not-matching The rule matches if the container does not match any of
the items in the list.
--container TEXT
--tag TEXT A rule tag.
--help Show this message and exit.
For example, if you want to blacklist cassandra:latest from your clusters, you could create a rule based on the
container image:
$ sdc-cli policy rule add-container \
--container cassandra:latest \
'Cassandra being run' \
'Detects cassandra:latest being run in the cluster'
id: 15505
name: Cassandra being run
description: Detects cassandra:latest being run in the cluster
details:
{
"ruleType": "CONTAINER",
"containers": {
"items": [
"cassandra:latest"
],
"matchItems": true
}
}
tags: []
filename: fast_engine_rules.yaml
File rules
File rules identify read or write access to files in defined paths:
$ sdc-cli policy rule add-file --help
Usage: sdc-cli policy rule add-file [OPTIONS] NAME DESCRIPTION
NAME: the name of the new rule.
DESCRIPTION: Description of rule
Options:
--rw-not-matching The rule matches if the read/write path does not match
any of the items in the list.
--rw-path TEXT read/write path
--ro-not-matching The rule matches if the read only path does not match any
of the items in the list.
--ro-path TEXT read only path
--tag TEXT A rule tag.
--help Show this message and exit.
For example, if you want to identify that a file is being open for write access under /bin, probably an
attacker is trying to modify our binaries, so we could create a rule based on that:
$ sdc-cli policy rule add-file \
--rw-path /bin \
'Opened a file with write access under /bin' \
'A file has been opened with write access under the /bin path'
id: 15507
name: Opened a file with write access under /bin
description: A file has been opened with write access under the /bin path
details:
{
"ruleType": "FILESYSTEM",
"readWritePaths": {
"items": [
"/bin"
],
"matchItems": true
},
"readPaths": {
"items": [],
"matchItems": true
}
}
tags: []
filename: fast_engine_rules.yaml
Network rules
Network rules identify events happening in the network:
$ sdc-cli policy rule add-network --help
Usage: sdc-cli policy rule add-network [OPTIONS] NAME DESCRIPTION
NAME: the name of the new rule.
DESCRIPTION: Description of rule
Options:
--inbound-deny If set all inbound connection attempts match this rule
--outbound-deny If set all outbound connection attempts match this rule
--tcp-not-matching The rule matches if the tcp port does not match any of
the items in the list.
--tcp-port TEXT tcp port
--udp-not-matching The rule matches if the udp port does not match any of
the items in the list.
--udp-port TEXT udp port
--tag TEXT A rule tag.
--help Show this message and exit.
Let’s say you want to block all incoming connections, and allow outbound only to 443 ports:
$ sdc-cli policy rule add-network \
--inbound-deny \
--tcp-port 443 \
'Not allowed connection detected' \
'A new detection not allowed has been detected'
id: 15508
name: Not allowed connection detected
description: A new detection not allowed has been detected
details:
{
"ruleType": "NETWORK",
"allInbound": true,
"allOutbound": false,
"tcpListenPorts": {
"items": [
"443"
],
"matchItems": true
},
"udpListenPorts": {
"items": [],
"matchItems": true
}
}
tags: []
filename: fast_engine_rules.yaml
Process rules
Process rules can detect new processes by name being executed:
$ sdc-cli policy rule add-process --help
Usage: sdc-cli policy rule add-process [OPTIONS] NAME DESCRIPTION
NAME: the name of the new rule.
DESCRIPTION: Description of rule
Options:
--not-matching The rule matches if the process does not match any of the
items in the list.
--process TEXT
--tag TEXT A rule tag.
--help Show this message and exit.
For example, if you want to detect a netcat running in your infrastructure, you could create a rule based on that:
$ sdc-cli policy rule add-process \
--process netcat \
--process nc \
--process ncat \
'Netcat process detected' \
'The netcat process execution has been detected'
id: 15509
name: Netcat process detected
description: The netcat process execution has been detected
details:
{
"ruleType": "PROCESS",
"processes": {
"items": [
"netcat",
"nc",
"ncat"
],
"matchItems": true
}
}
tags: []
filename: fast_engine_rules.yaml
Syscall rules
Syscall rules detect single system calls being executed in the infrastructure by any process.
$ sdc-cli policy rule add-syscall --help
Usage: sdc-cli policy rule add-syscall [OPTIONS] NAME DESCRIPTION
NAME: the name of the new rule.
DESCRIPTION: Description of rule
Options:
--not-matching The rule matches if the syscall does not match any of the
items in the list.
--syscall TEXT
--tag TEXT A rule tag.
--help Show this message and exit.
For example if we want to trigger a rule based on execve system calls, you can create a rule like:
$ sdc-cli policy rule add-syscall \
--syscall execve \
'Syscall detected: execve' \
'The execve syscall has been detected'
id: 15510
name: Syscall detected: execve
description: The execve syscall has been detected
details:
{
"ruleType": "SYSCALL",
"syscalls": {
"items": [
"execve"
],
"matchItems": true
}
}
tags: []
filename: fast_engine_rules.yaml
Falco rules
Falco rules are based on the Falco open source runtime security tool. These rules are the most flexible ones, and can detect everything detected by the previous rule kinds. Falco can consume events from different sources, and apply rules to these events to detect abnormal behavior. Currently Falco supports the following event sources:
| Source | Ingestion method |
|---|---|
| syscall | Ingests from the System calls of the host, instrumented by an agent |
| k8s_audit | Ingests from the K8s Audit Logs, receives events via HTTP from K8s itself |
The rule condition must follow the Falco syntax language and if it references macros or lists, those must exist in Secure first.
$ sdc-cli policy rule add-falco --help
Usage: sdc-cli policy rule add-falco [OPTIONS] NAME DESCRIPTION
NAME: the name of the new rule.
DESCRIPTION: Description of rule
Options:
--condition TEXT the full condition text exactly as represented in the yaml
file
--output TEXT A string describing the output string to generate when
this rule matches an event. Should exactly match the
output property of the rule's output field
--priority TEXT The falco rule's priority. This is only included so the
resulting rule can be converted back to yaml easily. For
the purposes of policy events, the policy's severity
should be used instead of this value. [ emergency, alert,
critical, error, warning, notice, informational, debug ]
--source TEXT The kinds of events this rule should run on. Note that
this is different that the file containing the rule. This
is naming an event source. [ k8s_audit, syscall ]
--tag TEXT A rule tag.
--help Show this message and exit.
For example, if you want to create a rule that a process is writing under /etc overwriting some configuration
file, you could create a rule with a condition like: open_write and fd.directory in (/etc).
$ sdc-cli policy rule add-falco \
--condition 'open_write and fd.directory in (/etc)' \
--source syscall \
--output 'a program opened a file for write under a config path (name=%proc.name file=%fd.name)' \
'Detected write under /etc' \
'There was a file opened with write access under a configuration path'
id: 15506
name: Detected write under /etc
description: There was a file opened with write access under a configuration path
details:
{
"ruleType": "FALCO",
"condition": {
"condition": "open_write and fd.directory in (/etc)",
"components": []
},
"output": "a program opened a file for write under a config path (name=%proc.name file=%fd.name)",
"priority": "WARNING",
"source": "syscall",
"append": false
}
tags: []
filename: falco_rules_local.yaml