mstemm

# Run these commands to get juttle-engine, the juttle development environment, and run some example programs.
# Full instructions: https://github.com/juttle/juttle-engine/blob/master/examples/README.md
# More info: https://github.com/juttle/juttle-engine, https://github.com/juttle/juttle

git clone https://github.com/juttle/juttle-engine
cd juttle-engine/examples && docker-compose -f dc-juttle-engine.yml -f elastic-newstracker/dc-elastic.yml -f cadvisor-influx/dc-cadvisor-influx.yml -f aws-cloudwatch/dc-aws-cloudwatch.yml up -d
DOCKER_MACHINE_HOST=`docker-machine ip default` && open http://$DOCKER_MACHINE_HOST:8080/?path=/examples/index.juttle

mstemm

- rule: File Open by Privileged Container
  desc: Any open by a privileged container. Exceptions are made for known trusted images.
  condition: (open_read or open_write) and container and container.privileged=true and not trusted_containers
  output: File opened for read/write by non-privileged container (user=%user.name command=%proc.cmdline %container.info file=%fd.name)
  priority: WARNING

- macro: sensitive_mount
  condition: (container.mount.dest[/proc*] != "N/A")

- rule: Sensitive Mount by Container

mstemm

#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>


int main(int argc, char **argv)
{

mstemm

#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <assert.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include "seccomp-bpf.h"

void install_syscall_filter()

mstemm

# From /etc/apparmor.d/usr.sbin.tcpdump on Ubuntu 9.04 and https://wiki.ubuntu.com/AppArmor#Example_profile

#include <tunables/global>

/usr/sbin/tcpdump {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  capability net_raw,

mstemm

# Alert whenever anyone performs the mount() system call.
-a always,exit -S mount

# Alert whenever anyone performs an unlink() for a file below /usr/bin
-a always,exit -S unlink -S unlinkat -F dir=/usr/bin -F success=1

# Watch all activity related to /etc/shadow
# -k puts this rule and the following rule in a group
-w /etc/shadow -p wa -k passwd_mgmt

mstemm

- macro: bin_dir
  condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
  
- macro: open_write
  condition: (evt.type=open or evt.type=openat) and evt.is_open_write=true and fd.typechar='f'
    
- macro: package_mgmt_binaries
  items: [dpkg, dpkg-preconfigu, rpm, rpmkey, yum, frontend]

- rule: Write below binary dir

mstemm

- rule: raw_network_socket
  desc: an attempt to open a raw network socket by an unexpected program
  condition: evt.type=socket and evt.dir=> and evt.arg.domain=AF_PACKET and not proc.name=tcpdump
  output: Raw network socket opened by unexpected program (user=%user.name command=%proc.cmdline domain=%evt.arg.domain)
  priority: WARNING

mstemm

#############
# Definitions
#############

# File actions


# Currently disabled as read/write are ignored syscalls. The nearly
# similar open_write/open_read check for files being opened for
# reading/writing.

mstemm

#############
# Definitions
#############

# File actions


# Currently disabled as read/write are ignored syscalls. The nearly
# similar open_write/open_read check for files being opened for
# reading/writing.