Update python script to support rapid response (#207)

0snug0 · web-flow · commit 527fd40424ca · 2022-05-24T07:19:26.000+02:00
diff --git a/fixtures/custom_rules.yaml b/fixtures/custom_rules.yaml
@@ -0,0 +1,260 @@
+####################
+# Your custom rules!
+####################
+
+# Add new rules, like this one
+# - rule: A shell is run in a container
+#   desc: An event will trigger every time you run a shell in a container
+#   condition: evt.type = execve and evt.dir=< and container.id != host and proc.name = bash
+#   output: "Suspect shell run in container (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
+#   priority: ERROR
+#   tags: [shell]
+
+# Or override any rule, macro, or list from the Default Rules
+---
+- macro: "user_known_network_tool_client_container"
+  condition: "container.image.repository=\"bbcdocker/go-synapse\" or container.image.repository=\"\
+    strimzi/kafka\" or container.image.repository=\"landoop/fast-data-dev\""
+  append: false
+
+- rule: "Launch Suspicious Network Tool in Container"
+  condition: "and not user_known_network_tool_client_container"
+  tags: []
+  append: true
+
+- rule: "Java app run shell untrusted"
+  desc: "an attempt to spawn a shell below a Java application."
+  condition: "spawned_process and shell_procs and proc.pname exists and proc.pname=java\n"
+  output: "Shell spawned by Java application (user=%user.name shell=%proc.name parent=%proc.pname\
+    \ cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3]\
+    \ aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7]\
+    \ container_id=%container.id image=%container.image.repository)\n"
+  priority: "ALERT"
+  tags:
+  - "shell"
+  - "mitre_execution"
+  source: "syscall"
+  append: false
+
+- rule: "The docker client is executed in a container"
+  desc: "Detect a k8s client tool executed inside a container"
+  condition: "spawned_process and container and not user_known_k8s_client_container\
+    \ and proc.name in (k8s_client_binaries)"
+  output: "Docker or kubernetes client executed in container (user=%user.name %container.info\
+    \ parent=%proc.pname cmdline=%proc.cmdline image=%container.image.repository:%container.image.tag\
+    \ podname=%k8s.pod.name)"
+  priority: "WARNING"
+  tags:
+  - "container"
+  - "mitre_execution"
+  append: false
+
+- macro: "user_read_sensitive_file_conditions"
+  condition: "or container.image.repository=\"sysdig/agent\" or (container.id=host\
+    \ and fd.name=/etc/pam.d/sshd and proc.name=grep)"
+  append: true
+
+- rule: "Root user interactive"
+  desc: "an attempt to run interactive commands by root user"
+  condition: "spawned_process and user.name=\"root\" and interactive"
+  output: "Root user ran an interactive command (user=%user.name command=%proc.cmdline\
+    \ container_id=%container.id image=%container.image.repository)"
+  priority: "INFO"
+  tags:
+  - "mitre_remote_access_tools"
+  - "users"
+  append: false
+
+- list: "user_known_hostnetwork_images"
+  items:
+  - "gke.gcr.io/kube-proxy"
+  - "gke.gcr.io/kube-proxy-amd64"
+  - "newrelic/infrastructure-k8s"
+  - "k8s.gcr.io/prometheus-to-sd"
+  - "docker.io/sysdig/agent"
+  - "gcr.io/stackdriver-agents/stackdriver-logging-agent"
+  - "newrelic/newrelic-fluentbit-output"
+  - "gcr.io/gke-release/gke-metrics-agent"
+  - "quay.io/prometheus/node-exporter"
+  append: false
+
+- rule: "Create HostNetwork Pod"
+  condition: "and not ka.req.pod.containers.image.repository intersects (user_known_hostnetwork_images)"
+  output: "Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace\
+    \ images=%ka.req.pod.containers.repository)"
+  tags: []
+  append: true
+
+- list: "user_known_privileged_images"
+  items:
+  - "gcr.io/google-containers/startup-script"
+  - "gke.gcr.io/kube-proxy-amd64"
+  - "newrelic/infrastructure-k8s"
+  - "docker.io/sysdig/node-image-analyzer"
+  append: false
+
+- rule: "Create Privileged Pod"
+  condition: "and not ka.req.pod.containers.image.repository in (user_known_privileged_images)"
+  tags: []
+  append: true
+
+- list: "user_known_kube_namespace_images"
+  items:
+  - "gcr.io/google-containers/startup-script"
+  - "gke.gcr.io/kube-proxy-amd64"
+  - "k8s.gcr.io/gke-node-termination-handler"
+  - "gcr.io/gke-release/gke-metrics-agent"
+  - "k8s.gcr.io/k8s-dns-kube-dns-amd64"
+  - "k8s.gcr.io/prometheus-to-sd"
+  - "gke.gcr.io/k8s-dns-dnsmasq-nanny-amd64"
+  - "gke.gcr.io/k8s-dns-sidecar-amd64"
+  append: false
+
+- rule: "Pod Created in Kube Namespace"
+  condition: "and not ka.req.container.image.repository in (user_known_kube_namespace_images)"
+  tags: []
+  append: true
+
+- rule: "Update Package Repository"
+  condition: "and not exe_running_docker_save"
+  tags: []
+  append: true
+
+- rule: "Modify Shell Configuration File"
+  condition: "and not exe_running_docker_save"
+  tags: []
+  append: true
+
+- rule: "Change thread namespace"
+  condition: "and not (container.image.repository=\"datadog/agent\" and proc.name=\"\
+    system-probe\")"
+  tags: []
+  append: true
+
+- list: "user_known_gke_metadata_images"
+  items:
+  - "gke.gcr.io/kube-proxy-amd64"
+  - "gcr.io/gke-release/gke-metrics-agent"
+  - "gke.gcr.io/k8s-dns-kube-dns-amd64"
+  - "k8s.gcr.io/prometheus-to-sd"
+  - "newrelic/infrastructure-k8s"
+  - "datadog/agent"
+  - "gke.gcr.io/prometheus-to-sd"
+  - "sysdig/agent"
+  - "gcr.io/stackdriver-agents/stackdriver-logging-agent"
+  - "gcr.io/stackdriver-agents/metadata-agent-go"
+  - "istio/proxyv2"
+  - "newrelic/k8s-events-forwarder"
+  - "gke.gcr.io/calico/typha"
+  append: false
+
+- macro: "mariadb_snapshots_validator"
+  condition: "(container.image.repository=\"google/cloud-sdk\" and container.name\
+    \ contains \"snapshot-validator\")"
+  append: false
+
+- macro: "bbc_java_app_proc"
+  condition: "(container.image.repository startswith \"eu.gcr.io/bbc-registry/\" and\
+    \ proc.name=\"java\")"
+  append: false
+
+- macro: "gke_metadata_containers"
+  condition: "(container.image.repository in (user_known_gke_metadata_images)) or\
+    \ mariadb_snapshots_validator or proc.name=\"newrelic-daemon\" or (container.image.repository=\"\
+    docker.elastic.co/beats/filebeat\" and proc.name=\"filebeat\")"
+  append: false
+
+- rule: "Contact GKE Instance Metadata Service From Container"
+  desc: "Detect attempts to contact the GKE Instance Metadata Service from a container"
+  condition: "outbound and fd.sip=\"169.254.169.254\" and container and not gke_metadata_containers"
+  output: "Outbound connection to GKE instance metadata service (proc=%proc.name procp=%proc.pname\
+    \ procpp=%proc.aname[2] procppp=%proc.aname[3] procpppp=%proc.aname[4] command=%proc.cmdline\
+    \ connection=%fd.name container_infos=%container.info container=%container.name\
+    \ image=%container.image.repository:%container.image.tag)"
+  priority: "NOTICE"
+  tags:
+  - "gke"
+  - "container"
+  - "mitre_discovery"
+  - "network"
+  append: false
+
+- macro: "mariadb_snapshots"
+  condition: "(container.image.repository=\"mariadb\" and container.name contains\
+    \ \"snapshot-validated\") or (container.image.repository=\"mariadb\" and proc.name=\"\
+    sh\" and proc.pname=\"mysqld\")"
+  append: false
+
+- rule: "DB program spawned process"
+  condition: "and not mariadb_snapshots"
+  tags: []
+  append: true
+
+- macro: "user_known_clear_log_activities"
+  condition: "(container.image.repository=\"landoop/fast-data-dev\" and fd.name=\"\
+    /var/log/running-smart.log\")"
+  append: false
+
+- rule: "Clear Log Activities"
+  condition: "and not user_known_clear_log_activities"
+  tags: []
+  append: true
+
+- list: "user_known_sensitive_mount_images"
+  items:
+  - "newrelic/infrastructure-k8s"
+  - "quay.io/prometheus/node-exporter"
+  append: false
+
+- rule: "Create Sensitive Mount Pod"
+  condition: "and not ka.req.pod.containers.image.repository in (user_known_sensitive_mount_images)"
+  tags: []
+  append: true
+
+- list: "user_known_privilged_k8s_roles"
+  items:
+  - "mariadb-moderation-snapshot-validated"
+  - "mariadb-payment-servix-snapshot-validated"
+  - "mariadb-user-activity-snapshot-validated"
+  - "mariadb-user-wallet-servix-snapshot-validated"
+  - "mariadb-log-snapshot-validated"
+  - "mariadb-monetize-servix-snapshot-validated"
+  - "mariadb-sesterce-snapshot-validated"
+  - "mariadb-reports-snapshot-validated"
+  - "mariadb-dev-snapshot-validated"
+  - "mariadb-main-snapshot-validated"
+  - "mariadb-components-snapshot-validated"
+  - "prometheus-operator-admission"
+  - "mariadb-monetize-servix-daily-copy"
+  - "mariadb-sesterce-daily-copy"
+  - "mariadb-main-daily-copy"
+  - "mariadb-components-daily-copy"
+  - "mariadb-log-daily-copy"
+  - "mariadb-reports-daily-copy"
+  - "mariadb-moderation-daily-copy"
+  - "mariadb-payment-servix-daily-copy"
+  append: false
+
+- rule: "ClusterRole With Write Privileges Created"
+  condition: "and not ka.target.name in (user_known_privilged_k8s_roles)"
+  tags: []
+  append: true
+
+- rule: "Launch Remote File Copy Tools in Container"
+  condition: "and not user_known_remote_file_copy_activities"
+  tags: []
+  append: true
+
+- macro: "user_known_container_drift_open_create_activities"
+  condition: "(container.image.repository=\"docker.elastic.co/elasticsearch/elasticsearch\"\
+    \ and evt.arg.filename startswith \"/usr/share/elasticsearch/data/nodes\")"
+  append: false
+
+- rule: "Container Drift Detected (open+create)"
+  condition: "and not user_known_container_drift_open_create_activities"
+  tags: []
+  append: true
+
+- macro: "test_foo_bar"
+  condition: "never_true"
+  append: false
diff --git a/sdcclient/_common.py b/sdcclient/_common.py
@@ -765,7 +765,7 @@ def get_user_ids(self, users):
             return [True, list(res.values())]
 
     def create_team(self, name, memberships=None, filter='', description='', show='host', theme='#7BB0B2',
-                    perm_capture=False, perm_custom_events=False, perm_aws_data=False):
+                    perm_capture=False, perm_custom_events=False, perm_aws_data=False, perm_rapid_response=False):
         '''
         **Description**
             Creates a new team
@@ -780,6 +780,7 @@ def create_team(self, name, memberships=None, filter='', description='', show='h
             - **perm_capture**: if True, this team will be allowed to take sysdig captures.
             - **perm_custom_events**: if True, this team will be allowed to view all custom events from every user and agent.
             - **perm_aws_data**: if True, this team will have access to all AWS metrics and tags, regardless of the team's scope.
+            - **perm_rapid_response**: if True, this team will have access rapid response feature.
 
         **Success Return Value**
             The newly created team.
@@ -795,6 +796,7 @@ def create_team(self, name, memberships=None, filter='', description='', show='h
             'canUseSysdigCapture': perm_capture,
             'canUseCustomEvents': perm_custom_events,
             'canUseAwsMetrics': perm_aws_data,
+            'canUseRapidResponse': perm_rapid_response,
         }
 
         # Map user-names to IDs
@@ -820,7 +822,7 @@ def create_team(self, name, memberships=None, filter='', description='', show='h
         return self._request_result(res)
 
     def edit_team(self, name, memberships=None, filter=None, description=None, show=None, theme=None,
-                  perm_capture=None, perm_custom_events=None, perm_aws_data=None):
+                  perm_capture=None, perm_custom_events=None, perm_aws_data=None, perm_rapid_response=False):
         '''
         **Description**
            Edits an existing team. All arguments are optional. Team settings for any arguments unspecified will remain at their current settings.
@@ -835,6 +837,7 @@ def edit_team(self, name, memberships=None, filter=None, description=None, show=
             - **perm_capture**: if True, this team will be allowed to take sysdig captures.
             - **perm_custom_events**: if True, this team will be allowed to view all custom events from every user and agent.
             - **perm_aws_data**: if True, this team will have access to all AWS metrics and tags, regardless of the team's scope.
+            - **perm_rapid_response**: if True, this team will have access rapid response feature.
 
         **Success Return Value**
             The edited team.
@@ -853,6 +856,7 @@ def edit_team(self, name, memberships=None, filter=None, description=None, show=
             'canUseSysdigCapture': perm_capture if perm_capture else team['canUseSysdigCapture'],
             'canUseCustomEvents': perm_custom_events if perm_custom_events else team['canUseCustomEvents'],
             'canUseAwsMetrics': perm_aws_data if perm_aws_data else team['canUseAwsMetrics'],
+            'canUseRapidResponse': perm_rapid_response,
             'defaultTeamRole': team['defaultTeamRole'],
             'entryPoint': team['entryPoint'],
             'id': team['id'],
