Logging egress IPs per process with Falco (BPF)

did not work with the new experimental BPD
2023-05-07 18:12:11 +00:00 · 2023-05-07 18:12:11 +00:00 · be21cdfd94
commit be21cdfd94
parent 45bcf4e754
1 changed files with 20 additions and 0 deletions
--- a/falco/rules.d/egress.yaml
+++ b/falco/rules.d/egress.yaml
@ -0,0 +1,20 @@
+- rule: Log Established Connections Privileged
+  desc: Log process name, user, egress IP for established connections by privileged processes
+  condition: >
+    evt.type=connect and evt.dir=< and check_privileged
+  output: >
+    {"event_type": "privileged_connection", "process_name": "%proc.name", "user_name": "%user.name", "egress_ip": "%fd.sip"}
+  priority: INFO
+  tags: [network, process]
+
+- rule: Log Established Connections Non-Privileged
+  desc: Log process name, user, egress IP for established connections by non-privileged processes
+  condition: >
+    evt.type=connect and evt.dir=< and not check_privileged
+  output: >
+    {"event_type": "non_privileged_connection", "process_name": "%proc.name", "user_name": "%user.name", "egress_ip": "%fd.sip"}
+  priority: INFO
+  tags: [network, process]
+
+- macro: check_privileged
+  condition: (user.uid=0 or user.name=root)