Falco is a cloud-native runtime security tool that uses system calls to detect anomalous behavior. For Java applications, we need to monitor specific patterns like JVM exploitation, suspicious class loading, and application server attacks.
Core Falco Rules for Java Applications
1. Basic Java Process Monitoring
- rule: Java Process Execution desc: Detect execution of Java processes with suspicious parameters condition: > proc.name = java and (spawned_process or container) and not proc.args contains "-version" and not proc.args contains "-jar" and not proc.args contains "-cp" output: > Java process executed with suspicious arguments (user=%user.name command=%proc.cmdline %container.info) priority: WARNING tags: [process, java, runtime] - rule: Java Process in Container desc: Detect Java process running in container condition: > container and proc.name = java and not container.image.repository in (["openjdk", "eclipse-temurin", "ibm-semeru-runtime"]) output: > Java process running in non-standard container (user=%user.name command=%proc.cmdline container=%container.info) priority: INFO tags: [container, java, process]
2. JVM Exploitation & Memory Attacks
- rule: Java Debug Mode Enabled desc: Detect Java process running with debug parameters condition: > proc.name = java and (proc.args contains "-agentlib:jdwp" or proc.args contains "-Xdebug" or proc.args contains "-Xrunjdwp") output: > Java process running with debug mode enabled (user=%user.name command=%proc.cmdline %container.info) priority: WARNING tags: [java, debug, exploitation] - rule: Java JMX Remote Access desc: Detect Java process with remote JMX enabled condition: > proc.name = java and (proc.args contains "com.sun.management.jmxremote" or proc.args contains "-Dcom.sun.management.jmxremote.port" or proc.args contains "-Dcom.sun.management.jmxremote.authenticate=false") output: > Java process with potentially insecure JMX configuration (user=%user.name command=%proc.cmdline %container.info) priority: ERROR tags: [java, jmx, remote_access] - rule: Java Memory Dump Creation desc: Detect creation of Java memory/heap dumps condition: > proc.name = java and (proc.args contains "-XX:+HeapDumpOnOutOfMemoryError" or proc.args contains "-XX:HeapDumpPath" or proc.args contains "jmap" or proc.args contains "jcmd" and proc.args contains "GC.heap_dump") output: > Java heap dump operation detected (user=%user.name command=%proc.cmdline %container.info) priority: NOTICE tags: [java, memory, dump, sensitive_data]
3. Class Loading & Code Injection
- rule: Suspicious Java Class Loading desc: Detect loading of suspicious Java classes or JAR files condition: > proc.name = java and (proc.args contains "-javaagent" or proc.args icontains "ysoserial" or proc.args icontains "commons-collections" or proc.args icontains "marshalsec" or proc.args icontains "rogue-jndi") output: > Suspicious Java class loading detected (user=%user.name command=%proc.cmdline %container.info) priority: ERROR tags: [java, class_loading, exploitation] - rule: Java Instrumentation Agent desc: Detect Java agent instrumentation condition: > proc.name = java and proc.args contains "-javaagent" and not proc.args contains "/app/agents/" and not proc.args contains "/opt/java/agents/" output: > Unauthorized Java agent instrumentation (user=%user.name command=%proc.cmdline %container.info) priority: ERROR tags: [java, instrumentation, agent] - rule: JNDI Injection Attempt desc: Detect potential JNDI injection attempts condition: > proc.name = java and (proc.args contains "ldap://" or proc.args contains "rmi://" or proc.args contains "iiop://" or proc.args contains "com.sun.jndi" or proc.args contains "log4j2.formatMsgNoLookups") output: > Potential JNDI injection attempt detected (user=%user.name command=%proc.cmdline %container.info) priority: CRITICAL tags: [java, jndi, injection, log4shell]
4. File System Operations for Java Apps
- rule: Java Writing Sensitive Directories desc: Detect Java process writing to sensitive directories condition: > proc.name = java and container and (fd.name startswith /etc or fd.name startswith /root or fd.name startswith /proc/sys or fd.name startswith /sys) output: > Java process writing to sensitive directory (user=%user.name command=%proc.cmdline file=%fd.name %container.info) priority: WARNING tags: [java, filesystem, sensitive] - rule: Java Class File Modification desc: Detect modification of Java class files in running application condition: > proc.name = java and (fd.name endswith .class and (fd.directory contains "/WEB-INF/classes" or fd.directory contains "/BOOT-INF/classes" or fd.directory contains "tomcat/webapps") and (open_write or modify)) output: > Java class file modification detected (user=%user.name file=%fd.name %container.info) priority: ERROR tags: [java, class_file, modification, runtime_attack] - rule: Java Writing Executable Files desc: Detect Java process writing executable files condition: > proc.name = java and container and (fd.name endswith .sh or fd.name endswith .py or fd.name endswith .elf or fd.name endswith .bin) and open_write output: > Java process writing executable file (user=%user.name file=%fd.name %container.info) priority: WARNING tags: [java, filesystem, executable]
5. Network Operations for Java Apps
- rule: Java Outbound Network Connection desc: Detect Java process making outbound network connections condition: > proc.name = java and container and evt.type = connect and not fd.sip in (127.0.0.1, 0.0.0.0, ::1) and not fd.sport in (8080, 8443, 5005, 1099, 9010) output: > Java process making outbound network connection (user=%user.name command=%proc.cmdline connection=%fd.name %container.info) priority: NOTICE tags: [java, network, outbound] - rule: Java Reverse Shell Detection desc: Detect potential reverse shell from Java process condition: > proc.name = java and (evt.type = connect and (fd.sip != 127.0.0.1 and fd.sip != 0.0.0.0) and fd.sport in (4444, 1337, 31337, 12345, 54321)) or (proc.cmdline contains "bash" or proc.cmdline contains "sh" or proc.cmdline contains "nc" or proc.cmdline contains "netcat" or proc.cmdline contains "socat") output: > Potential reverse shell from Java process (user=%user.name command=%proc.cmdline connection=%fd.name %container.info) priority: CRITICAL tags: [java, reverse_shell, exploitation] - rule: Java Database Connection to Unknown Host desc: Detect Java app connecting to unknown database hosts condition: > proc.name = java and evt.type = connect and fd.sport in (5432, 3306, 1433, 27017, 6379) and not fd.sip in (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1) output: > Java app connecting to external database (user=%user.name connection=%fd.name %container.info) priority: WARNING tags: [java, database, network]
6. Container-Specific Java Rules
- rule: Java Process Escape Attempt desc: Detect Java process attempting container escape condition: > container and proc.name = java and (evt.type = mount or evt.type = chroot or evt.type = pivot_root or evt.type = unshare or evt.type = clone and syscall.args.flags contains "CLONE_NEWNS" or evt.type = clone and syscall.args.flags contains "CLONE_NEWUSER") output: > Java process attempting container escape (user=%user.name command=%proc.cmdline syscall=%syscall.type %container.info) priority: CRITICAL tags: [java, container, escape, privilege_escalation] - rule: Java Privilege Escalation desc: Detect Java process changing privileges condition: > proc.name = java and (evt.type = setuid or evt.type = setgid or evt.type = setresuid or evt.type = setresgid or evt.type = capset) output: > Java process changing privileges (user=%user.name command=%proc.cmdline syscall=%syscall.type %container.info) priority: ERROR tags: [java, privilege_escalation, security]
7. Application Server Specific Rules
- rule: Tomcat Manager Access desc: Detect access to Tomcat manager application condition: > proc.name = java and ((evt.type = open and fd.name contains "tomcat/conf/tomcat-users.xml") or (evt.type = connect and fd.lport = 8080 and proc.args contains "manager") or (fd.name contains "/manager/html" and open_write)) output: > Tomcat manager access detected (user=%user.name file=%fd.name %container.info) priority: WARNING tags: [java, tomcat, manager, web] - rule: Spring Boot Actuator Exploitation desc: Detect potential Spring Boot Actuator exploitation condition: > proc.name = java and ((evt.type = connect and fd.lport in (8080, 8443, 9001) and (fd.name contains "/actuator/env" or fd.name contains "/actuator/restart" or fd.name contains "/actuator/shutdown" or fd.name contains "/actuator/heapdump")) or (proc.args contains "spring-boot:run" and proc.args contains "-Dmanagement.endpoints.web.exposure.include=*")) output: > Potential Spring Boot Actuator exploitation (user=%user.name connection=%fd.name %container.info) priority: WARNING tags: [java, spring_boot, actuator, exploitation] - rule: Web Application Exploitation desc: Detect common web app exploitation patterns in Java condition: > proc.name = java and ((fd.name contains ".." and (fd.name contains ".jsp" or fd.name contains ".war")) or (evt.type = open and fd.name contains "/tmp/" and fd.name contains ".jsp") or (proc.args contains "Runtime.getRuntime().exec")) output: > Potential web application exploitation (user=%user.name file=%fd.name %container.info) priority: ERROR tags: [java, web, exploitation, rce]
8. Java-Specific System Call Monitoring
- rule: Java Native Code Execution desc: Detect Java process executing native code condition: > proc.name = java and (spawned_process and not proc.pname in (java, bash, sh, cat, ls, find, grep, awk, sed)) output: > Java process spawning unexpected native process (user=%user.name parent=%proc.pname child=%proc.name %container.info) priority: WARNING tags: [java, native, process] - rule: Java File Descriptor Manipulation desc: Detect Java process manipulating file descriptors condition: > proc.name = java and (evt.type = dup or evt.type = dup2 or evt.type = pipe or evt.type = socketpair) and container output: > Java process manipulating file descriptors (user=%user.name syscall=%syscall.type %container.info) priority: NOTICE tags: [java, file_descriptor, system_call]
9. Log4j and Logging Framework Exploitation
- rule: Log4j Exploitation Patterns
desc: Detect potential Log4j exploitation attempts
condition: >
proc.name = java and
((proc.args contains "${jndi:" or
proc.args contains "$ {jndi:" or
proc.args contains "${::-j" or
proc.args contains "log4j2.formatMsgNoLookups=false") or
(evt.type = connect and
(fd.sip contains "ldap://" or fd.sip contains "rmi://")))
output: >
Potential Log4j exploitation detected (user=%user.name command=%proc.cmdline %container.info)
priority: CRITICAL
tags: [java, log4j, log4shell, jndi, rce]
- rule: Java Log File Tampering
desc: Detect tampering with Java application logs
condition: >
proc.name = java and
(fd.name endswith .log and
(open_write or modify or rename) and
not proc.args contains "logback" and
not proc.args contains "log4j")
output: >
Java application log file tampering (user=%user.name file=%fd.name %container.info)
priority: WARNING
tags: [java, logs, tampering, security]
Customizable Rule Templates
Whitelisting Known Good Patterns
- list: trusted_java_images items: [ "openjdk:17-jre", "eclipse-temurin:17", "ibm-semeru-runtime:17", "mycompany/java-app:latest", "springio/spring-boot:latest" ] - list: trusted_java_args items: [ "-Dspring.profiles.active=prod", "-Xmx512m", "-Xms256m", "-Djava.security.egd=file:/dev/./urandom", "-Duser.timezone=UTC" ] - rule: Untrusted Java Container desc: Detect Java running in untrusted container image condition: > container and proc.name = java and not container.image.repository in (trusted_java_images) output: > Java process running in untrusted container (image=%container.image.repository user=%user.name %container.info) priority: NOTICE tags: [java, container, untrusted]
Deployment and Configuration
falco.yaml Configuration Snippet
# Enable Java-specific system calls syscall_event_drops: actions: - log - alert rate: 0.05 max_burst: 1000 # JSON output for integration json_output: true json_include_output_property: true # Java-specific rule files rules_file: - /etc/falco/falco_rules.yaml - /etc/falco/falco_rules_java.yaml - /etc/falco/java_app_rules.yaml
Docker Deployment Example
FROM falcosecurity/falco:latest # Copy custom Java rules COPY java_app_rules.yaml /etc/falco/java_app_rules.yaml COPY falco_rules_java.yaml /etc/falco/falco_rules_java.yaml # Enable container monitoring ENV FALCO_BPF_PROBE=""
Best Practices for Java Falco Rules
- Start with Broad Rules: Begin with general Java rules and refine based on your application behavior
- Whitelist Normal Operations: Identify and whitelist normal Java application behavior in your environment
- Monitor Container Environments: Java apps in containers have different security considerations
- Correlate with Application Logs: Combine Falco alerts with Java application logs for better context
- Regular Rule Updates: Keep Java rules updated as new vulnerabilities and attack techniques emerge
- Performance Considerations: Monitor Falco performance impact on Java applications
These rules provide a solid foundation for monitoring Java application security at the system call level, helping detect exploitation attempts, misconfigurations, and anomalous behavior in production environments.