From 010083538ff8b20d314c804ce94e6f86265ba891 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 1 May 2019 10:40:12 -0700
Subject: [PATCH] Rule updates 2019 05.v1 (#590)

* Fix parentheses for rpm_procs macro

Ensures a preceding not will apply to the whole macro

* Let anything write to /etc/fluent/configs.d

It looks like a lot of scripted programs (shell scripts running cp, sed, arbitrary ruby programs) are run by fluentd to set up config. They're too generic to identify, so jut add /etc/fluent/configs.d to safe_etc_dirs, sadly.

* Let java setup write to /etc/passwd in containers

/opt/jboss/container/java/run/run-java.sh and /opt/run-java/run-java.sh write to /etc/passwd in a contaner, probably to add a user. Add an exception for them.
---
rules/falco_rules.yaml | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 3c11dc99..a12a01dd 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -203,7 +203,7 @@ items: [probe_rpminfo, probe_rpmverify, probe_rpmverifyfile, probe_rpmverifypackage] - macro: rpm_procs - condition: proc.name in (rpm_binaries, openscap_rpm_binaries) or proc.name in (salt-minion) + condition: (proc.name in (rpm_binaries, openscap_rpm_binaries) or proc.name in (salt-minion)) - list: deb_binaries items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, apt-get, aptitude,
@@ -983,7 +983,7 @@ tags: [filesystem, mitre_discovery] - list: safe_etc_dirs - items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment, /etc/hrmconfig] + items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment, /etc/hrmconfig, /etc/fluent/configs.d] - macro: fluentd_writing_conf_files condition: (proc.name=start-fluentd and fd.name in (/etc/fluent/fluent.conf, /etc/td-agent/td-agent.conf))
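Review bot: The rewritten `rpm_procs` condition still expresses one set of process names as two `proc.name in` tests joined by `or`, which is exactly what made the precedence problem possible; a single membership test, `condition: (proc.name in (rpm_binaries, openscap_rpm_binaries, salt-minion))`, names the same set and cannot be split by a later edit that drops the outer parentheses (assuming list names and literals may share one tuple, as the loader appears to allow elsewhere). The outer parentheses are still worth keeping, since the commit's own rationale is that a preceding `not` must apply to the whole macro.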
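Review bot: The new `/etc/fluent/configs.d` entry in `safe_etc_dirs` excuses writes below that directory from every process, which is considerably wider than the `fluentd_writing_conf_files` macro two lines further down that at least pins the writer to `proc.name=start-fluentd`, and the reason for the wider grant (config is generated by assorted cp/sed/ruby scripts that cannot be named) lives only in the commit message. Put it next to the entry so the next reader does not assume the macro is what covers this directory, e.g. `# /etc/fluent/configs.d: written by arbitrary setup scripts (cp, sed, ruby) that cannot be named, so writes there are excused for all processes` on the line above the list. Whether the list is matched exactly or as a path prefix is decided where `safe_etc_dirs` is used, which is outside this hunk, and is worth stating in the same comment.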
@@ -1029,6 +1029,13 @@ fd.name startswith "/etc/rancher-dns") ) +- macro: jboss_in_container_writing_passwd + condition: > + ((proc.cmdline="run-java.sh /opt/jboss/container/java/run/run-java.sh" + or proc.cmdline="run-java.sh /opt/run-java/run-java.sh") + and container + and fd.name=/etc/passwd) + - macro: curl_writing_pki_db condition: (proc.name=curl and fd.directory=/etc/pki/nssdb)
@@ -1198,6 +1205,7 @@ and not prometheus_conf_writing_conf and not openshift_writing_conf and not rancher_writing_conf + and not jboss_in_container_writing_passwd - rule: Write below etc desc: an attempt to write to any file below /etc
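Review bot: `jboss_in_container_writing_passwd` excuses a write to `/etc/passwd` on `proc.cmdline` equality alone, and a command line is chosen by the process that presents it, so the exception holds for any containerised process showing one of those two strings rather than for the JBoss images it was written for; the second hunk (`@@ -1198,6 +1205,7 @@`) then adds it to the `Write below etc` exclusions, so the same concern applies there. Narrow it with a property the workload does not pick, for instance `and container.image.repository in (<jboss image repositories - fill in>)` next to the existing `and container`, and record above the macro that these run-java.sh scripts add a user to /etc/passwd at start-up, which is the rationale the commit message gives. If the image cannot be pinned, a comment stating that the match is by command line only, and why that is accepted, keeps the trade-off visible to whoever tunes this rule next. The `Write below etc` rule whose exclusion list the second hunk extends starts and ends outside that hunk.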