fix: make sure that when deleting shell history the system call is taken into account

Signed-off-by: Lorenzo Fontana <lo@linux.com>
2025-07-21 09:59:40 +00:00 · 2019-08-05 16:53:12 +00:00 · 2019-08-05 16:53:12 +00:00 · 03fbf432f1
commit 03fbf432f1
parent 94d89eaea2
1 changed files with 21 additions and 5 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -2381,13 +2381,29 @@
    WARNING
  tags: [process, mitre_persistence]
- rule: Delete Bash History
+- rule: Delete or rename shell history
-  desc: Detect bash history deletion
+  desc: Detect shell history deletion
  condition: >
-    ((spawned_process and proc.name in (shred, rm, mv) and proc.args contains "bash_history") or
+    (modify and (
-     (open_write and fd.name contains "bash_history" and evt.arg.flags contains "O_TRUNC"))
+      evt.arg.name contains "bash_history" or
      evt.arg.name contains "zsh_history" or
      evt.arg.name contains "fish_read_history" or
      evt.arg.name endswith "fish_history" or
      evt.arg.oldpath contains "bash_history" or
      evt.arg.oldpath contains "zsh_history" or
      evt.arg.oldpath contains "fish_read_history" or
      evt.arg.oldpath endswith "fish_history" or
      evt.arg.path contains "bash_history" or
      evt.arg.path contains "zsh_history" or
      evt.arg.path contains "fish_read_history" or
      evt.arg.path endswith "fish_history")) or
    (open_write and (
      fd.name contains "bash_history" or
      fd.name contains "zsh_history" or
      fd.name contains "fish_read_history" or
      fd.name endswith "fish_history") and evt.arg.flags contains "O_TRUNC")
  output: >
-    Bash history has been deleted (user=%user.name command=%proc.cmdline file=%fd.name %container.info)
+    Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
  priority:
    WARNING
  tag: [process, mitre_defense_evation]