From 0ec46feef21ed5a9bba4336cb6b615481715efa5 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 9 Aug 2017 10:09:33 -0700
Subject: [PATCH] Make setuid binaries a list

Move the misc binaries that are allowed to setuid from the rule to its own list. Makes it easier to add to the list.
---
 rules/falco_rules.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index f9b8464f..e04b3570 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -181,6 +181,9 @@
 - list: userexec_binaries
   items: [sudo, su]
 
+- list: known_setuid_binaries
+  items: [sshd, dbus-daemon-lau, ping, ping6, critical-stack-]
+
 - list: user_mgmt_binaries
   items: [login_binaries, passwd_binaries, shadowutils_binaries]
 
@@ -705,8 +708,7 @@
   condition: >
     evt.type=setuid and evt.dir=> and not user.name=root
     and not somebody_becoming_themself
-    and not proc.name in (userexec_binaries, mail_binaries, docker_binaries,
-    sshd, dbus-daemon-lau, ping, ping6, critical-stack-, Xvfb)
+    and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries)
     and not java_running_sdjagent
   output: >
     Unexpected setuid call by non-sudo, non-root program (user=%user.name parent=%proc.pname
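Review bot: `Xvfb` is silently dropped from the exclusion set: the removed condition listed it explicitly, but the new `known_setuid_binaries` list in the first hunk does not contain it and the rewritten `proc.name in (...)` line no longer names it, so setuid calls by Xvfb now fire this rule even though the commit message describes a pure move. Either add it back with `items: [sshd, dbus-daemon-lau, ping, ping6, critical-stack-, Xvfb]` or state in the commit message that the removal is intentional, since this is a detection-behaviour change rather than a refactor. The new list would also benefit from a comment explaining why `dbus-daemon-lau` and `critical-stack-` are truncated (presumably because `proc.name` is matched on the kernel's 15-character process name — confirm), e.g. `# Names are matched against proc.name and may be truncated by the kernel`, so the next person extending the list does not "fix" them to the full binary names and break the match. Because this allowlist is keyed purely on process name, keep it to the minimum set that genuinely needs setuid; every entry here is a blind spot for the rule. The surrounding rule definition starts and ends outside the second hunk.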