github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-03 07:34:53 +00:00
Code Issues Projects Releases Wiki Activity

Make setuid binaries a list

Browse Source 
Move the misc binaries that are allowed to setuid from the rule to its
own list. Makes it easier to add to the list.
This commit is contained in:
Mark Stemm
2017-08-09 10:09:33 -07:00
parent 2ebe9e06a8
commit 0ec46feef2
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
rules/falco_rules.yaml
View File

@@ -181,6 +181,9 @@
- list: userexec_binaries - list: userexec_binaries
items: [sudo, su] items: [sudo, su]
- list: known_setuid_binaries
items: [sshd, dbus-daemon-lau, ping, ping6, critical-stack-]
- list: user_mgmt_binaries - list: user_mgmt_binaries
items: [login_binaries, passwd_binaries, shadowutils_binaries] items: [login_binaries, passwd_binaries, shadowutils_binaries]
@@ -705,8 +708,7 @@
condition: > condition: >
evt.type=setuid and evt.dir=> and evt.type=setuid and evt.dir=> and
not user.name=root and not somebody_becoming_themself not user.name=root and not somebody_becoming_themself
and not proc.name in (userexec_binaries, mail_binaries, docker_binaries, and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries)
sshd, dbus-daemon-lau, ping, ping6, critical-stack-, Xvfb)
and not java_running_sdjagent and not java_running_sdjagent
output: > output: >
Unexpected setuid call by non-sudo, non-root program (user=%user.name parent=%proc.pname Unexpected setuid call by non-sudo, non-root program (user=%user.name parent=%proc.pname