From 1c7fca95e4ff44832a24d3261104c604bbde9e82 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 30 Sep 2020 12:46:00 -0700
Subject: [PATCH] rule(Delete or rename shell history):fix warning

Move the "and not" checks to the end of the rule so all event type checks are at the front. Also break into 3 macros to make the rule easier to read.

This fixes https://github.com/falcosecurity/falco/issues/1418.

Signed-off-by: Mark Stemm
---
 rules/falco_rules.yaml | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index afb871e4..ac173f62 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2615,11 +2615,9 @@
 WARNING
 tags: [process, mitre_persistence]
 
-- rule: Delete or rename shell history
- desc: Detect shell history deletion
+- macro: modify_shell_history
 condition: >
 (modify and (
- not evt.arg.name startswith /var/lib/docker and (
 evt.arg.name contains "bash_history" or
 evt.arg.name contains "zsh_history" or
 evt.arg.name contains "fish_read_history" or
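Review bot: The new `modify_shell_history` macro at the top of the hunk is introduced without a comment, and unlike the rule body it replaces it no longer carries the `/var/lib/docker` exclusion (the removed `not evt.arg.name startswith /var/lib/docker and (` line), so any other rule that reuses this macro on its own will inherit the Docker-layer noise that exclusion was filtering. A one-line note above `- macro: modify_shell_history` such as `# Rename/unlink of a shell history file; the /var/lib/docker exemption is applied by the rule, not here - pair with "and not var_lib_docker_filepath" when reusing` would make that explicit. The `contains "bash_history"` / `contains "zsh_history"` tests are substring matches carried over unchanged, so names like `.bash_history.bak` also match. The macro's condition continues past the end of the hunk.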
@@ -2631,13 +2629,23 @@
 evt.arg.path contains "bash_history" or
 evt.arg.path contains "zsh_history" or
 evt.arg.path contains "fish_read_history" or
- evt.arg.path endswith "fish_history"))) or
+ evt.arg.path endswith "fish_history"))
+
+- macro: truncate_shell_history
+ condition: >
 (open_write and (
- not fd.name startswith /var/lib/docker and (
 fd.name contains "bash_history" or
 fd.name contains "zsh_history" or
 fd.name contains "fish_read_history" or
- fd.name endswith "fish_history")) and evt.arg.flags contains "O_TRUNC")
+ fd.name endswith "fish_history") and evt.arg.flags contains "O_TRUNC")
+
+- macro: var_lib_docker_filepath
+ condition: (evt.arg.name startswith /var/lib/docker or fd.name startswith /var/lib/docker)
+
+- rule: Delete or rename shell history
+ desc: Detect shell history deletion
+ condition: >
+ (modify_shell_history or truncate_shell_history) and not var_lib_docker_filepath
 output: >
 Shell history had been deleted or renamed (user=%user.name user_loginuid=%user.loginuid type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
 priority:
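Review bot: The new `var_lib_docker_filepath` macro is a path-only allowlist: any delete, rename or truncate of a history file whose path, as the process supplies it, starts with `/var/lib/docker` is suppressed no matter which process performs it, and nothing ties the exemption to the container runtime that presumably motivated it, so if untrusted users can write under that tree it is an evasion path. The two removed `not ... startswith /var/lib/docker` lines had the same weakness, but now that it is a named macro it deserves a comment such as `# Path-only exemption for files the container runtime unpacks under /var/lib/docker; not scoped to a process` above it, and a `proc.name` (or similar) condition if that scoping is wanted. Separately, `desc: Detect shell history deletion` and the `Shell history had been deleted or renamed` output still describe only the `modify` half while `truncate_shell_history` also fires on `O_TRUNC` opens; `desc: Detect shell history deletion, renaming or truncation` and `Shell history had been deleted, renamed or truncated (...)` would match what the rule does. Note also that `truncate_shell_history` only sees opens carrying `O_TRUNC`; a `truncate(2)`/`ftruncate(2)` on the file (e.g. `truncate -s0 ~/.bash_history`) is not such an open and, unless the `modify` macro defined elsewhere in the file covers those syscalls, is missed.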