rule(Delete or rename shell history):skip dockerfs

In some cases, when removing a container, dockerd will itself remove the entire overlay filesystem, including a shell history file: --- Shell history had been deleted or renamed (user=root type=unlinkat command=dockerd -H fd:// ... name=/var/lib/docker/overlay2/.../root/.bash_history .. --- To avoid these FPs, skip paths starting with /var/lib/docker. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2025-08-02 06:52:10 +00:00 · 2020-09-10 09:27:56 -07:00 · 2020-09-10 09:27:56 -07:00 · 331b2971be
commit 331b2971be
parent 558b18ea67
1 changed files with 4 additions and 2 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -2619,6 +2619,7 @@
  desc: Detect shell history deletion
  condition: >
    (modify and (
+      not evt.arg.name startswith /var/lib/docker and (
      evt.arg.name contains "bash_history" or
      evt.arg.name contains "zsh_history" or
      evt.arg.name contains "fish_read_history" or
@ -2630,12 +2631,13 @@
      evt.arg.path contains "bash_history" or
      evt.arg.path contains "zsh_history" or
      evt.arg.path contains "fish_read_history" or
-      evt.arg.path endswith "fish_history")) or
+      evt.arg.path endswith "fish_history"))) or
    (open_write and (
+      not fd.name startswith /var/lib/docker and (
      fd.name contains "bash_history" or
      fd.name contains "zsh_history" or
      fd.name contains "fish_read_history" or
-      fd.name endswith "fish_history") and evt.arg.flags contains "O_TRUNC")
+      fd.name endswith "fish_history")) and evt.arg.flags contains "O_TRUNC")
  output: >
    Shell history had been deleted or renamed (user=%user.name user_loginuid=%user.loginuid type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
  priority: