From 331b2971be3a2b76795679281ef53a223d31b388 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Thu, 10 Sep 2020 09:27:56 -0700
Subject: [PATCH] rule(Delete or rename shell history):skip dockerfs

In some cases, when removing a container, dockerd will itself remove the entire overlay filesystem, including a shell history file:

---
Shell history had been deleted or renamed (user=root type=unlinkat command=dockerd -H fd:// ... name=/var/lib/docker/overlay2/.../root/.bash_history ..
---

To avoid these FPs, skip paths starting with /var/lib/docker.

Signed-off-by: Mark Stemm
---
rules/falco_rules.yaml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index da0078df..afb871e4 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2619,6 +2619,7 @@
desc: Detect shell history deletion
condition: >
(modify and (
+ not evt.arg.name startswith /var/lib/docker and (
evt.arg.name contains "bash_history" or
evt.arg.name contains "zsh_history" or
evt.arg.name contains "fish_read_history" or
@@ -2630,12 +2631,13 @@
evt.arg.path contains "bash_history" or
evt.arg.path contains "zsh_history" or
evt.arg.path contains "fish_read_history" or
- evt.arg.path endswith "fish_history")) or
+ evt.arg.path endswith "fish_history"))) or
(open_write and (
+ not fd.name startswith /var/lib/docker and (
fd.name contains "bash_history" or
fd.name contains "zsh_history" or
fd.name contains "fish_read_history" or
- fd.name endswith "fish_history") and evt.arg.flags contains "O_TRUNC")
+ fd.name endswith "fish_history")) and evt.arg.flags contains "O_TRUNC")
output: >
Shell history had been deleted or renamed (user=%user.name user_loginuid=%user.loginuid type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
priority:
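Review bot: The exclusion added in the first hunk, `not evt.arg.name startswith /var/lib/docker and (`, keys on the path alone, so the rule now stays silent when any process on the host — not only dockerd — deletes or renames a shell history file beneath the docker data root; the second hunk's `not fd.name startswith /var/lib/docker and (` has the same scope for the truncate case. The commit message attributes the false positive to dockerd itself, so the exclusion could be tied to that process and keep coverage for everything else, e.g. `not (proc.name = "dockerd" and evt.arg.name startswith /var/lib/docker) and (` in the first hunk and the matching `fd.name` form in the second. Docker's data root is configurable, so if the path varies across hosts, carrying it in a list or macro would let operators override it without editing the rule body. The rule's `condition:` block begins before the first hunk and its `priority:` line is cut off at the end of the second.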