From f1aadef0542729ec72b1e1461ed0796b3a823ed4 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 21 Feb 2017 14:58:55 -0800 Subject: [PATCH] More changes to address FPs. - Sometimes systemd changes its process name to '(systemd)', probably for a forked daemon process. Add that version to login_binaries. - Add sv (part of runit) as a program that can write below /etc. - Allow all /dev/tty* files by moving /dev/tty from the list to a "startswith /dev/tty" condition. --- rules/falco_rules.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 3fba1462..165bbf03 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -76,7 +76,7 @@ # dpkg -L login | grep bin | xargs ls -ld | grep -v '^d' | awk '{print $9}' | xargs -L 1 basename | tr "\\n" "," - list: login_binaries - items: [login, systemd, systemd-logind, su, nologin, faillog, lastlog, newgrp, sg] + items: [login, systemd, '"(systemd)"', systemd-logind, su, nologin, faillog, lastlog, newgrp, sg] # dpkg -L passwd | grep bin | xargs ls -ld | grep -v '^d' | awk '{print $9}' | xargs -L 1 basename | tr "\\n" "," - list: passwd_binaries @@ -256,7 +256,7 @@ package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries, ldconfig.real, ldconfig, confd, gpg, insserv, apparmor_parser, update-mime, tzdata.config, tzdata.postinst, - systemd-machine, debconf-show, rollerd, bind9.postinst) + systemd-machine, debconf-show, rollerd, bind9.postinst, sv) and not proc.pname in (sysdigcloud_binaries) and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java) and not ansible_running_python @@ -469,7 +469,7 @@ tags: [host, users] - list: allowed_dev_files - items: [/dev/null, /dev/stdin, /dev/stdout, /dev/stderr, /dev/tty, /dev/random, /dev/urandom, /dev/console] + items: [/dev/null, /dev/stdin, /dev/stdout, /dev/stderr, /dev/random, /dev/urandom, /dev/console] # (we may need to add additional checks against false positives, see: https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/86153) - rule: Create files below dev @@ -479,6 +479,7 @@ (evt.type = creat or (evt.type = open and evt.arg.flags contains O_CREAT)) and not proc.name in (dev_creation_binaries) and not fd.name in (allowed_dev_files) + and not fd.name startswith /dev/tty output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name)" priority: WARNING tags: [filesystem]