cleanup(rules): cleanup redundant use of always_true macros

Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
This commit is contained in:
Melissa Kilby 2022-08-22 00:09:49 -07:00 committed by poiana
parent 7387fffcef
commit 6c12cc655e


@ -2672,9 +2672,6 @@
WARNING WARNING
tags: [process, mitre_defense_evasion] tags: [process, mitre_defense_evasion]
- macro: consider_all_chmods
condition: (always_true)
- list: user_known_chmod_applications - list: user_known_chmod_applications
items: [hyperkube, kubelet, k3s-agent] items: [hyperkube, kubelet, k3s-agent]
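Review bot: dropping the `consider_all_chmods` macro is a behaviour change, not just cleanup, for anyone who overrode it to `(never_true)` in a local rules file to switch the chmod rules off: the override becomes a dead macro definition and both rules gated on it (see `consider_all_chmods and chmod and ...` and `consider_all_chmods and` in the following hunks) come back on. Since this commit only says "redundant use of always_true macros", please call out the removal and the replacement mechanism (extending `user_known_chmod_applications`, or disabling the rule itself) in the changelog or release notes.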
@ -2690,7 +2687,7 @@
this means that the application will run with the privileges of the owning user or group respectively. this means that the application will run with the privileges of the owning user or group respectively.
Detect setuid or setgid bits set via chmod Detect setuid or setgid bits set via chmod
condition: > condition: >
consider_all_chmods and chmod and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID") chmod and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID")
and not proc.name in (user_known_chmod_applications) and not proc.name in (user_known_chmod_applications)
and not exe_running_docker_save and not exe_running_docker_save
and not user_known_set_setuid_or_setgid_bit_conditions and not user_known_set_setuid_or_setgid_bit_conditions
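Review bot: with the gate gone, the remaining tuning points in this condition are allowlists only (`user_known_chmod_applications`, `user_known_set_setuid_or_setgid_bit_conditions`) that exclude particular processes or conditions; there is no longer an all-or-nothing switch for this rule. If the intent is that users disable the rule via an `enabled: false` override instead, a one-line comment on the rule saying so would save people searching for the old macro. Minor: the folded `>` scalar now opens directly with `chmod and (evt.arg.mode contains "S_ISUID" ...`, which matches the other rules' style.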
@ -3023,7 +3020,6 @@
desc: New executable created in a container due to chmod desc: New executable created in a container due to chmod
condition: > condition: >
chmod and chmod and
consider_all_chmods and
container and container and
not runc_writing_exec_fifo and not runc_writing_exec_fifo and
not runc_writing_var_lib_docker and not runc_writing_var_lib_docker and
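Review bot: in the visible part of this condition the only exclusions left after removing `consider_all_chmods and` are the `runc_writing_exec_fifo` and `runc_writing_var_lib_docker` noise filters, which are not user-tunable; worth confirming that the rest of the condition (not shown) still exposes a `user_known_*` hook, because this rule now fires on any chmod in any container and can no longer be switched off through the macro. The trailing `and` on the `chmod and` line still chains correctly into `container and`, so the YAML is fine.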
@ -3124,16 +3120,12 @@
priority: WARNING priority: WARNING
tags: [container, cis, mitre_lateral_movement] tags: [container, cis, mitre_lateral_movement]
- macro: consider_userfaultfd_activities
condition: (always_true)
- list: user_known_userfaultfd_processes - list: user_known_userfaultfd_processes
items: [] items: []
- rule: Unprivileged Delegation of Page Faults Handling to a Userspace Process - rule: Unprivileged Delegation of Page Faults Handling to a Userspace Process
desc: Detect a successful unprivileged userfaultfd syscall which might act as an attack primitive to exploit other bugs desc: Detect a successful unprivileged userfaultfd syscall which might act as an attack primitive to exploit other bugs
condition: > condition: >
consider_userfaultfd_activities and
evt.type = userfaultfd and evt.type = userfaultfd and
user.uid != 0 and user.uid != 0 and
(evt.rawres >= 0 or evt.res != -1) and (evt.rawres >= 0 or evt.res != -1) and
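Review bot: now that `consider_userfaultfd_activities and` is gone and this rule fires unconditionally for every non-root caller, the unchanged success check `(evt.rawres >= 0 or evt.res != -1)` deserves a second look: `evt.rawres >= 0` on its own already identifies a successful `userfaultfd` call, while `evt.res != -1` is also true for failed calls, since Falco presents failed syscall results as errno names such as `EPERM` rather than a numeric `-1`, so the disjunction is effectively always true and the rule would alert on failed attempts too, contradicting the word "successful" in the desc. Suggest reducing it to `evt.rawres >= 0 and`. Also note `user_known_userfaultfd_processes` is still `[]`, so after this change there is no default exclusion at all; the changelog should say the rule is now always on.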