Allow package mgmt binaries to work in bin dirs.

A new macro package_mgmt_binaries includes dpkg and rpm. Those programs
are allowed to create directories and modify files below binary
directories. I'm not adding them to other trusted sets for now, though.
This commit is contained in:
Mark Stemm 2016-05-14 21:57:57 -07:00
parent 0a9a85d1da
commit 7436bc0952


@ -106,6 +106,9 @@
- macro: server_binaries
condition: http_server_binaries or db_server_binaries or docker_binaries or proc.name in (sshd)
- macro: package_mgmt_binaries
condition: proc.name in (dpkg, rpm)
# A canonical set of processes that run other programs with different
# privileges or as a different user.
- macro: userexec_binaries
@ -196,13 +199,13 @@
- rule: modify_binary_dirs
desc: an attempt to modify any file below a set of binary directories.
condition: modify and bin_dir_rename
condition: modify and bin_dir_rename and not package_mgmt_binaries
output: "File below known binary directory renamed/removed (%user.name %proc.name %evt.type %evt.args %fd.name)"
priority: WARNING
- rule: mkdir_binary_dirs
desc: an attempt to create a directory below a set of binary directories.
condition: mkdir and bin_dir_mkdir
condition: mkdir and bin_dir_mkdir and not package_mgmt_binaries
output: "Directory below known binary directory created (%user.name %proc.name %evt.type %evt.args %fd.name)"
priority: WARNING
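Review bot: The `not package_mgmt_binaries` exemption added to the `modify_binary_dirs` and `mkdir_binary_dirs` conditions keys only on `proc.name in (dpkg, rpm)`, and a process name is chosen by whoever launches the binary, so a copy of any tool renamed to `rpm` or `dpkg` is silently allowed to write and create directories below the binary directories. Both rules are WARNING-level detections, so this exemption is a straightforward blind spot rather than a hardening gap. At minimum the macro should carry a comment stating the limitation, e.g. `# NOTE: matching on proc.name alone is spoofable; a process renamed to dpkg/rpm is exempted.` If the available field set supports it, anchoring the exemption on the executable's path or on a known package-manager parent process would narrow it; I have not checked which fields this rule set can rely on.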