rule(Update Package Repository): restrict files
Previously any write to a file called sources.list would match the access_repositories condition, even a file /usr/tmp/..../sources.list. Change the macro so the files in repository_files must be somewhere below any of repository_directories. Also allow programs spawned by package management programs to change these files, using package_mgmt_ancestor_procs. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
@@ -935,10 +935,12 @@
|
||||
items: [sources.list]
|
||||
|
||||
- list: repository_directories
|
||||
items: [/etc/apt/sources.list.d, /etc/yum.repos.d]
|
||||
items: [/etc/apt/sources.list.d, /etc/yum.repos.d, /etc/apt]
|
||||
|
||||
- macro: access_repositories
|
||||
condition: (fd.filename in (repository_files) or fd.directory in (repository_directories))
|
||||
condition: (fd.directory in (repository_directories) or
|
||||
(fd.name pmatch (repository_directories) and
|
||||
fd.filename in (repository_files)))
|
||||
|
||||
- macro: modify_repositories
|
||||
condition: (evt.arg.newpath pmatch (repository_directories))
|
||||
@@ -951,6 +953,7 @@
|
||||
condition: >
|
||||
((open_write and access_repositories) or (modify and modify_repositories))
|
||||
and not package_mgmt_procs
|
||||
and not package_mgmt_ancestor_procs
|
||||
and not exe_running_docker_save
|
||||
and not user_known_update_package_registry
|
||||
output: >
|
||||
|
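Review bot: Adding `/etc/apt` to `repository_directories` in the first hunk widens the rule beyond what the description claims, because the first disjunct of `access_repositories`, `fd.directory in (repository_directories)`, still fires on any file whose parent directory is in the list, so a write to any other file directly under `/etc/apt` (an apt.conf, for instance) now matches regardless of `repository_files`. The new `pmatch` clause only narrows the `sources.list` case; the `fd.directory` clause appears intended for directories whose every entry is a repository definition, such as `/etc/apt/sources.list.d`. I would keep `/etc/apt` out of `repository_directories` and match it only through the second clause, e.g. `(fd.name pmatch (repository_directories, /etc/apt) and fd.filename in (repository_files))`, or via a separate list if the list syntax does not allow a bare path there. The same list also feeds `evt.arg.newpath pmatch (repository_directories)` in `modify_repositories`, so renames into `/etc/apt` are broadened the same way; worth confirming that is intended and that the test for this rule covers a non-repository file in `/etc/apt`.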