From 7ae0ce1936a3e581047c65d31e4e5af17992fa49 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Thu, 27 Aug 2020 17:29:37 -0700
Subject: [PATCH] rule(Update Package Repository): restrict files

Previously any write to a file called sources.list would match the access_repositories condition, even a file /usr/tmp/..../sources.list. Change the macro so the files in repository_files must be somewhere below any of repository_directories.

Also allow programs spawned by package management programs to change these files, using package_mgmt_ancestor_procs.

Signed-off-by: Mark Stemm
---
 rules/falco_rules.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 26a20af6..1a20bdb4 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -935,10 +935,12 @@
   items: [sources.list]
 
 - list: repository_directories
-  items: [/etc/apt/sources.list.d, /etc/yum.repos.d]
+  items: [/etc/apt/sources.list.d, /etc/yum.repos.d, /etc/apt]
 
 - macro: access_repositories
-  condition: (fd.filename in (repository_files) or fd.directory in (repository_directories))
+  condition: (fd.directory in (repository_directories) or
+             (fd.name pmatch (repository_directories) and
+             fd.filename in (repository_files)))
 
 - macro: modify_repositories
   condition: (evt.arg.newpath pmatch (repository_directories))
@@ -951,6 +953,7 @@
   condition: >
     ((open_write and access_repositories) or (modify and modify_repositories))
     and not package_mgmt_procs
+    and not package_mgmt_ancestor_procs
     and not exe_running_docker_save
     and not user_known_update_package_registry
   output: >
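Review bot: Adding /etc/apt to repository_directories widens the first branch of access_repositories, `fd.directory in (repository_directories)`, to every file written directly under /etc/apt (apt.conf, preferences, and so on), not only the sources.list file the commit message targets; before this change the directory-equality check covered just the two drop-in directories. If the goal is only to let the new pmatch branch accept /etc/apt/sources.list, keep /etc/apt out of the list used for the equality check and give the pmatch clause its own, broader list, for example `fd.name pmatch (repository_directories, /etc/apt)` while leaving repository_directories at its previous two entries. The macro condition is now a plain multi-line scalar that depends on YAML folding the indented continuation lines into one expression; a `>` block scalar, as the rule at the second hunk already uses, would make that intent explicit. Since the rule also carries modify_repositories, which pmatches the same list, the widening applies to renames into /etc/apt as well.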
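Review bot: The added `and not package_mgmt_ancestor_procs` references a macro whose definition is not part of this patch; confirm it is already defined in rules/falco_rules.yaml at this commit, since an undefined macro makes the rule file fail to load rather than degrade gracefully. Exempting every descendant of a package-management process, rather than the process itself, also means maintainer scripts and anything they spawn can rewrite repository files without an alert; the commit message presents this as intended, but nothing in the rule records it, so a comment such as `# descendants of package managers (e.g. maintainer scripts) are exempt via package_mgmt_ancestor_procs` next to the new line would help the next reader weigh that blind spot. The enclosing rule block starts before this hunk.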