From 81e29c55ecd71c76047fbbc0576c5a2db36256d3 Mon Sep 17 00:00:00 2001
From: Nicolas Marier
Date: Fri, 15 May 2020 10:57:59 -0400
Subject: [PATCH] rule(macro user_known_set_setuid_or_setgid_bit_conditions): create macro

This macro will be useful because it will make it possible to filter out events with a higher degree of granularity than is currently possible for the `Set Setuid or Setgid bit` rule. For example, if some application is expected to set the setuid or the setgid bit under a specific condition, like if it's started with a specific command, then the `user_known_chmod_applications` list is not enough because we don't want to filter out _all_ events by this application, only specific ones. This macro allows that.

Signed-off-by: Nicolas Marier
---
 rules/falco_rules.yaml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 23f579d9..9f21fd0d 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2516,6 +2516,12 @@
 - list: user_known_chmod_applications
   items: [hyperkube, kubelet]
 
+# This macro should be overridden in user rules as needed. This is useful if a given application
+# should not be ignored alltogether with the user_known_chmod_applications list, but only in
+# specific conditions.
+- macro: user_known_set_setuid_or_setgid_bit_conditions
+  condition: (never_true)
+
 - rule: Set Setuid or Setgid bit
   desc: >
     When the setuid or setgid bits are set for an application,
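Review bot: The comment on the new macro explains what it is for but not how to override it safely; because the macro is consumed purely as an exclusion (`and not user_known_set_setuid_or_setgid_bit_conditions` in the rule's condition in the second hunk), an over-broad override silently mutes the `Set Setuid or Setgid bit` rule for every process, so the comment should steer users toward the narrowest condition that matches the expected chmod. I would replace the three `#` lines with: `# Override this macro in user rules to exclude specific, expected setuid/setgid chmods` / `# (e.g. one application started with one particular command line) instead of silencing the` / `# application entirely via user_known_chmod_applications; keep any override as narrow as possible.` The same lines also contain a typo, `alltogether` for `altogether`. The `- rule: Set Setuid or Setgid bit` definition continues past this hunk; its condition is in the next one.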
@@ -2525,6 +2531,7 @@
     consider_all_chmods and chmod and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID")
     and not proc.name in (user_known_chmod_applications)
     and not exe_running_docker_save
+    and not user_known_set_setuid_or_setgid_bit_conditions
   output: >
     Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name process=%proc.name command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)