From 8e46db05c69f786e468019bf6487d8b67d753978 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 23 Aug 2017 16:37:38 -0700
Subject: [PATCH] More specific control of some /etc files
Add more specific controls of files below /etc, allowing specific combinations of programs and files:
- start-fluentd can write to /etc/fluent/fluent.conf
- locales.postins can write to /etc/locale.gen
---
rules/falco_rules.yaml | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 1c368d38..a7bd4cfd 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -383,6 +383,12 @@
- list: safe_etc_dirs
items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment]
+- macro: fluentd_writing_fluentd_conf
+ condition: (proc.name=start-fluentd and fd.name=/etc/fluent/fluent.conf)
+
+- macro: locales_postinst_writing_locale_gen
+ condition: (proc.name=locales.postins and fd.name=/etc/locale.gen)
+
- macro: write_etc_common
condition: >
etc_dir and evt.dir = < and open_write
@@ -398,9 +404,11 @@
qualys-cloud-ag)
and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries)
and not fd.name pmatch (safe_etc_dirs)
- and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/local.gen)
+ and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json)
and not ansible_running_python
and not python_running_denyhosts
+ and not fluentd_writing_fluentd_conf
+ and not locales_postinst_writing_locale_gen
- rule: Write below etc
desc: an attempt to write to any file below /etc, not in a pipe installer session
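Review bot: The two macros added in the first hunk exempt writes on `proc.name` alone, and since proc.name is the process's own comm (set by whatever it execs as or renames itself to), any process calling itself start-fluentd or locales.postins can write /etc/fluent/fluent.conf or /etc/locale.gen without triggering Write below etc; the second hunk is where this weakening takes effect. The surrounding condition already narrows other exceptions with `proc.pname`, so the same anchoring would be consistent here, e.g. `condition: (proc.name=start-fluentd and proc.pname in (<expected parent>) and fd.name=/etc/fluent/fluent.conf)`, or the name-only exemption should be called out in a comment as an accepted gap. The spelling `locales.postins` also deserves a comment so it is not "fixed" later: as far as I know proc.name carries the kernel comm, which is limited to 15 characters, so locales.postinst is seen truncated — `# proc.name is the 15-char kernel comm, so locales.postinst appears as locales.postins`.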