From 96b4ff0ee596294f3ccc1a5589a410fa0bdebee9 Mon Sep 17 00:00:00 2001
From: Mattia Pagnozzi
Date: Sat, 14 Apr 2018 00:17:23 +0200
Subject: [PATCH] Fix/Expand "Modify bin dirs" rule (#353)

* Also check evt.abspath in "Modify binary dirs" rule

For unlinkat evt.arg[1] is not the path of the file/dir removed.

* Monitor renameat too in "Modify binary dirs" rule
---
 rules/falco_rules.yaml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index c9e0e18f..dee0a3f6 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -23,7 +23,7 @@
   condition: (proc.name!="")
 - macro: rename
-  condition: evt.type = rename
+  condition: evt.type in (rename, renameat)
 - macro: mkdir
   condition: evt.type = mkdir
 - macro: remove
@@ -39,6 +39,13 @@
 - macro: bin_dir
   condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
 
+- macro: bin_dir_resolved
+  condition: >
+    (evt.abspath startswith /bin/ or
+    evt.abspath startswith /sbin/ or
+    evt.abspath startswith /usr/bin/ or
+    evt.abspath startswith /usr/sbin/)
+
 - macro: bin_dir_mkdir
   condition: >
     (evt.arg[1] startswith /bin/ or
@@ -926,7 +933,7 @@
 - rule: Modify binary dirs
   desc: an attempt to modify any file below a set of binary directories.
-  condition: bin_dir_rename and modify and not package_mgmt_procs and not exe_running_docker_save
+  condition: (bin_dir_rename or bin_dir_resolved) and modify and not package_mgmt_procs and not exe_running_docker_save
   output: >
     File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline operation=%evt.type file=%fd.name %evt.args)
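Review bot: `bin_dir_resolved` tests only `evt.abspath`, which for a two-path syscall such as renameat (now admitted by the `rename` macro in the first hunk) appears to resolve just the first path, so a file renamed from outside into a binary directory is detected only if `bin_dir_rename` happens to cover it. Sysdig exposes the second path as `evt.abspath.dst`; extending the macro with `evt.abspath.dst startswith /bin/ or ...` for the same four directories would close that gap. The macro also lacks a comment saying why it exists alongside `bin_dir`, e.g. `# *at() syscalls (unlinkat, renameat) pass a dirfd plus a relative name, so fd.directory and evt.arg[1] do not hold the full path; evt.abspath is the resolved one.`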
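Review bot: The output line still reports `file=%fd.name`, yet an event that matches only through the new `bin_dir_resolved` branch (unlinkat, renameat) carries no file descriptor, so that field is likely empty and the resolved path that actually triggered the rule is not shown to the responder. Adding `abspath=%evt.abspath` to the output (or using it in place of `file=%fd.name` for those event types) would make the alert self-contained instead of relying on the raw `%evt.args` dump. The rule continues past the hunk; its priority and tags are not visible here.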