Some more progress on rules

Henri DF
2016-03-03 16:14:14 -08:00
parent e7adc4e1f5
commit 9bbe692137


@@ -58,38 +58,39 @@ syslog: fd.name = /dev/log
#######
# Don't write to binary dirs
write and bin_dir | Write to bin dir (%proc.name %evt.dir %evt.type %evt.args %fd.name)
write and bin_dir and evt.dir = > | %evt.time: Write to bin dir (%proc.name %evt.dir %evt.type %evt.args %fd.name)
# Don't modify binary dirs
modify and (bin_dir_rename or bin_dir_mkdir) | Modify bin dir (%proc.name %evt.dir %evt.type %evt.args %fd.name)
modify and (bin_dir_rename or bin_dir_mkdir) | %evt.time: Modify bin dir (%proc.name %evt.dir %evt.type %evt.args %fd.name)
# Don't load shared objects coming from unexpected places
read and fd.name contains .so and not (ubuntu_so_dirs or centos_so_dirs) | .so from wrong place (%proc.name %evt.dir %evt.type %evt.args %fd.name)
read and fd.name contains .so and not (ubuntu_so_dirs or centos_so_dirs) | output.first_sequence(evt, "fd.filename", "shared_obj", "%evt.time: .so from unexpected dir (%proc.name %evt.dir %evt.type %evt.args %fd.name)")
# Attempts to access things that shouldn't be
# Disabled, somewhat noisy, need dupe suppression before enabling
# evt.res = EACCES | EACCESS (%proc.name %evt.dir %evt.type %evt.args %fd.name)
# evt.res = EACCES | %evt.time: EACCESS (%proc.name %evt.dir %evt.type %evt.args %fd.name)
# Let's assume this is a node running elasticsearch
inbound and not (ssh_port or elasticsearch_port) and not fd.rip="127.0.0.1" | bad rip (%proc.name %evt.dir %evt.type %evt.args %fd.name)
inbound and fd.sockfamily = ip and not (ssh_port or elasticsearch_port) and not fd.rip="127.0.0.1" | %evt.time: bad rip (%proc.name %evt.dir %evt.type %evt.args %fd.name)
# Only sysdig and docker can call setns
syscall.type = setns and not proc.name in (docker, sysdig) | Unexpected setns (%proc.name %evt.dir %evt.type %evt.args %fd.name)
syscall.type = setns and not proc.name in (docker, sysdig) | %evt.time: Unexpected setns (%proc.name %evt.dir %evt.type %evt.args %fd.name)
# Shells should only be run by cron or sshd
proc.name = bash and not proc.pname in (bash, sshd, cron, sudo, su, tmux) | Unexpected shell (%proc.name %evt.dir %evt.type %evt.args %fd.name)
proc.name = bash and not proc.pname in (bash, sshd, cron, sudo, su, tmux) | %evt.time: Unexpected shell (%proc.name %evt.dir %evt.type %evt.args %fd.name)
# Anything run by root
evt.type != switch and user.name = root and proc.name != sshd and interactive | Interactive root (%proc.name %evt.dir %evt.type %evt.args %fd.name)
# Anything run interactively by root
# evt.type != switch and user.name = root and proc.name != sshd and interactive | %evt.time: Interactive root (%proc.name %evt.dir %evt.type %evt.args %fd.name)
# Chmod should only be run interactively (by a user)
syscall.type = chmod and not interactive | non-interactive chmod (%proc.name %evt.dir %evt.type %evt.args %fd.name)
syscall.type = chmod and not interactive | %evt.time: non-interactive chmod (%proc.name %evt.dir %evt.type %evt.args %fd.name)
# Shells in a container
container and proc.name = bash | shell in a container (%proc.name %evt.dir %evt.type %evt.args %fd.name)
container and proc.name = bash | %evt.time: shell in a container (%proc.name %evt.dir %evt.type %evt.args %fd.name)
# Network traffic to/from standard utils
(fd.typechar = 4 or fd.typechar=6) and coreutils_binaries | network traffic to %proc.name (%proc.name %evt.dir %evt.type %evt.args %fd.name)
# sockfamily ip is to exclude certain processes (like 'groups') that communicate on unix-domain sockets
fd.sockfamily = ip and coreutils_binaries | %evt.time: network traffic to %proc.name (%proc.name %evt.dir %evt.type %evt.args %fd.name)
# SSH errors (failed logins, disconnects, ..)
syslog and ssh_error_message and evt.dir = < | output.syslog(evt, "warning", "sshd: %proc.name %evt.arg.data")