From a52441dcaab03d104507142b72c672cd23122d17 Mon Sep 17 00:00:00 2001
From: Henri DF
Date: Tue, 1 Mar 2016 20:10:52 -0800
Subject: [PATCH] Some updates to base rules file

---
 rules/base.txt | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/rules/base.txt b/rules/base.txt
index 678959bb..07c0c4fa 100644
--- a/rules/base.txt
+++ b/rules/base.txt
@@ -16,8 +16,8 @@ modify: rename or mkdir or remove
 terminal_file_fd: fd.name=/dev/ptmx or fd.directory=/dev/pts
 bin_dir: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
-bin_dir_arg0: evt.arg[0] contains /bin or evt.arg[0] contains /sbin or evt.arg[0] contains /usr/bin or evt.arg[0] contains /usr/sbin
-bin_dir_arg1: evt.arg[1] contains /bin or evt.arg[1] contains /sbin or evt.arg[1] contains /usr/bin or evt.arg[1] contains /usr/sbin
+bin_dir_mkdir: evt.arg[0] contains /bin or evt.arg[0] contains /sbin or evt.arg[0] contains /usr/bin or evt.arg[0] contains /usr/sbin
+bin_dir_rename: evt.arg[1] contains /bin or evt.arg[1] contains /sbin or evt.arg[1] contains /usr/bin or evt.arg[1] contains /usr/sbin
 ubuntu_so_dirs: fd.directory contains /lib/x86_64-linux-gnu or fd.directory contains /usr/lib/x86_64-linux-gnu or fd.directory contains /usr/lib/sudo
 centos_so_dirs: fd.directory contains /lib64 or fd.directory contains /user/lib64 or fd.directory contains /usr/libexec
@@ -43,7 +43,6 @@ ssh_port: fd.lport=22
 # System
 modules: syscall.type in (delete_module, init_module)
-setns: syscall.type = setns
 container: container.id != host
 interactive: proc.aname=sshd
@@ -56,7 +55,7 @@ interactive: proc.aname=sshd
 write and bin_dir
 # Don't modify binary dirs
-modify and (bin_dir_arg0 or bin_dir_arg1)
+modify and (bin_dir_rename or bin_dir_mkdir)
 # Don't load shared objects coming from unexpected places
 read and fd.name contains .so and not (ubuntu_so_dirs or centos_so_dirs)
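Review bot: The renamed macros encode a syscall in their names but still test an argument position, so `bin_dir_mkdir` (evt.arg[0]) would also match the path of `remove` and, assuming arg[0]/arg[1] are rename's source and destination paths, `bin_dir_rename` (evt.arg[1]) only sees where a file lands, not where it is taken from; `modify` is `rename or mkdir or remove` per the hunk header, so a reader of `modify and (bin_dir_rename or bin_dir_mkdir)` in the third hunk will be misled. Either keep position-based names or add a comment above the pair, e.g. `# arg[0]: mkdir/remove path and rename source; arg[1]: rename destination`. The conditions are substring tests (`contains /bin`), unlike `bin_dir` just above which uses an exact `fd.directory in (...)`, so /usr/local/bin or any path with "/bin" anywhere in it also triggers; a prefix or directory match would be tighter if the filter language offers one. Unrelated to the change, the unchanged `centos_so_dirs` context line lists `/user/lib64`, which looks like a typo for `/usr/lib64` and would make legitimate CentOS library loads trip the .so rule.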
@@ -70,3 +69,17 @@ setns and proc.name != sysdig
 # Let's assume this is a node running elasticsearch
 inbound and not (ssh_port or elasticsearch_port) and not fd.rip="127.0.0.1"
+# Only sysdig and docker can call setns
+syscall.type = setns and not proc.name in (docker, sysdig)
+
+# Shells should only be run by cron or sshd
+proc.name = bash and not proc.pname in (bash, sshd, cron)
+
+# Anything run by root
+user.name = root
+
+# Chmod should only be run interactively (by a user)
+syscall.type = chmod and not interactive
+
+# Shells in a container
+container and proc.name = bash
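Review bot: The second hunk deletes the `setns` macro, but this hunk's header context, `setns and proc.name != sysdig`, is a rule somewhere in old lines 63–69 that no hunk touches, so after the patch it still references a macro that no longer exists and duplicates the new `syscall.type = setns and not proc.name in (docker, sysdig)` rule; drop the old rule in this commit or keep the macro. The new exceptions are name-based (`proc.name in (docker, sysdig)`, `proc.pname in (bash, sshd, cron)`), and a process name reflects the executable's name rather than a verified identity, so a comment such as `# name-based allowlist only; a weak check, tune with a path-based field if the filter exposes one` would set expectations for whoever maintains these. `user.name = root` has no further condition, so it matches every event root generates and is likely to drown the other rules; if that breadth is intended, the comment should say so, otherwise narrow it. The two shell rules match only `bash`, and the chmod rule only `syscall.type = chmod`, so other shells (sh, dash) and fchmod/fchmodat (if this sysdig build exposes them) are not covered; either list them or note the gap in the comments.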