Some updates to base rules file

2025-07-17 16:21:31 +00:00 · 2016-03-01 20:10:52 -08:00 · 2016-03-01 20:10:52 -08:00 · a52441dcaa
commit a52441dcaa
parent 8343d23c3f
1 changed files with 17 additions and 4 deletions
--- a/rules/base.txt
+++ b/rules/base.txt
@ -16,8 +16,8 @@ modify: rename or mkdir or remove
 terminal_file_fd: fd.name=/dev/ptmx or fd.directory=/dev/pts
 bin_dir: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)

-bin_dir_arg0: evt.arg[0] contains /bin or evt.arg[0] contains /sbin or evt.arg[0] contains /usr/bin or evt.arg[0] contains /usr/sbin
-bin_dir_arg1: evt.arg[1] contains /bin or evt.arg[1] contains /sbin or evt.arg[1] contains /usr/bin or evt.arg[1] contains /usr/sbin
+bin_dir_mkdir: evt.arg[0] contains /bin or evt.arg[0] contains /sbin or evt.arg[0] contains /usr/bin or evt.arg[0] contains /usr/sbin
+bin_dir_rename: evt.arg[1] contains /bin or evt.arg[1] contains /sbin or evt.arg[1] contains /usr/bin or evt.arg[1] contains /usr/sbin

 ubuntu_so_dirs: fd.directory contains /lib/x86_64-linux-gnu or fd.directory contains /usr/lib/x86_64-linux-gnu or fd.directory contains /usr/lib/sudo
 centos_so_dirs: fd.directory contains /lib64 or fd.directory contains /user/lib64 or fd.directory contains /usr/libexec
@ -43,7 +43,6 @@ ssh_port: fd.lport=22

 # System
 modules: syscall.type in (delete_module, init_module)
-setns: syscall.type = setns
 container: container.id != host
 interactive: proc.aname=sshd

@ -56,7 +55,7 @@ interactive: proc.aname=sshd
 write and bin_dir

 # Don't modify binary dirs
-modify and (bin_dir_arg0 or bin_dir_arg1)
+modify and (bin_dir_rename or bin_dir_mkdir)

 # Don't load shared objects coming from unexpected places
 read and fd.name contains .so and not (ubuntu_so_dirs or centos_so_dirs)
@ -70,3 +69,17 @@ setns and proc.name != sysdig
 # Let's assume this is a node running elasticsearch
 inbound and not (ssh_port or elasticsearch_port) and not fd.rip="127.0.0.1"

+# Only sysdig and docker can call setns
+syscall.type = setns and not proc.name in (docker, sysdig)
+
+# Shells should only be run by cron or sshd
+proc.name = bash and not proc.pname in (bash, sshd, cron)
+
+# Anything run by root
+user.name = root
+
+# Chmod should only be run interactively (by a user)
+syscall.type = chmod and not interactive
+
+# Shells in a container
+container and proc.name = bash