rule(macro bin_dir_rename): correct condition to catch all variants

Since `evt.arg[1]` does not work for all syscalls, switch to: - `evt.arg.path` for `rmdir` and `unlink` (used by `remove` macro) - `evt.arg.name` for `unlinkat` (used by `remove` macro) - `evt.arg.oldpath/newpath` for `rename` and `renameat` (used by `rename` macro) That ensures `Modify binary dirs` works properly. Note that we cannot yet use `renameat2` (not supported by sinsp, see https://github.com/draios/sysdig/issues/1603 ) Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2025-09-18 16:07:21 +00:00 · 2020-06-04 15:46:27 +02:00
parent 74ca02d199
commit a5ce61f03f
1 changed files with 18 additions and 5 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -55,6 +55,7 @@
 - macro: proc_name_exists
  condition: (proc.name!="<NA>")

+# todo(leogr): we miss "renameat2", but it's not yet supported by sinsp
 - macro: rename
  condition: evt.type in (rename, renameat)
 - macro: mkdir
@@ -87,10 +88,22 @@

 - macro: bin_dir_rename
  condition: >
-    evt.arg[1] startswith /bin/ or
-    evt.arg[1] startswith /sbin/ or
-    evt.arg[1] startswith /usr/bin/ or
-    evt.arg[1] startswith /usr/sbin/
+     (evt.arg.path startswith /bin/ or
+     evt.arg.path startswith /sbin/ or
+     evt.arg.path startswith /usr/bin/ or
+     evt.arg.path startswith /usr/sbin/ or
+     evt.arg.name startswith /bin/ or
+     evt.arg.name startswith /sbin/ or
+     evt.arg.name startswith /usr/bin/ or
+     evt.arg.name startswith /usr/sbin/ or
+     evt.arg.oldpath startswith /bin/ or
+     evt.arg.oldpath startswith /sbin/ or
+     evt.arg.oldpath startswith /usr/bin/ or
+     evt.arg.oldpath startswith /usr/sbin/ or
+     evt.arg.newpath startswith /bin/ or
+     evt.arg.newpath startswith /sbin/ or
+     evt.arg.newpath startswith /usr/bin/ or
+     evt.arg.newpath startswith /usr/sbin/)

 - macro: etc_dir
  condition: fd.name startswith /etc/
@@ -1505,7 +1518,7 @@

 - rule: Modify binary dirs
  desc: an attempt to modify any file below a set of binary directories.
-  condition: (bin_dir_rename) and modify and not package_mgmt_procs and not exe_running_docker_save
+  condition: bin_dir_rename and modify and not package_mgmt_procs and not exe_running_docker_save
  output: >
    File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline
    pcmdline=%proc.pcmdline operation=%evt.type file=%fd.name %evt.args container_id=%container.id image=%container.image.repository)