From a5ce61f03f0df2aa004371a26dc737931e716496 Mon Sep 17 00:00:00 2001
From: Leonardo Grasso
Date: Thu, 4 Jun 2020 15:46:27 +0200
Subject: [PATCH] rule(macro bin_dir_rename): correct condition to catch all variants

Since `evt.arg[1]` does not work for all syscalls, switch to:
- `evt.arg.path` for `rmdir` and `unlink` (used by `remove` macro)
- `evt.arg.name` for `unlinkat` (used by `remove` macro)
- `evt.arg.oldpath/newpath` for `rename` and `renameat` (used by `rename` macro)
That ensures `Modify binary dirs` works properly. Note that we cannot yet use `renameat2` (not supported by sinsp, see https://github.com/draios/sysdig/issues/1603 )

Signed-off-by: Leonardo Grasso
---
 rules/falco_rules.yaml | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 0a43b532..444732b8 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -55,6 +55,7 @@
 - macro: proc_name_exists
   condition: (proc.name!="")
+# todo(leogr): we miss "renameat2", but it's not yet supported by sinsp
 - macro: rename
   condition: evt.type in (rename, renameat)
 - macro: mkdir
@@ -87,10 +88,22 @@
 - macro: bin_dir_rename
   condition: >
-    evt.arg[1] startswith /bin/ or
-    evt.arg[1] startswith /sbin/ or
-    evt.arg[1] startswith /usr/bin/ or
-    evt.arg[1] startswith /usr/sbin/
+    (evt.arg.path startswith /bin/ or
+    evt.arg.path startswith /sbin/ or
+    evt.arg.path startswith /usr/bin/ or
+    evt.arg.path startswith /usr/sbin/ or
+    evt.arg.name startswith /bin/ or
+    evt.arg.name startswith /sbin/ or
+    evt.arg.name startswith /usr/bin/ or
+    evt.arg.name startswith /usr/sbin/ or
+    evt.arg.oldpath startswith /bin/ or
+    evt.arg.oldpath startswith /sbin/ or
+    evt.arg.oldpath startswith /usr/bin/ or
+    evt.arg.oldpath startswith /usr/sbin/ or
+    evt.arg.newpath startswith /bin/ or
+    evt.arg.newpath startswith /sbin/ or
+    evt.arg.newpath startswith /usr/bin/ or
+    evt.arg.newpath startswith /usr/sbin/)
 - macro: etc_dir
   condition: fd.name startswith /etc/
@@ -1505,7 +1518,7 @@
 - rule: Modify binary dirs
   desc: an attempt to modify any file below a set of binary directories.
-  condition: (bin_dir_rename) and modify and not package_mgmt_procs and not exe_running_docker_save
+  condition: bin_dir_rename and modify and not package_mgmt_procs and not exe_running_docker_save
   output: >
     File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline pcmdline=%proc.pcmdline operation=%evt.type file=%fd.name %evt.args container_id=%container.id image=%container.image.repository)
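Review bot: The rewritten `bin_dir_rename` condition does not say which syscall each argument field belongs to, so the next reader has to rediscover the mapping that only the commit message gives; a comment above the macro, `# evt.arg.path: rmdir/unlink; evt.arg.name: unlinkat; evt.arg.oldpath/newpath: rename/renameat`, would keep it next to the condition. All four fields are prefix-matched against absolute directory names, so an `unlinkat` or `renameat` whose path argument is given relative to a directory fd would presumably not match unless sinsp renders that argument as an absolute path — worth confirming, and if it is a known gap it belongs in the same comment alongside the `renameat2` todo added in the first hunk. The macro is complete within this hunk, and the parenthesis cleanup in the `Modify binary dirs` rule below is consistent with the new grouping.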