From d989e9c2d54a349b20f950c42a98fde27aa2c32c Mon Sep 17 00:00:00 2001
From: Shay Berkovich
Date: Wed, 13 Oct 2021 10:41:52 +0300
Subject: [PATCH] new(rules): Create Hardlink Over Sensitive Files

New rule to prevent hardlink bypass and symlink rule set to WARNING for consistency

Signed-off-by: Shay Berkovich
Co-authored-by: Meera Balsara
---
 rules/falco_rules.yaml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 89a1eae1..6953ecd3 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -68,6 +68,9 @@
 - macro: create_symlink
   condition: evt.type in (symlink, symlinkat) and evt.dir=<
 
+- macro: create_hardlink
+  condition: evt.type in (link, linkat) and evt.dir=<
+
 - macro: chmod
   condition: (evt.type in (chmod, fchmod, fchmodat) and evt.dir=<)
 
@@ -2696,7 +2699,17 @@
       (evt.arg.target in (sensitive_file_names) or evt.arg.target in (sensitive_directory_names))
   output: >
     Symlinks created over sensitive files (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline target=%evt.arg.target linkpath=%evt.arg.linkpath parent_process=%proc.pname)
-  priority: NOTICE
+  priority: WARNING
+  tags: [file, mitre_exfiltration]
+
+- rule: Create Hardlink Over Sensitive Files
+  desc: Detect hardlink created over sensitive files
+  condition: >
+    create_hardlink and
+    (evt.arg.oldpath in (sensitive_file_names))
+  output: >
+    Hardlinks created over sensitive files (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline target=%evt.arg.oldpath linkpath=%evt.arg.newpath parent_process=%proc.pname)
+  priority: WARNING
   tags: [file, mitre_exfiltration]
 
 - list: miner_ports
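Review bot: The new "Create Hardlink Over Sensitive Files" rule in the second hunk matches on the exit event (`evt.dir=<` via create_hardlink) but never inspects the syscall result, so its desc and output ("created") overstate what is detected: on kernels with fs.protected_hardlinks enabled, link()/linkat() against a file the caller does not own fails with EPERM, and the rule will fire on that denied attempt exactly as on a successful link. That may be the intended behaviour for an attempt-detection rule, but it should be stated; I would change the desc to `desc: Detect hardlink creation attempts (successful or denied) whose source is a sensitive file` and word the output accordingly, or add `and evt.rawres>=0` to the condition if only successful links are wanted — the two choices mean different things to an analyst triaging the alert. A second, smaller inconsistency: the symlink rule directly above also checks `sensitive_directory_names`, while the hardlink condition checks only `sensitive_file_names`; that is presumably deliberate because link(2) refuses directories, and a one-line comment in the rule saying so would save the next reader from re-deriving it.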