From da6b0f16f147e71c57bfcc6aaaf80f24684000a2 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 5 Apr 2019 11:27:37 -0700
Subject: [PATCH] Rule updates 2019 04.v2 (#573)

* Also let dockerd-current setns()

* Add additional setns programs

Let oci-umount (https://github.com/containers/oci-umount) setns().

* Let Openscap RPM probes touch rpm db

Define a list openscap_rpm_binaries containing openscap probes related to rpm and let those binaries touch the rpm database.

* Let oc write to more directories below /etc

Make the prefix more general, allowing any path below /etc/origin/node.
---
 rules/falco_rules.yaml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 40101338..2d579e1f 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -143,7 +143,7 @@
   items: [setup-backend, dragent, sdchecks]
 
 - list: docker_binaries
-  items: [docker, dockerd, exe, docker-compose, docker-entrypoi, docker-runc-cur, docker-current]
+  items: [docker, dockerd, exe, docker-compose, docker-entrypoi, docker-runc-cur, docker-current, dockerd-current]
 
 - list: k8s_binaries
   items: [hyperkube, skydns, kube2sky, exechealthz, weave-net, loopback, bridge, openshift-sdn]
@@ -182,8 +182,11 @@
           repoquery, rpmkeys, rpmq, yum-cron, yum-config-mana, yum-debug-dump,
           abrt-action-sav, rpmdb_stat, microdnf, rhn_check, yumdb]
 
+- list: openscap_rpm_binaries
+  items: [probe_rpminfo, probe_rpmverify, probe_rpmverifyfile, probe_rpmverifypackage]
+
 - macro: rpm_procs
-  condition: proc.name in (rpm_binaries) or proc.name in (salt-minion)
+  condition: proc.name in (rpm_binaries, openscap_rpm_binaries) or proc.name in (salt-minion)
 
 - list: deb_binaries
   items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, apt-get, aptitude,
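Review bot: `dockerd-current` is exempted by `proc.name` alone, and `docker_binaries` is the same list the change_thread_namespace exception at -1236 consults, so this one entry widens every rule that references the list, not only the case the commit message describes. The `openscap_rpm_binaries` entries at -182 and the inline `oci-umount` at -1236 extend allowlists in the same name-only way, so any process carrying one of these names, whatever its origin, is exempted. Where the legitimate parent is known it is worth pairing the name with a `proc.pname` check, as the existing `and not proc.pname in (sysdigcloud_binaries)` line at -1236 already does; the change_thread_namespace rule's header lies outside that hunk. At minimum the list should say which rules it feeds, e.g. `# referenced by change_thread_namespace and the container/write rules below`.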
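Review bot: Two of the new `openscap_rpm_binaries` entries, `probe_rpmverifyfile` and `probe_rpmverifypackage`, are longer than the 15-character process name that `proc.name` compares against, which is why the surrounding lists spell names as `docker-entrypoi`, `docker-runc-cur` and `yum-config-mana`; as written these two entries can never match. Their truncated form is `probe_rpmverify`, which is already in the list, so coverage is unaffected, but the list suggests the two long names are matched separately. Either drop them or record the truncation, e.g. `items: [probe_rpminfo, probe_rpmverify] # probe_rpmverifyfile/probe_rpmverifypackage truncate to probe_rpmverify`.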
@@ -901,7 +904,7 @@
   condition: (proc.name=prometheus-conf and fd.name startswith /etc/prometheus/config_out)
 
 - macro: openshift_writing_conf
-  condition: (proc.name=oc and fd.name=/etc/origin/node/node.kubeconfig)
+  condition: (proc.name=oc and fd.name startswith /etc/origin/node)
 
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
@@ -1236,7 +1239,8 @@
     as a part of creating a container) by calling setns.
   condition: >
     evt.type = setns
-    and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, sysdig, nsenter, calico)
+    and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, sysdig, nsenter, calico, oci-umount)
     and not proc.name in (user_known_change_thread_namespace_binaries)
     and not proc.name startswith "runc:"
     and not proc.pname in (sysdigcloud_binaries)
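Review bot: `fd.name startswith /etc/origin/node` has no trailing slash, so the widened `openshift_writing_conf` exception also covers any sibling entry whose name merely begins with `node` (for example `/etc/origin/node-…`), not only the directory the commit message describes. Anchoring the prefix on the directory keeps the exception to what was intended: `condition: (proc.name=oc and fd.name startswith /etc/origin/node/)`. The macro also moves from one named file to a whole directory, so a one-line comment above it stating why `oc` is expected to write anywhere below that path would let the next reviewer judge the scope without reading the commit history.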