github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-15 07:22:05 +00:00
Code Issues Projects Releases Wiki Activity

fix(rules): make chmod rules enabled by default

Browse Source 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
This commit is contained in:
Lorenzo Fontana 2019-08-14 19:12:50 +00:00 committed by Lorenzo Fontana
parent 3ea98b05dd
commit e229cecbe1
1 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
rules/falco_rules.yaml
View File

@ -73,7 +73,7 @@
condition: evt.type in (symlink, symlinkat) and evt.dir=<
- macro: chmod
condition: evt.type in (chmod, fchmod, fchmodat)
condition: (evt.type in (chmod, fchmod, fchmodat) and evt.dir=<)
# File categories
- macro: bin_dir
@ -2412,14 +2412,17 @@
tag: [process, mitre_defense_evation]
- macro: consider_all_chmods
condition: (never_true)
condition: (always_true)
- list: user_known_chmod_applications
items: []
- rule: Set Setuid or Setgid bit
desc: >
When the setuid or setgid bits are set for an application,
this means that the application will run with the privileges of the owning user or group respectively.
Detect setuid or setgid bits set via chmod
condition: consider_all_chmods and chmod and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID")
condition: consider_all_chmods and chmod and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID") and not proc.cmdline in (user_known_chmod_applications)
output: >
Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name
command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)