From e76c31b493081ee54d7bcae93a881b4e22e20854 Mon Sep 17 00:00:00 2001
From: Alessandro Brucato
Date: Tue, 18 Oct 2022 12:05:55 +0200
Subject: [PATCH] Added PTRACE_SEIZE, PTRACE_POKETEXT, PTRACE_POKEDATA, PTRACE_SETREGS and whitelist macro
Signed-off-by: Alessandro Brucato
---
 rules/falco_rules.yaml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 789b7e48..2fbd9001 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -3241,9 +3241,15 @@
 priority: WARNING
 tags: [filesystem, mitre_credential_access, mitre_discovery]
+- list: known_ptrace_binaries
+ items: []
+
+- marco: known_ptrace_procs
+ condition: (proc.name in (known_ptrace_binaries))
+
 - rule: PTRACE attached to process
 desc: "This rule detects an attempt to inject code into a process using PTRACE."
- condition: evt.type=ptrace and evt.dir=> and evt.arg.request=11 and proc_name_exists
+ condition: evt.type=ptrace and evt.dir=> and evt.arg.request in (5, 6, 11, 20, 27) and proc_name_exists and not known_ptrace_procs
 output: Detected ptrace PTRACE_ATTACH attempt (proc.cmdline=%proc.cmdline container=%container.info evt.type=%evt.type evt.arg.request=%evt.arg.request proc.pid=%proc.pid proc.cwd=%proc.cwd proc.ppid=%proc.ppid proc.pcmdline=%proc.pcmdline proc.sid=%proc.sid proc.exepath=%proc.exepath user.uid=%user.uid user.loginuid=%user.loginuid user.loginname=%user.loginname user.name=%user.name group.gid=%group.gid group.name=%group.name container.id=%container.id container.name=%container.name image=%container.image.repository)
 priority: WARNING
 tags: [process]
\ No newline at end of file
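Review bot: The new top-level key `- marco: known_ptrace_procs` is a typo for `macro`, so the rule referencing `not known_ptrace_procs` has no macro to resolve and the rules file will most likely be rejected at load time; it should read `- macro: known_ptrace_procs`. The condition now matches five request values but the output still says `PTRACE_ATTACH attempt` for every one of them, which will mislead analysts triaging a POKETEXT/SETREGS/SEIZE hit; since `evt.arg.request=%evt.arg.request` is already in the output, change the prefix to `output: Detected ptrace attempt (...)` and add a comment above the condition naming which PTRACE_* request each of `5, 6, 11, 20, 27` stands for, as bare numbers are unverifiable to the next maintainer. Note also that the allowlist keys on `proc.name`, which an attacker controls by renaming or copying a binary, so the list should be documented as a noise-tuning knob rather than a security boundary (or keyed on `proc.exepath` if that is acceptable for this rule).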