github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-15 15:32:04 +00:00
Code Issues Projects Releases Wiki Activity

More changes to address FPs.

Browse Source 
- Sometimes systemd changes its process name to '(systemd)', probably
   for a forked daemon process. Add that version to login_binaries.
 - Add sv (part of runit) as a program that can write below /etc.
 - Allow all /dev/tty* files by moving /dev/tty from the list to a
   "startswith /dev/tty" condition.
This commit is contained in:
Mark Stemm 2017-02-21 14:58:55 -08:00
parent 1c21b3bc8a
commit f1aadef054
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
rules/falco_rules.yaml
View File

@ -76,7 +76,7 @@
# dpkg -L login | grep bin | xargs ls -ld | grep -v '^d' | awk '{print $9}' | xargs -L 1 basename | tr "\\n" "," # dpkg -L login | grep bin | xargs ls -ld | grep -v '^d' | awk '{print $9}' | xargs -L 1 basename | tr "\\n" ","
- list: login_binaries - list: login_binaries
items: [login, systemd, systemd-logind, su, nologin, faillog, lastlog, newgrp, sg] items: [login, systemd, '"(systemd)"', systemd-logind, su, nologin, faillog, lastlog, newgrp, sg]
# dpkg -L passwd | grep bin | xargs ls -ld | grep -v '^d' | awk '{print $9}' | xargs -L 1 basename | tr "\\n" "," # dpkg -L passwd | grep bin | xargs ls -ld | grep -v '^d' | awk '{print $9}' | xargs -L 1 basename | tr "\\n" ","
- list: passwd_binaries - list: passwd_binaries
@ -256,7 +256,7 @@
package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries, package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries,
ldconfig.real, ldconfig, confd, gpg, insserv, ldconfig.real, ldconfig, confd, gpg, insserv,
apparmor_parser, update-mime, tzdata.config, tzdata.postinst, apparmor_parser, update-mime, tzdata.config, tzdata.postinst,
systemd-machine, debconf-show, rollerd, bind9.postinst) systemd-machine, debconf-show, rollerd, bind9.postinst, sv)
and not proc.pname in (sysdigcloud_binaries) and not proc.pname in (sysdigcloud_binaries)
and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java) and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java)
and not ansible_running_python and not ansible_running_python
@ -469,7 +469,7 @@
tags: [host, users] tags: [host, users]
- list: allowed_dev_files - list: allowed_dev_files
items: [/dev/null, /dev/stdin, /dev/stdout, /dev/stderr, /dev/tty, /dev/random, /dev/urandom, /dev/console] items: [/dev/null, /dev/stdin, /dev/stdout, /dev/stderr, /dev/random, /dev/urandom, /dev/console]
# (we may need to add additional checks against false positives, see: https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/86153) # (we may need to add additional checks against false positives, see: https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/86153)
- rule: Create files below dev - rule: Create files below dev
@ -479,6 +479,7 @@
(evt.type = creat or (evt.type = open and evt.arg.flags contains O_CREAT)) (evt.type = creat or (evt.type = open and evt.arg.flags contains O_CREAT))
and not proc.name in (dev_creation_binaries) and not proc.name in (dev_creation_binaries)
and not fd.name in (allowed_dev_files) and not fd.name in (allowed_dev_files)
and not fd.name startswith /dev/tty
output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name)" output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name)"
priority: WARNING priority: WARNING
tags: [filesystem] tags: [filesystem]