Add addl groups of binary programs.

Add some new groups of binary programs as macros and start using them in
the set of rules:

 - docker_binaries: docker and exe (which is a temporary process name
   for processes like docker-proxy)
 - http_server_binaries: httpd, nginx, and similar
 - db_server_binaries: mysql for now, we'll add more later
 - server_binaries: all of the above
 - userexec_binaries: sudo and su.

Start using these groups in the rules. Most of the time, changing from
the inline lists of processes to macros was a no-op. There are some
actual changes, though:

 - docker and exe are now allowed to read 'sensitive' files. They may
   not actually do so, but it's not really harmful.
 - lighttpd is now allowed to read 'sensitive' files, via inclusion in
   http_server_binaries.
 - su, lighttpd, and docker can now setuid.
 - http-foreground is included as a http server wrt non-port 80/443 ports.

I'm going to use these macros in some of the following rules.

This actually prevents detection of mysql reading sensitive files, which
is one of the demo scenarios (sql injection). I plan on adding this
detection back in the next commit.
This commit is contained in:
Mark Stemm 2016-05-11 14:11:18 -07:00
parent f43e5e6c3d
commit f64ea7def5


@ -92,6 +92,23 @@
groupadd, groupdel, groupmems, groupmod, grpck, grpconv, grpunconv,
newusers, pwck, pwconv, pwunconv, useradd, userdel, usermod, vigr, vipw)
- macro: docker_binaries
condition: proc.name in (docker, exe)
- macro: http_server_binaries
condition: proc.name in (nginx, httpd, httpd-foregroun, lighttpd)
- macro: db_server_binaries
condition: proc.name in (mysqld)
- macro: server_binaries
condition: http_server_binaries or db_server_binaries or docker_binaries or proc.name in (sshd)
# A canonical set of processes that run other programs with different
# privileges or as a different user.
- macro: userexec_binaries
condition: proc.name in (sudo, su)
- macro: system_binaries
condition: coreutils_binaries or adduser_binaries or login_binaries or passwd_binaries or shadowutils_binaries
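Review bot: the `docker_binaries` macro matches on the bare process name `exe`, which is not specific to docker-proxy; any process whose comm is `exe` is treated as a docker binary, and because `server_binaries` includes `docker_binaries`, that name also inherits every exemption granted to servers further down. The commit message already calls `exe` a temporary name, so a comment on the `docker_binaries` macro noting that limitation (e.g. `# exe is a temporary name used by docker-proxy; broader than intended`) would make the exposure visible to anyone tuning the rules. Separately, `httpd-foregroun` looks like a typo but is the 15-character comm truncation of `httpd-foreground` (the same pattern as `check-new-relea` elsewhere); a short comment saying so would stop future edits from "correcting" it.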
@ -147,7 +164,7 @@
priority: WARNING
# Don't read 'sensitive' files
- condition: open_read and not proc.name in (sshd, sudo, su, iptables, ps, httpd-foregroun, httpd, nginx, systemd-logind, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, bash) and not_cron and sensitive_files
- condition: open_read and not server_binaries and not userexec_binaries and not proc.name in (iptables, ps, systemd-logind, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, bash) and not_cron and sensitive_files
output: "Read sensitive file (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
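Review bot: replacing the inline list with `not server_binaries and not userexec_binaries` silently adds `mysqld`, `lighttpd`, `docker` and `exe` to the processes allowed to read sensitive files; the commit message acknowledges that this drops the mysqld sensitive-file detection used in the SQL injection demo, but nothing in the rule file records that. Suggest a `# TODO` comment above this rule (or excluding `db_server_binaries` from the exemption here, i.e. `not (http_server_binaries or docker_binaries or proc.name in (sshd))`) so the regression is not lost if the follow-up commit slips.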
@ -211,9 +228,9 @@
output: "sshd error (%proc.name %evt.arg.data)"
priority: WARNING
# Non-sudo setuid
- condition: evt.type=setuid and not_cron and not proc.name in (sudo, sshd, exe, httpd-foregroun, httpd, nginx, mysqld)
output: "unexpected setuid call by non-sudo (%user.name %proc.name %evt.dir %evt.type %evt.args)"
# setuid by a process that doesn't typically change uid (servers, sudo, su, etc.)
- condition: evt.type=setuid and not_cron and not userexec_binaries and not server_binaries
output: "unexpected setuid call (%user.name %proc.name %proc.cwd %proc.aname[0] %proc.aname[1] %proc.aname[2] %proc.aname[3] %proc.pid %proc.ppid %evt.dir %evt.type %evt.args)"
priority: WARNING
# User management (su and sudo are ok)
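Review bot: the new condition widens the setuid exemption from a fixed list to `server_binaries`, so `docker`, `lighttpd`, `su` and the generic `exe` name are now all allowed to call setuid without an alert; the old rule deliberately did not exempt `su`, and a setuid from a process merely named `exe` is exactly the kind of event this rule exists to surface. The output line is much richer now (`%proc.aname[0..3]`, `%proc.pid`, `%proc.ppid`), which is good for triage, but consider keeping `exe` out of the exemption for this rule specifically, or at least adding a comment stating that the exemption is intentionally broad until the docker process-name issue is resolved.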
@ -458,11 +475,7 @@
output: "Unexpected MySQL inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
# HTTP server
- macro: http_server
condition: proc.name in (nginx, httpd, lighttpd)
- condition: http_server and inbound and fd.sport != 80 and fd.sport != 443
- condition: http_server_binaries and inbound and fd.sport != 80 and fd.sport != 443
output: "Unexpected HTTP server inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
priority: WARNING
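Review bot: this hunk deletes the `http_server` macro; any other rule in the file that still references `http_server` will fail to load, and only the one use on this line is visible in the diff. Please grep for remaining `http_server` references before merging. Note also the behavioural change: `http_server_binaries` includes `httpd-foregroun`, which the old `http_server` macro did not, so that process is now exempt from the non-80/443 inbound port alert, consistent with the commit message.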