Merge branch 'dev' into agent-master

Addl rule updates

.travis.yml

@@ -26,13 +26,6 @@ script:
     - set -e
     - export CC="gcc-4.8"
     - export CXX="g++-4.8"
-    - wget https://s3.amazonaws.com/download.draios.com/dependencies/cmake-3.3.2.tar.gz
-    - tar -xzf cmake-3.3.2.tar.gz
-    - cd cmake-3.3.2
-    - ./bootstrap --prefix=/usr
-    - make
-    - sudo make install
-    - cd ..
     - mkdir build
     - cd build
     - cmake .. -DCMAKE_BUILD_TYPE=$BUILD_TYPE -DDRAIOS_DEBUG_FLAGS="-D_DEBUG -DNDEBUG"

CHANGELOG.md

@@ -2,6 +2,14 @@
 
 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
 
+## v0.8.1
+
+Released 2017-10-10
+
+### Bug Fixes
+
+* Fix packaging to specify correct built-in config file [[#288](https://github.com/draios/falco/pull/288)]
+
 ## v0.8.0
 
 Released 2017-10-10

CMakeLists.txt

@@ -78,7 +78,7 @@ else()
         set(ZLIB_INCLUDE "${ZLIB_SRC}")
         set(ZLIB_LIB "${ZLIB_SRC}/libz.a")
         ExternalProject_Add(zlib
-		URL "http://download.draios.com/dependencies/zlib-1.2.8.tar.gz"
+		URL "https://s3.amazonaws.com/download.draios.com/dependencies/zlib-1.2.8.tar.gz"
 		URL_MD5 "44d667c142d7cda120332623eab69f40"
 		CONFIGURE_COMMAND "./configure"
 		BUILD_COMMAND ${CMD_MAKE}
@@ -104,7 +104,7 @@ else()
         set(JQ_INCLUDE "${JQ_SRC}")
         set(JQ_LIB "${JQ_SRC}/.libs/libjq.a")
         ExternalProject_Add(jq
-                URL "http://download.draios.com/dependencies/jq-1.5.tar.gz"
+                URL "https://s3.amazonaws.com/download.draios.com/dependencies/jq-1.5.tar.gz"
                 URL_MD5 "0933532b086bd8b6a41c1b162b1731f9"
                 CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking
                 BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
@@ -134,7 +134,7 @@ else()
 	set(CURSES_LIBRARIES "${CURSES_BUNDLE_DIR}/lib/libncurses.a")
 	message(STATUS "Using bundled ncurses in '${CURSES_BUNDLE_DIR}'")
 	ExternalProject_Add(ncurses
-		URL "http://download.draios.com/dependencies/ncurses-6.0-20150725.tgz"
+		URL "https://s3.amazonaws.com/download.draios.com/dependencies/ncurses-6.0-20150725.tgz"
 		URL_MD5 "32b8913312e738d707ae68da439ca1f4"
 		CONFIGURE_COMMAND ./configure --without-cxx --without-cxx-binding --without-ada --without-manpages --without-progs --without-tests --with-terminfo-dirs=/etc/terminfo:/lib/terminfo:/usr/share/terminfo
 		BUILD_COMMAND ${CMD_MAKE}
@@ -161,7 +161,7 @@ else()
 	set(B64_INCLUDE "${B64_SRC}/include")
 	set(B64_LIB "${B64_SRC}/src/libb64.a")
 	ExternalProject_Add(b64
-		URL "http://download.draios.com/dependencies/libb64-1.2.src.zip"
+		URL "https://s3.amazonaws.com/download.draios.com/dependencies/libb64-1.2.src.zip"
 		URL_MD5 "a609809408327117e2c643bed91b76c5"
 		CONFIGURE_COMMAND ""
 		BUILD_COMMAND ${CMD_MAKE}
@@ -215,7 +215,7 @@ else()
 	message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
 
 	ExternalProject_Add(openssl
-		URL "http://download.draios.com/dependencies/openssl-1.0.2j.tar.gz"
+		URL "https://s3.amazonaws.com/download.draios.com/dependencies/openssl-1.0.2j.tar.gz"
 		URL_MD5 "96322138f0b69e61b7212bc53d5e912b"
 		CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
 		BUILD_COMMAND ${CMD_MAKE}
@@ -246,9 +246,9 @@ else()
 
 	ExternalProject_Add(curl
 		DEPENDS openssl
-		URL "http://download.draios.com/dependencies/curl-7.52.1.tar.bz2"
-		URL_MD5 "dd014df06ff1d12e173de86873f9f77a"
-		CONFIGURE_COMMAND ./configure ${CURL_SSL_OPTION} --disable-shared --enable-optimize --disable-curldebug --disable-rt --enable-http --disable-ftp --disable-file --disable-ldap --disable-ldaps --disable-rtsp --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb --disable-smtp --disable-gopher --disable-sspi --disable-ntlm-wb --disable-tls-srp --without-winssl --without-darwinssl --without-polarssl --without-cyassl --without-nss --without-axtls --without-ca-path --without-ca-bundle --without-libmetalink --without-librtmp --without-winidn --without-libidn --without-nghttp2 --without-libssh2
+		URL "https://s3.amazonaws.com/download.draios.com/dependencies/curl-7.56.0.tar.bz2"
+		URL_MD5 "e0caf257103e0c77cee5be7e9ac66ca4"
+		CONFIGURE_COMMAND ./configure ${CURL_SSL_OPTION} --disable-shared --enable-optimize --disable-curldebug --disable-rt --enable-http --disable-ftp --disable-file --disable-ldap --disable-ldaps --disable-rtsp --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb --disable-smtp --disable-gopher --disable-sspi --disable-ntlm-wb --disable-tls-srp --without-winssl --without-darwinssl --without-polarssl --without-cyassl --without-nss --without-axtls --without-ca-path --without-ca-bundle --without-libmetalink --without-librtmp --without-winidn --without-libidn --without-nghttp2 --without-libssh2 --disable-threaded-resolver
 		BUILD_COMMAND ${CMD_MAKE}
 		BUILD_IN_SOURCE 1
 		INSTALL_COMMAND "")
@@ -280,7 +280,7 @@ else()
 	set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
 	set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
 	ExternalProject_Add(luajit
-		URL "http://download.draios.com/dependencies/LuaJIT-2.0.3.tar.gz"
+		URL "https://s3.amazonaws.com/download.draios.com/dependencies/LuaJIT-2.0.3.tar.gz"
 		URL_MD5 "f14e9104be513913810cd59c8c658dc0"
 		CONFIGURE_COMMAND ""
 		BUILD_COMMAND ${CMD_MAKE}
@@ -310,7 +310,7 @@ else()
 	endif()
 	ExternalProject_Add(lpeg
 		DEPENDS ${LPEG_DEPENDENCIES}
-		URL "http://s3.amazonaws.com/download.draios.com/dependencies/lpeg-1.0.0.tar.gz"
+		URL "https://s3.amazonaws.com/download.draios.com/dependencies/lpeg-1.0.0.tar.gz"
 		URL_MD5 "0aec64ccd13996202ad0c099e2877ece"
 		BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
 		BUILD_IN_SOURCE 1
@@ -345,7 +345,7 @@ else()
 	set(LIBYAML_LIB "${LIBYAML_SRC}/.libs/libyaml.a")
 	message(STATUS "Using bundled libyaml in '${LIBYAML_SRC}'")
 	ExternalProject_Add(libyaml
-		URL "http://download.draios.com/dependencies/libyaml-0.1.4.tar.gz"
+		URL "https://s3.amazonaws.com/download.draios.com/dependencies/libyaml-0.1.4.tar.gz"
 		URL_MD5 "4a4bced818da0b9ae7fc8ebc690792a7"
 		BUILD_COMMAND ${CMD_MAKE}
 		BUILD_IN_SOURCE 1
@@ -381,7 +381,7 @@ else()
 	endif()
 	ExternalProject_Add(lyaml
 		DEPENDS ${LYAML_DEPENDENCIES}
-		URL "http://download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
+		URL "https://s3.amazonaws.com/download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
                 URL_MD5 "dc3494689a0dce7cf44e7a99c72b1f30"
                 BUILD_COMMAND ${CMD_MAKE}
                 BUILD_IN_SOURCE 1
@@ -392,6 +392,8 @@ endif()
 install(FILES falco.yaml
 	DESTINATION "${FALCO_ETC_DIR}")
 
+add_subdirectory(rules)
+
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 	add_subdirectory("${SYSDIG_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
 endif()

README.md

@@ -2,7 +2,7 @@
 
 #### Latest release
 
-**v0.8.0**
+**v0.8.1**
 Read the [change log](https://github.com/draios/falco/blob/dev/CHANGELOG.md)
 
 Dev Branch: [![Build Status](https://travis-ci.org/draios/falco.svg?branch=dev)](https://travis-ci.org/draios/falco)<br />
@@ -33,7 +33,6 @@ Documentation
 
 Join the Community
 ---
-* Contact the [official mailing list](https://groups.google.com/forum/#!forum/falco) for support and to talk with other users.
 * Follow us on [Twitter](https://twitter.com/sysdig) for general falco and sysdig news.
 * This is our [blog](https://sysdig.com/blog/), where you can find the latest [falco](https://sysdig.com/blog/tag/falco/) posts.
 * Join our [Public Slack](https://slack.sysdig.com) channel for sysdig and falco announcements and discussions.

rules/falco_rules.yaml

@@ -56,6 +56,10 @@
 - macro: etc_dir
   condition: fd.name startswith /etc
 
+# This detects writes immediately below / or any write anywhere below /root
+- macro: root_dir
+  condition: (fd.directory=/ or fd.name startswith /root)
+
 - macro: ubuntu_so_dirs
   condition: >
     fd.name startswith /lib/x86_64-linux-gnu or
@@ -78,7 +82,7 @@
   items: [add-shell, remove-shell]
 
 - macro: shell_procs
-  condition: proc.name in (shell_binaries)
+  condition: (proc.name in (shell_binaries))
 
 - list: coreutils_binaries
   items: [
@@ -123,7 +127,7 @@
   items: [setup-backend, dragent, sdchecks]
 
 - list: docker_binaries
-  items: [docker, dockerd, exe, docker-compose, docker-entrypoi]
+  items: [docker, dockerd, exe, docker-compose, docker-entrypoi, docker-runc-cur, docker-current]
 
 - list: k8s_binaries
   items: [hyperkube, skydns, kube2sky, exechealthz]
@@ -134,10 +138,19 @@
 # Utility/etc programs known to run on mesos slaves. Truncation
 # intentional.
 - list: mesos_slave_binaries
-  items: [mesos-health-ch, mesos-docker-ex, mesos-agent, mesos-slave, mesos-logrotate, mesos-fetcher, mesos-executor, 3dt]
+  items: [mesos-health-ch, mesos-docker-ex, mesos-agent, mesos-slave,
+          mesos-logrotate, mesos-fetcher, mesos-executor, 3dt,
+          mesos-journald-, '"1_scheduler"', '"2_scheduler"',
+          '"3_scheduler"', '"4_scheduler"']
 
 - list: phusion_passenger_binaries
-  items: [PassengerAgent]
+  items: [PassengerAgent, PassengerWatchd]
+
+# A bit longer to avoid the fairly generic my_init.
+- macro: parent_phusion_passenger_my_init
+  condition: >
+    (proc.pcmdline="my_init -u /sbin/my_init " or
+     proc.pcmdline="my_init -u /sbin/my_init")
 
 - list: chef_binaries
   items: [chef-client]
@@ -148,6 +161,15 @@
 - list: db_server_binaries
   items: [mysqld]
 
+- list: mysql_mgmt_binaries
+  items: [mysql_install_d, mysql_ssl_rsa_s]
+
+- list: postgres_mgmt_binaries
+  items: [pg_dumpall, pg_ctl]
+
+- list: db_mgmt_binaries
+  items: [mysql_mgmt_binaries, postgres_mgmt_binaries]
+
 - list: gitlab_binaries
   items: [gitlab-shell, gitlab-mon, gitlab-runner-b, git]
 
@@ -157,7 +179,8 @@
 # The explicit quotes are needed to avoid the - characters being
 # interpreted by the filter expression.
 - list: rpm_binaries
-  items: [dnf, rpm, rpmkey, yum, '"75-system-updat"']
+  items: [dnf, rpm, rpmkey, yum, '"75-system-updat"', rhsmcertd-worke, subscription-ma,
+          repoquery, rpmkeys]
 
 - macro: rpm_procs
   condition: proc.name in (rpm_binaries)
@@ -171,7 +194,7 @@
 # The truncated dpkg-preconfigu is intentional, process names are
 # truncated at the sysdig level.
 - list: package_mgmt_binaries
-  items: [rpm_binaries, deb_binaries, update-alternat, gem]
+  items: [rpm_binaries, deb_binaries, update-alternat, gem, pip]
 
 - macro: package_mgmt_procs
   condition: proc.name in (package_mgmt_binaries)
@@ -185,16 +208,20 @@
 # A canonical set of processes that run other programs with different
 # privileges or as a different user.
 - list: userexec_binaries
-  items: [sudo, su]
+  items: [sudo, su, suexec]
 
 - list: known_setuid_binaries
-  items: [sshd, dbus-daemon-lau, ping, ping6, critical-stack-]
+  items: [
+    sshd, dbus-daemon-lau, ping, ping6, critical-stack-, pmmcli,
+    filemng, PassengerAgent, bwrap, osdetect, nginxmng, sw-engine-fpm,
+    start-stop-daem
+    ]
 
 - list: user_mgmt_binaries
   items: [login_binaries, passwd_binaries, shadowutils_binaries]
 
 - list: dev_creation_binaries
-  items: [blkid, rename_device, update_engine]
+  items: [blkid, rename_device, update_engine, sgdisk]
 
 - list: aide_wrapper_binaries
   items: [aide.wrapper, update-aide.con]
@@ -211,37 +238,42 @@
 - list: x2go_binaries
   items: [x2gosuspend-age, x2goagent]
 
-- list: xray_rabbitmq_binaries
-  items: ['"1_scheduler"', '"2_scheduler"', '"3_scheduler"', '"4_scheduler"']
-
 - list: nids_binaries
   items: [bro, broctl]
 
 - list: monitoring_binaries
-  items: [icinga2, nrpe, npcd, check_sar_perf., qualys-cloud-ag]
+  items: [icinga2, nrpe, npcd, check_sar_perf., qualys-cloud-ag, S99qualys-cloud, nagios]
 
 - macro: system_procs
   condition: proc.name in (coreutils_binaries, user_mgmt_binaries)
 
 - list: mail_binaries
-  items: [sendmail, sendmail-msp, postfix, procmail, exim4, pickup, showq, mailq]
+  items: [
+    sendmail, sendmail-msp, postfix, procmail, exim4,
+    pickup, showq, mailq, dovecot, imap-login, imap,
+    mailmng-core, pop3-login, dovecot-lda
+    ]
 
-- list: sendmail_config_binaries
+- list: mail_config_binaries
   items: [
     update_conf, parse_mc, makemap_hash, newaliases, update_mk, update_tlsm4,
-    update_db, update_mc, ssmtp.postinst, mailq
+    update_db, update_mc, ssmtp.postinst, mailq, postalias, postfix.config.,
+    postfix.config, postfix-script
     ]
 
 - list: make_binaries
-  items: [make, gmake, cmake]
+  items: [make, gmake, cmake, automake, autom4te, autoheader]
 
 - list: keepalived_binaries
   items: [keepalived]
 
+- list: sensitive_file_names
+  items: [/etc/shadow, /etc/sudoers, /etc/pam.conf]
+
 - macro: sensitive_files
   condition: >
     fd.name startswith /etc and
-    (fd.name in (/etc/shadow, /etc/sudoers, /etc/pam.conf)
+    (fd.name in (sensitive_file_names)
      or fd.directory in (/etc/sudoers.d, /etc/pam.d))
 
 # Indicates that the process is new. Currently detected using time
@@ -292,7 +324,7 @@
   condition: fd.name in (/dev/log, /run/systemd/journal/syslog)
 
 - list: cron_binaries
-  items: [anacron, cron, crond]
+  items: [anacron, cron, crond, crontab]
 
 # https://github.com/liske/needrestart
 - list: needrestart_binaries
@@ -302,6 +334,9 @@
 - list: sshkit_script_binaries
   items: [10_etc_sudoers., 10_passwd_group]
 
+- list: plesk_binaries
+  items: [sw-engine, sw-engine-fpm, sw-engine-kv, filemng, f2bmng]
+
 # System users that should never log into a system. Consider adding your own
 # service users (e.g. 'apache' or 'mysqld') here.
 - macro: system_users
@@ -319,12 +354,27 @@
 - macro: ansible_running_python
   condition: (proc.name in (python, pypy) and proc.cmdline contains ansible)
 
+- macro: parent_beam_running_python
+  condition: proc.pcmdline="python pipeline.py -c conf.json"
+
+- macro: parent_strongswan_running_starter
+  condition: proc.pcmdline="starter --daemon charon"
+
 - macro: python_running_denyhosts
   condition: >
     (proc.name=python and
     (proc.cmdline contains /usr/sbin/denyhosts or
      proc.cmdline contains /usr/local/bin/denyhosts.py))
 
+- macro: parent_python_running_localstack
+  condition: (proc.pcmdline startswith "python bin/localstack")
+
+- macro: parent_python_running_zookeeper
+  condition: (proc.pcmdline startswith "python /usr/local/bin/cub")
+
+- macro: parent_docker_start_script
+  condition: (proc.pcmdline="start.sh /opt/docker/conf/start.sh")
+
 - macro: parent_python_running_denyhosts
   condition: >
     (proc.pname=python and
@@ -344,8 +394,27 @@
     (proc.pname=java and proc.pcmdline contains jenkins.war
     or proc.pcmdline contains /tmp/slave.jar)
 
-- macro: jenkins_script_sh
-  condition: (proc.pcmdline startswith "script.sh -xe /var/jenkins_home")
+- macro: parent_java_running_maven
+  condition: >
+    (proc.pname=java and proc.pcmdline contains "-classpath /usr/share/maven/")
+
+- macro: parent_java_running_appdynamics
+  condition: >
+    (proc.pname=java and proc.pcmdline contains "-jar /opt/appdynamics/")
+
+- macro: python_running_es_curator
+  condition: (proc.pcmdline startswith "python -u run_cron.py" and
+              proc.cmdline startswith "sh -c /usr/bin/curator")
+
+- macro: parent_cpanm_running_perl
+  condition: (proc.pname=perl and proc.aname[2]=cpanm)
+
+- macro: ics_running_java
+  condition: (proc.pname=java and proc.aname[3] in (ics_start.sh,ics_stop.sh,ics_status.sh))
+
+- macro: jenkins_scripts
+  condition: (proc.pcmdline startswith "script.sh -xe /var/jenkins_home" or
+              proc.cmdline="bash /usr/local/bin/jenkins-slave")
 
 - macro: parent_java_running_echo
   condition: (proc.pname=java and proc.cmdline startswith "sh -c echo")
@@ -357,7 +426,7 @@
 # close enough to add here rather than create a separate macro.
 - macro: parent_scripting_running_builds
   condition: >
-    (proc.pname in (php,php5-fpm,php-fpm7.1,python,ruby,ruby2.3,node) and (
+    (proc.pname in (php,php5-fpm,php-fpm7.1,python,ruby,ruby2.3,ruby2.1,node,conda) and (
        proc.cmdline startswith "sh -c git" or
        proc.cmdline startswith "sh -c date" or
        proc.cmdline startswith "sh -c /usr/bin/g++" or
@@ -365,11 +434,21 @@
        proc.cmdline startswith "sh -c gcc" or
        proc.cmdline startswith "sh -c if type gcc" or
        proc.cmdline startswith "sh -c cd '/var/www/edi/';LC_ALL=en_US.UTF-8 git" or
+       proc.cmdline startswith "sh -c /var/www/edi/bin/sftp.sh" or
        proc.cmdline startswith "sh -c /usr/src/app/crxlsx/bin/linux/crxlsx" or
-       proc.pcmdline startswith "node /opt/nodejs/bin/yarn"))
+       proc.cmdline startswith "sh -c make parent" or
+       proc.pcmdline startswith "node /opt/nodejs/bin/yarn" or
+       proc.pcmdline startswith "node /usr/local/bin/yarn" or
+       proc.pcmdline startswith "node /root/.config/yarn" or
+       proc.pcmdline startswith "node /opt/yarn/bin/yarn.js"))
+
+- macro: makefile_perl
+  condition: (proc.pcmdline startswith "perl Makefile.PL")
 
 - macro: parent_node_running_npm
-  condition: proc.pcmdline startswith "node /usr/local/bin/npm"
+  condition: (proc.pcmdline startswith "node /usr/local/bin/npm" or
+              proc.pcmdline startswith "node /usr/local/nodejs/bin/npm" or
+              proc.pcmdline startswith "node /opt/rh/rh-nodejs6/root/usr/bin/npm")
 
 - macro: parent_nginx_running_serf
   condition: (proc.pname=nginx and proc.cmdline startswith "sh -c serf")
@@ -382,11 +461,26 @@
 
 - macro: bundle_running_ruby
   condition: >
-    (proc.pname=ruby and (
+    ((proc.pname in (ruby,ruby2.1) or proc.pname contains ".rb") and (
      proc.aname[2]=bundle or
      proc.aname[3]=bundle or
      proc.aname[4]=bundle))
 
+- macro: assemble_running_php
+  condition: >
+    (proc.pname=php and (
+     proc.aname[2]=assemble or
+     proc.aname[3]=assemble or
+     proc.aname[4]=assemble))
+
+- macro: node_running_bitnami
+  condition: (proc.pname=node and
+                (proc.cmdline startswith "sh -c /opt/bitnami" or
+                 proc.cmdline startswith "sh -c bin/redis-server /opt/bitnami"))
+
+- macro: node_running_threatstack
+  condition: proc.pcmdline startswith "node /opt/threatstack/node_modules"
+
 # Qualys seems to run a variety of shell subprocesses, at various
 # levels. This checks at a few levels without the cost of a full
 # proc.aname, which traverses the full parent heirarchy.
@@ -397,9 +491,20 @@
      proc.aname[3]=qualys-cloud-ag or
      proc.aname[4]=qualys-cloud-ag)
 
+- macro: run_by_sumologic_securefiles
+  condition: >
+    ((proc.cmdline="usermod -a -G sumologic_collector" or
+      proc.cmdline="groupadd sumologic_collector") and
+     (proc.pname=secureFiles.sh and proc.aname[2]=java))
+
+- macro: run_by_yum
+  condition: ((proc.pname=sh and proc.aname[2]=yum) or
+              (proc.aname[2]=sh and proc.aname[3]=yum))
+
 # Chef is similar.
 - macro: run_by_chef
-  condition: (proc.aname[2]=chef_command_wr or proc.aname[3]=chef_command_wr)
+  condition: (proc.aname[2]=chef_command_wr or proc.aname[3]=chef_command_wr or
+              proc.aname[2]=chef-client or proc.aname[3]=chef-client)
 
 - macro: run_by_adclient
   condition: (proc.aname[2]=adclient or proc.aname[3]=adclient or proc.aname[4]=adclient)
@@ -414,7 +519,19 @@
   condition: (proc.pname=perl and proc.aname[2]=h2o)
 
 - macro: run_by_passenger_agent
-  condition: (proc.pname=ruby and proc.aname[2]=PassengerAgent)
+  condition: ((proc.pname=ruby and proc.aname[2]=PassengerAgent) or
+              proc.pcmdline startswith "ruby /usr/share/passenger/helper-scripts/rack-preloader.rb" or
+              proc.pcmdline startswith "ruby /usr/local/bundle/bin/passenger")
+
+# Also handles running semi-indirectly via scl
+- macro: run_by_foreman
+  condition: >
+    (user.name=foreman and
+     (proc.pname in (rake, ruby, scl) and proc.aname[5] in (tfm-rake,tfm-ruby)) or
+     (proc.pname=scl and proc.aname[2] in (tfm-rake,tfm-ruby)))
+
+- macro: run_by_openshift
+  condition: proc.aname[2]=es_seed_acl
 
 # As a part of kernel upgrades, dpkg will spawn a perl script with the
 # name linux-image-N.N. This macro matches that.
@@ -424,6 +541,49 @@
 - macro: java_running_sdjagent
   condition: proc.name=java and proc.cmdline contains sdjagent.jar
 
+- macro: parent_java_running_confluence
+  condition: (proc.pname=java and proc.pcmdline contains "-classpath /opt/atlassian/confluence")
+
+- macro: parent_java_running_tomcat
+  condition: (proc.pname=java and proc.pcmdline contains "-classpath /usr/local/tomcat")
+
+- macro: parent_java_running_install4j
+  condition: (proc.pname=java and proc.pcmdline contains "-classpath i4jruntime.jar")
+
+- macro: parent_java_running_endeca
+  condition: (proc.pname=java and proc.pcmdline contains "-classpath /opt/endeca/")
+
+- macro: python_mesos_healthcheck
+  condition: (proc.pcmdline startswith "python /mesoshealthcheck.py")
+
+- macro: parent_running_datastax
+  condition: ((proc.pname=java and proc.pcmdline contains "-jar datastax-agent") or
+              (proc.pcmdline startswith "nodetool /opt/dse/bin/"))
+
+- macro: parent_dovecot_running_auth
+  condition: (proc.pname=auth and proc.aname[2]=dovecot)
+
+- macro: parent_supervise_running_multilog
+  condition: (proc.name=multilog and proc.pname=supervise)
+
+- macro: parent_ruby_running_discourse
+  condition: (proc.pcmdline startswith "ruby /var/www/discourse/vendor/bundle/ruby")
+
+- macro: parent_ruby_running_pups
+  condition: (proc.pcmdline startswith "ruby /pups/bin/pups")
+
+- macro: pki_realm_writing_realms
+  condition: (proc.cmdline startswith "bash /usr/local/lib/pki/pki-realm" and fd.name startswith /etc/pki/realms)
+
+- macro: htpasswd_writing_passwd
+  condition: (proc.name=htpasswd and fd.name=/etc/nginx/.htpasswd)
+
+- macro: dmeventd_writing_lvm_archive
+  condition: (proc.name=dmeventd and (fd.name startswith /etc/lvm/archive or
+                                      fd.name startswith /etc/lvm/backup))
+- macro: ovsdb_writing_openvswitch
+  condition: (proc.name=ovsdb-server and fd.directory=/etc/openvswitch)
+
 ###############
 # General Rules
 ###############
@@ -447,7 +607,43 @@
   condition: (proc.name=qualys-cloud-ag and fd.name=/etc/qualys/cloud-agent/qagent-log.conf)
 
 - macro: git_writing_nssdb
-  condition: (proc.cmdline="git-remote-http origin" and fd.directory=/etc/pki/nssdb)
+  condition: (proc.name=git-remote-http and fd.directory=/etc/pki/nssdb)
+
+- macro: plesk_writing_keys
+  condition: (proc.name in (plesk_binaries) and fd.name startswith /etc/sw/keys)
+
+- macro: plesk_install_writing_apache_conf
+  condition: (proc.cmdline startswith "bash -hB /usr/lib/plesk-9.0/services/webserver.apache configure"
+              and fd.name="/etc/apache2/apache2.conf.tmp")
+
+- macro: plesk_running_mktemp
+  condition: (proc.name=mktemp and proc.aname[3] in (plesk_binaries))
+
+- macro: networkmanager_writing_resolv_conf
+  condition: proc.aname[2]=nm-dispatcher and fd.name=/etc/resolv.conf
+
+- macro: add_shell_writing_shells_tmp
+  condition: (proc.name=add-shell and fd.name=/etc/shells.tmp)
+
+- macro: duply_writing_exclude_files
+  condition: (proc.name=touch and proc.pcmdline startswith "bash /usr/bin/duply" and fd.name startswith "/etc/duply")
+
+- macro: xmlcatalog_writing_files
+  condition: (proc.name=update-xmlcatal and fd.directory=/etc/xml)
+
+- macro: datadog_writing_conf
+  condition: (proc.cmdline startswith "python /opt/datadog-agent"
+              and fd.name startswith "/etc/dd-agent")
+
+- macro: curl_writing_pki_db
+  condition: (proc.name=curl and fd.directory=/etc/pki/nssdb)
+
+- macro: haproxy_writing_conf
+  condition: ((proc.name=update-haproxy- or proc.pname=update-haproxy-)
+               and fd.name in (/etc/openvpn/client.map, /etc/haproxy/client.map-))
+
+- macro: java_writing_conf
+  condition: (proc.name=java and fd.name=/etc/.java/.systemPrefs/.system.lock)
 
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
@@ -468,7 +664,7 @@
     and not proc.name in (passwd_binaries, shadowutils_binaries, sysdigcloud_binaries,
                           package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries,
                           dev_creation_binaries, shell_mgmt_binaries,
-                          sendmail_config_binaries,
+                          mail_config_binaries,
                           sshkit_script_binaries,
                           ldconfig.real, ldconfig, confd, gpg, insserv,
                           apparmor_parser, update-mime, tzdata.config, tzdata.postinst,
@@ -476,8 +672,9 @@
                           debconf-show, rollerd, bind9.postinst, sv,
                           gen_resolvconf., update-ca-certi, certbot, runsv,
                           qualys-cloud-ag, locales.postins, nomachine_binaries,
-                          adclient, certutil, crlutil)
-    and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries, hddtemp.postins, sshkit_script_binaries)
+                          adclient, certutil, crlutil, pam-auth-update, parallels_insta,
+                          openshift-launc)
+    and not proc.pname in (sysdigcloud_binaries, mail_config_binaries, hddtemp.postins, sshkit_script_binaries, locales.postins)
     and not fd.name pmatch (safe_etc_dirs)
     and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc)
     and not ansible_running_python
@@ -488,11 +685,48 @@
     and not run_by_adclient
     and not qualys_writing_conf_files
     and not git_writing_nssdb
+    and not plesk_writing_keys
+    and not plesk_install_writing_apache_conf
+    and not plesk_running_mktemp
+    and not networkmanager_writing_resolv_conf
+    and not run_by_chef
+    and not add_shell_writing_shells_tmp
+    and not duply_writing_exclude_files
+    and not xmlcatalog_writing_files
+    and not parent_supervise_running_multilog
+    and not pki_realm_writing_realms
+    and not htpasswd_writing_passwd
+    and not dmeventd_writing_lvm_archive
+    and not ovsdb_writing_openvswitch
+    and not datadog_writing_conf
+    and not curl_writing_pki_db
+    and not haproxy_writing_conf
+    and not java_writing_conf
 
 - rule: Write below etc
   desc: an attempt to write to any file below /etc, not in a pipe installer session
   condition: write_etc_common and not proc.sname=fbash
-  output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name name=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])"
+  output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name name=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])"
+  priority: ERROR
+  tags: [filesystem]
+
+- list: known_root_files
+  items: [/root/.monit.state]
+
+- list: known_root_directories
+  items: [/root/.oracle_jre_usage, /root/.java/.userPrefs, /root/.ssh, /root/.cache]
+
+- macro: known_root_conditions
+  condition: (fd.name startswith /root/orcexec.)
+
+- rule: Write below root
+  desc: an attempt to write to any file directly below / or /root
+  condition: >
+    root_dir and evt.dir = < and open_write
+    and not fd.name in (known_root_files)
+    and not fd.directory in (known_root_directories)
+    and not known_root_conditions
+  output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name name=%proc.name)"
   priority: ERROR
   tags: [filesystem]
 
@@ -507,7 +741,7 @@
   tags: [filesystem]
 
 - macro: cmp_cp_by_passwd
-  condition: proc.name in (cmp, cp) and proc.pname=passwd
+  condition: proc.name in (cmp, cp) and proc.pname in (passwd, run-parts)
 
 - rule: Read sensitive file trusted after startup
   desc: >
@@ -524,7 +758,8 @@
 - list: read_sensitive_file_binaries
   items: [
     iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd,
-    vsftpd, systemd, mysql_install_d, psql
+    vsftpd, systemd, mysql_install_d, psql, screen, debconf-show, sa-update,
+    pam-auth-update, /usr/sbin/spamd, polkit-agent-he, lsattr, file
     ]
 
 # Add conditions to this macro (probably in a separate file,
@@ -548,7 +783,8 @@
     sensitive_files and open_read
     and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries,
      cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries,
-     vpn_binaries, sendmail_config_binaries, nomachine_binaries, sshkit_script_binaries)
+     vpn_binaries, mail_config_binaries, nomachine_binaries, sshkit_script_binaries,
+     in.proftpd, mandb, salt-minion)
     and not cmp_cp_by_passwd
     and not ansible_running_python
     and not proc.cmdline contains /usr/bin/mandb
@@ -642,10 +878,15 @@
     logrotate, ansible, less, adduser, pycompile, py3compile,
     pyclean, py3clean, pip, pip2, ansible-playboo, man-db,
     init, pluto, mkinitramfs, unattended-upgr, watch, sysdig,
-    landscape-sysin, nessusd, PM2, syslog-summary, erl_child_setup,
-    npm, cloud-init, toybox, ceph, hhvm, certbot, mysql_install_d,
+    landscape-sysin, nessusd, PM2, syslog-summary, erl_child_setup, erlexec,
+    npm, cloud-init, toybox, ceph, hhvm, certbot,
     serf, a2enmod, runsv, supervisord, varnishd, authconfig, tini,
-    timeout, updatedb.findut, mysql_ssl_rsa_s, adclient, systemd-udevd
+    timeout, updatedb.findut, adclient, systemd-udevd,
+    luajit, uwsgi, cfn-signal, apache_control_, beam.smp, paster, postfix-local,
+    nginx_control, mailmng-service, web_statistic_e, statistics_coll, install-info,
+    hawkular-metric, rhsmcertd-worke, parted, amuled, fluentd, x2gormforward,
+    parallels_insta, salt-minion, dnsmng, update-inetd, pum_worker, awstats_buildst,
+    tsvuln, 50plesk-daily, grubby, chkconfig, dracut-install, rhnsd, find, consul
     ]
 
 - rule: Run shell untrusted
@@ -659,24 +900,44 @@
                            monitoring_binaries, gitlab_binaries, mesos_slave_binaries,
                            keepalived_binaries,
                            needrestart_binaries, phusion_passenger_binaries, chef_binaries, nomachine_binaries,
-                           x2go_binaries)
+                           x2go_binaries, db_mgmt_binaries, plesk_binaries)
     and not parent_ansible_running_python
     and not parent_bro_running_python
     and not parent_python_running_denyhosts
     and not parent_python_running_sdchecks
     and not parent_linux_image_upgrade_script
     and not parent_java_running_jenkins
-    and not jenkins_script_sh
+    and not proc.cmdline in (known_shell_spawn_cmdlines)
+    and not jenkins_scripts
     and not parent_java_running_echo
     and not parent_scripting_running_builds
+    and not makefile_perl
     and not parent_Xvfb_running_xkbcomp
     and not parent_nginx_running_serf
     and not parent_node_running_npm
     and not parent_java_running_sbt
+    and not parent_beam_running_python
+    and not parent_strongswan_running_starter
     and not run_by_chef
     and not run_by_puppet
     and not run_by_adclient
     and not run_by_centrify
+    and not parent_dovecot_running_auth
+    and not run_by_foreman
+    and not run_by_openshift
+    and not parent_java_running_tomcat
+    and not parent_java_running_install4j
+    and not parent_java_running_endeca
+    and not parent_running_datastax
+    and not parent_java_running_appdynamics
+    and not parent_cpanm_running_perl
+    and not parent_ruby_running_discourse
+    and not parent_ruby_running_pups
+    and not assemble_running_php
+    and not node_running_bitnami
+    and not node_running_threatstack
+    and not parent_python_running_localstack
+    and not parent_python_running_zookeeper
   output: >
     Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname
     cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3]
@@ -695,6 +956,15 @@
               container.image startswith gcr.io/google_containers/kube-proxy or
               container.image startswith calico/node)
 
+# Add conditions to this macro (probably in a separate file,
+# overwriting this macro) to specify additional containers that are
+# allowed to perform sensitive mounts.
+#
+# In this file, it just takes one of the images in trusted_containers
+# and repeats it.
+- macro: user_sensitive_mount_containers
+  condition: (container.image startswith sysdig/agent)
+
 # These containers are ones that are known to spawn lots of
 # shells. Generally, they are for systems where the container is used
 # as a packaging mechanism more than for a dedicated microservice.
@@ -706,12 +976,20 @@
 - rule: Launch Privileged Container
   desc: Detect the initial process started in a privileged container. Exceptions are made for known trusted images.
   condition: evt.type=execve and proc.vpid=1 and container and container.privileged=true and not trusted_containers
-  output: Privileged container started (user=%user.name command=%proc.cmdline %container.info)
+  output: Privileged container started (user=%user.name command=%proc.cmdline %container.info image=%container.image)
   priority: INFO
   tags: [container, cis]
 
+# For now, only considering a full mount of /etc as
+# sensitive. Ideally, this would also consider all subdirectories
+# below /etc as well, but the globbing mechanism used by sysdig
+# doesn't allow exclusions of a full pattern, only single characters.
 - macro: sensitive_mount
-  condition: (container.mount.dest[/proc*] != "N/A")
+  condition: (container.mount.dest[/proc*] != "N/A" or
+              container.mount.dest[/var/run/docker.sock] != "N/A" or
+              container.mount.dest[/] != "N/A" or
+              container.mount.dest[/etc] != "N/A" or
+              container.mount.dest[/root*] != "N/A")
 
 # The steps libcontainer performs to set up the root program for a container are:
 # - clone + exec self to a program runc:[0:PARENT]
@@ -731,11 +1009,36 @@
   desc: >
     Detect the initial process started by a container that has a mount from a sensitive host directory
     (i.e. /proc). Exceptions are made for known trusted images.
-  condition: evt.type=execve and proc.vpid=1 and container and sensitive_mount and not trusted_containers
-  output: Container with sensitive mount started (user=%user.name command=%proc.cmdline %container.info)
+  condition: >
+    evt.type=execve and proc.vpid=1 and container
+    and sensitive_mount
+    and not trusted_containers
+    and not user_sensitive_mount_containers
+  output: Container with sensitive mount started (user=%user.name command=%proc.cmdline %container.info image=%container.image mounts=%container.mounts)
   priority: INFO
   tags: [container, cis]
 
+# In a local/user rules file, you could override this macro to
+# explicitly enumerate the container images that you want to run in
+# your environment. In this main falco rules file, there isn't any way
+# to know all the containers that can run, so any container is
+# alllowed, by using a filter that is guaranteed to evaluate to true
+# (the same proc.vpid=1 that's in the Launch Disallowed Container
+# rule). In the overridden macro, the condition would look something
+# like (container.image startswith vendor/container-1 or
+# container.image startswith vendor/container-2 or ...)
+
+- macro: allowed_containers
+  condition: (proc.vpid=1)
+
+- rule: Launch Disallowed Container
+  desc: >
+    Detect the initial process started by a container that is not in a list of allowed containers.
+  condition: evt.type=execve and proc.vpid=1 and container and not allowed_containers
+  output: Container started and not in allowed list (user=%user.name command=%proc.cmdline %container.info image=%container.image)
+  priority: WARNING
+  tags: [container]
+
 # Anything run interactively by root
 # - condition: evt.type != switch and user.name = root and proc.name != sshd and interactive
 #  output: "Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
@@ -753,6 +1056,7 @@
   condition: >
     spawned_process and container
     and shell_procs and proc.tty != 0
+    and not proc.cmdline in (known_shell_spawn_cmdlines)
   output: >
     A shell was spawned in a container with an attached terminal (user=%user.name %container.info
     shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty)
@@ -763,37 +1067,56 @@
 # work with, and the container name is autogenerated, so there isn't
 # any stable aspect of the software to work with. In this case, we
 # fall back to allowing certain command lines.
-- list: known_container_shell_spawn_cmdlines
+
+- list: known_shell_spawn_cmdlines
   items: [
-    '"bash -c curl -f localhost:$API_PORT/admin/healthcheck"',
-    '"sh -c curl http://localhost:6060/debug/vars>/dev/null "',
-    '"sh -c curl http://localhost:6060/debug/vars>/dev/null"',
-    '"sh -c  curl http://localhost:6060/debug/vars>/dev/null"',
-    '"sh -c  curl http://localhost:6060/debug/vars>/dev/null "',
-    '"sh -c  pgrep java && exit 0 || exit 1 "',
     '"sh -c uname -p 2> /dev/null"',
     '"sh -c uname -s 2>&1"',
     '"sh -c uname -r 2>&1"',
     '"sh -c uname -v 2>&1"',
     '"sh -c uname -a 2>&1"',
     '"sh -c ruby -v 2>&1"',
-    '"sh -c  echo healthy "',
-    '"sh -c  echo alive "',
     '"sh -c getconf CLK_TCK"',
     '"sh -c getconf PAGESIZE"',
     '"sh -c LC_ALL=C LANG=C /sbin/ldconfig -p 2>/dev/null"',
+    '"sh -c LANG=C /sbin/ldconfig -p 2>/dev/null"',
     '"sh -c /sbin/ldconfig -p 2>/dev/null"',
     '"sh -c stty -a 2>/dev/null"',
+    '"sh -c stty -a < /dev/tty"',
+    '"sh -c stty -g < /dev/tty"',
     '"sh -c node index.js"',
     '"sh -c node index"',
     '"sh -c node ./src/start.js"',
     '"sh -c node app.js"',
+    '"sh -c node -e \"require(''nan'')\""',
     '"sh -c node -e \"require(''nan'')\")"',
     '"sh -c node $NODE_DEBUG_OPTION index.js "',
     '"sh -c crontab -l 2"',
     '"sh -c lsb_release -a"',
+    '"sh -c lsb_release -is 2>/dev/null"',
     '"sh -c whoami"',
-    '"sh -c node_modules/.bin/bower-installer"'
+    '"sh -c node_modules/.bin/bower-installer"',
+    '"sh -c /bin/hostname -f 2> /dev/null"',
+    '"sh -c locale -a"',
+    '"sh -c  -t -i"',
+    '"sh -c openssl version"'
+    ]
+
+- list: known_container_shell_spawn_cmdlines
+  items: [
+    known_shell_spawn_cmdlines,
+    '"bash -c curl -f localhost:$API_PORT/admin/healthcheck"',
+    '"sh -c curl http://localhost:6060/debug/vars>/dev/null "',
+    '"sh -c curl http://localhost:6060/debug/vars>/dev/null"',
+    '"sh -c  curl http://localhost:6060/debug/vars>/dev/null"',
+    '"sh -c  curl http://localhost:6060/debug/vars>/dev/null "',
+    '"sh -c  pgrep java && exit 0 || exit 1 "',
+    '"sh -c  echo healthy "',
+    '"sh -c  echo alive "',
+    '"bash /opt/docker/bin/lar"',
+    '"bash /opt/docker/bin/irs"',
+    '"bash /opt/docker/bin/brs"',
+    '"bash /opt/docker/bin/hdi"'
     ]
 
 # This list allows for easy additions to the set of commands allowed
@@ -825,21 +1148,26 @@
     and not container_entrypoint
     and not proc.pname in (shell_binaries, make_binaries, docker_binaries, k8s_binaries, package_mgmt_binaries,
                            lxd_binaries, mesos_slave_binaries, aide_wrapper_binaries, nids_binaries,
+                           cron_binaries,
                            user_known_container_shell_spawn_binaries,
                            needrestart_binaries,
                            phusion_passenger_binaries,
                            chef_binaries,
                            nomachine_binaries,
                            x2go_binaries,
-                           xray_rabbitmq_binaries,
-                           monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron,
-                           erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm, mysql_install_d, serf,
+                           db_mgmt_binaries,
+                           plesk_binaries,
+                           monitoring_binaries, gitlab_binaries, initdb, awk, falco, cron,
+                           erl_child_setup, erlexec, ceph, PM2, pycompile, py3compile, hhvm, npm, serf,
                            runsv, supervisord, varnishd, crond, logrotate, timeout, tini,
-                           xrdb, xfce4-session, weave, mysql_ssl_rsa_s, logdna-agent, bundle, configure)
+                           xrdb, xfce4-session, weave, logdna-agent, bundle, configure, luajit, nginx,
+                           beam.smp, paster, postfix-local, hawkular-metric, fluentd, x2gormforward,
+                           "[celeryd:", flock, nsrun, consul)
     and not trusted_containers
     and not shell_spawning_containers
     and not parent_java_running_echo
     and not parent_scripting_running_builds
+    and not makefile_perl
     and not parent_Xvfb_running_xkbcomp
     and not mysql_image_running_healthcheck
     and not parent_nginx_running_serf
@@ -850,8 +1178,30 @@
     and not run_by_h2o
     and not run_by_passenger_agent
     and not parent_java_running_jenkins
-    and not jenkins_script_sh
+    and not parent_java_running_maven
+    and not parent_java_running_appdynamics
+    and not python_running_es_curator
+    and not parent_beam_running_python
+    and not jenkins_scripts
     and not bundle_running_ruby
+    and not parent_dovecot_running_auth
+    and not parent_strongswan_running_starter
+    and not parent_phusion_passenger_my_init
+    and not parent_java_running_confluence
+    and not parent_java_running_tomcat
+    and not parent_java_running_install4j
+    and not parent_running_datastax
+    and not ics_running_java
+    and not parent_ruby_running_discourse
+    and not parent_ruby_running_pups
+    and not assemble_running_php
+    and not node_running_bitnami
+    and not node_running_threatstack
+    and not parent_python_running_localstack
+    and not parent_python_running_zookeeper
+    and not parent_docker_start_script
+    and not parent_java_running_endeca
+    and not python_mesos_healthcheck
   output: >
     Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image
     shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3])
@@ -862,7 +1212,7 @@
 # systemd can listen on ports to launch things like sshd on demand
 - rule: System procs network activity
   desc: any network activity performed by system binaries that are not expected to send or receive any network traffic
-  condition: (fd.sockfamily = ip and system_procs) and (inbound or outbound) and not proc.name=systemd
+  condition: (fd.sockfamily = ip and system_procs) and (inbound or outbound) and not proc.name in (systemd, hostid)
   output: >
     Known system binary sent/received network traffic
     (user=%user.name command=%proc.cmdline connection=%fd.name)
@@ -891,9 +1241,8 @@
 # container but not on the host. (See
 # https://github.com/draios/sysdig/issues/954). So in that case, allow
 # a setuid.
-
-- macro: unknown_user_in_container
-  condition: (user.name="<NA>" and container)
+- macro: known_user_in_container
+  condition: (container and user.name != "N/A")
 
 # sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs
 - rule: Non sudo setuid
@@ -902,12 +1251,13 @@
     suing to itself are also excluded, as setuid calls typically involve dropping privileges.
   condition: >
     evt.type=setuid and evt.dir=>
-    and not unknown_user_in_container
+    and (known_user_in_container or not container)
     and not user.name=root and not somebody_becoming_themself
-    and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries, nomachine_binaries)
+    and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
+                          nomachine_binaries)
     and not java_running_sdjagent
   output: >
-    Unexpected setuid call by non-sudo, non-root program (user=%user.name parent=%proc.pname
+    Unexpected setuid call by non-sudo, non-root program (user=%user.name cur_uid=%user.uid parent=%proc.pname
     command=%proc.cmdline uid=%evt.arg.uid)
   priority: NOTICE
   tags: [users]
@@ -920,12 +1270,14 @@
     Some innocuous commandlines that don't actually change anything are excluded.
   condition: >
     spawned_process and proc.name in (user_mgmt_binaries) and
-    not proc.name in (su, sudo, lastlog) and not container and
+    not proc.name in (su, sudo, lastlog, nologin, unix_chkpwd) and not container and
     not proc.pname in (cron_binaries, systemd, run-parts) and
     not proc.cmdline startswith "passwd -S" and
     not proc.cmdline startswith "useradd -D" and
     not proc.cmdline startswith "systemd --version" and
-    not run_by_qualys
+    not run_by_qualys and
+    not run_by_sumologic_securefiles and
+    not run_by_yum
   output: >
     User management binary command run outside of container
     (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])

userspace/engine/CMakeLists.txt

@@ -27,5 +27,3 @@ install(DIRECTORY lua
 	DESTINATION "${FALCO_SHARE_DIR}"
 	FILES_MATCHING PATTERN *.lua)
 endif()
-
-add_subdirectory("${PROJECT_SOURCE_DIR}/../falco/rules" "${PROJECT_BINARY_DIR}/rules")

userspace/engine/falco_engine.cpp

@@ -154,6 +154,13 @@ uint16_t falco_engine::find_ruleset_id(const std::string &ruleset)
 	return it->second;
 }
 
+void falco_engine::evttypes_for_ruleset(std::vector<bool> &evttypes, const std::string &ruleset)
+{
+	uint16_t ruleset_id = find_ruleset_id(ruleset);
+
+	return m_evttype_filter->evttypes_for_ruleset(evttypes, ruleset_id);
+}
+
 unique_ptr<falco_engine::rule_result> falco_engine::process_event(sinsp_evt *ev, uint16_t ruleset_id)
 {
 	if(should_drop_evt())

userspace/engine/falco_engine.h

@@ -85,6 +85,12 @@ public:
 	//
 	uint16_t find_ruleset_id(const std::string &ruleset);
 
+	//
+	// Given a ruleset, fill in a bitset containing the event
+	// types for which this ruleset can run.
+	//
+	void evttypes_for_ruleset(std::vector<bool> &evttypes, const std::string &ruleset);
+
 	//
 	// Given an event, check it against the set of rules in the
 	// engine and if a matching rule is found, return details on

userspace/falco/config_falco.h.in

@@ -5,7 +5,7 @@
 #define FALCO_LUA_DIR "${CMAKE_INSTALL_PREFIX}/${FALCO_SHARE_DIR}/lua/"
 #define FALCO_SOURCE_DIR "${PROJECT_SOURCE_DIR}"
 #define FALCO_SOURCE_CONF_FILE "${PROJECT_SOURCE_DIR}/falco.yaml"
-#define FALCO_INSTALL_CONF_FILE "/etc/falco.yaml"
+#define FALCO_INSTALL_CONF_FILE "/etc/falco/falco.yaml"
 #define FALCO_SOURCE_LUA_DIR "${PROJECT_SOURCE_DIR}/userspace/falco/lua/"
 
 #define PROBE_NAME "${PROBE_NAME}"