mirror of
https://github.com/falcosecurity/falco.git
synced 2026-04-05 11:32:17 +00:00
Update rules to reduce FPs after running against some real-world environments with and without containers.

Summary of changes:

- Too many processes read /etc/passwd--it's world-readable and a side-effect of getpwent. Switch to /etc/shadow instead.
- Add a mail_binaries group. This wasn't directly used, but it may be handy for other rules and goes along with the changes in #54.
- not_cron was the only macro expressing a negative, so switch it to be a positive 'cron'. Also add crond as a cron process.
- Add dragent to the set of programs that can call setns.
- For the shell detection rules, change them to only look for the specific exec/clone event rather than all follow-on activity. Also allow docker to spawn shell scripts--this is required for entrypoints that use the shell instead of a direct exec. Also add a few additional programs that can spawn shells.
- In containers, shells are allowed as long as the parent process is docker or bash. Like the outside-of-container case, only the initial clone/exec is detected.
- Fix a typo Sytem -> System.
- Change the chmod rule to only protect important/sensitive files. I saw lots of "regular" files being chmod()ed.
- Change the setuid test to allow root to setuid to anything, rather than listing a bunch of programs run as root that drop privileges.
- Allow running su/sudo in containers. Some containers add users from a base linux distribution before running.
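As an added illustration (not code from the Falco project or this commit), here is a small Python model of the revised conditions evaluated over constructed events, showing which of the listed changes suppress a false positive and which still fire. Field names, the shell and sensitive-file sets, and the sample events are assumptions made for the example.

```python
# Constructed model (not Falco rule syntax or the project's rules) of the
# revised conditions; field names, shell names and SENSITIVE are assumptions.
SHELLS = {"sh", "bash", "dash", "zsh"}        # assumed shell binaries
CRON = {"cron", "crond"}                      # crond added by the commit
SETNS_OK = {"docker", "dragent"}              # dragent added by the commit
SHELL_PARENTS_OK = {"docker", "bash"}         # allowed in-container shell parents
SENSITIVE = {"/etc/shadow", "/etc/sudoers"}   # assumed sensitive-file set
SPAWN = {"execve", "clone"}                   # only the initial exec/clone is checked

RULES = {
    # in a container, a shell is fine when docker or bash is the parent
    "shell_in_container": lambda e: e["container"] and e["type"] in SPAWN
        and e["proc"] in SHELLS and e["pname"] not in SHELL_PARENTS_OK,
    # on the host, cron jobs and docker entrypoints may run shell scripts
    "shell_on_host": lambda e: not e["container"] and e["type"] in SPAWN
        and e["proc"] in SHELLS and e["pname"] not in CRON | {"docker"},
    # chmod is only interesting on sensitive files, not "regular" ones
    "chmod_sensitive": lambda e: e["type"] == "chmod" and e["file"] in SENSITIVE,
    # root may setuid to anything; other identity changes are flagged
    "setuid": lambda e: e["type"] == "setuid" and e["user"] != "root",
    "setns": lambda e: e["type"] == "setns" and e["proc"] not in SETNS_OK,
    # su/sudo is allowed inside containers (base-image user setup)
    "su_sudo": lambda e: e["type"] in SPAWN and e["proc"] in {"su", "sudo"}
        and not e["container"],
    # watch /etc/shadow, since /etc/passwd is read as a side effect of getpwent()
    "read_shadow": lambda e: e["type"] == "open" and e["file"] == "/etc/shadow",
}

def evaluate(events):
    """Return, per event, the names of the rules that fire."""
    return [[name for name, cond in RULES.items() if cond(e)] for e in events]

def event(type_, proc, pname="init", container=False, file="", user="root"):
    return {"type": type_, "proc": proc, "pname": pname,
            "container": container, "file": file, "user": user}

# constructed sample events, one per change the commit describes
SAMPLE = [
    event("execve", "sh", pname="docker", container=True),  # entrypoint: allowed
    event("execve", "bash", pname="nginx", container=True), # unexpected shell: fires
    event("write", "bash", pname="nginx", container=True),  # follow-on activity: ignored
    event("execve", "sh", pname="crond"),                   # cron job on host: allowed
    event("chmod", "chmod", file="/tmp/build.log"),         # regular file: ignored
    event("chmod", "chmod", file="/etc/shadow"),            # sensitive file: fires
    event("setuid", "login", user="root"),                  # root setuid: allowed
    event("setns", "dragent"),                              # dragent: allowed
    event("execve", "sudo", pname="sh", container=True),    # su/sudo in container: allowed
    event("open", "getent", file="/etc/passwd"),            # passwd read: no longer flagged
]
```

Calling `evaluate(SAMPLE)` yields an empty list for every event except the unexpected in-container shell and the chmod of /etc/shadow.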