rule(macro user_known_set_setuid_or_setgid_bit_conditions): create macro
This macro will be useful because it will make it possible to filter out
events with a higher degree of granularity than is currently possible
for the `Set Setuid or Setgid bit` rule.

For example, if some application is expected to set the setuid or the
setgid bit under a specific condition, like if it's started with a
specific command, then the `user_known_chmod_applications` list is not
enough because we don't want to filter out _all_ events by this
application, only specific ones. This macro allows that.

Signed-off-by: Nicolas Marier <nmarier@coveo.com>
Nicolas Marier authored and poiana committed May 26, 2020
1 parent f186e5f commit 81e29c5
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions rules/falco_rules.yaml
Expand Up @@ -2516,6 +2516,12 @@
- list: user_known_chmod_applications
items: [hyperkube, kubelet]

# This macro should be overridden in user rules as needed. This is useful if a given application
# should not be ignored alltogether with the user_known_chmod_applications list, but only in
# specific conditions.
- macro: user_known_set_setuid_or_setgid_bit_conditions
condition: (never_true)

- rule: Set Setuid or Setgid bit
desc: >
When the setuid or setgid bits are set for an application,
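Review bot: the new comment block above the macro has a typo ("alltogether" should be "altogether"), and it would help users if it also showed what an override looks like, since `(never_true)` is only a placeholder. Something along the lines of "override in your own rules file, e.g. `condition: (proc.name = myapp and proc.cmdline contains "--expected-flag")`" (illustrative names only) would make the intent from the commit message, filtering a single application only under a specific launch condition, obvious at the point where the macro is defined. Keeping the example narrow matters: an override that only tests `proc.name` would silently suppress every setuid/setgid event for that binary, which is exactly what `user_known_chmod_applications` already does and what this macro is meant to avoid.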
Expand All @@ -2525,6 +2531,7 @@
consider_all_chmods and chmod and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID")
and not proc.name in (user_known_chmod_applications)
and not exe_running_docker_save
and not user_known_set_setuid_or_setgid_bit_conditions
output: >
Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name process=%proc.name
command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
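Review bot: the added `and not user_known_set_setuid_or_setgid_bit_conditions` clause is a no-op until the macro is overridden, because the default condition is `(never_true)`, so existing deployments see no change in what this rule fires on; that is the right default for a detection rule. Two small follow-ups: the rule's `desc` still only mentions the application list, so consider adding a sentence pointing at the new macro as the per-condition exclusion hook, and the ordering (list exclusion, then `exe_running_docker_save`, then the conditions macro) matches how other rules in this file chain their exceptions, which is good for consistency.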

0 comments on commit 81e29c5
