Allow user 'nobody' to setuid.
Allow the user nobody to setuid. This depends on the user nobody being
set up in the first place to have no access, but that should be an ok
assumption.
mstemm committed Jun 15, 2017
1 parent fd43691 commit 9495668
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions rules/falco_rules.yaml
@@ -518,8 +518,8 @@

# sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs
- rule: Non sudo setuid
desc: an attempt to change users by calling setuid. sudo/su are excluded. user "root" is also excluded, as setuid calls typically involve dropping privileges.
condition: evt.type=setuid and evt.dir=> and not user.name=root and not proc.name in (userexec_binaries, mail_binaries, docker_binaries, sshd, dbus-daemon-lau, ping, ping6, critical-stack-)
desc: an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody" are also excluded, as setuid calls typically involve dropping privileges.
condition: evt.type=setuid and evt.dir=> and not user.name in (nobody, root) and not proc.name in (userexec_binaries, mail_binaries, docker_binaries, sshd, dbus-daemon-lau, ping, ping6, critical-stack-)
output: "Unexpected setuid call by non-sudo, non-root program (user=%user.name parent=%proc.pname command=%proc.cmdline uid=%evt.arg.uid)"
priority: NOTICE
tags: [users]
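Review bot: changing the condition from `not user.name=root` to `not user.name in (nobody, root)` suppresses every setuid call made while running as nobody, including a call that requests uid 0, so a process that was deliberately confined to nobody and then attempts to regain root would no longer fire this rule. The commit message states the assumption that nobody has no access, but the rule as written does not check the direction of the change; since the output already reports the requested uid via `%evt.arg.uid`, consider narrowing the exclusion to setuid calls by nobody whose target is not root rather than exempting the user outright, and record the "nobody has no privileges" assumption in the rule's `desc` (and in the comment above the rule, which still names only sshd and mail programs) so the reader of the rule file knows why the exemption is safe.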
