Remove old unused macros/lists

Remove old macros/lists that aren't being used by any current rules. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
falcosecurity · Oct 15, 2020 · affc0a1 · affc0a1
1 parent e1a3353
commit affc0a1
Showing 1 changed file with 0 additions and 93 deletions.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -179,15 +179,9 @@
 - list: db_server_binaries
   items: [mysqld, postgres, sqlplus]
 
-- list: mysql_mgmt_binaries
-  items: [mysql_install_d, mysql_ssl_rsa_s]
-
 - list: postgres_mgmt_binaries
   items: [pg_dumpall, pg_ctl, pg_lsclusters, pg_ctlcluster]
 
-- list: db_mgmt_binaries
-  items: [mysql_mgmt_binaries, postgres_mgmt_binaries]
-
 - list: nosql_server_binaries
   items: [couchdb, memcached, redis-server, rabbitmq-server, mongod]
 
@@ -576,90 +570,25 @@
 - macro: system_users
   condition: user.name in (bin, daemon, games, lp, mail, nobody, sshd, sync, uucp, www-data)
 
-# These macros will be removed soon. Only keeping them to maintain
-# compatiblity with some widely used rules files.
-# Begin Deprecated
-- macro: parent_ansible_running_python
-  condition: (proc.pname in (python, pypy, python3) and proc.pcmdline contains ansible)
-
-- macro: parent_bro_running_python
-  condition: (proc.pname=python and proc.cmdline contains /usr/share/broctl)
-
 - macro: parent_python_running_denyhosts
   condition: >
     (proc.cmdline startswith "denyhosts.py /usr/bin/denyhosts.py" or
      (proc.pname=python and
      (proc.pcmdline contains /usr/sbin/denyhosts or
       proc.pcmdline contains /usr/local/bin/denyhosts.py)))
 
-- macro: parent_linux_image_upgrade_script
-  condition: proc.pname startswith linux-image-
-
-- macro: parent_java_running_echo
-  condition: (proc.pname=java and proc.cmdline startswith "sh -c echo")
-
-- macro: parent_scripting_running_builds
-  condition: >
-    (proc.pname in (php,php5-fpm,php-fpm7.1,python,ruby,ruby2.3,ruby2.1,node,conda) and (
-       proc.cmdline startswith "sh -c git" or
-       proc.cmdline startswith "sh -c date" or
-       proc.cmdline startswith "sh -c /usr/bin/g++" or
-       proc.cmdline startswith "sh -c /usr/bin/gcc" or
-       proc.cmdline startswith "sh -c gcc" or
-       proc.cmdline startswith "sh -c if type gcc" or
-       proc.cmdline startswith "sh -c cd '/var/www/edi/';LC_ALL=en_US.UTF-8 git" or
-       proc.cmdline startswith "sh -c /var/www/edi/bin/sftp.sh" or
-       proc.cmdline startswith "sh -c /usr/src/app/crxlsx/bin/linux/crxlsx" or
-       proc.cmdline startswith "sh -c make parent" or
-       proc.cmdline startswith "node /jenkins/tools" or
-       proc.cmdline startswith "sh -c '/usr/bin/node'" or
-       proc.cmdline startswith "sh -c stty -a |" or
-       proc.pcmdline startswith "node /opt/nodejs/bin/yarn" or
-       proc.pcmdline startswith "node /usr/local/bin/yarn" or
-       proc.pcmdline startswith "node /root/.config/yarn" or
-       proc.pcmdline startswith "node /opt/yarn/bin/yarn.js"))
-
-
 - macro: httpd_writing_ssl_conf
   condition: >
     (proc.pname=run-httpd and
      (proc.cmdline startswith "sed -ri" or proc.cmdline startswith "sed -i") and
      (fd.name startswith /etc/httpd/conf.d/ or fd.name startswith /etc/httpd/conf))
 
-- macro: parent_Xvfb_running_xkbcomp
-  condition: (proc.pname=Xvfb and proc.cmdline startswith 'sh -c "/usr/bin/xkbcomp"')
-
-- macro: parent_nginx_running_serf
-  condition: (proc.pname=nginx and proc.cmdline startswith "sh -c serf")
-
-- macro: parent_node_running_npm
-  condition: (proc.pcmdline startswith "node /usr/local/bin/npm" or
-              proc.pcmdline startswith "node /usr/local/nodejs/bin/npm" or
-              proc.pcmdline startswith "node /opt/rh/rh-nodejs6/root/usr/bin/npm")
-
-- macro: parent_java_running_sbt
-  condition: (proc.pname=java and proc.pcmdline contains sbt-launch.jar)
-
-- list: known_container_shell_spawn_cmdlines
-  items: []
-
-- list: known_shell_spawn_binaries
-  items: []
-
-## End Deprecated
-
 - macro: ansible_running_python
   condition: (proc.name in (python, pypy, python3) and proc.cmdline contains ansible)
 
 - macro: python_running_chef
   condition: (proc.name=python and (proc.cmdline contains yum-dump.py or proc.cmdline="python /usr/bin/chef-monitor.py"))
 
-- macro: python_running_denyhosts
-  condition: >
-    (proc.name=python and
-    (proc.cmdline contains /usr/sbin/denyhosts or
-     proc.cmdline contains /usr/local/bin/denyhosts.py))
-
 # Qualys seems to run a variety of shell subprocesses, at various
 # levels. This checks at a few levels without the cost of a full
 # proc.aname, which traverses the full parent heirarchy.
@@ -703,9 +632,6 @@
 - macro: run_by_centrify
   condition: (proc.aname[2]=centrify or proc.aname[3]=centrify or proc.aname[4]=centrify)
 
-- macro: run_by_puppet
-  condition: (proc.aname[2]=puppet or proc.aname[3]=puppet)
-
 # Also handles running semi-indirectly via scl
 - macro: run_by_foreman
   condition: >
@@ -1834,21 +1760,6 @@
     sematext_images
     ]
 
-# Add conditions to this macro (probably in a separate file,
-# overwriting this macro) to specify additional containers that are
-# allowed to run privileged
-#
-# In this file, it just takes one of the images in falco_privileged_images
-# and repeats it.
-- macro: user_privileged_containers
-  condition: (never_true)
-
-- list: rancher_images
-  items: [
-    rancher/network-manager, rancher/dns, rancher/agent,
-    rancher/lb-service-haproxy, rancher/metadata, rancher/healthcheck
-  ]
-
 # These container images are allowed to mount sensitive paths from the
 # host filesystem.
 - list: falco_sensitive_mount_images
@@ -2973,10 +2884,6 @@
 - macro: enabled_rule_network_only_subnet
   condition: (never_true)
 
-# Images that are allowed to have outbound traffic
-- list: images_allow_network_outside_subnet
-  items: []
-
 # Namespaces where the rule is enforce
 - list: namespace_scope_network_only_subnet
   items: []