fix(rules): make chmod rules enabled by default

Signed-off-by: Lorenzo Fontana <lo@linux.com>
falcosecurity · Aug 16, 2019 · e229cec · e229cec
1 parent 3ea98b0
commit e229cec
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -73,7 +73,7 @@
   condition: evt.type in (symlink, symlinkat) and evt.dir=<
 
 - macro: chmod
-  condition: evt.type in (chmod, fchmod, fchmodat)
+  condition: (evt.type in (chmod, fchmod, fchmodat) and evt.dir=<)
 
 # File categories
 - macro: bin_dir
@@ -2412,14 +2412,17 @@
   tag: [process, mitre_defense_evation]
 
 - macro: consider_all_chmods
-  condition: (never_true)
+  condition: (always_true)
+
+- list: user_known_chmod_applications
+  items: []
 
 - rule: Set Setuid or Setgid bit
   desc: >
     When the setuid or setgid bits are set for an application,
     this means that the application will run with the privileges of the owning user or group respectively.
     Detect setuid or setgid bits set via chmod
-  condition: consider_all_chmods and chmod and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID")
+  condition: consider_all_chmods and chmod and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID") and not proc.cmdline in (user_known_chmod_applications)
   output: >
     Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name
     command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)