From e229cecbe12af5ec4c4e7f67171f992ae55aadd1 Mon Sep 17 00:00:00 2001
From: Lorenzo Fontana
Date: Wed, 14 Aug 2019 19:12:50 +0000
Subject: [PATCH] fix(rules): make chmod rules enabled by default

Signed-off-by: Lorenzo Fontana
---
 rules/falco_rules.yaml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index edc58b36994..7d137deb6fe 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -73,7 +73,7 @@
   condition: evt.type in (symlink, symlinkat) and evt.dir=<
 
 - macro: chmod
-  condition: evt.type in (chmod, fchmod, fchmodat)
+  condition: (evt.type in (chmod, fchmod, fchmodat) and evt.dir=<)
 
 # File categories
 - macro: bin_dir
@@ -2412,14 +2412,17 @@
   tag: [process, mitre_defense_evation]
 - macro: consider_all_chmods
-  condition: (never_true)
+  condition: (always_true)
+
+- list: user_known_chmod_applications
+  items: []
 - rule: Set Setuid or Setgid bit
   desc: >
     When the setuid or setgid bits are set for an application, this means that the application will run with the privileges of the owning user or group respectively. Detect setuid or setgid bits set via chmod
-  condition: consider_all_chmods and chmod and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID")
+  condition: consider_all_chmods and chmod and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID") and not proc.cmdline in (user_known_chmod_applications)
   output: >
     Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
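Review bot: The new `evt.dir=<` restriction on the `chmod` macro carries no explanation, so a later editor is likely to see it as redundant noise and drop it, silently breaking the rules that depend on it; a one-line comment above the macro would preserve the intent, e.g. `# Match exit events only: the argument fields (evt.arg.mode, evt.arg.filename) used by the chmod rules below are only available on the exit side`. That the argument fields are exit-side is inferred from the rule's use of `evt.arg.mode` rather than shown in this hunk, so confirm the wording against the event table before committing it. The macro also does not look at `evt.rawres`, so a chmod that fails (for example with permission denied) still satisfies it; if alerting on attempts is the intended behaviour, the same comment should say so explicitly so nobody later "fixes" it by adding a success check. The symlink macro immediately above already uses the same `evt.dir=<` pattern, so the comment could cover both.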