Another round of rule cleanups based on staging.
Another round of rule cleanups after running for a day on
staging. Notable changes:

- Some of the *_binaries macros that were based on dpkg -L accidentally
  contained directories in addition to end files. Trim those.

- Add systemd-logind as a login_binary.

- Add unix_chkpwd as a shadowutils_binary.

- Add parentheses around any macros that group items using or. I found
  this necessary when the macro is used in the middle of a list of and
  conditions.

- Break out system_binaries into a new subset user_mgmt_binaries
  containing login_, passwd_, and shadowutils_ binaries. That way you
  don't have to pull in all of system_binaries when looking for
  sensitive files or user management activity.

- Rename fs-bash to fbash, thinking ahead to its more likely name.
mstemm committed May 25, 2016
1 parent 5e742d6 commit f6320bb
Showing 1 changed file with 29 additions and 23 deletions.
52 changes: 29 additions & 23 deletions rules/falco_rules.yaml
@@ -81,23 +81,24 @@
chgrp, chmod, mktemp, cat, mknod, sync, ln, false, rm, mv, cp, echo,
readlink, sleep, stty, mkdir, df, dir, rmdir, touch)
# dpkg -L login | grep bin | xargs ls -ld | grep -v '^d' | awk '{print $9}' | xargs -L 1 basename | tr "\\n" ","
- macro: login_binaries
condition: proc.name in (bin, login, su, sbin, nologin, bin, faillog, lastlog, newgrp, sg)
condition: proc.name in (login, systemd-logind, su, nologin, faillog, lastlog, newgrp, sg)

# dpkg -L passwd | grep bin | xargs -L 1 basename | tr "\\n" ","
# dpkg -L passwd | grep bin | xargs ls -ld | grep -v '^d' | awk '{print $9}' | xargs -L 1 basename | tr "\\n" ","
- macro: passwd_binaries
condition: >
proc.name in (sbin, shadowconfig, sbin, grpck, pwunconv, grpconv, pwck,
proc.name in (shadowconfig, grpck, pwunconv, grpconv, pwck,
groupmod, vipw, pwconv, useradd, newusers, cppw, chpasswd, usermod,
groupadd, groupdel, grpunconv, chgpasswd, userdel, bin, chage, chsh,
groupadd, groupdel, grpunconv, chgpasswd, userdel, chage, chsh,
gpasswd, chfn, expiry, passwd, vigr, cpgr)
# repoquery -l shadow-utils | grep bin | xargs -L 1 basename | tr "\\n" ","
# repoquery -l shadow-utils | grep bin | xargs ls -ld | grep -v '^d' | awk '{print $9}' | xargs -L 1 basename | tr "\\n" ","
- macro: shadowutils_binaries
condition: >
proc.name in (chage, gpasswd, lastlog, newgrp, sg, adduser, deluser, chpasswd,
groupadd, groupdel, addgroup, delgroup, groupmems, groupmod, grpck, grpconv, grpunconv,
newusers, pwck, pwconv, pwunconv, useradd, userdel, usermod, vigr, vipw)
newusers, pwck, pwconv, pwunconv, useradd, userdel, usermod, vigr, vipw, unix_chkpwd)
- macro: sysdigcloud_binaries
condition: proc.name in (setup-backend, dragent)
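Review bot: the two entries that the generating commands in the comments will not reproduce (systemd-logind in login_binaries, which is not shipped by the `login` package, and unix_chkpwd in shadowutils_binaries, which is a PAM helper rather than part of shadow-utils) need a comment of their own, otherwise the next person who re-runs `dpkg -L login | ... | tr "\n" ","` or `repoquery -l shadow-utils | ...` to refresh the list will silently drop them. The trimmed lists are otherwise correct: the added `xargs ls -ld | grep -v '^d'` stage is what removes the `bin`/`sbin` directory entries and the duplicate `bin` that the old `grep bin` pipeline produced.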
@@ -118,24 +119,29 @@
condition: proc.pname in (mysqld)

- macro: server_binaries
condition: http_server_binaries or db_server_binaries or docker_binaries or proc.name in (sshd)
condition: (http_server_binaries or db_server_binaries or docker_binaries or proc.name in (sshd))

# The truncated dpkg-preconfigu is intentional, process names are
# truncated at the sysdig level.
- macro: package_mgmt_binaries
condition: proc.name in (dpkg, rpm, yum)
condition: proc.name in (dpkg, dpkg-preconfigu, rpm, yum)

# A canonical set of processes that run other programs with different
# privileges or as a different user.
- macro: userexec_binaries
condition: proc.name in (sudo, su)

- macro: user_mgmt_binaries
condition: (login_binaries or passwd_binaries or shadowutils_binaries)

- macro: system_binaries
condition: coreutils_binaries or login_binaries or passwd_binaries or shadowutils_binaries
condition: (coreutils_binaries or user_mgmt_binaries)

- macro: mail_binaries
condition: proc.name in (sendmail, sendmail-msp, postfix, procmail)

- macro: sensitive_files
condition: fd.name contains /etc/shadow or fd.name = /etc/sudoers or fd.directory = /etc/sudoers.d or fd.directory = /etc/pam.d or fd.name = /etc/pam.conf
condition: (fd.name contains /etc/shadow or fd.name = /etc/sudoers or fd.directory = /etc/sudoers.d or fd.directory = /etc/pam.d or fd.name = /etc/pam.conf)

# Indicates that the process is new. Currently detected using time
# since process was started, using a threshold of 5 seconds.
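Review bot: sensitive_files still does not cover /etc/gshadow or its backup /etc/gshadow-, even though several tools in shadowutils_binaries (gpasswd, grpconv, grpunconv, vigr) exist to edit exactly that file; `fd.name contains /etc/shadow` does not match `/etc/gshadow`, so consider adding `or fd.name contains /etc/gshadow` while the macro is being parenthesized. The new user_mgmt_binaries macro and the simplified system_binaries expand to the same set as before, so no rule changes meaning here, and the comment explaining the truncated `dpkg-preconfigu` is the right pattern for every truncated name in the file.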
@@ -144,7 +150,7 @@

# Network
- macro: inbound
condition: (syscall.type=listen and evt.dir=>) or (syscall.type=accept and evt.dir=<)
condition: ((syscall.type=listen and evt.dir=>) or (syscall.type=accept and evt.dir=<))

# Currently sendto is an ignored syscall, otherwise this could also check for (syscall.type=sendto and evt.dir=>)
- macro: outbound
@@ -155,15 +161,15 @@

# Ssh
- macro: ssh_error_message
condition: evt.arg.data contains "Invalid user" or evt.arg.data contains "preauth" or evt.arg.data contains "Failed password"
condition: (evt.arg.data contains "Invalid user" or evt.arg.data contains "preauth" or evt.arg.data contains "Failed password")

# System
- macro: modules
condition: syscall.type in (delete_module, init_module)
- macro: container
condition: container.id != host
- macro: interactive
condition: (proc.aname=sshd and proc.name != sshd) or proc.name=systemd-logind
condition: ((proc.aname=sshd and proc.name != sshd) or proc.name=systemd-logind)
- macro: syslog
condition: fd.name in (/dev/log, /run/systemd/journal/syslog)
- macro: cron
@@ -195,7 +201,7 @@

- rule: read_sensitive_file_untrusted
desc: an attempt to read any sensitive file (e.g. files containing user/password/authentication information). Exceptions are made for known trusted programs.
condition: open_read and not server_binaries and not userexec_binaries and not proc.name in (iptables, ps, systemd-logind, login, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, bash) and not cron and sensitive_files
condition: open_read and not user_mgmt_binaries and not userexec_binaries and not proc.name in (iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, bash, sshd) and not cron and sensitive_files
output: "Sensitive file opened for reading by non-trusted program (user=%user.name command=%proc.cmdline file=%fd.name)"
priority: WARNING
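Review bot: swapping `not server_binaries` for `not user_mgmt_binaries` widens this rule more than the commit message says: http_server_binaries, db_server_binaries and docker_binaries were previously exempt from opening sensitive_files and now only sshd (moved into the proc.name list) is. That is a reasonable tightening, but it is a behaviour change that can produce new alerts on staging and should be called out. Two smaller points: `check-new-relea` is a truncated process name exactly like `dpkg-preconfigu` and deserves the same explanatory comment, and keeping `bash` in the exception list means any read performed by the shell process itself (an input redirection handled by bash rather than by a child command) never alerts, which is a larger exception than the desc suggests.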

@@ -247,7 +253,7 @@

- rule: run_shell_untrusted
desc: an attempt to spawn a shell by a non-shell program. Exceptions are made for trusted binaries.
condition: not container and proc.name = bash and spawned_process and proc.pname exists and not parent_cron and not proc.pname in (bash, sshd, sudo, docker, su, tmux, screen, emacs, systemd, login, flock, fs-bash, nginx, monit, supervisord, dragent)
condition: not container and proc.name = bash and spawned_process and proc.pname exists and not parent_cron and not proc.pname in (bash, sshd, sudo, docker, su, tmux, screen, emacs, systemd, login, flock, fbash, nginx, monit, supervisord, dragent)
output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
priority: WARNING
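Review bot: the exception list now names `fbash` literally, and the two installer rules further down match `proc.aname=fbash` literally as well; since this is already the second name for that binary, consider defining one macro (say `installer_shell`) and referencing it in all three places so the next rename is a single edit. The rest of the condition is unchanged and the rename is complete within this hunk.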

@@ -293,7 +299,7 @@

- rule: user_mgmt_binaries
desc: activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded. Activity in containers is also excluded--some containers create custom users on top of a base linux distribution at startup.
condition: spawned_process and not proc.name in (su, sudo) and not container and (login_binaries or passwd_binaries or shadowutils_binaries) and not proc.pname in (systemd)
condition: spawned_process and not proc.name in (su, sudo) and not container and user_mgmt_binaries and not parent_cron and not proc.pname in (systemd, run-parts)
output: "User management binary command run outside of container (user=%user.name command=%proc.cmdline parent=%proc.pname)"
priority: WARNING
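Review bot: the rule and the macro it now uses share the name `user_mgmt_binaries`, so `condition: ... and user_mgmt_binaries ...` reads as self-referential and will confuse anyone grepping the file; rename one of them (the rule could become `user_mgmt_binary_run` or similar). Also, `not proc.name in (su, sudo)` duplicates the `userexec_binaries` macro defined earlier in this file, so `not userexec_binaries` would be consistent with read_sensitive_file_untrusted. The added `not parent_cron` and the `run-parts` entry in `not proc.pname in (systemd, run-parts)` are sensible noise reducers, but together they mean scheduled user-management jobs are no longer reported at all, which is worth stating in the desc alongside the container exclusion.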

@@ -304,17 +310,17 @@
output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name)"
priority: WARNING

# fs-bash is a restricted version of bash suitable for use in curl <curl> | sh installers.
# fbash is a small shell script that runs bash, and is suitable for use in curl <curl> | fbash installers.
- rule: installer_bash_starts_network_server
desc: an attempt by any program that is a child of fs-bash to start listening for network connections
condition: evt.type=listen and proc.aname=fs-bash
output: "Unexpected listen call by a child process of fs-bash (command=%proc.cmdline)"
desc: an attempt by any program that is a child of fbash to start listening for network connections
condition: evt.type=listen and proc.aname=fbash
output: "Unexpected listen call by a child process of fbash (command=%proc.cmdline)"
priority: WARNING

- rule: installer_bash_starts_session
desc: an attempt by any program that is a child of fs-bash to start a new session (process group)
condition: evt.type=setsid and proc.aname=fs-bash
output: "Unexpected setsid call by a child process of fs-bash (command=%proc.cmdline)"
desc: an attempt by any program that is a child of fbash to start a new session (process group)
condition: evt.type=setsid and proc.aname=fbash
output: "Unexpected setsid call by a child process of fbash (command=%proc.cmdline)"
priority: WARNING

###########################
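Review bot: the new comment says fbash is a small shell script that runs bash, so `proc.aname=fbash` only matches when the script is executed directly (the process name is then the script's basename); if it is started through an explicit interpreter instead, the ancestor name would be `bash` and neither installer rule fires. A one-line comment recording that assumption next to the rules would help whoever tunes them later. Two leftovers from the rename: the rule names `installer_bash_starts_network_server` and `installer_bash_starts_session` still say bash rather than fbash, and the `<curl>` placeholder in the comment reads oddly for a URL position (`curl <url> | fbash`).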