From 44ff6b7cba1f45d4a22915f057f3be0ae4e36032 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Tue, 31 May 2016 17:41:08 -0700
Subject: [PATCH] Update fbash rules to use proc.sname.

Update fbash rules to use proc.sname instead of proc.aname and to rely on sessions instead of process ancestors. I also wanted to add details on the address/port being listened to but that's blocked on https://github.com/draios/falco/issues/86. Along with this change, there are new positive trace files installer-bash-starts-network-server.scap and installer-bash-starts-session.scap that test these updated rules.
---
 rules/falco_rules.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 1d451af9..8ba8452c 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -312,15 +312,15 @@
 
 # fbash is a small shell script that runs bash, and is suitable for use in curl | fbash installers.
 - rule: installer_bash_starts_network_server
-  desc: an attempt by any program that is a child of fbash to start listening for network connections
-  condition: evt.type=listen and proc.aname=fbash
-  output: "Unexpected listen call by a child process of fbash (command=%proc.cmdline)"
+  desc: an attempt by any program that is in a session led by fbash to start listening for network connections
+  condition: evt.type=listen and proc.sname=fbash
+  output: "Unexpected listen call by a process in a fbash session (command=%proc.cmdline)"
   priority: WARNING
 
 - rule: installer_bash_starts_session
-  desc: an attempt by any program that is a child of fbash to start a new session (process group)
-  condition: evt.type=setsid and proc.aname=fbash
-  output: "Unexpected setsid call by a child process of fbash (command=%proc.cmdline)"
+  desc: an attempt by any program that is in a session led by fbash to start a new session
+  condition: evt.type=setsid and proc.sname=fbash
+  output: "Unexpected setsid call by a process in fbash session (command=%proc.cmdline)"
   priority: WARNING
 
 ###########################
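Review bot: The new listen condition `evt.type=listen and proc.sname=fbash` stops matching a process as soon as it (or an intermediate process below fbash) has called setsid, because it then leads its own session and proc.sname presumably no longer resolves to fbash, whereas the ancestor-based proc.aname check it replaces would likely still have matched. That case is only covered indirectly by installer_bash_starts_session firing on the setsid itself, so anyone tuning or silencing that rule should know the two are meant to be read together. I would add a comment above the first rule: `# Note: a process that leaves the fbash session via setsid (caught by installer_bash_starts_session below) no longer matches proc.sname=fbash, so the listen rule depends on the setsid alert for that case.` The two added output strings also differ in wording (`in a fbash session` vs `in fbash session`); the second should probably read `output: "Unexpected setsid call by a process in a fbash session (command=%proc.cmdline)"`.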