alpine-overlay/kubezero/falco/rules.patch

61 lines
2.9 KiB
Diff
Raw Normal View History

--- falco_rules.yaml 2023-07-05 11:42:09.732973942 +0000
+++ zdt_falco_rules.yaml 2023-07-05 13:30:14.184038126 +0000
@@ -270,7 +270,7 @@
# A canonical set of processes that run other programs with different
# privileges or as a different user.
- list: userexec_binaries
- items: [sudo, su, suexec, critical-stack, dzdo]
+ items: [doas, sudo, su, suexec, critical-stack, dzdo]
- list: known_setuid_binaries
items: [
@@ -2298,27 +2298,28 @@
- macro: user_known_non_sudo_setuid_conditions
condition: user.name=root
+# Disabled for now due to buysbox noise
# sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs
-- rule: Non sudo setuid
- desc: >
- an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody"
- suing to itself are also excluded, as setuid calls typically involve dropping privileges.
- condition: >
- evt.type=setuid and evt.dir=>
- and (known_user_in_container or not container)
- and not (user.name=root or user.uid=0)
- and not somebody_becoming_themselves
- and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
- nomachine_binaries)
- and not proc.name startswith "runc:"
- and not java_running_sdjagent
- and not nrpe_becoming_nagios
- and not user_known_non_sudo_setuid_conditions
- output: >
- Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname
- command=%proc.cmdline pid=%proc.pid uid=%evt.arg.uid container_id=%container.id image=%container.image.repository)
- priority: NOTICE
- tags: [host, container, users, mitre_privilege_escalation, T1548.001]
+#- rule: Non sudo setuid
+# desc: >
+# an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody"
+# suing to itself are also excluded, as setuid calls typically involve dropping privileges.
+# condition: >
+# evt.type=setuid and evt.dir=>
+# and (known_user_in_container or not container)
+# and not (user.name=root or user.uid=0)
+# and not somebody_becoming_themselves
+# and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
+# nomachine_binaries)
+# and not proc.name startswith "runc:"
+# and not java_running_sdjagent
+# and not nrpe_becoming_nagios
+# and not user_known_non_sudo_setuid_conditions
+# output: >
+# Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname
+# command=%proc.cmdline pid=%proc.pid uid=%evt.arg.uid container_id=%container.id image=%container.image.repository)
+# priority: NOTICE
+# tags: [host, container, users, mitre_privilege_escalation, T1548.001]
- macro: user_known_user_management_activities
condition: (never_true)