alpine-overlay/kubezero/falco/rules.patch

--- falco_rules.yaml	2023-07-05 11:42:09.732973942 +0000
+++ zdt_falco_rules.yaml	2023-07-05 13:30:14.184038126 +0000
@@ -270,7 +270,7 @@
 # A canonical set of processes that run other programs with different
 # privileges or as a different user.
 - list: userexec_binaries
-  items: [sudo, su, suexec, critical-stack, dzdo]
+  items: [doas, sudo, su, suexec, critical-stack, dzdo]
 
 - list: known_setuid_binaries
   items: [
@@ -2298,27 +2298,28 @@
 - macro: user_known_non_sudo_setuid_conditions
   condition: user.name=root
 
+# Disabled for now due to buysbox noise 
 # sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs
-- rule: Non sudo setuid
-  desc: >
-    an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody"
-    suing to itself are also excluded, as setuid calls typically involve dropping privileges.
-  condition: >
-    evt.type=setuid and evt.dir=>
-    and (known_user_in_container or not container)
-    and not (user.name=root or user.uid=0)
-    and not somebody_becoming_themselves
-    and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
-                          nomachine_binaries)
-    and not proc.name startswith "runc:"
-    and not java_running_sdjagent
-    and not nrpe_becoming_nagios
-    and not user_known_non_sudo_setuid_conditions
-  output: >
-    Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname
-    command=%proc.cmdline pid=%proc.pid uid=%evt.arg.uid container_id=%container.id image=%container.image.repository)
-  priority: NOTICE
-  tags: [host, container, users, mitre_privilege_escalation, T1548.001]
+#- rule: Non sudo setuid
+#  desc: >
+#    an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody"
+#    suing to itself are also excluded, as setuid calls typically involve dropping privileges.
+#  condition: >
+#    evt.type=setuid and evt.dir=>
+#    and (known_user_in_container or not container)
+#    and not (user.name=root or user.uid=0)
+#    and not somebody_becoming_themselves
+#    and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
+#                          nomachine_binaries)
+#    and not proc.name startswith "runc:"
+#    and not java_running_sdjagent
+#    and not nrpe_becoming_nagios
+#    and not user_known_non_sudo_setuid_conditions
+#  output: >
+#    Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname
+#    command=%proc.cmdline pid=%proc.pid uid=%evt.arg.uid container_id=%container.id image=%container.image.repository)
+#  priority: NOTICE
+#  tags: [host, container, users, mitre_privilege_escalation, T1548.001]
 
 - macro: user_known_user_management_activities
   condition: (never_true)
feat: build falco dynamically, dedicated falco-kernel package for quick kernel updates 2023-07-31 18:19:31 +00:00			`--- falco_rules.yaml 2023-07-05 11:42:09.732973942 +0000`
			`+++ zdt_falco_rules.yaml 2023-07-05 13:30:14.184038126 +0000`
			`@@ -270,7 +270,7 @@`
			`# A canonical set of processes that run other programs with different`
			`# privileges or as a different user.`
			`- list: userexec_binaries`
			`- items: [sudo, su, suexec, critical-stack, dzdo]`
			`+ items: [doas, sudo, su, suexec, critical-stack, dzdo]`

			`- list: known_setuid_binaries`
			`items: [`
			`@@ -2298,27 +2298,28 @@`
			`- macro: user_known_non_sudo_setuid_conditions`
			`condition: user.name=root`

			`+# Disabled for now due to buysbox noise`
			`# sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs`
			`-- rule: Non sudo setuid`
			`- desc: >`
			`- an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody"`
			`- suing to itself are also excluded, as setuid calls typically involve dropping privileges.`
			`- condition: >`
			`- evt.type=setuid and evt.dir=>`
			`- and (known_user_in_container or not container)`
			`- and not (user.name=root or user.uid=0)`
			`- and not somebody_becoming_themselves`
			`- and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,`
			`- nomachine_binaries)`
			`- and not proc.name startswith "runc:"`
			`- and not java_running_sdjagent`
			`- and not nrpe_becoming_nagios`
			`- and not user_known_non_sudo_setuid_conditions`
			`- output: >`
			`- Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname`
			`- command=%proc.cmdline pid=%proc.pid uid=%evt.arg.uid container_id=%container.id image=%container.image.repository)`
			`- priority: NOTICE`
			`- tags: [host, container, users, mitre_privilege_escalation, T1548.001]`
			`+#- rule: Non sudo setuid`
			`+# desc: >`
			`+# an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody"`
			`+# suing to itself are also excluded, as setuid calls typically involve dropping privileges.`
			`+# condition: >`
			`+# evt.type=setuid and evt.dir=>`
			`+# and (known_user_in_container or not container)`
			`+# and not (user.name=root or user.uid=0)`
			`+# and not somebody_becoming_themselves`
			`+# and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,`
			`+# nomachine_binaries)`
			`+# and not proc.name startswith "runc:"`
			`+# and not java_running_sdjagent`
			`+# and not nrpe_becoming_nagios`
			`+# and not user_known_non_sudo_setuid_conditions`
			`+# output: >`
			`+# Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname`
			`+# command=%proc.cmdline pid=%proc.pid uid=%evt.arg.uid container_id=%container.id image=%container.image.repository)`
			`+# priority: NOTICE`
			`+# tags: [host, container, users, mitre_privilege_escalation, T1548.001]`

			`- macro: user_known_user_management_activities`
			`condition: (never_true)`