2023-11-07 16:31:20 +00:00
--- falco_rules.yaml 2023-11-07 16:26:40.171716913 +0000
+++ zdt_falco_rules.yaml 2023-11-07 16:30:24.912804117 +0000
@@ -171,7 +171,7 @@
# A canonical set of processes that run other programs with different
# privileges or as a different user.
- list: userexec_binaries
- items: [sudo, su, suexec, critical-stack, dzdo]
+ items: [doas, sudo, su, suexec, critical-stack, dzdo]
- list: user_mgmt_binaries
items: [login_binaries, passwd_binaries, shadowutils_binaries]
@@ -200,7 +200,7 @@
]
- list: sensitive_file_names
- items: [/etc/shadow, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]
+ items: [/etc/shadow, /etc/doas.d/doas.conf, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]
- list: sensitive_directory_names
items: [/, /etc, /etc/, /root, /root/]
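Review bot: The new `+ items:` line adds `/etc/doas.d/doas.conf` but not `/etc/doas.conf`, which, as far as I recall, is the default configuration path in upstream doas and OpenDoas; the `doas.d` layout is used by only some Linux packaging. A read or write of `/etc/doas.conf` would therefore not match `sensitive_file_names`, and the `/etc/doas.d` directory added to the `sensitive_files` macro in the following hunk does not cover it either, since `fd.directory` for that file is `/etc`. Suggest `items: [/etc/shadow, /etc/doas.conf, /etc/doas.d/doas.conf, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]`, plus a one-line comment above the list stating which doas configuration layouts are covered so the next maintainer knows the omission was considered rather than accidental.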
@@ -208,7 +208,7 @@
- macro: sensitive_files
condition: >
((fd.name startswith /etc and fd.name in (sensitive_file_names)) or
- fd.directory in (/etc/sudoers.d, /etc/pam.d))
+ fd.directory in (/etc/sudoers.d, /etc/pam.d, /etc/doas.d))
# Indicates that the process is new. Currently detected using time
# since process was started, using a threshold of 5 seconds.