alpine-overlay/kubezero/falco/rules.patch

--- falco_rules.yaml.orig	2025-01-29 18:47:38.918577192 +0000
+++ falco_rules.yaml	2025-01-29 18:47:21.505145109 +0000
@@ -172,7 +172,7 @@
 # A canonical set of processes that run other programs with different
 # privileges or as a different user.
 - list: userexec_binaries
-  items: [sudo, su, suexec, critical-stack, dzdo]
+  items: [doas, sudo, su, suexec, critical-stack, dzdo]
 
 - list: user_mgmt_binaries
   items: [login_binaries, passwd_binaries, shadowutils_binaries]
@@ -201,7 +201,7 @@
     ]
 
 - list: sensitive_file_names
-  items: [/etc/shadow, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]
+  items: [/etc/shadow, /etc/doas.d/doas.conf, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]
 
 - list: sensitive_directory_names
   items: [/, /etc, /etc/, /root, /root/]
@@ -209,7 +209,7 @@
 - macro: sensitive_files
   condition: >
     (fd.name in (sensitive_file_names) or
-      fd.directory in (/etc/sudoers.d, /etc/pam.d))
+      fd.directory in (/etc/sudoers.d, /etc/pam.d, /etc/doas.d))
 
 # Indicates that the process is new. Currently detected using time
 # since process was started, using a threshold of 5 seconds.
@@ -362,7 +362,7 @@
 
 - list: read_sensitive_file_binaries
   items: [
-    iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd,
+    iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd, sshd-session,
     vsftpd, systemd, mysql_install_d, psql, screen, debconf-show, sa-update,
     pam-auth-update, pam-config, /usr/sbin/spamd, polkit-agent-he, lsattr, file, sosreport,
     scxcimservera, adclient, rtvscand, cockpit-session, userhelper, ossec-syscheckd
feat: falco version bump, make BPF work again 2025-02-05 12:32:29 +00:00			`--- falco_rules.yaml.orig 2025-01-29 18:47:38.918577192 +0000`
			`+++ falco_rules.yaml 2025-01-29 18:47:21.505145109 +0000`
			`@@ -172,7 +172,7 @@`
feat: build falco dynamically, dedicated falco-kernel package for quick kernel updates 2023-07-31 18:19:31 +00:00			`# A canonical set of processes that run other programs with different`
			`# privileges or as a different user.`
			`- list: userexec_binaries`
			`- items: [sudo, su, suexec, critical-stack, dzdo]`
			`+ items: [doas, sudo, su, suexec, critical-stack, dzdo]`
feat: falco version bump, make BPF work again 2025-02-05 12:32:29 +00:00
falco version bump 2023-11-07 16:31:20 +00:00			`- list: user_mgmt_binaries`
			`items: [login_binaries, passwd_binaries, shadowutils_binaries]`
feat: falco version bump, make BPF work again 2025-02-05 12:32:29 +00:00			`@@ -201,7 +201,7 @@`
falco version bump 2023-11-07 16:31:20 +00:00			`]`
feat: falco version bump, make BPF work again 2025-02-05 12:32:29 +00:00
falco version bump 2023-11-07 16:31:20 +00:00			`- list: sensitive_file_names`
			`- items: [/etc/shadow, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]`
			`+ items: [/etc/shadow, /etc/doas.d/doas.conf, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]`
feat: falco version bump, make BPF work again 2025-02-05 12:32:29 +00:00
falco version bump 2023-11-07 16:31:20 +00:00			`- list: sensitive_directory_names`
			`items: [/, /etc, /etc/, /root, /root/]`
feat: falco version bump, make BPF work again 2025-02-05 12:32:29 +00:00			`@@ -209,7 +209,7 @@`
falco version bump 2023-11-07 16:31:20 +00:00			`- macro: sensitive_files`
			`condition: >`
feat: all things KubeZero v1.30 2024-10-25 16:22:11 +00:00			`(fd.name in (sensitive_file_names) or`
falco version bump 2023-11-07 16:31:20 +00:00			`- fd.directory in (/etc/sudoers.d, /etc/pam.d))`
			`+ fd.directory in (/etc/sudoers.d, /etc/pam.d, /etc/doas.d))`
feat: falco version bump, make BPF work again 2025-02-05 12:32:29 +00:00
falco version bump 2023-11-07 16:31:20 +00:00			`# Indicates that the process is new. Currently detected using time`
			`# since process was started, using a threshold of 5 seconds.`
feat: falco version bump, make BPF work again 2025-02-05 12:32:29 +00:00			`@@ -362,7 +362,7 @@`

			`- list: read_sensitive_file_binaries`
			`items: [`
			`- iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd,`
			`+ iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd, sshd-session,`
			`vsftpd, systemd, mysql_install_d, psql, screen, debconf-show, sa-update,`
			`pam-auth-update, pam-config, /usr/sbin/spamd, polkit-agent-he, lsattr, file, sosreport,`
			`scxcimservera, adclient, rtvscand, cockpit-session, userhelper, ossec-syscheckd`