61 lines
2.9 KiB
Diff
61 lines
2.9 KiB
Diff
--- falco_rules.yaml 2023-07-05 11:42:09.732973942 +0000
|
|
+++ zdt_falco_rules.yaml 2023-07-05 13:30:14.184038126 +0000
|
|
@@ -270,7 +270,7 @@
|
|
# A canonical set of processes that run other programs with different
|
|
# privileges or as a different user.
|
|
- list: userexec_binaries
|
|
- items: [sudo, su, suexec, critical-stack, dzdo]
|
|
+ items: [doas, sudo, su, suexec, critical-stack, dzdo]
|
|
|
|
- list: known_setuid_binaries
|
|
items: [
|
|
@@ -2298,27 +2298,28 @@
|
|
- macro: user_known_non_sudo_setuid_conditions
|
|
condition: user.name=root
|
|
|
|
+# Disabled for now due to buysbox noise
|
|
# sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs
|
|
-- rule: Non sudo setuid
|
|
- desc: >
|
|
- an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody"
|
|
- suing to itself are also excluded, as setuid calls typically involve dropping privileges.
|
|
- condition: >
|
|
- evt.type=setuid and evt.dir=>
|
|
- and (known_user_in_container or not container)
|
|
- and not (user.name=root or user.uid=0)
|
|
- and not somebody_becoming_themselves
|
|
- and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
|
|
- nomachine_binaries)
|
|
- and not proc.name startswith "runc:"
|
|
- and not java_running_sdjagent
|
|
- and not nrpe_becoming_nagios
|
|
- and not user_known_non_sudo_setuid_conditions
|
|
- output: >
|
|
- Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname
|
|
- command=%proc.cmdline pid=%proc.pid uid=%evt.arg.uid container_id=%container.id image=%container.image.repository)
|
|
- priority: NOTICE
|
|
- tags: [host, container, users, mitre_privilege_escalation, T1548.001]
|
|
+#- rule: Non sudo setuid
|
|
+# desc: >
|
|
+# an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody"
|
|
+# suing to itself are also excluded, as setuid calls typically involve dropping privileges.
|
|
+# condition: >
|
|
+# evt.type=setuid and evt.dir=>
|
|
+# and (known_user_in_container or not container)
|
|
+# and not (user.name=root or user.uid=0)
|
|
+# and not somebody_becoming_themselves
|
|
+# and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
|
|
+# nomachine_binaries)
|
|
+# and not proc.name startswith "runc:"
|
|
+# and not java_running_sdjagent
|
|
+# and not nrpe_becoming_nagios
|
|
+# and not user_known_non_sudo_setuid_conditions
|
|
+# output: >
|
|
+# Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname
|
|
+# command=%proc.cmdline pid=%proc.pid uid=%evt.arg.uid container_id=%container.id image=%container.image.repository)
|
|
+# priority: NOTICE
|
|
+# tags: [host, container, users, mitre_privilege_escalation, T1548.001]
|
|
|
|
- macro: user_known_user_management_activities
|
|
condition: (never_true)
|