Commit

Also check evt.abspath in "Modify binary dirs" rule
For unlinkat, evt.arg[1] is not the path of the file/dir removed.
mattpag committed Apr 12, 2018
1 parent 5c58da2 commit 83af068
Showing 1 changed file with 8 additions and 1 deletion.
9 changes: 8 additions & 1 deletion rules/falco_rules.yaml
@@ -39,6 +39,13 @@
- macro: bin_dir
condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)

- macro: bin_dir_resolved
condition: >
(evt.abspath startswith /bin/ or
evt.abspath startswith /sbin/ or
evt.abspath startswith /usr/bin/ or
evt.abspath startswith /usr/sbin/)
- macro: bin_dir_mkdir
condition: >
(evt.arg[1] startswith /bin/ or
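Review bot: the new `bin_dir_resolved` macro carries no comment explaining why it exists next to the `evt.arg[1]`-based macros such as `bin_dir_mkdir`; since the reason (per the commit message, `evt.arg[1]` is not the removed path for `unlinkat`, so the resolved `evt.abspath` is needed) is not obvious from the rule file alone, a one-line comment above the macro would spare the next maintainer a trip through the history. Also worth noting for the reviewer: `evt.abspath` is only populated for events that carry a dirfd-relative path, so for other event types the four `startswith` checks evaluate false and the macro contributes nothing to the `or` in the rule, which is the intended behaviour but is again undocumented.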
@@ -926,7 +933,7 @@

- rule: Modify binary dirs
desc: an attempt to modify any file below a set of binary directories.
condition: bin_dir_rename and modify and not package_mgmt_procs and not exe_running_docker_save
condition: (bin_dir_rename or bin_dir_resolved) and modify and not package_mgmt_procs and not exe_running_docker_save
output: >
File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline
operation=%evt.type file=%fd.name %evt.args)
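Review bot: the output line still reports `file=%fd.name`, but the `unlinkat` case this change is meant to catch has no file descriptor for the removed path, so that field will be empty in exactly the alerts the new `bin_dir_resolved` branch produces; consider adding `%evt.abspath` to the output (or rely on the `%evt.args` already present) so the responder sees which binary was touched. The `desc` also still says "modify any file below", which is fine, but the condition now matches on two different path sources and the description could say so.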

0 comments on commit 83af068