diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 3fba1462956..165bbf0365a 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -76,7 +76,7 @@ # dpkg -L login | grep bin | xargs ls -ld | grep -v '^d' | awk '{print $9}' | xargs -L 1 basename | tr "\\n" "," - list: login_binaries - items: [login, systemd, systemd-logind, su, nologin, faillog, lastlog, newgrp, sg] + items: [login, systemd, '"(systemd)"', systemd-logind, su, nologin, faillog, lastlog, newgrp, sg] # dpkg -L passwd | grep bin | xargs ls -ld | grep -v '^d' | awk '{print $9}' | xargs -L 1 basename | tr "\\n" "," - list: passwd_binaries @@ -256,7 +256,7 @@ package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries, ldconfig.real, ldconfig, confd, gpg, insserv, apparmor_parser, update-mime, tzdata.config, tzdata.postinst, - systemd-machine, debconf-show, rollerd, bind9.postinst) + systemd-machine, debconf-show, rollerd, bind9.postinst, sv) and not proc.pname in (sysdigcloud_binaries) and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java) and not ansible_running_python @@ -469,7 +469,7 @@ tags: [host, users] - list: allowed_dev_files - items: [/dev/null, /dev/stdin, /dev/stdout, /dev/stderr, /dev/tty, /dev/random, /dev/urandom, /dev/console] + items: [/dev/null, /dev/stdin, /dev/stdout, /dev/stderr, /dev/random, /dev/urandom, /dev/console] # (we may need to add additional checks against false positives, see: https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/86153) - rule: Create files below dev @@ -479,6 +479,7 @@ (evt.type = creat or (evt.type = open and evt.arg.flags contains O_CREAT)) and not proc.name in (dev_creation_binaries) and not fd.name in (allowed_dev_files) + and not fd.name startswith /dev/tty output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name)" priority: WARNING tags: [filesystem]