From e04ac08fac5adb72ee71bc63382a67f051990061 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Tue, 2 Aug 2016 14:26:42 -0700
Subject: [PATCH] More perf-related rule updates.

In modify_binary_dirs, move the bin_dir_rename check before modify, which is just a bunch of evt.type checks and is handled by evttype filters.

Change create_files_below_dev to put the directory check first.
---
 rules/falco_rules.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 272c1e21943..791e9b77fde 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -230,7 +230,7 @@
 - rule: modify_binary_dirs
   desc: an attempt to modify any file below a set of binary directories.
-  condition: modify and bin_dir_rename and not package_mgmt_procs
+  condition: bin_dir_rename and modify and not package_mgmt_procs
   output: "File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline operation=%evt.type file=%fd.name %evt.args)"
   priority: WARNING
@@ -317,7 +317,7 @@
 # (we may need to add additional checks against false positives, see: https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/86153)
 - rule: create_files_below_dev
   desc: creating any files below /dev other than known programs that manage devices. Some rootkits hide files in /dev.
-  condition: (evt.type = creat or (evt.type = open and evt.arg.flags contains O_CREAT)) and proc.name != blkid and fd.directory = /dev and not fd.name in (/dev/null,/dev/stdin,/dev/stdout,/dev/stderr,/dev/tty)
+  condition: fd.directory = /dev and (evt.type = creat or (evt.type = open and evt.arg.flags contains O_CREAT)) and proc.name != blkid and not fd.name in (/dev/null,/dev/stdin,/dev/stdout,/dev/stderr,/dev/tty)
   output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name)"
   priority: WARNING
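Review bot: The operand order in `condition: bin_dir_rename and modify and not package_mgmt_procs` is now load-bearing for performance, but nothing in the rule records that, so a later tidy-up can silently swap it back and lose the gain. I would add a comment above the rule: `# bin_dir_rename first: it is the selective test; modify is only evt.type checks the evttype filter already applies`. The swap is semantically safe only because both macros are side-effect-free filter predicates, which is worth stating since the macro bodies live outside this hunk and may change independently.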
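Review bot: `fd.directory = /dev` is an exact match, so the desc's "any files below /dev" overstates what the rule covers: a file created as /dev/shm/x has fd.directory /dev/shm and never matches. If subdirectories such as /dev/shm are meant to be excluded (they are noisy, but also a common drop location for attacker tooling), the desc should say "directly in /dev"; if they are meant to be covered, the first term should become `fd.name startswith /dev/` with the existing exclusions kept. Two caveats are worth a comment on the rule as well: `proc.name != blkid` trusts a process name the creating process controls, so a binary renamed to blkid bypasses the rule, and `evt.type = open` presumably does not match openat, so creation via openat(2) would go unseen — verify against the event types the evttype filter actually emits.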