From 5ad584f2001f306bc07b73b145f2634df1c30f3b Mon Sep 17 00:00:00 2001
From: Andrea Terzolo
Date: Fri, 26 Apr 2024 12:03:36 +0200
Subject: [PATCH] fix: add `` check

Signed-off-by: Andrea Terzolo
---
 rules/falco-incubating_rules.yaml | 4 ++--
 rules/falco-sandbox_rules.yaml | 26 +++++++++++++------------
 rules/falco_rules.yaml | 3 ++-
 3 files changed, 17 insertions(+), 16 deletions(-)

diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml
index a97dc6f9..cef71723 100644
--- a/rules/falco-incubating_rules.yaml
+++ b/rules/falco-incubating_rules.yaml
@@ -63,7 +63,7 @@
 # on the identity of the process performing an action such as opening
 # a file, etc., we require that the process name be known.
 - macro: proc_name_exists
-  condition: (proc.name!="")
+  condition: (not proc.name in ("","N/A"))
 
 - macro: rename
   condition: (evt.type in (rename, renameat, renameat2))
@@ -769,7 +769,7 @@
 # https://github.com/draios/sysdig/issues/954). So in that case, allow
 # a setuid.
 - macro: known_user_in_container
-  condition: (container and user.name != "N/A")
+  condition: (container and not user.name in ("","N/A"))
 
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
diff --git a/rules/falco-sandbox_rules.yaml b/rules/falco-sandbox_rules.yaml
index d5903087..dd0e44fb 100644
--- a/rules/falco-sandbox_rules.yaml
+++ b/rules/falco-sandbox_rules.yaml
@@ -68,7 +68,7 @@
 # on the identity of the process performing an action such as opening
 # a file, etc., we require that the process name be known.
 - macro: proc_name_exists
-  condition: (proc.name!="")
+  condition: (not proc.name in ("","N/A"))
 
 - macro: rename
   condition: (evt.type in (rename, renameat, renameat2))
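Review bot: The reason `N/A` is matched alongside the empty string in the rewritten `proc_name_exists` condition is not recorded in this file, while the same commit does record it in rules/falco_rules.yaml; the identical hunk in rules/falco-sandbox_rules.yaml (`@@ -68,7 +68,7 @@`) has the same gap. Without it a reader of either copy cannot tell which of the two values is the legacy one that can eventually be dropped, and the three copies of the macro will drift. Propose adding the same line above `- macro: proc_name_exists` in both files: `# TODO: At the moment we keep the `N/A` variant for compatibility with old scap-files`. The macro's leading comment starts outside the hunk.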
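Review bot: The rewritten `known_user_in_container` condition now treats an empty `user.name` as unknown in addition to `N/A`, but the comment above the macro, which starts outside the hunk, only explains the `N/A` case. If any rule relaxes its check when this macro is false, events whose user name is the empty string now take that relaxed path too, so it is worth confirming that an empty value only ever means "could not be resolved" and writing that down. Propose adding directly above `- macro: known_user_in_container`: `# Both "" and "N/A" mean the user name could not be resolved ("N/A" is kept for old scap-files).`, assuming that is indeed the source of the empty value.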
@@ -1247,18 +1247,18 @@
 # below /etc as well, but the globbing mechanism
 # doesn't allow exclusions of a full pattern, only single characters.
 - macro: sensitive_mount
-  condition: (container.mount.dest[/proc*] != "N/A" or
-              container.mount.dest[/var/run/docker.sock] != "N/A" or
-              container.mount.dest[/var/run/crio/crio.sock] != "N/A" or
-              container.mount.dest[/run/containerd/containerd.sock] != "N/A" or
-              container.mount.dest[/var/lib/kubelet] != "N/A" or
-              container.mount.dest[/var/lib/kubelet/pki] != "N/A" or
-              container.mount.dest[/] != "N/A" or
-              container.mount.dest[/home/admin] != "N/A" or
-              container.mount.dest[/etc] != "N/A" or
-              container.mount.dest[/etc/kubernetes] != "N/A" or
-              container.mount.dest[/etc/kubernetes/manifests] != "N/A" or
-              container.mount.dest[/root*] != "N/A")
+  condition: (not container.mount.dest[/proc*] in ("","N/A") or
+              not container.mount.dest[/var/run/docker.sock] in ("","N/A") or
+              not container.mount.dest[/var/run/crio/crio.sock] in ("","N/A") or
+              not container.mount.dest[/run/containerd/containerd.sock] in ("","N/A") or
+              not container.mount.dest[/var/lib/kubelet] in ("","N/A") or
+              not container.mount.dest[/var/lib/kubelet/pki] in ("","N/A") or
+              not container.mount.dest[/] in ("","N/A") or
+              not container.mount.dest[/home/admin] in ("","N/A") or
+              not container.mount.dest[/etc] in ("","N/A") or
+              not container.mount.dest[/etc/kubernetes] in ("","N/A") or
+              not container.mount.dest[/etc/kubernetes/manifests] in ("","N/A") or
+              not container.mount.dest[/root*] in ("","N/A"))
 
 - rule: Launch Sensitive Mount Container
   desc: >
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 723c6f7a..2211dda6 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
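Review bot: The twelve rewritten `sensitive_mount` alternatives all exclude both `""` and `"N/A"`, but nothing in rules/falco-sandbox_rules.yaml says why two "not mounted" values exist; the only explanation this commit gives is the TODO added to rules/falco_rules.yaml. Since this macro gates a detection rule, a maintainer who later "simplifies" the pair back to one value would silently lose alerts on one class of captures, so the rationale belongs next to the macro. Propose adding above `- macro: sensitive_mount`: `# container.mount.dest[...] is "" when the path is not mounted ("N/A" in old scap-files), so both values are excluded.`, if that is indeed the source of the empty value. The macro's leading comment starts outside the hunk.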
@@ -74,8 +74,9 @@
 # the process name may be missing. For some rules that really depend
 # on the identity of the process performing an action such as opening
 # a file, etc., we require that the process name be known.
+# TODO: At the moment we keep the `N/A` variant for compatibility with old scap-files
 - macro: proc_name_exists
-  condition: (proc.name!="")
+  condition: (not proc.name in ("","N/A"))
 
 - macro: spawned_process
   condition: (evt.type in (execve, execveat) and evt.dir=<)
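Review bot: The TODO added above `proc_name_exists` states no condition for removing the `N/A` variant and carries no tracking reference, so it is the kind of note that outlives the reason for it; it also does not say which of the two values is the legacy one, which a maintainer needs when deciding what is safe to drop. Propose `# TODO(<issue-ref>): drop the "N/A" variant once old scap-files, which report an unknown name as "N/A" rather than "", no longer need to be supported`, with the issue reference filled in. That old captures report `N/A` while newer ones report `""` is inferred from the diff and should be confirmed before it is written down.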