fix: make sure that when deleting shell history the system call is ta…

…ken into account Signed-off-by: Lorenzo Fontana <lo@linux.com>
falcosecurity · Aug 5, 2019 · 0a4e58d · 0a4e58d
1 parent 94d89ea
commit 0a4e58d
Showing 1 changed file with 7 additions and 5 deletions.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -2381,13 +2381,15 @@
     WARNING
   tags: [process, mitre_persistence]
 
-- rule: Delete Bash History
-  desc: Detect bash history deletion
+- rule: Delete or rename shell history
+  desc: Detect shell history deletion
   condition: >
-    ((spawned_process and proc.name in (shred, rm, mv) and proc.args contains "bash_history") or
-     (open_write and fd.name contains "bash_history" and evt.arg.flags contains "O_TRUNC"))
+    modify and evt.arg[1] contains "bash_history" or
+    modify and evt.arg[1] contains "zsh_history" or
+    modify and evt.arg[1] contains "fish_read_history" or
+    modify and evt.arg[1] contains "fish_history"
   output: >
-    Bash history has been deleted (user=%user.name command=%proc.cmdline file=%fd.name %container.info)
+    Shell history has been deleted or renamed (user=%user.name command=%proc.cmdline file=%evt.arg[1] %container.info)
   priority:
     WARNING
   tag: [process, mitre_defense_evation]