Make cron/chmod policies opt-in

They have enough legitimate uses that we shouldn't run by default.
falcosecurity · Apr 12, 2019 · 6dcbd4a · 6dcbd4a
1 parent aeb618c
commit 6dcbd4a
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -343,9 +343,13 @@
     WARNING
   tag: [file, mitre_persistence]
 
+- macro: consider_all_cron_jobs
+  condition: (never_true)
+
 - rule: Schedule Cron Jobs
   desc: Detect cron jobs scheduled
   condition: >
+    consider_all_cron_jobs and
     ((open_write and fd.name startswith /etc/cron) or
      (spawned_process and proc.name = "crontab"))
   output: >
@@ -2006,12 +2010,15 @@
     WARNING
   tag: [process, mitre_defense_evation]
 
+- macro: consider_all_chmods
+  condition: (never_true)
+
 - rule: Set Setuid or Setgid bit
   desc: >
     When the setuid or setgid bits are set for an application,
     this means that the application will run with the privileges of the owning user or group respectively.
     Detect setuid or setgid bits set via chmod
-  condition: spawned_process and proc.name = "chmod" and (proc.args contains "+s" or proc.args contains "4777")
+  condition: consider_all_chmods and spawned_process and proc.name = "chmod" and (proc.args contains "+s" or proc.args contains "4777")
   output: >
     Setuid or setgid bit is set via chmod (user=%user.name command=%proc.cmdline
     container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)