From 7305886c195d2dad1654bbd86f68994a54fba894 Mon Sep 17 00:00:00 2001 From: Melissa Kilby Date: Mon, 22 Aug 2022 00:09:49 -0700 Subject: [PATCH] cleanup(rules): cleanup redundant use of always_true macros Signed-off-by: Melissa Kilby --- rules/falco_rules.yaml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 68d9536079f..28163c92f71 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -2648,9 +2648,6 @@ WARNING tags: [process, mitre_defense_evasion] -- macro: consider_all_chmods - condition: (always_true) - - list: user_known_chmod_applications items: [hyperkube, kubelet, k3s-agent] @@ -2666,7 +2663,7 @@ this means that the application will run with the privileges of the owning user or group respectively. Detect setuid or setgid bits set via chmod condition: > - consider_all_chmods and chmod and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID") + chmod and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID") and not proc.name in (user_known_chmod_applications) and not exe_running_docker_save and not user_known_set_setuid_or_setgid_bit_conditions @@ -2999,7 +2996,6 @@ desc: New executable created in a container due to chmod condition: > chmod and - consider_all_chmods and container and not runc_writing_exec_fifo and not runc_writing_var_lib_docker and @@ -3100,16 +3096,12 @@ priority: WARNING tags: [container, cis, mitre_lateral_movement] -- macro: consider_userfaultfd_activities - condition: (always_true) - - list: user_known_userfaultfd_processes items: [] - rule: Unprivileged Delegation of Page Faults Handling to a Userspace Process desc: Detect a successful unprivileged userfaultfd syscall which might act as an attack primitive to exploit other bugs condition: > - consider_userfaultfd_activities and evt.type = userfaultfd and user.uid != 0 and (evt.rawres >= 0 or evt.res != -1) and
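Review bot: Removing the `consider_all_chmods` definition in this hunk breaks a documented opt-out: operators who disabled the chmod rules by overriding this macro in a local rules file (`- macro: consider_all_chmods` / `condition: (never_true)`) will have the two chmod rules in the later hunks silently re-enabled, because the override now defines a macro nothing references and, as far as I know, Falco treats an unused macro as at most a warning rather than an error (worth confirming against the loader). Since this is a behaviour change for existing deployments rather than a pure cleanup, the commit should either keep the macro for one release with a deprecation comment, e.g. `# DEPRECATED: no longer referenced, overriding this has no effect; tune via user_known_chmod_applications / user_known_set_setuid_or_setgid_bit_conditions`, or state the removal and the replacement tuning knobs in the changelog or release notes. The rules affected start and end outside this hunk.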
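Review bot: The same opt-out regression applies to `consider_userfaultfd_activities` in the last hunk: a local override of that macro to `(never_true)` stops having any effect once the `Unprivileged Delegation of Page Faults Handling to a Userspace Process` rule no longer references it, and the only remaining tuning point visible here is the empty `user_known_userfaultfd_processes` list. A one-line note in the rule's `desc` or the changelog naming that list as the new exception mechanism would avoid surprising users who upgrade with an existing override; I would hedge the exact loader behaviour for unreferenced macros, since it is not visible in this patch. The rule's `condition` block continues past the end of the hunk.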