Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rule(macro modify_shell_history, truncate_shell_history): avoid false positives from .zsh_history.new and .LOCK files #1832

Merged
merged 3 commits into from
Feb 11, 2022
Merged

rule(macro modify_shell_history, truncate_shell_history): avoid false positives from .zsh_history.new and .LOCK files #1832

merged 3 commits into from
Feb 11, 2022

Conversation

m4wh6k
Copy link
Contributor

@m4wh6k m4wh6k commented Jan 1, 2022
edited by leogr
Loading

Signed-off-by: m4wh6k m4wh6k@users.noreply.github.com

/kind bug
/kind rule-update
/area rules

What this PR does / why we need it:
The default macros modify_shell_history and truncate_shell_history match on .zsh_history.new and .zsh_history.LOCK files, which are temporary files created while using zsh. This causes rules using these macros to produce false positives. This PR changes the macros to use endswith rather than contains, which makes it work in the expected way.

Example false-positive:

"output":"15:06:46.088446909: Warning Shell history had been deleted or renamed (user=m4wh6k user_loginuid=1000 type=unlink command=zsh fd.name=<NA> name=<NA> path=/home/m4wh6k/.zsh_history.LOCK oldpath=<NA> host (id=host))","priority":"Warning","rule":"Delete or rename shell history","source":"syscall","tags":["mitre_defense_evasion","process"],"time":"2021-12-31T23:06:46.088446909Z", "output_fields": {"container.id":"host","container.name":"host","evt.arg.name":null,"evt.arg.oldpath":null,"evt.arg.path":"/home/m4wh6k/.zsh_history.LOCK","evt.time":1640992006088446909,"evt.type":"unlink","fd.name":null,"proc.cmdline":"zsh","user.loginuid":1000,"user.name":"m4wh6k"}}

Which issue(s) this PR fixes:
n/a

Does this PR introduce a user-facing change?:

rule(macro: modify_shell_history): avoid false-positive alerts triggered by modifications to .zsh_history.new and .zsh_history.LOCK files
rule(macro: truncate_shell_history): avoid false-positive alerts triggered by modifications to .zsh_history.new and .zsh_history.LOCK files

@m4wh6k
fix(macro modify_shell_history): avoid false positives from .zsh_hist…
c670cda 
…ory.new and .LOCK files

Signed-off-by: m4wh6k <m4wh6k@users.noreply.github.com>
@poiana poiana requested review from leodido and mfdii January 1, 2022 02:05
@poiana
Copy link
Contributor

poiana commented Jan 1, 2022

Welcome @m4wh6k! It looks like this is your first PR to falcosecurity/falco 🎉

@m4wh6k
fix(macro truncate_shell_history): avoid false positives from .zsh_hi…
e0af431 
…story.new and .LOCK files

Signed-off-by: m4wh6k m4wh6k@users.noreply.github.com
@m4wh6k
rule(macro modify_shell_history): Fix missing s on endswith
67b48ac 
Signed-off-by: m4wh6k m4wh6k@users.noreply.github.com
@m4wh6k m4wh6k changed the title fix(macro modify_shell_history, truncate_shell_history): avoid false positives from .zsh_history.new and .LOCK files rule(macro modify_shell_history, truncate_shell_history): avoid false positives from .zsh_history.new and .LOCK files Jan 1, 2022
@leogr leogr requested a review from Kaizhe January 10, 2022 09:59
@leogr
Copy link
Member

leogr commented Jan 28, 2022

/milestone 0.32.0

@poiana poiana added this to the 0.32.0 milestone Jan 28, 2022
@Kaizhe
Copy link
Contributor

Kaizhe commented Feb 11, 2022

@m4wh6k thanks for the contribution!

@Kaizhe
Copy link
Contributor

Kaizhe commented Feb 11, 2022

/lgtm

@poiana poiana added the lgtm label Feb 11, 2022
@poiana
Copy link
Contributor

poiana commented Feb 11, 2022

LGTM label has been added.

Git tree hash: 37b5756bb5703a5f11531a1851b1781c79db6293

leogr
leogr approved these changes Feb 11, 2022
View reviewed changes
Copy link
Member

@leogr leogr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@poiana
Copy link
Contributor

poiana commented Feb 11, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Kaizhe, leogr, m4wh6k

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana merged commit f49a95f into falcosecurity:master Feb 11, 2022
@jasondellaluce jasondellaluce modified the milestones: 0.32.0, 0.31.1 Mar 7, 2022
@m4wh6k m4wh6k deleted the patch-1 branch March 19, 2022 20:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leogr leogr leogr approved these changes

@Kaizhe Kaizhe Kaizhe approved these changes

@leodido leodido Awaiting requested review from leodido

@mfdii mfdii Awaiting requested review from mfdii

Assignees

@Kaizhe Kaizhe

@leogr leogr

Labels
approved area/rules dco-signoff: yes kind/bug kind/rule-update lgtm release-note size/XS
Projects
None yet
Milestone
0.31.1
Development

Successfully merging this pull request may close these issues.
5 participants
@m4wh6k @poiana @leogr @Kaizhe @jasondellaluce