From e3740d440d2693b8ce4d1c3fb5f7ccc31b9230dd Mon Sep 17 00:00:00 2001
From: Lorenzo Fontana
Date: Mon, 5 Aug 2019 16:53:12 +0000
Subject: [PATCH] fix: make sure that when deleting shell history the system call is taken into account
Signed-off-by: Lorenzo Fontana
---
 rules/falco_rules.yaml | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index c78e62f3d14..48f4dcc8814 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2381,13 +2381,29 @@ WARNING
 tags: [process, mitre_persistence]
-- rule: Delete Bash History
- desc: Detect bash history deletion
- condition: >
- ((spawned_process and proc.name in (shred, rm, mv) and proc.args contains "bash_history") or
- (open_write and fd.name contains "bash_history" and evt.arg.flags contains "O_TRUNC"))
+- rule: Delete or rename shell history
+ desc: Detect shell history deletion
+ condition: >
+ (modify and (
+ evt.arg.name contains "bash_history" or
+ evt.arg.name contains "zsh_history" or
+ evt.arg.name contains "fish_read_history" or
+ evt.arg.name endswith "fish_history" or
+ evt.arg.oldpath contains "bash_history" or
+ evt.arg.oldpath contains "zsh_history" or
+ evt.arg.oldpath contains "fish_read_history" or
+ evt.arg.oldpath endswith "fish_history" or
+ evt.arg.path contains "bash_history" or
+ evt.arg.path contains "zsh_history" or
+ evt.arg.path contains "fish_read_history" or
+ evt.arg.path endswith "fish_history")) or
+ (open_write and (
+ fd.name contains "bash_history" or
+ fd.name contains "zsh_history" or
+ fd.name contains "fish_read_history" or
+ fd.name endswith "fish_history") and evt.arg.flags contains "O_TRUNC")
 output: >
- Bash history has been deleted (user=%user.name command=%proc.cmdline file=%fd.name %container.info)
+ Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
 priority: WARNING
 tag: [process, mitre_defense_evation]
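Review bot: Dropping the old `spawned_process and proc.name in (shred, rm, mv)` clause opens a coverage gap for `shred` run without `-u`, which overwrites the history file in place and neither unlinks, renames, nor opens it with `O_TRUNC`, so neither the new `modify` branch nor the `open_write` branch will fire; keeping a process-based clause such as `(spawned_process and proc.name = shred and proc.args contains "history") or` next to the syscall-based ones would close it. The `modify` macro is not defined in this hunk and presumably resolves to a rename/unlink event macro elsewhere in the file; its coverage (for example whether `renameat2` is included) decides what this rule actually sees, so it is worth confirming and noting in the rule's `desc`. `desc` still reads "Detect shell history deletion" although the rule and output now also cover renames, so `desc: Detect shell history deletion or renaming` would match; the output wording `had been deleted` also reads better as `has been deleted`. The unchanged `tag:` key differs from the `tags:` key used by the preceding rule, and `mitre_defense_evation` looks like a typo for `mitre_defense_evasion`; if the loader keys on `tags`, this rule's tags are silently dropped.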