Skip to content

Commit

Permalink
fix: add <NA> check
Browse files Browse the repository at this point in the history
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
  • Loading branch information
Andreagit97 authored and poiana committed Apr 30, 2024
1 parent e65f251 commit 5ad584f
Show file tree
Hide file tree
Showing 3 changed files with 17 additions and 16 deletions.
4 changes: 2 additions & 2 deletions rules/falco-incubating_rules.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@
# on the identity of the process performing an action such as opening
# a file, etc., we require that the process name be known.
- macro: proc_name_exists
condition: (proc.name!="<NA>")
condition: (not proc.name in ("<NA>","N/A"))

- macro: rename
condition: (evt.type in (rename, renameat, renameat2))
Expand Down Expand Up @@ -769,7 +769,7 @@
# https://github.com/draios/sysdig/issues/954). So in that case, allow
# a setuid.
- macro: known_user_in_container
condition: (container and user.name != "N/A")
condition: (container and not user.name in ("<NA>","N/A"))

# Add conditions to this macro (probably in a separate file,
# overwriting this macro) to allow for specific combinations of
Expand Down
26 changes: 13 additions & 13 deletions rules/falco-sandbox_rules.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@
# on the identity of the process performing an action such as opening
# a file, etc., we require that the process name be known.
- macro: proc_name_exists
condition: (proc.name!="<NA>")
condition: (not proc.name in ("<NA>","N/A"))

- macro: rename
condition: (evt.type in (rename, renameat, renameat2))
Expand Down Expand Up @@ -1247,18 +1247,18 @@
# below /etc as well, but the globbing mechanism
# doesn't allow exclusions of a full pattern, only single characters.
- macro: sensitive_mount
condition: (container.mount.dest[/proc*] != "N/A" or
container.mount.dest[/var/run/docker.sock] != "N/A" or
container.mount.dest[/var/run/crio/crio.sock] != "N/A" or
container.mount.dest[/run/containerd/containerd.sock] != "N/A" or
container.mount.dest[/var/lib/kubelet] != "N/A" or
container.mount.dest[/var/lib/kubelet/pki] != "N/A" or
container.mount.dest[/] != "N/A" or
container.mount.dest[/home/admin] != "N/A" or
container.mount.dest[/etc] != "N/A" or
container.mount.dest[/etc/kubernetes] != "N/A" or
container.mount.dest[/etc/kubernetes/manifests] != "N/A" or
container.mount.dest[/root*] != "N/A")
condition: (not container.mount.dest[/proc*] in ("<NA>","N/A") or
not container.mount.dest[/var/run/docker.sock] in ("<NA>","N/A") or
not container.mount.dest[/var/run/crio/crio.sock] in ("<NA>","N/A") or
not container.mount.dest[/run/containerd/containerd.sock] in ("<NA>","N/A") or
not container.mount.dest[/var/lib/kubelet] in ("<NA>","N/A") or
not container.mount.dest[/var/lib/kubelet/pki] in ("<NA>","N/A") or
not container.mount.dest[/] in ("<NA>","N/A") or
not container.mount.dest[/home/admin] in ("<NA>","N/A") or
not container.mount.dest[/etc] in ("<NA>","N/A") or
not container.mount.dest[/etc/kubernetes] in ("<NA>","N/A") or
not container.mount.dest[/etc/kubernetes/manifests] in ("<NA>","N/A") or
not container.mount.dest[/root*] in ("<NA>","N/A"))

- rule: Launch Sensitive Mount Container
desc: >
Expand Down
3 changes: 2 additions & 1 deletion rules/falco_rules.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -74,8 +74,9 @@
# the process name may be missing. For some rules that really depend
# on the identity of the process performing an action such as opening
# a file, etc., we require that the process name be known.
# TODO: At the moment we keep the `N/A` variant for compatibility with old scap-files
- macro: proc_name_exists
condition: (proc.name!="<NA>")
condition: (not proc.name in ("<NA>","N/A"))

- macro: spawned_process
condition: (evt.type in (execve, execveat) and evt.dir=<)
Expand Down

0 comments on commit 5ad584f

Please sign in to comment.