diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml
index a97dc6f9..cef71723 100644
--- a/rules/falco-incubating_rules.yaml
+++ b/rules/falco-incubating_rules.yaml
@@ -63,7 +63,7 @@
 # on the identity of the process performing an action such as opening
 # a file, etc., we require that the process name be known.
 - macro: proc_name_exists
-  condition: (proc.name!="")
+  condition: (not proc.name in ("","N/A"))
 
 - macro: rename
   condition: (evt.type in (rename, renameat, renameat2))
@@ -769,7 +769,7 @@
 # https://github.com/draios/sysdig/issues/954). So in that case, allow
 # a setuid.
 - macro: known_user_in_container
-  condition: (container and user.name != "N/A")
+  condition: (container and not user.name in ("","N/A"))
 
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
diff --git a/rules/falco-sandbox_rules.yaml b/rules/falco-sandbox_rules.yaml
index d5903087..dd0e44fb 100644
--- a/rules/falco-sandbox_rules.yaml
+++ b/rules/falco-sandbox_rules.yaml
@@ -68,7 +68,7 @@
 # on the identity of the process performing an action such as opening
 # a file, etc., we require that the process name be known.
 - macro: proc_name_exists
-  condition: (proc.name!="")
+  condition: (not proc.name in ("","N/A"))
 
 - macro: rename
   condition: (evt.type in (rename, renameat, renameat2))
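Review bot: The reason for keeping the "N/A" sentinel alongside "" is recorded only in falco_rules.yaml (the TODO in the last hunk), while the identical proc_name_exists macro here and in the falco-sandbox_rules.yaml hunk further down gets no such comment, so the three copies already diverge in their documentation. Carry the same TODO line above each copy so that a later cleanup of the sentinel reaches all three files. The change itself is sound from a detection standpoint: under the old `proc.name!=""` test a process whose name resolved to "N/A" still counted as identified, so rules that are gated on this macro because "we require that the process name be known" could match with no usable process identity.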
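Review bot: known_user_in_container now also classifies an empty user.name as unknown, which shifts the outcome of every rule that references this macro (loosening it where the macro is negated, tightening it where it is used directly), and nothing in the hunk records that shift; the comment above it explains only the "N/A" case via the sysdig issue. Add a line such as `# user.name is "" or "N/A" when the container's user cannot be resolved; both count as unknown` above the macro. If an empty user.name can also be a legitimate value in some captures, the new form is stricter than before for those events; that is worth confirming against the event sources this file targets.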
@@ -1247,18 +1247,18 @@
 # below /etc as well, but the globbing mechanism
 # doesn't allow exclusions of a full pattern, only single characters.
 - macro: sensitive_mount
-  condition: (container.mount.dest[/proc*] != "N/A" or
-              container.mount.dest[/var/run/docker.sock] != "N/A" or
-              container.mount.dest[/var/run/crio/crio.sock] != "N/A" or
-              container.mount.dest[/run/containerd/containerd.sock] != "N/A" or
-              container.mount.dest[/var/lib/kubelet] != "N/A" or
-              container.mount.dest[/var/lib/kubelet/pki] != "N/A" or
-              container.mount.dest[/] != "N/A" or
-              container.mount.dest[/home/admin] != "N/A" or
-              container.mount.dest[/etc] != "N/A" or
-              container.mount.dest[/etc/kubernetes] != "N/A" or
-              container.mount.dest[/etc/kubernetes/manifests] != "N/A" or
-              container.mount.dest[/root*] != "N/A")
+  condition: (not container.mount.dest[/proc*] in ("","N/A") or
+              not container.mount.dest[/var/run/docker.sock] in ("","N/A") or
+              not container.mount.dest[/var/run/crio/crio.sock] in ("","N/A") or
+              not container.mount.dest[/run/containerd/containerd.sock] in ("","N/A") or
+              not container.mount.dest[/var/lib/kubelet] in ("","N/A") or
+              not container.mount.dest[/var/lib/kubelet/pki] in ("","N/A") or
+              not container.mount.dest[/] in ("","N/A") or
+              not container.mount.dest[/home/admin] in ("","N/A") or
+              not container.mount.dest[/etc] in ("","N/A") or
+              not container.mount.dest[/etc/kubernetes] in ("","N/A") or
+              not container.mount.dest[/etc/kubernetes/manifests] in ("","N/A") or
+              not container.mount.dest[/root*] in ("","N/A"))
 
 - rule: Launch Sensitive Mount Container
   desc: >
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 723c6f7a..2211dda6 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
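Review bot: All twelve clauses of sensitive_mount now encode the same test, "this mount destination is set", but the macro still carries no comment saying what the two sentinel values mean; the comment above it only covers the globbing limitation. From this change it appears that `container.mount.dest[<pattern>]` yields "" or "N/A" when no mount matches the pattern, so a one-line note such as `# container.mount.dest[...] is "" or "N/A" when nothing is mounted at the pattern; any other value means the host path is mounted in the container` above the macro would make the negated membership test readable without prior knowledge of the field, provided that reading is confirmed against the field's documentation. The twelve-path list is the allowlist's complement for the Launch Sensitive Mount Container rule (whose body continues past the hunk), so documenting it in this one place is what keeps that rule auditable.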
@@ -74,8 +74,9 @@
 # the process name may be missing. For some rules that really depend
 # on the identity of the process performing an action such as opening
 # a file, etc., we require that the process name be known.
+# TODO: At the moment we keep the `N/A` variant for compatibility with old scap-files
 - macro: proc_name_exists
-  condition: (proc.name!="")
+  condition: (not proc.name in ("","N/A"))
 
 - macro: spawned_process
   condition: (evt.type in (execve, execveat) and evt.dir=<)
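Review bot: The added TODO records what is kept but not what should eventually be done or when, so a later maintainer cannot tell when dropping the "N/A" member becomes safe; if the intent is that older scap files report an unresolvable name as "N/A" rather than "", reword it to say so, e.g. `# TODO: old scap files report an unresolvable name as "N/A" rather than ""; drop the "N/A" member once they no longer need to be supported`. Placing the line inside the existing rationale block above the macro is right, since the block already explains why the name must be known; the same sentence belongs above the two other copies of this macro in falco-incubating_rules.yaml and falco-sandbox_rules.yaml, which this commit leaves uncommented.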