From 93b4fc267f03b32be9f1bd5094a675b8a7b6fc0c Mon Sep 17 00:00:00 2001
From: Ben
Date: Sun, 23 Feb 2025 21:02:25 +0200
Subject: [PATCH 1/3] Add ignored comms for /etc/shadow access
Signed-off-by: Ben
---
 .../r0010_unexpected_sensitive_file_access.go | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
diff --git a/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go b/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go
index 0f48a0f3..30854546 100644
--- a/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go
+++ b/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go
@@ -48,6 +48,37 @@ func CreateRuleR0010UnexpectedSensitiveFileAccess() *R0010UnexpectedSensitiveFil
 }
 }
+var legitimateProcessNames = []string{
+ "systemd",
+ "sudo",
+ "passwd",
+ "chpasswd",
+ "useradd",
+ "usermod",
+ "chage",
+ "sshd",
+ "login",
+ "su",
+ "groupadd",
+ "groupmod",
+ "dpkg",
+ "rpm",
+ "ansible",
+ "puppet-agent",
+ "chef-client",
+ "vipw",
+ "pwck",
+ "grpck",
+ "nscd",
+ "cron",
+ "crond",
+ "pam",
+ "snap",
+ "apk",
+ "yum",
+ "dnf",
+}
+
 func (rule *R0010UnexpectedSensitiveFileAccess) SetParameters(parameters map[string]interface{}) {
 rule.BaseRule.SetParameters(parameters)
@@ -108,6 +139,12 @@ func (rule *R0010UnexpectedSensitiveFileAccess) ProcessEvent(eventType utils.Eve
 return nil
 }
+ for _, processName := range legitimateProcessNames {
+ if processName == openEvent.Comm {
+ return nil
+ }
+ }
+
 if objCache != nil {
 for _, open := range appProfileOpenList.Opens {
 if dynamicpathdetector.CompareDynamic(open.Path, openEvent.FullPath) {
From 5c67c178d19960632ecedb82275ec03959c43357 Mon Sep 17 00:00:00 2001
From: Ben
Date: Sun, 23 Feb 2025 21:08:40 +0200
Subject: [PATCH 2/3] Checking it only if running without profile
Signed-off-by: Ben
---
 .../v1/r0010_unexpected_sensitive_file_access.go | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
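Review bot: `legitimateProcessNames` is introduced without a doc comment stating what its entries are compared against; the second hunk matches them by equality against `openEvent.Comm`, the kernel task name (at most 15 bytes), so a reader needs to know these are comm values, not executable paths or package names. I would put `// legitimateProcessNames lists process comm values (kernel task names, truncated to 15 bytes) whose access to sensitive files this rule does not report.` above the var. Two entries look questionable for that purpose and are worth checking against captured events: "pam" is a library rather than a process, and as far as I can tell the helper that reads /etc/shadow on PAM's behalf is `unix_chkpwd`. Since the list is never mutated, a `map[string]struct{}` would also turn the per-event linear scan into a single lookup and make the set semantics explicit.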
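Review bot: The new loop suppresses the finding on `openEvent.Comm` alone, and comm is not a trustworthy process identity: it is derived from the executable's name and can be set by the process itself, so any binary carrying one of these names is exempt from the rule with no other evidence required. The same weakness is carried into the `else` branch of the patch 2/3 hunk (@@ -133) and into the `objCache == nil` branch of patch 3/3 (@@ -61), so I am raising it once here. A safer exclusion keys on something the process cannot choose, such as the resolved executable path or the container image, with comm at most as a secondary condition; if the open event carries the executable path, match on that field, and either way log the suppression at debug level so tuned-out accesses remain visible to operators. ProcessEvent begins and ends outside this hunk.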
diff --git a/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go b/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go
index 30854546..94fe3acb 100644
--- a/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go
+++ b/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go
@@ -133,18 +133,19 @@ func (rule *R0010UnexpectedSensitiveFileAccess) ProcessEvent(eventType utils.Eve
 if err != nil {
 return nil
 }
+ } else {
+ // Running without application profile, to avoid false positives check if the process name is legitimate
+ for _, processName := range legitimateProcessNames {
+ if processName == openEvent.Comm {
+ return nil
+ }
+ }
 }
 if !utils.IsSensitivePath(openEvent.FullPath, rule.additionalPaths) {
 return nil
 }
- for _, processName := range legitimateProcessNames {
- if processName == openEvent.Comm {
- return nil
- }
- }
-
 if objCache != nil {
 for _, open := range appProfileOpenList.Opens {
 if dynamicpathdetector.CompareDynamic(open.Path, openEvent.FullPath) {
From c92fdb075b5aba4f7b375090e745c57fcc8d1caf Mon Sep 17 00:00:00 2001
From: Ben
Date: Sun, 23 Feb 2025 23:13:18 +0200
Subject: [PATCH 3/3] Fixing malicious source
Signed-off-by: Ben
---
 .../v1/r1000_exec_from_malicious_source.go | 26 ++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go b/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go
index e84f724d..d46aec84 100644
--- a/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go
+++ b/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go
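Review bot: The comment on the new `else` branch says the rule is "Running without application profile", but the `if` it belongs to opens outside the hunk and, judging by the later `if objCache != nil {` in the same hunk, the branch appears to be taken when there is no object cache at all; the case of a cache that has no profile for the workload returns nil on the `if err != nil` lines just above and never reaches the allowlist. I would make the comment say what the condition actually is: `// No object cache (and so no application profile) is available: fall back to the static comm allowlist to limit false positives.`. If the module's Go version is 1.21 or later, the five-line loop can also become `if slices.Contains(legitimateProcessNames, openEvent.Comm) { return nil }`. ProcessEvent begins and ends outside this hunk.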
@@ -49,7 +49,21 @@ func (rule *R1000ExecFromMaliciousSource) ID() string {
 return R1000ID
 }
-func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, _ objectcache.ObjectCache) ruleengine.RuleFailure {
+var whitelistedProcessesForMaliciousSource = []string{
+ "systemd",
+ "docker",
+ "containerd",
+ "snap-confine",
+ "nginx",
+ "apache2",
+ "bash",
+ "dash",
+ "sh",
+ "perl",
+ "supervisord",
+}
+
+func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure {
 if eventType != utils.ExecveEventType {
 return nil
 }
@@ -61,6 +75,16 @@ func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType utils.EventType
 var maliciousExecPathPrefixes = []string{
 "/dev/shm",
+ "/proc/self/fd",
+ }
+
+ if objCache == nil {
+ // Running without object cache, to avoid false positives check if the process name is legitimate
+ for _, processName := range whitelistedProcessesForMaliciousSource {
+ if processName == execEvent.Comm {
+ return nil
+ }
+ }
+ }
 }
 execPath := GetExecFullPathFromEvent(execEvent)
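Review bot: `whitelistedProcessesForMaliciousSource` has no doc comment, and several of its entries ("bash", "dash", "sh", "perl") are generic interpreters that undermine the rule rather than remove a false positive: the second hunk compares only `execEvent.Comm`, which for an execve event is normally the basename of the executed file, so an executable with one of those names under a memory-backed path is precisely what this rule exists to report and would now be ignored whenever no object cache is present. The runtime entries (docker, containerd, snap-confine) are more plausible, since some runtimes re-exec themselves through memory-backed files, but each entry should be tied to a known legitimate scenario and the ones that cannot be justified dropped. I would add `// whitelistedProcessesForMaliciousSource lists comm values not reported when no object cache is available; every entry must correspond to a known legitimate execution from a memory-backed path.` above the var, and a short per-entry reason where the scenario is not obvious.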
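Review bot: `maliciousExecPathPrefixes` is still declared with `var ... = []string{...}` inside ProcessEvent, so the slice is rebuilt on every exec event, and the new "/proc/self/fd" entry makes it a second piece of rule configuration living in a function body while the allowlist this commit adds sits at package level. I would hoist it next to `whitelistedProcessesForMaliciousSource` as `var maliciousExecPathPrefixes = []string{"/dev/shm", "/proc/self/fd"}` with a doc comment noting that these are prefix-matched against the resolved exec path and that "/proc/self/fd" covers execution of memory-backed file descriptors. The comparison itself is outside the hunk, so I cannot confirm from here whether the prefix match anchors on a path separator; if it does not, it is worth a look, since a bare prefix also matches any sibling path that merely starts with the same characters. ProcessEvent continues past the end of this hunk.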