Merge pull request #490 from kubescape/fix/ignore-comms-for-sensitive…

…-access Add ignored comms for /etc/shadow access
kubescape · Feb 23, 2025 · 257dc64 · 257dc64
2 parents 6d8e3ab + c92fdb0
commit 257dc64
Show file tree

Hide file tree

Showing 2 changed files with 63 additions and 1 deletion.
diff --git a/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go b/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go
@@ -48,6 +48,37 @@ func CreateRuleR0010UnexpectedSensitiveFileAccess() *R0010UnexpectedSensitiveFil
 	}
 }
 
+var legitimateProcessNames = []string{
+	"systemd",
+	"sudo",
+	"passwd",
+	"chpasswd",
+	"useradd",
+	"usermod",
+	"chage",
+	"sshd",
+	"login",
+	"su",
+	"groupadd",
+	"groupmod",
+	"dpkg",
+	"rpm",
+	"ansible",
+	"puppet-agent",
+	"chef-client",
+	"vipw",
+	"pwck",
+	"grpck",
+	"nscd",
+	"cron",
+	"crond",
+	"pam",
+	"snap",
+	"apk",
+	"yum",
+	"dnf",
+}
+
 func (rule *R0010UnexpectedSensitiveFileAccess) SetParameters(parameters map[string]interface{}) {
 	rule.BaseRule.SetParameters(parameters)
 
@@ -102,6 +133,13 @@ func (rule *R0010UnexpectedSensitiveFileAccess) ProcessEvent(eventType utils.Eve
 		if err != nil {
 			return nil
 		}
+	} else {
+		// Running without application profile, to avoid false positives check if the process name is legitimate
+		for _, processName := range legitimateProcessNames {
+			if processName == openEvent.Comm {
+				return nil
+			}
+		}
 	}
 
 	if !utils.IsSensitivePath(openEvent.FullPath, rule.additionalPaths) {

diff --git a/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go b/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go
@@ -49,7 +49,21 @@ func (rule *R1000ExecFromMaliciousSource) ID() string {
 	return R1000ID
 }
 
-func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, _ objectcache.ObjectCache) ruleengine.RuleFailure {
+var whitelistedProcessesForMaliciousSource = []string{
+	"systemd",
+	"docker",
+	"containerd",
+	"snap-confine",
+	"nginx",
+	"apache2",
+	"bash",
+	"dash",
+	"sh",
+	"perl",
+	"supervisord",
+}
+
+func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure {
 	if eventType != utils.ExecveEventType {
 		return nil
 	}
@@ -61,6 +75,16 @@ func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType utils.EventType
 
 	var maliciousExecPathPrefixes = []string{
 		"/dev/shm",
+		"/proc/self/fd",
+	}
+
+	if objCache == nil {
+		// Running without object cache, to avoid false positives check if the process name is legitimate
+		for _, processName := range whitelistedProcessesForMaliciousSource {
+			if processName == execEvent.Comm {
+				return nil
+			}
+		}
 	}
 
 	execPath := GetExecFullPathFromEvent(execEvent)