enhance: add Nix wrappers whitelist for auditd-sus-exec (#1205)

* enhance: add Nix wrappers whitelist for auditd-sus-exec * enhancement: run index workflow manually --------- Co-authored-by: Laurence <[email protected]>
crowdsecurity · Jan 2, 2025 · 5fdee84 · 5fdee84
1 parent 1640d0d
commit 5fdee84
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 0 deletions.
diff --git a/.index.json b/.index.json
@@ -10415,6 +10415,22 @@
   }
  },
  "postoverflows": {
+  "crowdsecurity/auditd-nix-wrappers-whitelist-process": {
+   "path": "postoverflows/s01-whitelist/crowdsecurity/auditd-nix-wrappers-whitelist-process.yaml",
+   "stage": "s01-whitelist",
+   "version": "0.1",
+   "versions": {
+    "0.1": {
+     "digest": "9d0f701440ee0660eef69638e9279dc0137c00a8afb152abaabcfe7e351ee4a5",
+     "deprecated": false
+    }
+   },
+   "long_description": "IyBOaXggd3JhcHBlcnMgd2hpdGVsaXN0IHByb2Nlc3MKCldpdGggdGhlIE5peCBwYWNrYWdlIG1hbmFnZXIsIGNlcnRhaW4gZXhlY3V0YWJsZXMgYXJlIHdyYXBwZWQsIG1lYW5pbmcgdGhlIGV4ZWN1dGFibGUgaW4gYFBBVEhgIGlzIGp1c3QgYSBzeW1saW5rIHRvIGFuIGV4ZWN1dGFibGUgbmFtZWQgaW4gdGhlIGZvbGxvd2luZyB3YXkgYC9uaXgvc3RvcmUvPGhhc2g+L2Jpbi8uPHByb2dyYW0+LXdyYXBwZWRgLiBUaGlzIHdpbGwgdHJpZ2dlciB0aGUgc3VzcGljaW91cyBwcm9jZXNzIGRldGVjdGlvbiBiZWNhdXNlIHRoZSBuYW1lIG9mIHRoZSBiaW5hcnkgc3RhcnRzIHdpdGggYSBgLmAgY2hhcmFjdGVyLgoKVGhpcyBwb3N0b3ZlcmZsb3cgd2lsbCB3aGl0ZWxpc3QgcHJvY2Vzc2VzIHRoYXQgZm9sbG93IHRoZSBgLjxwcm9ncmFtPi13cmFwcGVkYCBwYXR0ZXJuIGlmIHRoZXkgYXJlIGV4ZWN1dGVkIGZyb20gYC9uaXgvc3RvcmVgLgo=",
+   "content": "bmFtZTogY3Jvd2RzZWN1cml0eS9hdWRpdGQtbml4LXdyYXBwZXJzLXdoaXRlbGlzdC1wcm9jZXNzCmRlc2NyaXB0aW9uOiAiV2hpdGVsaXN0IHdyYXBwZWQgYmluYXJpZXMgaW4gdGhlIE5peCBzdG9yZSIKd2hpdGVsaXN0OgogIHJlYXNvbjogIk5peCB3cmFwcGVkIGJpbmFyaWVzIgogIGV4cHJlc3Npb246CiAgICAtIHwKICAgICAgZXZ0Lk92ZXJmbG93LkFsZXJ0LkdldFNjZW5hcmlvKCkgPT0gJ2Nyb3dkc2VjdXJpdHkvYXVkaXRkLXN1cy1leGVjJyAmJiBhbGwoZXZ0Lk92ZXJmbG93LkFsZXJ0LkV2ZW50cywgey5HZXRNZXRhKCdleGUnKSBtYXRjaGVzICdeXFwvbml4XFwvc3RvcmVcXC9bXlxcL10rXFwvYmluXFwvXFwuW15cXC9dKy13cmFwcGVkJCd9KQo=",
+   "description": "Whitelist wrapped binaries in the Nix store",
+   "author": "crowdsecurity",
+   "labels": null
+  },
   "crowdsecurity/auditd-nvm-whitelist-process": {
    "path": "postoverflows/s01-whitelist/crowdsecurity/auditd-nvm-whitelist-process.yaml",
    "stage": "s01-whitelist",

diff --git a/postoverflows/s01-whitelist/crowdsecurity/auditd-nix-wrappers-whitelist-process.md b/postoverflows/s01-whitelist/crowdsecurity/auditd-nix-wrappers-whitelist-process.md
@@ -0,0 +1,5 @@
+# Nix wrappers whitelist process
+
+With the Nix package manager, certain executables are wrapped, meaning the executable in `PATH` is just a symlink to an executable named in the following way `/nix/store/<hash>/bin/.<program>-wrapped`. This will trigger the suspicious process detection because the name of the binary starts with a `.` character.
+
+This postoverflow will whitelist processes that follow the `.<program>-wrapped` pattern if they are executed from `/nix/store`.
diff --git a/postoverflows/s01-whitelist/crowdsecurity/auditd-nix-wrappers-whitelist-process.yaml b/postoverflows/s01-whitelist/crowdsecurity/auditd-nix-wrappers-whitelist-process.yaml
@@ -0,0 +1,7 @@
+name: crowdsecurity/auditd-nix-wrappers-whitelist-process
+description: "Whitelist wrapped binaries in the Nix store"
+whitelist:
+  reason: "Nix wrapped binaries"
+  expression:
+    - |
+      evt.Overflow.Alert.GetScenario() == 'crowdsecurity/auditd-sus-exec' && all(evt.Overflow.Alert.Events, {.GetMeta('exe') matches '^\\/nix\\/store\\/[^\\/]+\\/bin\\/\\.[^\\/]+-wrapped$'})