diff --git a/.index.json b/.index.json index cafd947502a..2411681a379 100644 --- a/.index.json +++ b/.index.json @@ -10415,6 +10415,22 @@ } }, "postoverflows": { + "crowdsecurity/auditd-nix-wrappers-whitelist-process": { + "path": "postoverflows/s01-whitelist/crowdsecurity/auditd-nix-wrappers-whitelist-process.yaml", + "stage": "s01-whitelist", + "version": "0.1", + "versions": { + "0.1": { + "digest": "9d0f701440ee0660eef69638e9279dc0137c00a8afb152abaabcfe7e351ee4a5", + "deprecated": false + } + }, + "long_description": "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", + "content": "bmFtZTogY3Jvd2RzZWN1cml0eS9hdWRpdGQtbml4LXdyYXBwZXJzLXdoaXRlbGlzdC1wcm9jZXNzCmRlc2NyaXB0aW9uOiAiV2hpdGVsaXN0IHdyYXBwZWQgYmluYXJpZXMgaW4gdGhlIE5peCBzdG9yZSIKd2hpdGVsaXN0OgogIHJlYXNvbjogIk5peCB3cmFwcGVkIGJpbmFyaWVzIgogIGV4cHJlc3Npb246CiAgICAtIHwKICAgICAgZXZ0Lk92ZXJmbG93LkFsZXJ0LkdldFNjZW5hcmlvKCkgPT0gJ2Nyb3dkc2VjdXJpdHkvYXVkaXRkLXN1cy1leGVjJyAmJiBhbGwoZXZ0Lk92ZXJmbG93LkFsZXJ0LkV2ZW50cywgey5HZXRNZXRhKCdleGUnKSBtYXRjaGVzICdeXFwvbml4XFwvc3RvcmVcXC9bXlxcL10rXFwvYmluXFwvXFwuW15cXC9dKy13cmFwcGVkJCd9KQo=", + "description": "Whitelist wrapped binaries in the Nix store", + "author": "crowdsecurity", + "labels": null + }, "crowdsecurity/auditd-nvm-whitelist-process": { "path": "postoverflows/s01-whitelist/crowdsecurity/auditd-nvm-whitelist-process.yaml", "stage": "s01-whitelist", diff --git a/postoverflows/s01-whitelist/crowdsecurity/auditd-nix-wrappers-whitelist-process.md b/postoverflows/s01-whitelist/crowdsecurity/auditd-nix-wrappers-whitelist-process.md new file mode 100644 index 00000000000..a327055f40e --- /dev/null +++ b/postoverflows/s01-whitelist/crowdsecurity/auditd-nix-wrappers-whitelist-process.md 
@@ -0,0 +1,5 @@
+# Nix wrappers whitelist process
+
+With the Nix package manager, certain executables are wrapped, meaning the executable in `PATH` is just a symlink to an executable named in the following way `/nix/store//bin/.-wrapped`. This will trigger the suspicious process detection because the name of the binary starts with a `.` character.
+
+This postoverflow will whitelist processes that follow the `.-wrapped` pattern if they are executed from `/nix/store`.
diff --git a/postoverflows/s01-whitelist/crowdsecurity/auditd-nix-wrappers-whitelist-process.yaml b/postoverflows/s01-whitelist/crowdsecurity/auditd-nix-wrappers-whitelist-process.yaml
new file mode 100644
index 00000000000..eaa88ed93db
--- /dev/null
+++ b/postoverflows/s01-whitelist/crowdsecurity/auditd-nix-wrappers-whitelist-process.yaml
@@ -0,0 +1,7 @@
+name: crowdsecurity/auditd-nix-wrappers-whitelist-process
+description: "Whitelist wrapped binaries in the Nix store"
+whitelist:
+ reason: "Nix wrapped binaries"
+ expression:
+ - |
+ evt.Overflow.Alert.GetScenario() == 'crowdsecurity/auditd-sus-exec' && all(evt.Overflow.Alert.Events, {.GetMeta('exe') matches '^\\/nix\\/store\\/[^\\/]+\\/bin\\/\\.[^\\/]+-wrapped$'})
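Review bot: The expression on the last line of the yaml hunk accepts any store directory name, because the `[^\\/]+` that follows `\\/nix\\/store\\/` matches arbitrary text rather than the `<32-char hash>-<name>` form every real store path has, so a path such as `/nix/store/x/bin/.a-wrapped` also clears the auditd-sus-exec alert. Tightening that component to the store-path shape is free precision: `evt.Overflow.Alert.GetScenario() == 'crowdsecurity/auditd-sus-exec' && all(evt.Overflow.Alert.Events, {.GetMeta('exe') matches '^\\/nix\\/store\\/[a-z0-9]{32}-[^\\/]+\\/bin\\/\\.[^\\/]+-wrapped$'})`. Even then the rule is a trust decision about /nix/store as a whole: on a multi-user host, anyone allowed to realise derivations through the nix daemon can presumably place a `.foo-wrapped` file under a fresh store path, so the `reason` or `description` should state that the whitelist assumes store contents are trusted, so operators on shared builders can decide whether to install it. Separately, `all()` over an empty `Events` list evaluates to true, so an alert that arrives without events would be whitelisted; prefixing `len(evt.Overflow.Alert.Events) > 0 &&` closes that cheaply.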