Add separate rule for mkstemp paths in /dev/shm (#302)

* Dynamically set dev_shm_hidden severity for byobu edge case Signed-off-by: egibs <[email protected]> * Address PR comments Signed-off-by: egibs <[email protected]> * Avoid only matching hidden paths Signed-off-by: egibs <[email protected]> --------- Signed-off-by: egibs <[email protected]>
chainguard-dev · Jul 1, 2024 · 00154bf · 00154bf
1 parent 9b43139
commit 00154bf
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 3 deletions.
diff --git a/bincapz.go b/bincapz.go
@@ -48,6 +48,7 @@ func parseRisk(s string) int {
 		"3":        3,
 		"high":     3,
 		"4":        4,
+		"crit":     4,
 		"critical": 4,
 	}
 	return levels[strings.ToLower(s)]

diff --git a/pkg/report/report.go b/pkg/report/report.go
@@ -182,6 +182,7 @@ func behaviorRisk(ns string, rule string, tags []string) int {
 	for _, tag := range tags {
 		if r, ok := levels[tag]; ok {
 			risk = r
+			break
 		}
 	}
 

diff --git a/rules/ref/path/dev-shm.yara b/rules/ref/path/dev-shm.yara
@@ -15,7 +15,7 @@ rule dev_shm_file : high {
     hash_2023_BPFDoor_8b9d = "8b9db0bc9152628bdacc32dab01590211bee9f27d58e0f66f6a1e26aea7552a6"
     hash_2023_OK_ad69 = "ad69e198905a8d4a4e5c31ca8a3298a0a5d761740a5392d2abb5d6d2e966822f"
   strings:
-    $ref = /\/dev\/shm\/[\%\w\.]{2,64}/
+    $ref = /\/dev\/shm\/[\%\w\.\-\/]{2,64}/
   condition:
     any of them
 }
@@ -27,7 +27,7 @@ rule dev_shm_sh : critical {
     hash_2023_Unix_Downloader_Rocke_2f64 = "2f642efdf56b30c1909c44a65ec559e1643858aaea9d5f18926ee208ec6625ed"
     hash_2023_Unix_Downloader_Rocke_6107 = "61075056b46d001e2e08f7e5de3fb9bfa2aabf8fb948c41c62666fd4fab1040f"
   strings:
-    $ref = /\/dev\/shm\/[%\w\.\-\/]{0,64}\.sh/
+    $ref = /\/dev\/shm\/[\%\w\.\-\/]{0,64}\.sh/
   condition:
     any of them
 }
@@ -39,7 +39,17 @@ rule dev_shm_hidden : critical {
     hash_2023_OrBit_f161 = "f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8"
     hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97"
   strings:
-    $dev_shm = /\/dev\/shm\/\.[%\w\.\-\/]{0,64}/
+    $dev_shm = /\/dev\/shm\/\.[\%\w\.\-\/]{0,64}/
+    $ignore_mkstemp = /\/dev\/shm\/[%\w\.\-\/]{0,64}X{6}/
+  condition:
+    $dev_shm and not $ignore_mkstemp
+}
+
+rule dev_shm_mkstemp : medium {
+  meta:
+    description = "mkstemp path reference within /dev/shm (world writeable)"
+  strings:
+    $ignore_mkstemp = /\/dev\/shm\/[\%\w\.\-\/]{0,64}X{6}/
   condition:
     any of them
 }
-Original file line number
+Diff line change
@@ Expand Up @@
     	for _, tag := range tags {
     		if r, ok := levels[tag]; ok {
     			risk = r
+    			break
     		}
     	}
@@ Expand Down @@