@marius-benthin

Summary of the Pull Request

Fixes false positives on official Docker images:

  • golang
  • postgres
  • python
  • redis
  • ruby

Changelog

fix: Cron Paths - filter legit cron filepaths

Example Log Event

/etc/cron.daily/apt
/etc/cron.daily/dpkg
/etc/cron.daily/passwd
/etc/crontabs/root
/etc/crontab

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added Rules Review Needed The PR requires review Linux Pull request add/update linux related rules labels Nov 28, 2025
@nasbench nasbench added this to the Sigma-January-Release milestone Nov 28, 2025
Member

@nasbench nasbench left a comment

@marius-benthin these are not comments targeted towards you, but rather towards me and other maintainers, for potential improvements. Ofc feel free to take them and improve if you have time.

@nasbench nasbench self-assigned this Nov 28, 2025
@phantinuss
Collaborator

phantinuss commented Nov 28, 2025

Do your things @nasbench. I'll give the rule a tweak afterwards to increase coverage (more include paths) but also add the default cron jobs as filters for the distributions that I have lying around.

Contributor

Copilot AI left a comment

Pull request overview

This PR fixes false positives in the Linux cron file detection rule by adding filters for legitimate cron file creation on official Docker images (golang, postgres, python, redis, ruby). The rule has been enhanced with comprehensive filtering logic and improved documentation.

Key changes:

  • Added extensive filters for package managers, containers, configuration management tools, and system services
  • Added specific filters for legitimate cron files commonly found in Docker images
  • Enhanced rule description with investigation guidance and false positive reduction recommendations

@phantinuss phantinuss self-requested a review December 8, 2025 09:32
Comment on lines +43 to +156
filter_optional_package_managers:
Image:
- '/bin/dpkg'
- '/usr/bin/dpkg'
- '/bin/microdnf'
- '/usr/bin/microdnf'
- '/bin/rpm'
- '/usr/bin/rpm'
- '/bin/yum'
- '/usr/bin/yum'
- '/bin/dnf'
- '/usr/bin/dnf'
- '/bin/dnf-automatic'
- '/usr/bin/dnf-automatic'
- '/bin/pacman'
- '/usr/bin/pacman'
- '/usr/bin/dpkg-divert'
- '/bin/dpkg-divert'
- '/sbin/apk'
- '/usr/sbin/apk'
- '/usr/local/sbin/apk'
- '/usr/bin/apt'
- '/usr/sbin/pacman'
- '/usr/bin/pamac-daemon'
- '/bin/pamac-daemon'
filter_optional_containers:
Image:
- '/bin/dockerd'
- '/usr/bin/dockerd'
- '/usr/sbin/dockerd'
- '/usr/local/bin/dockerd'
- '/bin/snapd'
- '/usr/bin/snapd'
- '/bin/podman'
- '/usr/bin/podman'
- '/kaniko/kaniko-executor'
filter_optional_config_management:
Image:
- '/usr/bin/puppet'
- '/bin/puppet'
- '/opt/puppetlabs/puppet/bin/puppet'
- '/opt/puppetlabs/puppet/bin/ruby'
- '/usr/bin/chef-client'
- '/bin/chef-client'
filter_optional_cloud_agents:
Image:
- '/opt/elasticbeanstalk/bin/platform-engine'
- '/usr/bin/pvedaemon'
filter_optional_system_services:
Image:
- '/usr/libexec/platform-python'
- '/usr/lib/systemd/systemd'
- '/usr/sbin/anacron'
filter_optional_security_tools:
Image:
- '/opt/imunify360/venv/bin/python3'
- '/opt/eset/efs/lib/utild'
filter_optional_cpanel:
Image:
- '/bin/autossl_check'
- '/usr/bin/autossl_check'
filter_optional_special_paths:
Image|startswith:
- '/nix/store/'
- '/var/lib/dpkg/'
- '/tmp/vmis.'
- '/snap/'
- '/dev/fd/'
- '/usr/libexec/platform-python'
- '/var/lib/waagent/Microsoft'
filter_optional_special_files:
TargetFilename|contains:
- '/var/spool/cron/crontabs/tmp.'
- '/etc/cron.d/jumpcloud-updater'
filter_optional_extensions:
TargetFilename|endswith:
- '.swp'
- '.swpx'
- '.swx'
- '.dpkg-remove'
- '.dpkg-new'
filter_optional_legit_cron:
# Note: FPs on docker images: golang, postgres, python, redis, ruby
TargetFilename:
- '/etc/cron.daily/apt'
- '/etc/cron.daily/dpkg'
- '/etc/cron.daily/passwd'
- '/etc/crontabs/root'
filter_optional_automation_tools:
Image|endswith:
- '/executor'
- '/cf-agent'
- '/schedd'
filter_optional_system_agents:
Image|endswith:
- '/droplet-agent.postinst'
- '/jumpcloud-agent'
- '/crio'
filter_optional_security_processes:
Image|endswith:
- '/imunify-notifier'
- '/utild'
filter_optional_package_operations:
Image|endswith: '/dnf_install'
filter_optional_editor_temp:
Image|endswith: '/sed'
TargetFilename|startswith: 'sed'
filter_optional_perl_temp:
Image|endswith: '/perl'
TargetFilename|startswith: 'e2scrub_all.tmp'
filter_optional_vi_backup:
Image|endswith:
- '/vi'
- '/vim'
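Review bot: `filter_optional_editor_temp` and `filter_optional_perl_temp` can never match as written: `TargetFilename` carries the full path, so `TargetFilename|startswith: 'sed'` and `TargetFilename|startswith: 'e2scrub_all.tmp'` would require the path itself to begin with those bare names; the temp-file pattern lives in the basename, so `TargetFilename|contains: '/sed'` and `'/e2scrub_all.tmp'` is the likely intent. `filter_optional_vi_backup` has no `TargetFilename` condition at all, so it suppresses every cron file written with vi or vim, which is exactly the interactive creation this rule exists to surface; `.swp`/`.swpx`/`.swx` are already covered by `filter_optional_extensions`, so either constrain it to backup files (`TargetFilename|endswith: '~'`) or drop it. The PR's example events include `/etc/crontab`, but `filter_optional_legit_cron` lists only the three `/etc/cron.daily/*` entries and `/etc/crontabs/root`, so that event would still fire. Minor: `/usr/libexec/platform-python` appears both as an exact `Image` under `filter_optional_system_services` and as an `Image|startswith` prefix under `filter_optional_special_paths`, and `/dev/fd/` as an `Image|startswith` prefix excludes any process whose image is resolved through a file descriptor, which is broad for an optional filter; given the maintainer comment that only system-level processes should be filtered, both can go.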
Member

This is all not needed. The purpose is to know when a cron file is created. Hence FP filters should be left to only system-level procs.

@@ -1,12 +1,21 @@
title: Persistence Via Cron Files
title: Creation of New Cron Files
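Review bot: "Creation of New Cron Files" says the same thing twice with "creation" and "new"; the suggestion below, "New Cron File Created", reads cleaner and matches the stated purpose of knowing when a cron file is created. The hunk header (`@@ -1,12 +1,21 @@`) shows nine more lines in the header block than the title change alone, so the `description` and `modified` fields in that block should be checked for consistency with the retitle, since dropping "Persistence" from the title changes what the rule claims to detect.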
Member

Suggested change
title: Creation of New Cron Files
title: New Cron File Created

@nasbench nasbench dismissed swachchhanda000’s stale review December 10, 2025 11:20

Changes were requested
