github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-10 10:32:23 +00:00
Code Issues Projects Releases Wiki Activity

Add additional details for some rules

Browse Source 
Helps diagnose FPs.
This commit is contained in:
Mark Stemm 2017-11-03 16:01:38 -07:00
parent 3edfc6ba8e
commit 0020b05624
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
rules/falco_rules.yaml
View File

@ -643,7 +643,7 @@
- rule: Write below etc - rule: Write below etc
desc: an attempt to write to any file below /etc, not in a pipe installer session desc: an attempt to write to any file below /etc, not in a pipe installer session
condition: write_etc_common and not proc.sname=fbash condition: write_etc_common and not proc.sname=fbash
output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name name=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])" output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name name=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])"
priority: ERROR priority: ERROR
tags: [filesystem] tags: [filesystem]
@ -1166,7 +1166,7 @@
nomachine_binaries) nomachine_binaries)
and not java_running_sdjagent and not java_running_sdjagent
output: > output: >
Unexpected setuid call by non-sudo, non-root program (user=%user.name parent=%proc.pname Unexpected setuid call by non-sudo, non-root program (user=%user.name cur_uid=%user.uid parent=%proc.pname
command=%proc.cmdline uid=%evt.arg.uid) command=%proc.cmdline uid=%evt.arg.uid)
priority: NOTICE priority: NOTICE
tags: [users] tags: [users]