From 00dd3c47c062839b983f65e6480fd8c47e4f5367 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Tue, 19 Sep 2017 16:54:48 -0700
Subject: [PATCH] Allow systemd --version as a "user mgmt binary"

systemd --version might be run in some unusual containerized environments, so exclude it.
---
 rules/falco_rules.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 8b9fb5b0..24c47d3f 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -824,7 +824,8 @@
 not proc.name in (su, sudo, lastlog) and not container and
 not proc.pname in (cron_binaries, systemd, run-parts) and
 not proc.cmdline startswith "passwd -S" and
-not proc.cmdline startswith "useradd -D"
+not proc.cmdline startswith "useradd -D" and
+not proc.cmdline startswith "systemd --version"
 output: >
 User management binary command run outside of container
 (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
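Review bot: The new exclusion `not proc.cmdline startswith "systemd --version"` is a prefix match, so it suppresses the alert for any command line that merely begins with those two tokens, not only the bare version query the commit describes; an exact comparison such as `not proc.cmdline = "systemd --version"` keeps the exception as narrow as its justification. The same looseness already applies to the neighbouring `passwd -S` and `useradd -D` exclusions, so if the looser form is intentional a one-line comment above the condition saying so would help the next maintainer. The commit message cites containerized environments, yet the condition visible in the hunk already carries `not container`, so the exception only takes effect for host processes; it would be worth stating in the description what those environments look like from the sensor's point of view. The enclosing rule's `condition:` key and rule header begin before this hunk.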