github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-30 00:22:15 +00:00
Code Issues Projects Releases Wiki Activity

Allow systemd --version as a "user mgmt binary"

Browse Source 
systemd --version might be run in some unusual containerized
environments, so exclude it.
This commit is contained in:
Mark Stemm 2017-09-19 16:54:48 -07:00
parent 7c8a85158a
commit 00dd3c47c0
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
rules/falco_rules.yaml
View File

@ -824,7 +824,8 @@
not proc.name in (su, sudo, lastlog) and not container and not proc.name in (su, sudo, lastlog) and not container and
not proc.pname in (cron_binaries, systemd, run-parts) and not proc.pname in (cron_binaries, systemd, run-parts) and
not proc.cmdline startswith "passwd -S" and not proc.cmdline startswith "passwd -S" and
not proc.cmdline startswith "useradd -D" not proc.cmdline startswith "useradd -D" and
not proc.cmdline startswith "systemd --version"
output: > output: >
User management binary command run outside of container User management binary command run outside of container
(user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4]) (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])