rule(macro chage_list): create new macro chage_list as execption in rule Usermgmt binaries

Signed-off-by: kaizhe <derek0405@gmail.com>
2025-06-29 16:17:32 +00:00 · 2020-11-05 16:23:11 -08:00 · 2020-11-05 16:23:11 -08:00 · 0852a88a16
commit 0852a88a16
parent cea9c6a377
1 changed files with 4 additions and 0 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -2319,6 +2319,9 @@
 - macro: user_known_user_management_activities
  condition: (never_true)

+- macro: chage_list
+  condition: (proc.name=chage and (proc.cmdline contains "-l" or proc.cmdline contains "--list"))
+
 - rule: User mgmt binaries
  desc: >
    activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded.
@ -2337,6 +2340,7 @@
    not run_by_yum and
    not run_by_ms_oms and
    not run_by_google_accounts_daemon and
+    not chage_list and
    not user_known_user_management_activities
  output: >
    User management binary command run outside of container