From 0852a88a1685a3214b0ef8a108897a2efc091e5f Mon Sep 17 00:00:00 2001
From: kaizhe
Date: Thu, 5 Nov 2020 16:23:11 -0800
Subject: [PATCH] rule(macro chage_list): create new macro chage_list as execption in rule Usermgmt binaries

Signed-off-by: kaizhe
---
 rules/falco_rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index e02059fb..da1c8b7e 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2319,6 +2319,9 @@
 - macro: user_known_user_management_activities
   condition: (never_true)
 
+- macro: chage_list
+  condition: (proc.name=chage and (proc.cmdline contains "-l" or proc.cmdline contains "--list"))
+
 - rule: User mgmt binaries
   desc: >
     activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded.
@@ -2337,6 +2340,7 @@
     not run_by_yum and
     not run_by_ms_oms and
     not run_by_google_accounts_daemon and
+    not chage_list and
     not user_known_user_management_activities
   output: >
     User management binary command run outside of container
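Review bot: The new `chage_list` macro in the first hunk tests `proc.cmdline contains "-l"`, which is a plain substring match and therefore also matches `--lastday` and any other argument or user name that happens to contain `-l`, so a modifying invocation such as `chage --lastday 0 <user>` (constructed example) would be exempted from the User mgmt binaries rule together with the read-only listing the macro appears intended to cover. Bounding the short flag with whitespace narrows the exception to the intended case, e.g. `condition: (proc.name=chage and (proc.cmdline contains " -l " or proc.cmdline endswith " -l" or proc.cmdline contains "--list"))`. A one-line comment above the macro stating that it exempts only read-only `chage` queries would help a future reviewer judge later additions to it. The rule's condition list starts and ends outside the second hunk.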