github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-30 16:42:14 +00:00
Code Issues Projects Releases Wiki Activity

rule(macro chage_list): create new macro chage_list as execption in rule Usermgmt binaries

Browse Source 
Signed-off-by: kaizhe <derek0405@gmail.com>
This commit is contained in:
kaizhe 2020-11-05 16:23:11 -08:00 committed by poiana
parent cea9c6a377
commit 0852a88a16
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
rules/falco_rules.yaml
View File

@ -2319,6 +2319,9 @@
- macro: user_known_user_management_activities - macro: user_known_user_management_activities
condition: (never_true) condition: (never_true)
- macro: chage_list
condition: (proc.name=chage and (proc.cmdline contains "-l" or proc.cmdline contains "--list"))
- rule: User mgmt binaries - rule: User mgmt binaries
desc: > desc: >
activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded. activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded.
@ -2337,6 +2340,7 @@
not run_by_yum and not run_by_yum and
not run_by_ms_oms and not run_by_ms_oms and
not run_by_google_accounts_daemon and not run_by_google_accounts_daemon and
not chage_list and
not user_known_user_management_activities not user_known_user_management_activities
output: > output: >
User management binary command run outside of container User management binary command run outside of container