Let yum indirectly run user mgmt binaries

They run shells that run the user binaries, at various levels in the process heirarchy.
2025-08-01 14:37:49 +00:00 · 2017-11-07 11:01:23 -08:00 · 2017-11-07 11:01:23 -08:00 · 0867245b73
commit 0867245b73
parent 82377348ce
1 changed files with 6 additions and 1 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -494,6 +494,10 @@
      proc.cmdline="groupadd sumologic_collector") and
     (proc.pname=secureFiles.sh and proc.aname[2]=java))

+- macro: run_by_yum
+  condition: ((proc.pname=sh and proc.aname[2]=yum) or
+              (proc.aname[2]=sh and proc.aname[3]=yum))
+
 # Chef is similar.
 - macro: run_by_chef
  condition: (proc.aname[2]=chef_command_wr or proc.aname[3]=chef_command_wr or
@ -1214,7 +1218,8 @@
    not proc.cmdline startswith "useradd -D" and
    not proc.cmdline startswith "systemd --version" and
    not run_by_qualys and
-    not run_by_sumologic_securefiles
+    not run_by_sumologic_securefiles and
+    not run_by_yum
  output: >
    User management binary command run outside of container
    (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])