Let avinetworks supervisor write some ssh cfg

Sample Falco alert: ``` File below /etc opened for writing (user=root command=se_supervisor.p /opt/avi/scripts/se_supervisor.py -d parent=systemd pcmdline=systemd file=/etc/ssh/ssh_monitor_config_10.24.249.200 program=se_supervisor.p gparent=docker-containe ggparent=docker-con... ``` Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2025-07-01 09:02:18 +00:00 · 2020-01-30 17:00:32 -08:00 · 2020-01-30 17:00:32 -08:00 · 0d74f3938d
commit 0d74f3938d
parent e5f06e399f
1 changed files with 8 additions and 0 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -1159,6 +1159,13 @@
 - macro: mcafee_writing_cma_d
  condition: (proc.name=macompatsvc and fd.directory=/etc/cma.d)

+- macro: avinetworks_supervisor_writing_ssh
+  condition: >
+    (proc.cmdline="se_supervisor.p /opt/avi/scripts/se_supervisor.py -d" and
+      (fd.name startswith /etc/ssh/known_host_ or
+       fd.name startswith /etc/ssh/ssh_monitor_config_ or
+       fd.name startswith /etc/ssh/ssh_config_))
+
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
 # programs writing below specific directories below
@ -1277,6 +1284,7 @@
    and not user_known_write_below_etc_activities
    and not automount_using_mtab
    and not mcafee_writing_cma_d
+    and not avinetworks_supervisor_writing_ssh

 - rule: Write below etc
  desc: an attempt to write to any file below /etc