From 0fcd01f98d42f1ef54fda7d40652b65e8041745c Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Mon, 9 Oct 2017 10:37:33 -0700
Subject: [PATCH] Let git modify nssdb
Let git-remote-http modify files below the nssdb.
---
 rules/falco_rules.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 6c7d8562..c9545125 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -444,7 +444,10 @@
 condition: (proc.name=start-fluentd and fd.name in (/etc/fluent/fluent.conf, /etc/td-agent/td-agent.conf))
 - macro: qualys_writing_conf_files
- condition: proc.name=qualys-cloud-ag and fd.name=/etc/qualys/cloud-agent/qagent-log.conf
+ condition: (proc.name=qualys-cloud-ag and fd.name=/etc/qualys/cloud-agent/qagent-log.conf)
+
+- macro: git_writing_nssdb
+ condition: (proc.cmdline="git-remote-http origin" and fd.directory=/etc/pki/nssdb)
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
@@ -484,6 +487,7 @@
 and not run_by_centrify
 and not run_by_adclient
 and not qualys_writing_conf_files
+ and not git_writing_nssdb
 - rule: Write below etc
 desc: an attempt to write to any file below /etc, not in a pipe installer session
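Review bot: The new `git_writing_nssdb` macro in the first hunk keys its exception on `proc.cmdline="git-remote-http origin"`, a value the writing process itself supplies, so the `Write below etc` rule goes silent for /etc/pki/nssdb on the strength of an unauthenticated string. That directory is the system NSS certificate database on Red Hat-style hosts, so a write there can change which certificates are trusted and is worth keeping as narrow an exception as possible. Consider requiring a second, independent attribute, for example the parent process (assuming git is always the parent in the case that motivated this change): `condition: (proc.name=git-remote-http and proc.pname=git and fd.directory=/etc/pki/nssdb)`. The exact-match on the command line also ties the exception to a remote named `origin`, so fetches from other remotes will presumably still alert. A short comment above the macro, such as `# git-remote-http opens the system NSS db during HTTPS fetches; scoped to that directory only`, would tell later rule reviewers why the exception exists.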