Make safe etc directories a list.

This way it can be modified or extended more easily.
This commit is contained in:
Mark Stemm 2017-08-21 17:30:27 -07:00
parent cb7dab61e8
commit 12de2e4119


@ -377,6 +377,9 @@
priority: ERROR priority: ERROR
tags: [filesystem] tags: [filesystem]
- list: safe_etc_dirs
items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment]
- macro: write_etc_common - macro: write_etc_common
condition: > condition: >
etc_dir and evt.dir = < and open_write etc_dir and evt.dir = < and open_write
@ -391,8 +394,7 @@
gen_resolvconf., update-ca-certi, certbot, runsv, gen_resolvconf., update-ca-certi, certbot, runsv,
qualys-cloud-ag) qualys-cloud-ag)
and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries) and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries)
and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, and not fd.directory in (safe_etc_dirs)
/etc/nginx/conf.d, /etc/container_environment)
and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json) and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json)
and not ansible_running_python and not ansible_running_python
and not python_running_denyhosts and not python_running_denyhosts
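Review bot: The new `safe_etc_dirs` list in the first hunk has no comment explaining why each directory is exempt, which matters because every entry here is a write path under /etc that `write_etc_common` will no longer report. Since the stated purpose of the change is to make the list easy to extend, a short header comment above `- list: safe_etc_dirs` would help reviewers of later additions, e.g. `# Directories under /etc that are expected to be written at runtime. Each entry removes writes to that directory from write_etc_common, so additions widen what goes unreported.` The list is matched against `fd.directory` via `in`, so an entry presumably has to name the exact directory rather than a parent; that is worth confirming against Falco's operator semantics and stating in the same comment so that a future entry like a parent path is not assumed to cover its subdirectories.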