rule(Write below etc): whitelist automount writing under /etc

This commit allows automount to write under /etc/mtab without flagging
it as an error.

Signed-off-by: Nicolas Marier <nmarier@coveo.com>
Nicolas Marier 2019-12-05 09:47:23 -05:00 committed by Leo Di Donato
parent 559b7e1bb1
commit 13931ab5d7


@ -1153,6 +1153,9 @@
- macro: etcd_manager_updating_dns
condition: (container and proc.name=etcd-manager and fd.name=/etc/hosts)
- macro: automount_using_mtab
condition: (proc.pname = automount and fd.name startswith /etc/mtab)
# Add conditions to this macro (probably in a separate file,
# overwriting this macro) to allow for specific combinations of
# programs writing below specific directories below
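Review bot: the new macro keys on `proc.pname = automount`, i.e. the parent of the writing process, while the neighbouring `etcd_manager_updating_dns` macro keys on `proc.name`; as written it exempts any child process of automount that writes below /etc/mtab rather than automount itself, which is broader than the commit message ("allows automount to write under /etc/mtab") states. If the intent is to cover a helper spawned by automount, document that in a comment above the macro; otherwise use `proc.name = automount`. The same comment should also say why `fd.name startswith /etc/mtab` is used instead of `fd.name = /etc/mtab`: the prefix match covers every path beginning with /etc/mtab (such as /etc/mtab~ or /etc/mtab.tmp), which is fine if neighbouring temporary or lock files must be allowed, but should be narrowed if only /etc/mtab itself is meant.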
@ -1269,6 +1272,7 @@
and not jboss_in_container_writing_passwd
and not etcd_manager_updating_dns
and not user_known_write_below_etc_activities
and not automount_using_mtab
- rule: Write below etc
desc: an attempt to write to any file below /etc
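Review bot: the new `and not automount_using_mtab` line is appended after `user_known_write_below_etc_activities`, whereas the other built-in exceptions in this condition (`jboss_in_container_writing_passwd`, `etcd_manager_updating_dns`) come before it, leaving the user-overridable macro as the last entry. Move the new exception up, directly after `and not etcd_manager_updating_dns`, so that `user_known_write_below_etc_activities` stays last and the ordering matches the surrounding lines.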