github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-28 07:37:32 +00:00
Code Issues Projects Releases Wiki Activity

add rule Read environment variable from /proc files

Browse Source 
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
This commit is contained in:
Hi120ki 2022-09-06 17:58:35 +09:00 committed by poiana
parent 2d5fc0b647
commit 16dca8f905
1 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
rules/falco_rules.yaml
View File

@ -3218,3 +3218,21 @@
# Application rules have moved to application_rules.yaml. Please look
# there if you want to enable them by adding to
# falco_rules.local.yaml.
- list: proc_environ_file_names
items: [/proc/self/environ, /proc/1/environ]
- macro: proc_environ_files
condition: >
fd.name in (proc_environ_file_names)
- rule: Read environment variable from /proc files
desc: An attempt to read process environment variables from /proc files
condition: >
container and open_read and proc_environ_files
enabled: true
output: >
Environment variables were retrieved from /proc files (user=%user.name user_loginuid=%user.loginuid program=%proc.name
command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)
priority: WARNING
tags: [filesystem, mitre_credential_access, mitre_discovery]