github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-11 02:52:54 +00:00
Code Issues Projects Releases Wiki Activity

fix(rules): correct root_dir macro to avoid unwanted matching

Browse Source 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
This commit is contained in:
Leonardo Grasso 2020-06-24 15:38:30 +02:00 committed by poiana
parent 298ba29c88
commit 1859552834
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/falco_rules.yaml
View File

@ -110,7 +110,7 @@
# This detects writes immediately below / or any write anywhere below /root # This detects writes immediately below / or any write anywhere below /root
- macro: root_dir - macro: root_dir
condition: ((fd.directory=/ or fd.name startswith /root) and fd.name contains "/") condition: ((fd.directory=/ or fd.name startswith /root/) and fd.name contains "/")
- list: shell_binaries - list: shell_binaries
items: [ash, bash, csh, ksh, sh, tcsh, zsh, dash] items: [ash, bash, csh, ksh, sh, tcsh, zsh, dash]