Add more logging on process ancestors.

Try to identify the root process that may be spawning shells or reading
sensitive files.
This commit is contained in:
Mark Stemm
2017-08-22 14:07:54 -07:00
parent 689c02666f
commit 3202704950


@@ -451,7 +451,7 @@
and not proc.cmdline contains /usr/bin/mandb and not proc.cmdline contains /usr/bin/mandb
output: > output: >
Sensitive file opened for reading by non-trusted program (user=%user.name name=%proc.name Sensitive file opened for reading by non-trusted program (user=%user.name name=%proc.name
command=%proc.cmdline file=%fd.name) command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2])
priority: WARNING priority: WARNING
tags: [filesystem] tags: [filesystem]
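Review bot: The new output line for the sensitive-file rule stops at the grandparent (`gparent=%proc.aname[2]`) while the second hunk of this same commit extends the user-management rule to `ggparent=%proc.aname[3]`; since the stated goal is to reach the root process that spawns the reader, the two rules should log the same ancestry depth, i.e. `command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3])`. Note that `%proc.aname[N]` gives only the short process name of each ancestor; if the deployed version supports it, `%proc.pcmdline` would add the parent's full command line, which is more useful for triage than a bare name. The rule's condition block starts outside the hunk.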
@@ -763,7 +763,7 @@
not proc.cmdline startswith "passwd -S" not proc.cmdline startswith "passwd -S"
output: > output: >
User management binary command run outside of container User management binary command run outside of container
(user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2]) (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3])
priority: NOTICE priority: NOTICE
tags: [host, users] tags: [host, users]
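Review bot: For processes whose ancestry is shallower than three levels (for example a process started directly by init or by the container runtime), `%proc.aname[3]` has no value and, as far as I recall of Falco's output formatting, renders as a placeholder such as `<NA>` rather than being omitted; the alert still fires, but downstream parsers keyed on this field should expect that token. This applies equally to `gparent=%proc.aname[2]` in the first hunk. A brief comment above the rule, such as `# ancestor fields may render as <NA> when the process tree is shallow`, would save the next reader a surprise. The rule's condition block starts outside the hunk.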