github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-01 14:47:00 +00:00
Code Issues Projects Releases Wiki Activity

Let curl write below the pki db

Browse Source 
Seems to do these writes on redhat?
This commit is contained in:
Mark Stemm
2017-11-09 14:11:36 -08:00
parent e3ef7a2ed4
commit 326fb2998a
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
rules/falco_rules.yaml
View File

@@ -629,6 +629,9 @@
condition: (proc.cmdline startswith "python /opt/datadog-agent" condition: (proc.cmdline startswith "python /opt/datadog-agent"
and fd.name startswith "/etc/dd-agent") and fd.name startswith "/etc/dd-agent")
- macro: curl_writing_pki_db
condition: (proc.name=curl and fd.directory=/etc/pki/nssdb)
# Add conditions to this macro (probably in a separate file, # Add conditions to this macro (probably in a separate file,
# overwriting this macro) to allow for specific combinations of # overwriting this macro) to allow for specific combinations of
# programs writing below specific directories below # programs writing below specific directories below
@@ -683,6 +686,7 @@
and not dmeventd_writing_lvm_archive and not dmeventd_writing_lvm_archive
and not ovsdb_writing_openvswitch and not ovsdb_writing_openvswitch
and not datadog_writing_conf and not datadog_writing_conf
and not curl_writing_pki_db
- rule: Write below etc - rule: Write below etc
desc: an attempt to write to any file below /etc, not in a pipe installer session desc: an attempt to write to any file below /etc, not in a pipe installer session