github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-01-25 14:54:04 +00:00
Code Issues Projects Releases Wiki Activity

Added new macro user_known_remote_file_copy_activities

Browse Source 
Signed-off-by: Marc-Olivier Bouchard <mobouchard@coveo.com>
This commit is contained in:
Marc-Olivier Bouchard
2020-10-07 08:05:52 -04:00
committed by poiana
parent 3418ed64aa
commit 39e6d21449
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
rules/falco_rules.yaml
View File

@@ -2731,7 +2731,7 @@
# Users should overwrite this macro to specify conditions under which a
# Custom condition for use of remote file copy tool in container
- macro: user_known_remote_file_copy_tools_in_container_conditions
- macro: user_known_remote_file_copy_activities
condition: (never_true)
- rule: Launch Remote File Copy Tools in Container
@@ -2740,7 +2740,7 @@
spawned_process
and container
and remote_file_copy_procs
and not user_known_remote_file_copy_tools_in_container_conditions
and not user_known_remote_file_copy_activities
output: >
Remote file copy tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname
container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)