github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-06 11:26:44 +00:00
Code Issues Projects Releases Wiki Activity

+ Add the user_known_change_thread_namespace_binaries list to simplify "Change thread namespace" rule tweaks (#324)

Browse Source 
sysdig-CLA-1.0-signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
This commit is contained in:
Jean-Philippe Lachance 2018-02-20 11:53:25 -05:00 committed by Mark Stemm
parent 414c9a0eed
commit 52e8c16903
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
rules/falco_rules.yaml
View File

@ -1020,6 +1020,12 @@
# syscall=%evt.type args=%evt.args) # syscall=%evt.type args=%evt.args)
# priority: INFO # priority: INFO
# This list allows for easy additions to the set of commands allowed
# to change thread namespace without having to copy and override the
# entire change thread namespace rule.
- list: user_known_change_thread_namespace_binaries
items: []
- rule: Change thread namespace - rule: Change thread namespace
desc: > desc: >
an attempt to change a program/thread\'s namespace (commonly done an attempt to change a program/thread\'s namespace (commonly done
@ -1027,6 +1033,7 @@
condition: > condition: >
evt.type = setns evt.type = setns
and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, sysdig, nsenter) and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, sysdig, nsenter)
and not proc.name in (user_known_change_thread_namespace_binaries)
and not proc.name startswith "runc:" and not proc.name startswith "runc:"
and not proc.pname in (sysdigcloud_binaries) and not proc.pname in (sysdigcloud_binaries)
and not java_running_sdjagent and not java_running_sdjagent