github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-17 13:47:14 +00:00
Code Issues Projects Releases Wiki Activity

add macro user_read_sensitive_file_containers

Browse Source 
Signed-off-by: kaizhe <derek0405@gmail.com>
This commit is contained in:
kaizhe 2020-07-23 16:22:48 -07:00 committed by poiana
parent 6bb0bba68a
commit 571f8a28e7
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
rules/falco_rules.yaml
View File

@ -1458,6 +1458,11 @@
- macro: user_read_sensitive_file_conditions - macro: user_read_sensitive_file_conditions
condition: cmp_cp_by_passwd condition: cmp_cp_by_passwd
- macro: user_read_sensitive_file_containers
condition: (container and
(container.image.repository endswith "sysdig/agent") or
(container.image.repository endswith "sysdig/agent-slim"))
- rule: Read sensitive file untrusted - rule: Read sensitive file untrusted
desc: > desc: >
an attempt to read any sensitive file (e.g. files containing user/password/authentication an attempt to read any sensitive file (e.g. files containing user/password/authentication
@ -1482,7 +1487,7 @@
and not perl_running_centrifydc and not perl_running_centrifydc
and not runuser_reading_pam and not runuser_reading_pam
and not user_known_read_sensitive_files_activities and not user_known_read_sensitive_files_activities
and not (container and user_trusted_containers) and not user_read_sensitive_file_containers
output: > output: >
Sensitive file opened for reading by non-trusted program (user=%user.name program=%proc.name Sensitive file opened for reading by non-trusted program (user=%user.name program=%proc.name
command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository) command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)