github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-29 16:17:32 +00:00
Code Issues Projects Releases Wiki Activity

Let adclient write below etc.

Browse Source
This commit is contained in:
Mark Stemm 2017-09-25 08:45:16 -07:00
parent c3c171c7e5
commit 6540a856fa
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
rules/falco_rules.yaml
View File

@ -384,7 +384,7 @@
condition: (proc.aname[2]=chef_command_wr or proc.aname[3]=chef_command_wr)
- macro: run_by_adclient
condition: (proc.aname[2]=adclient or proc.aname[3]=adclient)
condition: (proc.aname[2]=adclient or proc.aname[3]=adclient or proc.aname[4]=adclient)
- macro: run_by_centrify
condition: (proc.aname[2]=centrify or proc.aname[3]=centrify or proc.aname[4]=centrify)
@ -445,6 +445,7 @@
package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries,
dev_creation_binaries, shell_mgmt_binaries,
sendmail_config_binaries,
sshkit_script_binaries,
ldconfig.real, ldconfig, confd, gpg, insserv,
apparmor_parser, update-mime, tzdata.config, tzdata.postinst,
systemd, systemd-machine, systemd-sysuser,
@ -460,6 +461,7 @@
and not fluentd_writing_conf_files
and not user_known_write_etc_conditions
and not run_by_centrify
and not run_by_adclient
- rule: Write below etc
desc: an attempt to write to any file below /etc, not in a pipe installer session