Allow innocuous user management commands

Allow innocuous user management command lines like "passwd -S" (show
status for account).
Mark Stemm 2017-08-22 14:05:21 -07:00
parent 12de2e4119
commit 689c02666f


@ -755,10 +755,12 @@
activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded.
Activity in containers is also excluded--some containers create custom users on top
of a base linux distribution at startup.
Some innocuous commandlines that don't actually change anything are excluded.
condition: >
spawned_process and proc.name in (user_mgmt_binaries) and
not proc.name in (su, sudo) and not container and
not proc.pname in (cron_binaries, systemd, run-parts)
not proc.pname in (cron_binaries, systemd, run-parts) and
not proc.cmdline startswith "passwd -S"
output: >
User management binary command run outside of container
(user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2])
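Review bot: the new exclusion `not proc.cmdline startswith "passwd -S"` is a bare prefix match, so it also suppresses any command line that merely begins with that text (for example `-S` followed directly by further option letters, or additional arguments after `-S`), not only the plain status query the commit message names; if the intent is to exempt exactly `passwd -S`, anchor the comparison more tightly (an equality check, or an explicit list of the accepted forms) rather than a prefix. Since the description says "Some innocuous commandlines ... are excluded" in the plural but the condition carries only this one literal, consider moving the exempted command lines into a named list macro so later additions land in one place and the description can point at it; it would also help to spell out in the description which command lines are exempted, because a reader of the rule text alone cannot tell what "innocuous" covers.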