From 689c02666f9bca5975412e7104a32c49ded3fe59 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Tue, 22 Aug 2017 14:05:21 -0700
Subject: [PATCH] Allow innocuous user management commands
Allow innocuous user management command lines like "passwd -S" (show status for account).
---
 rules/falco_rules.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 10fff3f3..a44d7142 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -755,10 +755,12 @@
 activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded. Activity in containers is also excluded--some containers create custom users on top of a base linux distribution at startup.
+ Some innocuous commandlines that don't actually change anything are excluded.
 condition: >
 spawned_process and proc.name in (user_mgmt_binaries) and not proc.name in (su, sudo) and not container and
- not proc.pname in (cron_binaries, systemd, run-parts)
+ not proc.pname in (cron_binaries, systemd, run-parts) and
+ not proc.cmdline startswith "passwd -S"
 output: >
 User management binary command run outside of container (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2])
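Review bot: The new exclusion `not proc.cmdline startswith "passwd -S"` covers only the short option spelling, so the equivalent `passwd --status` still fires, which is inconsistent with the stated intent of excluding innocuous status queries; a second clause `not proc.cmdline startswith "passwd --status"` would close that gap, or the two prefixes could be collected in a list or macro the way the file already does with `user_mgmt_binaries` and `cron_binaries`, so later additions do not keep lengthening the condition. Because proc.cmdline is built from the spawned process's own argv, a prefix match is a noise-reduction choice rather than a guarantee that nothing was changed, and the desc would be clearer if it said so, e.g. `Exclusions are matched on the command-line prefix and are best-effort.` The `- rule:` and `desc:` keys that open this definition, and whatever follows `output`, lie outside the hunk.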