Allow innocuous user management commands

Allow innocuous user management command lines like "passwd -S" (show
status for account).
Mark Stemm 2017-08-22 14:05:21 -07:00
parent 12de2e4119
commit 689c02666f


@ -755,10 +755,12 @@
activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded. activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded.
Activity in containers is also excluded--some containers create custom users on top Activity in containers is also excluded--some containers create custom users on top
of a base linux distribution at startup. of a base linux distribution at startup.
Some innocuous commandlines that don't actually change anything are excluded.
condition: > condition: >
spawned_process and proc.name in (user_mgmt_binaries) and spawned_process and proc.name in (user_mgmt_binaries) and
not proc.name in (su, sudo) and not container and not proc.name in (su, sudo) and not container and
not proc.pname in (cron_binaries, systemd, run-parts) not proc.pname in (cron_binaries, systemd, run-parts) and
not proc.cmdline startswith "passwd -S"
output: > output: >
User management binary command run outside of container User management binary command run outside of container
(user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2]) (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2])
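Review bot: the new exclusion `not proc.cmdline startswith "passwd -S"` is a prefix match, so it silences the rule for every command line that merely begins with those characters, not only the bare status query; anything `passwd` accepts after `-S` (further options, a user name) is excluded as well, and an exact comparison such as `proc.cmdline = "passwd -S"` (or a match against the first argument) would keep the allow-list as narrow as the commit message describes. In the same spirit, the long form `passwd --status` is the same innocuous query but is not excluded, so the rule will still fire on it; if the intent is to cover the status command, both spellings belong in the exclusion. Finally, the added comment line "Some innocuous commandlines that don't actually change anything are excluded." is broader than the single pattern it introduces; naming `passwd -S` in the comment would make the rule self-documenting when more exclusions are added later.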