github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-13 14:34:33 +00:00
Code Issues Projects Releases Wiki Activity

Add shell management programs.

Browse Source 
add-shell and remove-shell are programs that remove shells from
/etc/shells. They are allowed to write to files below /etc.
This commit is contained in:
Mark Stemm 2017-07-05 14:08:05 -07:00
parent 7ac49a2f99
commit 68d29fc906
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
rules/falco_rules.yaml
View File

@ -74,6 +74,9 @@
- list: shell_binaries - list: shell_binaries
items: [bash, csh, ksh, sh, tcsh, zsh, dash] items: [bash, csh, ksh, sh, tcsh, zsh, dash]
- list: shell_mgmt_binaries
items: [add-shell, remove-shell]
- macro: shell_procs - macro: shell_procs
condition: proc.name in (shell_binaries) condition: proc.name in (shell_binaries)
@ -332,7 +335,7 @@
etc_dir and evt.dir = < and open_write etc_dir and evt.dir = < and open_write
and not proc.name in (passwd_binaries, shadowutils_binaries, sysdigcloud_binaries, and not proc.name in (passwd_binaries, shadowutils_binaries, sysdigcloud_binaries,
package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries, package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries,
dev_creation_binaries, dev_creation_binaries, shell_mgmt_binaries,
ldconfig.real, ldconfig, confd, gpg, insserv, ldconfig.real, ldconfig, confd, gpg, insserv,
apparmor_parser, update-mime, tzdata.config, tzdata.postinst, apparmor_parser, update-mime, tzdata.config, tzdata.postinst,
systemd-machine, debconf-show, rollerd, bind9.postinst, sv, systemd-machine, debconf-show, rollerd, bind9.postinst, sv,