github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-07 19:59:25 +00:00
Code Issues Projects Releases Wiki Activity

rules update(Read sensitive file untrusted): add trusted images into whitelist

Browse Source 
Signed-off-by: kaizhe <derek0405@gmail.com>
This commit is contained in:
kaizhe 2020-07-23 13:57:55 -07:00 committed by poiana
parent f1a42cf259
commit 6bb0bba68a
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
rules/falco_rules.yaml
View File

@ -1482,6 +1482,7 @@
and not perl_running_centrifydc and not perl_running_centrifydc
and not runuser_reading_pam and not runuser_reading_pam
and not user_known_read_sensitive_files_activities and not user_known_read_sensitive_files_activities
and not (container and user_trusted_containers)
output: > output: >
Sensitive file opened for reading by non-trusted program (user=%user.name program=%proc.name Sensitive file opened for reading by non-trusted program (user=%user.name program=%proc.name
command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository) command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)