github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-30 08:32:12 +00:00
Code Issues Projects Releases Wiki Activity

rule(macro bin_dir_mkdir): correct condition to catch mkdirat case

Browse Source 
Since the dir's path is found:
-  in `evt.arg[1]` for `mkdir`
-  but in `evt.arg[2]` for `mkdirat`
switch to `evt.arg.path` to catch both.
That ensures `Mkdir binary dirs` works properly.

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
This commit is contained in:
Leonardo Grasso 2020-06-04 10:33:24 +02:00 committed by poiana
parent 3bfd94fefd
commit 74ca02d199
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
rules/falco_rules.yaml
View File

@ -80,10 +80,10 @@
- macro: bin_dir_mkdir
condition: >
(evt.arg[1] startswith /bin/ or
evt.arg[1] startswith /sbin/ or
evt.arg[1] startswith /usr/bin/ or
evt.arg[1] startswith /usr/sbin/)
(evt.arg.path startswith /bin/ or
evt.arg.path startswith /sbin/ or
evt.arg.path startswith /usr/bin/ or
evt.arg.path startswith /usr/sbin/)
- macro: bin_dir_rename
condition: >