github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-15 07:22:05 +00:00
Code Issues Projects Releases Wiki Activity

! Exclude exe_running_docker_save in the "Set Setuid or Setgid bit" rule

Browse Source 
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
This commit is contained in:
Jean-Philippe Lachance 2019-12-02 16:53:17 -05:00 committed by Lorenzo Fontana
parent c736a843a0
commit 79cb75dcd1
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
rules/falco_rules.yaml
View File

@ -2443,7 +2443,10 @@
When the setuid or setgid bits are set for an application, When the setuid or setgid bits are set for an application,
this means that the application will run with the privileges of the owning user or group respectively. this means that the application will run with the privileges of the owning user or group respectively.
Detect setuid or setgid bits set via chmod Detect setuid or setgid bits set via chmod
condition: consider_all_chmods and chmod and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID") and not proc.name in (user_known_chmod_applications) condition: >
consider_all_chmods and chmod and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID")
and not proc.name in (user_known_chmod_applications)
and not exe_running_docker_save
output: > output: >
Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name process=%proc.name Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name process=%proc.name
command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)