github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-27 18:40:22 +00:00
Code Issues Projects Releases Wiki Activity

Also allow sysdig agent to setuid.

Browse Source 
It was already allowed to change namespaces.
This commit is contained in:
Mark Stemm 2017-06-28 11:38:14 -07:00
parent e6006e3787
commit 7ac49a2f99
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
rules/falco_rules.yaml
View File

@ -636,6 +636,7 @@
not user.name=root and not somebody_becoming_themself not user.name=root and not somebody_becoming_themself
and not proc.name in (userexec_binaries, mail_binaries, docker_binaries, and not proc.name in (userexec_binaries, mail_binaries, docker_binaries,
sshd, dbus-daemon-lau, ping, ping6, critical-stack-) sshd, dbus-daemon-lau, ping, ping6, critical-stack-)
and not java_running_sdjagent
output: > output: >
Unexpected setuid call by non-sudo, non-root program (user=%user.name parent=%proc.pname Unexpected setuid call by non-sudo, non-root program (user=%user.name parent=%proc.pname
command=%proc.cmdline uid=%evt.arg.uid) command=%proc.cmdline uid=%evt.arg.uid)