github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-19 09:06:48 +00:00
Code Issues Projects Releases Wiki Activity

rule(Write below etc): add calco exceptions

Browse Source 
Add several calico images and command line programs that end up writing
below /etc/calico.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm 2020-08-27 17:33:05 -07:00 committed by poiana
parent 7ae0ce1936
commit 7effc02c60
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
rules/falco_rules.yaml
View File

@ -1183,7 +1183,10 @@
- macro: calico_writing_conf
condition: >
(proc.name = calico-node and fd.name startswith /etc/calico)
(((proc.name = calico-node) or
(container.image.repository=gcr.io/projectcalico-org/node and proc.name in (start_runit, cp)) or
(container.image.repository=gcr.io/projectcalico-org/cni and proc.name=sed))
and fd.name startswith /etc/calico)
- macro: prometheus_conf_writing_conf
condition: (proc.name=prometheus-conf and fd.name startswith /etc/prometheus/config_out)