github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-30 03:33:09 +00:00
Code Issues Projects Releases Wiki Activity

rule(Create Hidden Files or Directories): Exclude exe_running_docker_save

Browse Source 
Signed-off-by: James Barlow <james.barlow@finbourne.com>
This commit is contained in:
James Barlow 2020-09-08 17:24:53 +01:00 committed by poiana
parent c2a05b3e64
commit 7f33b08634
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
rules/falco_rules.yaml
View File

@ -2730,6 +2730,7 @@
(open_write and evt.arg.flags contains "O_CREAT" and fd.name contains "/." and not fd.name pmatch (exclude_hidden_directories))) and (open_write and evt.arg.flags contains "O_CREAT" and fd.name contains "/." and not fd.name pmatch (exclude_hidden_directories))) and
consider_hidden_file_creation and consider_hidden_file_creation and
not user_known_create_hidden_file_activities not user_known_create_hidden_file_activities
and not exe_running_docker_save
output: > output: >
Hidden file or directory created (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline Hidden file or directory created (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)