github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-03 18:06:44 +00:00
Code Issues Projects Releases Wiki Activity

rule(maco write_etc_common): Fix false-positive of sssd updating /etc/krb5.keytab

Browse Source 
Signed-off-by: Mac Chaffee <me@macchaffee.com>
This commit is contained in:
Mac Chaffee 2021-12-16 16:05:50 -05:00 committed by poiana
parent ff21544186
commit 8a3a4c4d57
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
rules/falco_rules.yaml
View File

@ -775,6 +775,9 @@
- macro: centrify_writing_krb - macro: centrify_writing_krb
condition: (proc.name in (adjoin,addns) and fd.name startswith /etc/krb5) condition: (proc.name in (adjoin,addns) and fd.name startswith /etc/krb5)
- macro: sssd_writing_krb
condition: (proc.name=adcli and proc.aname[2]=sssd and fd.name startswith /etc/krb5)
- macro: cockpit_writing_conf - macro: cockpit_writing_conf
condition: > condition: >
((proc.pname=cockpit-kube-la or proc.aname[2]=cockpit-kube-la) ((proc.pname=cockpit-kube-la or proc.aname[2]=cockpit-kube-la)
@ -1218,6 +1221,7 @@
and not nginx_writing_certs and not nginx_writing_certs
and not chef_client_writing_conf and not chef_client_writing_conf
and not centrify_writing_krb and not centrify_writing_krb
and not sssd_writing_krb
and not cockpit_writing_conf and not cockpit_writing_conf
and not ipsec_writing_conf and not ipsec_writing_conf
and not httpd_writing_ssl_conf and not httpd_writing_ssl_conf
@ -3123,4 +3127,3 @@
# Application rules have moved to application_rules.yaml. Please look # Application rules have moved to application_rules.yaml. Please look
# there if you want to enable them by adding to # there if you want to enable them by adding to
# falco_rules.local.yaml. # falco_rules.local.yaml.