From 598cbbe5e7e5ca96ab894806eb4b1dec60f0abc3 Mon Sep 17 00:00:00 2001 From: Daniel Kerwin Date: Mon, 4 Sep 2017 22:02:30 +0200 Subject: [PATCH] Add keepalived to list oh shell spawning binaries. sysdig-CLA-1.0-signed-off-by: Daniel Kerwin --- rules/falco_rules.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 0ea85f1e..1cc7aad0 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -205,6 +205,9 @@ - list: make_binaries items: [make, gmake, cmake] +- list: keepalived_binaries + items: [keepalived] + - macro: sensitive_files condition: > fd.name startswith /etc and @@ -484,7 +487,7 @@ and proc.pname exists and not proc.pname in (cron_binaries, shell_binaries, make_binaries, known_shell_spawn_binaries, docker_binaries, k8s_binaries, package_mgmt_binaries, aide_wrapper_binaries, nids_binaries, - monitoring_binaries, gitlab_binaries, mesos_slave_binaries) + monitoring_binaries, gitlab_binaries, mesos_slave_binaries, keepalived_binaries) and not parent_ansible_running_python and not parent_bro_running_python and not parent_python_running_denyhosts
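Review bot: The new `keepalived_binaries` list in the first hunk has no comment saying why keepalived is expected to spawn shells, so a later maintainer cannot tell whether the exemption is still needed. Presumably this is for keepalived's notify and health-check scripts, which would be worth confirming and then recording above the list, for example `# keepalived runs its notify/check scripts through a shell`. A single-item list also adds one more name to the exclusion in the second hunk. If `known_shell_spawn_binaries` (defined outside this patch) is meant for this kind of parent, adding `keepalived` there would keep the condition shorter.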
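Review bot: In the second hunk, adding `keepalived_binaries` to the `not proc.pname in (...)` exclusion exempts a shell purely on the parent's process name, and a process name is not a trustworthy identity. Any parent that reports the name `keepalived` now suppresses this rule, on hosts that do not run keepalived as well as on those that do. The neighbouring `parent_ansible_running_python`-style exceptions visible in the same hunk appear to pair the parent with a further condition. A dedicated macro that also constrains the parent's command line (`proc.pcmdline`) or the spawned shell's command line would make the exemption narrower. Operators who do not run keepalived should be able to drop it from their local rules, which is easier if the exception is a separate macro. The rule's condition starts and ends outside this hunk, so the remaining exclusions could not be checked here.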