Add scripts possibly run by sshkit

Some general management scripts, possibly run by sshkit (need to check).
2025-08-22 08:06:10 +00:00 · 2017-09-25 07:44:15 -07:00 · 2017-09-25 07:44:15 -07:00 · 96992d7ac3
commit 96992d7ac3
parent a22099c8c3
1 changed files with 6 additions and 1 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -295,6 +295,10 @@
 - list: needrestart_binaries
  items: [needrestart, 10-dpkg, 20-rpm, 30-pacman]

+# Possible scripts run by sshkit
+- list: sshkit_script_binaries
+  items: [10_etc_sudoers., 10_passwd_group]
+
 # System users that should never log into a system. Consider adding your own
 # service users (e.g. 'apache' or 'mysqld') here.
 - macro: system_users
@ -438,6 +442,7 @@
                          package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries,
                          dev_creation_binaries, shell_mgmt_binaries,
                          sendmail_config_binaries,
+                          sshkit_script_binaries,
                          ldconfig.real, ldconfig, confd, gpg, insserv,
                          apparmor_parser, update-mime, tzdata.config, tzdata.postinst,
                          systemd, systemd-machine, systemd-sysuser,
@ -511,7 +516,7 @@
    sensitive_files and open_read
    and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries,
     cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries,
-     vpn_binaries, sendmail_config_binaries, nomachine_binaries)
+     vpn_binaries, sendmail_config_binaries, nomachine_binaries, sshkit_script_binaries)
    and not cmp_cp_by_passwd
    and not ansible_running_python
    and not proc.cmdline contains /usr/bin/mandb