github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-20 09:27:47 +00:00
Code Issues Projects Releases Wiki Activity

chore(rules): imporve name of the list for userfaultfd exceptions

Browse Source 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
This commit is contained in:
Leonardo Di Donato
2021-06-17 13:24:52 +00:00
committed by poiana
parent 9ff8099501
commit 98ce88f7ef
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
rules/falco_rules.yaml
View File

@@ -3059,7 +3059,7 @@
- macro: consider_userfaultfd_activities - macro: consider_userfaultfd_activities
condition: (always_true) condition: (always_true)
- list: user_known_userfaultfd_activities - list: user_known_userfaultfd_processes
items: [] items: []
- rule: Unprivileged Delegation of Page Faults Handling to a Userspace Process - rule: Unprivileged Delegation of Page Faults Handling to a Userspace Process
@@ -3069,7 +3069,7 @@
evt.type = userfaultfd and evt.type = userfaultfd and
user.uid != 0 and user.uid != 0 and
(evt.rawres >= 0 or evt.res != -1) and (evt.rawres >= 0 or evt.res != -1) and
not proc.name in (user_known_userfaultfd_activities) not proc.name in (user_known_userfaultfd_processes)
output: An userfaultfd syscall was successfully executed by an unprivileged user (user=%user.name user_loginuid=%user.loginuid process=%proc.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag) output: An userfaultfd syscall was successfully executed by an unprivileged user (user=%user.name user_loginuid=%user.loginuid process=%proc.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
priority: CRITICAL priority: CRITICAL
tags: [syscall, mitre_defense_evasion] tags: [syscall, mitre_defense_evasion]