github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-09 10:07:57 +00:00
Code Issues Projects Releases Wiki Activity

rules update:

Browse Source 
Add trusted_logging_images macro for rule Clear Log Hisotry as exception

Signed-off-by: kaizhe <derek0405@gmail.com>
This commit is contained in:
kaizhe 2019-07-22 16:19:18 -07:00 committed by Leo Di Donato
parent 4b2ea32eac
commit 9ab718c100
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
rules/falco_rules.yaml
View File

@ -2341,12 +2341,16 @@
- macro: allowed_clear_log_files - macro: allowed_clear_log_files
condition: (never_true) condition: (never_true)
- macro: trusted_logging_images
condition: (container.image.repository endswith "splunk/fluentd-hec")
- rule: Clear Log Activities - rule: Clear Log Activities
desc: Detect clearing of critical log files desc: Detect clearing of critical log files
condition: > condition: >
open_write and open_write and
access_log_files and access_log_files and
evt.arg.flags contains "O_TRUNC" and evt.arg.flags contains "O_TRUNC" and
not trusted_logging_images and
not allowed_clear_log_files not allowed_clear_log_files
output: > output: >
Log files were tampered (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository) Log files were tampered (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)