rule(Read sensitive file untrusted):google_oslogin

Related to https://github.com/GoogleCloudPlatform/guest-oslogin, full cmdline is google_oslogin_control. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2025-06-28 15:47:25 +00:00 · 2020-08-27 17:36:36 -07:00 · 2020-08-27 17:36:36 -07:00 · 9b3adc1373
commit 9b3adc1373
parent fb5e13c694
1 changed files with 3 additions and 1 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -1492,7 +1492,9 @@
    and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries,
     cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries,
     vpn_binaries, mail_config_binaries, nomachine_binaries, sshkit_script_binaries,
-     in.proftpd, mandb, salt-minion, postgres_mgmt_binaries)
+     in.proftpd, mandb, salt-minion, postgres_mgmt_binaries,
+     google_oslogin_
+     )
    and not cmp_cp_by_passwd
    and not ansible_running_python
    and not proc.cmdline contains /usr/bin/mandb