From 9b3adc1373bdb7e960db7fd6496f07ae78f57d23 Mon Sep 17 00:00:00 2001
From: Mark Stemm <mark.stemm@gmail.com>
Date: Thu, 27 Aug 2020 17:36:36 -0700
Subject: [PATCH] rule(Read sensitive file untrusted):google_oslogin

Related to https://github.com/GoogleCloudPlatform/guest-oslogin, full
cmdline is google_oslogin_control.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
---
 rules/falco_rules.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index a9da9ea0..f23b0ff1 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1492,7 +1492,9 @@
     and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries,
      cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries,
      vpn_binaries, mail_config_binaries, nomachine_binaries, sshkit_script_binaries,
-     in.proftpd, mandb, salt-minion, postgres_mgmt_binaries)
+     in.proftpd, mandb, salt-minion, postgres_mgmt_binaries,
+     google_oslogin_
+     )
     and not cmp_cp_by_passwd
     and not ansible_running_python
     and not proc.cmdline contains /usr/bin/mandb