github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-01 17:12:21 +00:00
Code Issues Projects Releases Wiki Activity

rules update: add back rule Delete Bash History for backport compatibility

Browse Source 
Signed-off-by: kaizhe <derek0405@gmail.com>
This commit is contained in:
kaizhe 2019-09-26 17:36:05 -07:00 committed by Leo Di Donato
parent b2a57f376e
commit a43ae037a9
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
rules/falco_rules.yaml
View File

@ -2415,6 +2415,13 @@
WARNING
tag: [process, mitre_defense_evation]
# This rule is deprecated and will/should never be triggered. Keep it here for backport compatibility.
- rule: Delete Bash History
desc: Detect bash history deletion
condition: >
((spawned_process and proc.name in (shred, rm, mv) and proc.args contains "bash_history") or
(open_write and fd.name contains "bash_history" and evt.arg.flags contains "O_TRUNC"))
- macro: consider_all_chmods
condition: (always_true)