add allowlist

Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
2025-06-25 22:32:07 +00:00 · 2022-09-09 09:47:54 +09:00 · 2022-09-09 09:47:54 +09:00 · a83d38c6d7
commit a83d38c6d7
parent 86c3a9cd69
1 changed files with 4 additions and 0 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -3219,10 +3219,14 @@
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.

+- list: known_binaries_to_read_environment_variables_from_proc_files
+  items: [scsi_id]
+
 - rule: Read environment variable from /proc files
  desc: An attempt to read process environment variables from /proc files
  condition: >
    container and open_read and (fd.name glob /proc/*/environ)
+    and not proc.name in (known_binaries_to_read_environment_variables_from_proc_files)
  enabled: true
  output: >
    Environment variables were retrieved from /proc files (user=%user.name user_loginuid=%user.loginuid program=%proc.name