github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-02 17:42:18 +00:00
Code Issues Projects Releases Wiki Activity

Adding DNF as non-alerting for RPM and package management

Browse Source 
falco-CLA-1.0-signed-off-by: Daniel Cross <daniel.cross@rea-group.com>
This commit is contained in:
Daniel Cross 2016-12-02 11:52:08 +11:00
parent b3c691e920
commit a8662c60da
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
rules/falco_rules.yaml
View File

@ -116,7 +116,7 @@
# The truncated dpkg-preconfigu is intentional, process names are # The truncated dpkg-preconfigu is intentional, process names are
# truncated at the sysdig level. # truncated at the sysdig level.
- list: package_mgmt_binaries - list: package_mgmt_binaries
items: [dpkg, dpkg-preconfigu, rpm, rpmkey, yum, frontend] items: [dpkg, dpkg-preconfigu, dnf, rpm, rpmkey, yum, frontend]
- macro: package_mgmt_procs - macro: package_mgmt_procs
condition: proc.name in (package_mgmt_binaries) condition: proc.name in (package_mgmt_binaries)
@ -236,7 +236,7 @@
# Only let rpm-related programs write to the rpm database # Only let rpm-related programs write to the rpm database
- rule: Write below rpm database - rule: Write below rpm database
desc: an attempt to write to the rpm database by any non-rpm related program desc: an attempt to write to the rpm database by any non-rpm related program
condition: fd.name startswith /var/lib/rpm and open_write and not proc.name in (rpm,rpmkey,yum) condition: fd.name startswith /var/lib/rpm and open_write and not proc.name in (dnf,rpm,rpmkey,yum)
output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name)" output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name)"
priority: WARNING priority: WARNING