github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-31 06:10:45 +00:00
Code Issues Projects Releases Wiki Activity

rules update(Change thread namespace and Set Setuid or Setgid bit): disable by default

Browse Source 
Signed-off-by: Kaizhe Huang <derek0405@gmail.com>
This commit is contained in:
Kaizhe Huang
2021-04-27 23:51:07 -07:00
committed by poiana
parent c60fac9e34
commit ad82f66be3
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
rules/falco_rules.yaml
View File

@@ -1565,6 +1565,7 @@
and not calico_node and not calico_node
and not weaveworks_scope and not weaveworks_scope
and not user_known_change_thread_namespace_activities and not user_known_change_thread_namespace_activities
enabled: false
output: > output: >
Namespace change (setns) by unexpected program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline Namespace change (setns) by unexpected program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository:%container.image.tag) parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository:%container.image.tag)
@@ -2641,6 +2642,7 @@
and not proc.name in (user_known_chmod_applications) and not proc.name in (user_known_chmod_applications)
and not exe_running_docker_save and not exe_running_docker_save
and not user_known_set_setuid_or_setgid_bit_conditions and not user_known_set_setuid_or_setgid_bit_conditions
enabled: false
output: > output: >
Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name user_loginuid=%user.loginuid process=%proc.name Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name user_loginuid=%user.loginuid process=%proc.name
command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)