put open_read in the beginning of the rule

Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
Hi120ki 2022-09-15 09:56:20 +09:00 committed by poiana
parent 36a08aee13
commit af4524491d

@ -3225,7 +3225,7 @@
- rule: Read environment variable from /proc files - rule: Read environment variable from /proc files
desc: An attempt to read process environment variables from /proc files desc: An attempt to read process environment variables from /proc files
condition: > condition: >
container and open_read and (fd.name glob /proc/*/environ) open_read and container and (fd.name glob /proc/*/environ)
and not proc.name in (known_binaries_to_read_environment_variables_from_proc_files) and not proc.name in (known_binaries_to_read_environment_variables_from_proc_files)
output: > output: >
Environment variables were retrieved from /proc files (user=%user.name user_loginuid=%user.loginuid program=%proc.name Environment variables were retrieved from /proc files (user=%user.name user_loginuid=%user.loginuid program=%proc.name
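
Review bot: the reordered condition line (`open_read and container and (fd.name glob /proc/*/environ)`) has the same terms joined by `and` as the old one, so the set of matching events is unchanged, but neither the commit message nor the rule says why the order matters. Please add a sentence to the commit body (or a comment above `condition:`) giving the reason, which in Falco is normally that the macro carrying the event-type restriction should come first so the rule is evaluated only for the relevant syscalls. It is also worth checking whether other rules in this file still start with `container and open_read` and could be changed in the same commit for consistency.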