github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-01 17:12:21 +00:00
Code Issues Projects Releases Wiki Activity

Move user_known_ingress_remote_file_copy_activities to outside condition

Browse Source 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
This commit is contained in:
Erick Cheng 2021-11-19 09:55:48 +01:00 committed by poiana
parent 66df790b9d
commit b0565794f5
1 changed files with 2 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
rules/falco_rules.yaml
View File

@ -3109,9 +3109,8 @@
condition: >
spawned_process and
container and
((ingress_remote_file_copy_procs and
not user_known_ingress_remote_file_copy_activities) or
(curl_download))
(ingress_remote_file_copy_procs or curl_download) and
not user_known_ingress_remote_file_copy_activities
output: >
Ingress remote file copy tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname
container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)