github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-26 14:52:20 +00:00
Code Issues Projects Releases Wiki Activity

rule update(Non sudo setuid): check user id as well in case user name info is not available

Browse Source 
Signed-off-by: Kaizhe Huang <khuang@aurora.tech>
This commit is contained in:
Kaizhe Huang 2021-06-03 22:18:38 -07:00 committed by poiana
parent 684a5d85ff
commit b268d4d6c3
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/falco_rules.yaml
View File

@ -2235,7 +2235,7 @@
condition: > condition: >
evt.type=setuid and evt.dir=> evt.type=setuid and evt.dir=>
and (known_user_in_container or not container) and (known_user_in_container or not container)
and not user.name=root and not (user.name=root or user.uid=0)
and not somebody_becoming_themself and not somebody_becoming_themself
and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries, and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
nomachine_binaries) nomachine_binaries)