github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-29 08:07:24 +00:00
Code Issues Projects Releases Wiki Activity

rule(macro user_known_write_below_binary_dir_activities): Create the macro

Browse Source 
This macro is useful to allow binaries to be installed under certain
circumstances. For example, it may be fine to install a binary during a
build in a ci/cd pipeline.

Signed-off-by: Nicolas Marier <nmarier@coveo.com>
This commit is contained in:
Nicolas Marier 2020-06-11 15:08:28 -04:00 committed by poiana
parent d2f0ad7c07
commit b69bde6bd4
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
rules/falco_rules.yaml
View File

@ -942,6 +942,12 @@
NOTICE NOTICE
tags: [filesystem, mitre_persistence] tags: [filesystem, mitre_persistence]
# Users should overwrite this macro to specify conditions under which a
# write under the binary dir is ignored. For example, it may be okay to
# install a binary in the context of a ci/cd build.
- macro: user_known_write_below_binary_dir_activities
condition: (never_true)
- rule: Write below binary dir - rule: Write below binary dir
desc: an attempt to write to any file below a set of binary directories desc: an attempt to write to any file below a set of binary directories
condition: > condition: >
@ -950,6 +956,7 @@
and not exe_running_docker_save and not exe_running_docker_save
and not python_running_get_pip and not python_running_get_pip
and not python_running_ms_oms and not python_running_ms_oms
and not user_known_write_below_binary_dir_activities
output: > output: >
File below a known binary directory opened for writing (user=%user.name File below a known binary directory opened for writing (user=%user.name
command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository) command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository)