update(rules): disable drift detection rules by default

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
This commit is contained in:
Leonardo Grasso 2020-07-15 11:55:36 +02:00 committed by poiana
parent 32bae35de2
commit bca98e0419

@ -2915,9 +2915,10 @@
# Two things to pay attention to:
# 1) In most cases, 'docker cp' will not be identified, but the assumption is that if an attacker gained access to the container runtime daemon, they are already privileged
# 2) Drift rules will be noisy in environments in which containers are built (e.g. docker build)
# These two rules are not enabled by default. Use `never_true` in macro condition to enable them.
- macro: user_known_container_drift_activities
condition: (never_true)
condition: (always_true)
- rule: Container Drift Detected (chmod)
desc: New executable created in a container due to chmod
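Review bot: the comment at the top of the hunk says to "Use `never_true` in macro condition to enable them" without naming the macro, so a reader skimming the rules file may not connect it to the `user_known_container_drift_activities` macro defined two lines below, whose condition this hunk flips from `(never_true)` to `(always_true)`. Suggest making the comment self-contained, e.g. "These two rules are disabled by default. To enable them, override the `user_known_container_drift_activities` macro with `condition: (never_true)` in a local rules file." Pointing at an override rather than an in-place edit also matches the intent of a `user_known_*` macro and keeps the shipped default intact across upgrades. One more documentation nit: the title says the rules are disabled "by default", but the comment still reads as a note about two rules that are "not enabled", which is the same fact stated less directly; aligning the two wordings would avoid confusion about whether the shipped default changed.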