github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-01-25 14:54:04 +00:00
Code Issues Projects Releases Wiki Activity

Fix for Write below root error triggering on GKE

Browse Source 
GKE regularly calls /exec.fifo from both a system level, and within
individual falco pods.  As is this triggers errors multiple times every
hour.  This change adds /exec.fifo to the expected files below root that
will be called.

Signed-off-by: Jonathan McGowan <jonnymcgow7@gmail.com>
This commit is contained in:
Jonathan McGowan
2019-07-26 16:30:05 -07:00
committed by Leo Di Donato
parent 46b1a3c841
commit bcf83057fa
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
rules/falco_rules.yaml
View File

@@ -1265,7 +1265,7 @@
- list: known_root_files
items: [/root/.monit.state, /root/.auth_tokens, /root/.bash_history, /root/.ash_history, /root/.aws/credentials,
/root/.viminfo.tmp, /root/.lesshst, /root/.bzr.log, /root/.gitconfig.lock, /root/.babel.json, /root/.localstack,
/root/.node_repl_history, /root/.mongorc.js, /root/.dbshell, /root/.augeas/history, /root/.rnd, /root/.wget-hsts, /health]
/root/.node_repl_history, /root/.mongorc.js, /root/.dbshell, /root/.augeas/history, /root/.rnd, /root/.wget-hsts, /health, /exec.fifo]
- list: known_root_directories
items: [/root/.oracle_jre_usage, /root/.ssh, /root/.subversion, /root/.nami]