github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-18 16:07:21 +00:00
Code Issues Projects Releases Wiki Activity

rule(macro multipath_writing_conf): create and use the macro

Browse Source 
`multipath`, which is run by `systemd-udevd`, writes to
`/etc/multipath/wwids`, `/etc/multipath/bindings` and a few other paths
under `/etc/multipath` as part of its normal operation.

Signed-off-by: Nicolas Marier <nmarier@coveo.com>
This commit is contained in:
Nicolas Marier
2020-11-05 11:12:44 -05:00
committed by poiana
parent f5c1e7c165
commit c055f02dd0
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
rules/falco_rules.yaml
View File

@@ -1213,6 +1213,9 @@
fd.name startswith /etc/ssh/ssh_monitor_config_ or
fd.name startswith /etc/ssh/ssh_config_))
- macro: multipath_writing_conf
condition: (proc.name = multipath and fd.name startswith /etc/multipath/)
# Add conditions to this macro (probably in a separate file,
# overwriting this macro) to allow for specific combinations of
# programs writing below specific directories below
@@ -1333,6 +1336,7 @@
and not automount_using_mtab
and not mcafee_writing_cma_d
and not avinetworks_supervisor_writing_ssh
and not multipath_writing_conf
- rule: Write below etc
desc: an attempt to write to any file below /etc