github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-09 02:29:36 +00:00
Code Issues Projects Releases Wiki Activity

Let ovsdb-server write below /etc/openvswitch

Browse Source
This commit is contained in:
Mark Stemm
2017-11-08 13:39:20 -08:00
parent 27df0ad29b
commit c1de3dfe7a
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
rules/falco_rules.yaml
View File

@@ -575,6 +575,8 @@
- macro: dmeventd_writing_lvm_archive - macro: dmeventd_writing_lvm_archive
condition: (proc.name=dmeventd and (fd.name startswith /etc/lvm/archive or condition: (proc.name=dmeventd and (fd.name startswith /etc/lvm/archive or
fd.name startswith /etc/lvm/backup)) fd.name startswith /etc/lvm/backup))
- macro: ovsdb_writing_openvswitch
condition: (proc.name=ovsdb-server and fd.directory=/etc/openvswitch)
############### ###############
# General Rules # General Rules
@@ -675,6 +677,7 @@
and not pki_realm_writing_realms and not pki_realm_writing_realms
and not htpasswd_writing_passwd and not htpasswd_writing_passwd
and not dmeventd_writing_lvm_archive and not dmeventd_writing_lvm_archive
and not ovsdb_writing_openvswitch
- rule: Write below etc - rule: Write below etc
desc: an attempt to write to any file below /etc, not in a pipe installer session desc: an attempt to write to any file below /etc, not in a pipe installer session