rule update: update image check from rancher_write_conf macro (#648)

* rule update: remove image check from rancher_write_conf macro

* remove healthcheck from rancher_writing_conf

* add image check for healthcheck

* add image check

* update nginx_writing_conf macro
Kaizhe Huang 2019-06-05 22:08:11 -07:00 committed by GitHub
parent 68211daffa
commit cd32cceff8
GPG Key ID: 4AEE18F83AFDEB23


@ -815,7 +815,7 @@
condition: (veritas_progs and (fd.name startswith /etc/vx or fd.name startswith /etc/opt/VRTS or fd.name startswith /etc/vom))
- macro: nginx_writing_conf
condition: (proc.name in (nginx,nginx-ingress-c,nginx-ingress) and fd.name startswith /etc/nginx)
condition: (proc.name in (nginx,nginx-ingress-c,nginx-ingress) and (fd.name startswith /etc/nginx or fd.name startswith /etc/ingress-controller))
- macro: nginx_writing_certs
condition: >
@ -1040,11 +1040,13 @@
and fd.name startswith "/etc/dd-agent")
- macro: rancher_writing_conf
condition: (container.image.repository in (rancher_images)
and proc.name in (lb-controller,rancher-dns,healthcheck,rancher-metadat)
and (fd.name startswith "/etc/haproxy" or
fd.name startswith "/etc/rancher-dns")
)
condition: (((proc.name=healthcheck and container.image.repository contains "rancher/healthcheck") or
(proc.name=lb-controller and container.image.repository contains "rancher/lb-service-haproxy") or
(proc.name=rancher-dns and container.image.repository contains "rancher/dns")) and
(fd.name startswith "/etc/haproxy" or fd.name startswith "/etc/rancher-dns"))
- macro: rancher_writing_root
condition: (proc.name=rancher-metadat and container.image.repository contains "rancher/metadata" and fd.name startswith "/answers.json")
- macro: jboss_in_container_writing_passwd
condition: >
@ -1312,6 +1314,7 @@
and not cassandra_writing_state
and not galley_writing_state
and not calico_writing_state
and not rancher_writing_root
and not known_root_conditions
and not user_known_write_root_conditions
output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name)"
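Review bot: The rewritten `rancher_writing_conf` exception identifies the image with `container.image.repository contains "rancher/healthcheck"` (likewise for `rancher/lb-service-haproxy` and `rancher/dns`, and for `rancher/metadata` in the new `rancher_writing_root`), which is a substring test, so any repository whose name merely includes that text satisfies the exception and the write goes unreported. Because `proc.name` is chosen by the process itself, the image comparison is the only anchor in these macros and should be an exact match, for example `container.image.repository in (rancher/healthcheck, REGISTRY_PLACEHOLDER/rancher/healthcheck)`, listing the registry-qualified names actually deployed. The path clause is also shared by all three process/image pairs, so `healthcheck` is exempted for writes under `/etc/rancher-dns` as well as `/etc/haproxy`; pairing each process with its own directory would narrow the exception if the intended mapping is known. A short comment above each macro stating which image is expected to write which path would make later widening easier to review.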