github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-01 17:12:21 +00:00
Code Issues Projects Releases Wiki Activity

Change level for sshkit binaries.

Browse Source 
It's actually the programs spawned by sshkit scripts that modify files
below /etc.
This commit is contained in:
Mark Stemm 2017-09-25 08:17:54 -07:00
parent cff8ca428a
commit cf5397f701
1 changed files with 1 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
rules/falco_rules.yaml
View File

@ -442,7 +442,6 @@
package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries, package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries,
dev_creation_binaries, shell_mgmt_binaries, dev_creation_binaries, shell_mgmt_binaries,
sendmail_config_binaries, sendmail_config_binaries,
sshkit_script_binaries,
ldconfig.real, ldconfig, confd, gpg, insserv, ldconfig.real, ldconfig, confd, gpg, insserv,
apparmor_parser, update-mime, tzdata.config, tzdata.postinst, apparmor_parser, update-mime, tzdata.config, tzdata.postinst,
systemd, systemd-machine, systemd-sysuser, systemd, systemd-machine, systemd-sysuser,
@ -450,7 +449,7 @@
gen_resolvconf., update-ca-certi, certbot, runsv, gen_resolvconf., update-ca-certi, certbot, runsv,
qualys-cloud-ag, locales.postins, nomachine_binaries, qualys-cloud-ag, locales.postins, nomachine_binaries,
adclient, certutil) adclient, certutil)
and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries, hddtemp.postins) and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries, hddtemp.postins, sshkit_script_binaries)
and not fd.name pmatch (safe_etc_dirs) and not fd.name pmatch (safe_etc_dirs)
and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc) and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc)
and not ansible_running_python and not ansible_running_python