github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-30 21:25:06 +00:00
Code Issues Projects Releases Wiki Activity

Let locales.postins write below /etc

Browse Source 
locales.postins also writes intermediate files below /etc/ so just it
write generally.
This commit is contained in:
Mark Stemm 2017-08-23 16:46:10 -07:00
parent aaa294abd1
commit d21fb408d4
1 changed files with 1 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
rules/falco_rules.yaml
View File

@ -387,9 +387,6 @@
- macro: fluentd_writing_fluentd_conf
condition: (proc.name=start-fluentd and fd.name=/etc/fluent/fluent.conf)
- macro: locales_postinst_writing_locale_gen
condition: (proc.name=locales.postins and fd.name=/etc/locale.gen)
- macro: write_etc_common
condition: >
etc_dir and evt.dir = < and open_write
@ -402,14 +399,13 @@
systemd, systemd-machine, systemd-sysuser,
debconf-show, rollerd, bind9.postinst, sv,
gen_resolvconf., update-ca-certi, certbot, runsv,
qualys-cloud-ag)
qualys-cloud-ag, locales.postins)
and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries)
and not fd.name pmatch (safe_etc_dirs)
and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json)
and not ansible_running_python
and not python_running_denyhosts
and not fluentd_writing_fluentd_conf
and not locales_postinst_writing_locale_gen
- rule: Write below etc
desc: an attempt to write to any file below /etc, not in a pipe installer session