github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-10-21 11:29:26 +00:00
Code Issues Projects Releases Wiki Activity

Adding user.loginuid to the default falco rules in any place user.name exists

Browse Source 
This update will provide information as to which process uid intitiated the event.  This is really important for processes that are started
by a different user name.

Signed-off-by: Chuck Schweizer <chuck.schweizer.lvk2@statefarm.com>
This commit is contained in:
Chuck Schweizer
2020-08-25 13:17:35 -05:00
committed by poiana
parent 0a4d60c22b
commit d678be5579
2 changed files with 55 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
test/rules/detect_connect_using_in.yaml
View File

@@ -18,5 +18,5 @@
desc: Detect any connect to the localhost network, using fd.net and the in operator
condition: evt.type=connect and fd.net in ("127.0.0.1/24")
output: Program connected to localhost network
(user=%user.name command=%proc.cmdline connection=%fd.name)
(user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name)
priority: INFO