github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-03 07:34:53 +00:00
Code Issues Projects Releases Wiki Activity

Rule fixes for dragent.

Browse Source 
Make sure falco doesn't detect the things draios-agent does as
suspicious. It's possible that you might run open source falco alongside
sysdig cloud.

App checks spawned by sysdig cloud binaries might also change namespace,
so also allow children of sysdigcloud binaries to call setns.
This commit is contained in:
Mark Stemm
2016-10-24 13:22:33 -07:00
parent 4189bb72da
commit da61134463
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
rules/falco_rules.yaml
View File

@@ -96,7 +96,7 @@
] ]
- list: sysdigcloud_binaries - list: sysdigcloud_binaries
items: [setup-backend, dragent] items: [setup-backend, dragent, sdchecks]
- list: docker_binaries - list: docker_binaries
items: [docker, dockerd, exe] items: [docker, dockerd, exe]
@@ -276,8 +276,8 @@
- rule: Change thread namespace - rule: Change thread namespace
desc: an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns. desc: an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns.
condition: evt.type = setns and not proc.name in (docker_binaries, k8s_binaries, sysdig, dragent, nsenter) condition: evt.type = setns and not proc.name in (docker_binaries, k8s_binaries, sysdigcloud_binaries, sysdig, nsenter) and not proc.pname in (sysdigcloud_binaries)
output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline %container.info)" output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline parent=%proc.pname %container.info)"
priority: WARNING priority: WARNING
- rule: Run shell untrusted - rule: Run shell untrusted