github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-25 17:38:53 +00:00
Code Issues Projects Releases Wiki Activity

rule update: fix missing entries

Browse Source 
Signed-off-by: kaizhe <derek0405@gmail.com>
This commit is contained in:
kaizhe 2019-09-27 12:00:18 -07:00 committed by Leo Di Donato
parent a43ae037a9
commit e81decac13
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
rules/falco_rules.yaml
View File

@ -2421,6 +2421,11 @@
condition: > condition: >
((spawned_process and proc.name in (shred, rm, mv) and proc.args contains "bash_history") or ((spawned_process and proc.name in (shred, rm, mv) and proc.args contains "bash_history") or
(open_write and fd.name contains "bash_history" and evt.arg.flags contains "O_TRUNC")) (open_write and fd.name contains "bash_history" and evt.arg.flags contains "O_TRUNC"))
output: >
Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
priority:
WARNING
tag: [process, mitre_defense_evation]
- macro: consider_all_chmods - macro: consider_all_chmods
condition: (always_true) condition: (always_true)