github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-01 22:58:12 +00:00
Code Issues Projects Releases Wiki Activity

Add more ancestors

Browse Source 
Add more ancestors for several rules. Sometimes shells spawn the program
reading the sensitive file, etc.
This commit is contained in:
Mark Stemm
2017-08-09 10:10:41 -07:00
parent 0ec46feef2
commit ef9e045a40
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
rules/falco_rules.yaml
View File

@@ -411,7 +411,7 @@
condition: sensitive_files and open_read and server_procs and not proc_is_new and proc.name!="sshd" condition: sensitive_files and open_read and server_procs and not proc_is_new and proc.name!="sshd"
output: > output: >
Sensitive file opened for reading by trusted program after startup (user=%user.name Sensitive file opened for reading by trusted program after startup (user=%user.name
command=%proc.cmdline parent=%proc.pname file=%fd.name) command=%proc.cmdline parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2]
priority: WARNING priority: WARNING
tags: [filesystem] tags: [filesystem]
@@ -727,7 +727,7 @@
not proc.pname in (cron_binaries, systemd, run-parts) not proc.pname in (cron_binaries, systemd, run-parts)
output: > output: >
User management binary command run outside of container User management binary command run outside of container
(user=%user.name command=%proc.cmdline parent=%proc.pname) (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2])
priority: NOTICE priority: NOTICE
tags: [host, users] tags: [host, users]