github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-01 17:12:21 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #243 from draios/falco-fps

Browse Source 
Address some setns FPs.
This commit is contained in:
Mark Stemm 2017-05-24 13:18:08 -07:00 committed by GitHub
commit f426c4292d
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
rules/falco_rules.yaml
View File

@ -241,6 +241,9 @@
- macro: parent_linux_image_upgrade_script - macro: parent_linux_image_upgrade_script
condition: proc.pname startswith linux-image- condition: proc.pname startswith linux-image-
- macro: java_running_sdjagent
condition: proc.name=java and proc.cmdline contains sdjagent.jar
############### ###############
# General Rules # General Rules
############### ###############
@ -355,7 +358,9 @@
condition: > condition: >
evt.type = setns evt.type = setns
and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, sysdig, nsenter) and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, sysdig, nsenter)
and not proc.name startswith "runc:"
and not proc.pname in (sysdigcloud_binaries) and not proc.pname in (sysdigcloud_binaries)
and not java_running_sdjagent
output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline parent=%proc.pname %container.info)" output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline parent=%proc.pname %container.info)"
priority: WARNING priority: WARNING
tags: [process] tags: [process]