github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-01 22:47:46 +00:00
Code Issues Projects Releases Wiki Activity

Let vpn binaries write below /etc.

Browse Source 
They will modify things like dns servers, etc.
This commit is contained in:
Mark Stemm 2017-07-05 14:22:38 -07:00
parent e1293a7eca
commit f6b3068259
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
rules/falco_rules.yaml
View File

@ -193,6 +193,9 @@
- list: hids_binaries
items: [aide]
- list: vpn_binaries
items: [openvpn]
- list: nids_binaries
items: [bro, broctl]
@ -387,7 +390,7 @@
condition: >
sensitive_files and open_read
and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries,
cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries)
cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries, vpn_binaries)
and not cmp_cp_by_passwd
and not ansible_running_python
and not proc.cmdline contains /usr/bin/mandb