github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-06 19:29:09 +00:00
Code Issues Projects Releases Wiki Activity

Exclude exe_running_docker_save in the "Update Package Repository" rule

Browse Source 
Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
This commit is contained in:
Jean-Philippe Lachance 2019-12-03 12:06:55 -05:00 committed by Leo Di Donato
parent df7a356e1d
commit f97a33d40a
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
rules/falco_rules.yaml
View File

@ -920,9 +920,11 @@
- rule: Update Package Repository - rule: Update Package Repository
desc: Detect package repositories get updated desc: Detect package repositories get updated
condition: > condition: >
((open_write and access_repositories) or (modify and modify_repositories)) and not package_mgmt_procs ((open_write and access_repositories) or (modify and modify_repositories))
and not package_mgmt_procs
and not exe_running_docker_save
output: > output: >
Repository files get updated (user=%user.name command=%proc.cmdline file=%fd.name newpath=%evt.arg.newpath container_id=%container.id image=%container.image.repository) Repository files get updated (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name newpath=%evt.arg.newpath container_id=%container.id image=%container.image.repository)
priority: priority:
NOTICE NOTICE
tags: [filesystem, mitre_persistence] tags: [filesystem, mitre_persistence]