Exclude exe_running_docker_save in the "Update Package Repository" rule

Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
Jean-Philippe Lachance 2019-12-03 12:06:55 -05:00 committed by Leo Di Donato
parent df7a356e1d
commit f97a33d40a


@ -920,9 +920,11 @@
- rule: Update Package Repository
desc: Detect package repositories get updated
condition: >
((open_write and access_repositories) or (modify and modify_repositories)) and not package_mgmt_procs
((open_write and access_repositories) or (modify and modify_repositories))
and not package_mgmt_procs
and not exe_running_docker_save
output: >
Repository files get updated (user=%user.name command=%proc.cmdline file=%fd.name newpath=%evt.arg.newpath container_id=%container.id image=%container.image.repository)
Repository files get updated (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name newpath=%evt.arg.newpath container_id=%container.id image=%container.image.repository)
priority:
NOTICE
tags: [filesystem, mitre_persistence]
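Review bot: the new `and not exe_running_docker_save` term in the condition references a macro whose definition is not part of this hunk; Falco resolves macros at load time and a macro has to be defined before the rule that uses it, so confirm that `exe_running_docker_save` is defined above this rule (or in a rules file loaded earlier), otherwise the rules file fails to load. The one-line commit message also does not say which `docker save` writes were firing this rule; since the exclusion silences every repository-file write attributed to that process, note the observed false positive in the message or in the rule `desc` so the scope of the exception is documented. The added `parent=%proc.pname pcmdline=%proc.pcmdline` output fields are useful here, as they let an analyst check from existing alerts whether an exclusion keyed on the parent process is the right one.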