github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-28 23:57:29 +00:00
Code Issues Projects Releases Wiki Activity

Rule fixes for dragent.

Browse Source 
Make sure falco doesn't detect the things draios-agent does as
suspicious. It's possible that you might run open source falco alongside
sysdig cloud.

App checks spawned by sysdig cloud binaries might also change namespace,
so also allow children of sysdigcloud binaries to call setns.
This commit is contained in:
Mark Stemm 2016-10-24 13:22:33 -07:00
parent 0211a94f60
commit f98ec60c88
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
rules/falco_rules.yaml
View File

@ -96,7 +96,7 @@
]
- list: sysdigcloud_binaries
items: [setup-backend, dragent]
items: [setup-backend, dragent, sdchecks]
- list: docker_binaries
items: [docker, dockerd, exe]
@ -276,8 +276,8 @@
- rule: Change thread namespace
desc: an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns.
condition: evt.type = setns and not proc.name in (docker_binaries, k8s_binaries, sysdig, dragent, nsenter)
output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline %container.info)"
condition: evt.type = setns and not proc.name in (docker_binaries, k8s_binaries, sysdigcloud_binaries, sysdig, nsenter) and not proc.pname in (sysdigcloud_binaries)
output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline parent=%proc.pname %container.info)"
priority: WARNING
- rule: Run shell untrusted