Add "dsc_host" as a MS OMS program

Sample Falco alert: ``` File below /etc opened for writing (user=<NA> command=dsc_host /opt/dsc/output PerformRequiredConfigurationChecks 1 parent=python pcmdline=python /opt/microsoft/omsconfig/Scripts/PerformRequiredConfigurationChecks.py file=/etc/opt/omi/conf/omsconfig/con... ``` Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2025-07-01 09:02:18 +00:00 · 2020-01-30 16:58:18 -08:00 · 2020-01-30 16:58:18 -08:00 · fa3e48ca1a
commit fa3e48ca1a
parent bf0cdb7c38
1 changed files with 1 additions and 1 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -744,7 +744,7 @@

 - macro: ms_oms_writing_conf
  condition: >
-    ((proc.name in (omiagent,omsagent,in_heartbeat_r*,omsadmin.sh,PerformInventor)
+    ((proc.name in (omiagent,omsagent,in_heartbeat_r*,omsadmin.sh,PerformInventor,dsc_host)
       or proc.pname in (ms_oms_binaries)
       or proc.aname[2] in (ms_oms_binaries))
     and (fd.name startswith /etc/opt/omi or fd.name startswith /etc/opt/microsoft/omsagent))