From fa3e48ca1a42c28d25654c9075d09f6c1dc83c5a Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Thu, 30 Jan 2020 16:58:18 -0800
Subject: [PATCH] Add "dsc_host" as a MS OMS program

Sample Falco alert:
```
File below /etc opened for writing (user= command=dsc_host /opt/dsc/output PerformRequiredConfigurationChecks 1 parent=python pcmdline=python /opt/microsoft/omsconfig/Scripts/PerformRequiredConfigurationChecks.py file=/etc/opt/omi/conf/omsconfig/con...
```
Signed-off-by: Mark Stemm
---
rules/falco_rules.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 75a33f15..2e58e904 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -744,7 +744,7 @@
- macro: ms_oms_writing_conf condition: >
- ((proc.name in (omiagent,omsagent,in_heartbeat_r*,omsadmin.sh,PerformInventor)
+ ((proc.name in (omiagent,omsagent,in_heartbeat_r*,omsadmin.sh,PerformInventor,dsc_host)
or proc.pname in (ms_oms_binaries) or proc.aname[2] in (ms_oms_binaries)) and (fd.name startswith /etc/opt/omi or fd.name startswith /etc/opt/microsoft/omsagent))
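Review bot: The added `dsc_host` entry on the `+` line widens the `ms_oms_writing_conf` exception on process basename alone, and unlike the other entries it is not anchored by the `proc.pname`/`proc.aname[2] in (ms_oms_binaries)` clauses, since the sample alert in the commit message shows its parent is a generic `python` interpreter (presumably not in `ms_oms_binaries`, which is outside this hunk). As written, any process whose name is `dsc_host` writing under `/etc/opt/omi` or `/etc/opt/microsoft/omsagent` is silenced, regardless of where the binary lives or what launched it. The sample alert gives a stronger anchor in the parent command line, so consider a separate clause instead of the list entry, e.g. `or (proc.name=dsc_host and proc.pcmdline contains /opt/microsoft/omsconfig/)`. A one-line YAML comment above the macro recording the observed invocation (`# dsc_host is spawned by python /opt/microsoft/omsconfig/Scripts/PerformRequiredConfigurationChecks.py`) would also explain to the next maintainer why this non-OMS-named process is exempted.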