github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-01 14:47:00 +00:00
Code Issues Projects Releases Wiki Activity

spelling: command lines

Browse Source 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
This commit is contained in:
Josh Soref
2022-02-24 01:47:58 -05:00
committed by poiana
parent ae56a10932
commit fa7fab525f
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
rules/falco_rules.yaml
View File

@@ -2255,7 +2255,7 @@
activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded. activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded.
Activity in containers is also excluded--some containers create custom users on top Activity in containers is also excluded--some containers create custom users on top
of a base linux distribution at startup. of a base linux distribution at startup.
Some innocuous commandlines that don't actually change anything are excluded. Some innocuous command lines that don't actually change anything are excluded.
condition: > condition: >
spawned_process and proc.name in (user_mgmt_binaries) and spawned_process and proc.name in (user_mgmt_binaries) and
not proc.name in (su, sudo, lastlog, nologin, unix_chkpwd) and not container and not proc.name in (su, sudo, lastlog, nologin, unix_chkpwd) and not container and