github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-27 10:28:54 +00:00
Code Issues Projects Releases Wiki Activity

rule(Write below root): add mysqlsh

Browse Source 
Let mysqlsh write below /root/.mysqlsh.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm 2020-08-27 17:33:42 -07:00 committed by poiana
parent 7effc02c60
commit fb5e13c694
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
rules/falco_rules.yaml
View File

@ -1406,6 +1406,9 @@
- macro: runc_writing_var_lib_docker
condition: (proc.cmdline="runc:[1:CHILD] init" and evt.arg.filename startswith /var/lib/docker)
- macro: mysqlsh_writing_state
condition: (proc.name=mysqlsh and fd.directory=/root/.mysqlsh)
- rule: Write below root
desc: an attempt to write to any file directly below / or /root
condition: >
@ -1426,6 +1429,7 @@
and not calico_writing_state
and not rancher_writing_root
and not runc_writing_exec_fifo
and not mysqlsh_writing_state
and not known_root_conditions
and not user_known_write_root_conditions
and not user_known_write_below_root_activities