github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-19 08:54:47 +00:00
Code Issues Projects Releases Wiki Activity

More user management exclusions.

Browse Source 
Exclude lastlog and useradd -D as they don't change anything.
This commit is contained in:
Mark Stemm
2017-08-22 14:18:32 -07:00
parent e88c9ec8e3
commit fbfd540ad2
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
rules/falco_rules.yaml
View File

@@ -758,9 +758,10 @@
Some innocuous commandlines that don't actually change anything are excluded.
condition: >
spawned_process and proc.name in (user_mgmt_binaries) and
not proc.name in (su, sudo) and not container and
not proc.name in (su, sudo, lastlog) and not container and
not proc.pname in (cron_binaries, systemd, run-parts) and
not proc.cmdline startswith "passwd -S"
not proc.cmdline startswith "passwd -S" and
not proc.cmdline startswith "useradd -D"
output: >
User management binary command run outside of container
(user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3])