mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-21 19:44:57 +00:00
Add back detection for mysql and sensitive files that was removed in the previous commit. A new macro proc_is_new adds a condition on how long a process has been running. A new rule triggers if the process is not new and tries to open a sensitive file. This handles cases like mysql, where it *does* read /etc/passwd on startup but shouldn't really open it afterward.
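The startup-window logic this commit message describes, as an added Python example that is not code from Falco or from this commit. The 5-second threshold, the sensitive-file list, the event tuple layout and the sample events are all assumptions constructed for illustration.

```python
from typing import Iterable, List, Tuple

SEC = 1_000_000_000
NEW_PROC_WINDOW_NS = 5 * SEC   # assumed threshold; the commit message gives none
SENSITIVE_FILES = {"/etc/passwd", "/etc/shadow"}   # assumed list

# Constructed event stream: (timestamp_ns, pid, event_type, argument)
EVENTS = [
    (0 * SEC,    100, "execve", "mysqld"),
    (1 * SEC,    100, "open",   "/etc/passwd"),             # startup read: expected
    (2 * SEC,    100, "open",   "/var/lib/mysql/ibdata1"),  # not sensitive
    (5 * SEC,    100, "open",   "/etc/passwd"),             # exactly at the window edge
    (3600 * SEC, 100, "open",   "/etc/passwd"),             # long after startup
    (7200 * SEC, 200, "execve", "mysqld"),                  # service restarted
    (7201 * SEC, 200, "open",   "/etc/passwd"),             # new process again
    (7300 * SEC, 200, "open",   "/etc/shadow"),             # past the window
]


def proc_is_new(now_ns: int, start_ns: int) -> bool:
    """Model of the macro: the process has been running no longer than the window."""
    return now_ns - start_ns <= NEW_PROC_WINDOW_NS


def detect(events: Iterable[Tuple[int, int, str, str]]) -> List[Tuple[int, str, str]]:
    """Return (timestamp_ns, process_name, path) for each open that should alert."""
    procs = {}    # pid -> (name, start_ns), filled from execve events
    alerts = []
    for ts, pid, etype, arg in events:
        if etype == "execve":
            procs[pid] = (arg, ts)          # a restart resets the process age
        elif etype == "open" and arg in SENSITIVE_FILES:
            name, start = procs.get(pid, ("<unknown>", None))
            # Unknown start time: treat as not new, so the open is reported.
            if start is None or not proc_is_new(ts, start):
                alerts.append((ts, name, arg))
    return alerts


if __name__ == "__main__":
    for ts, name, path in detect(EVENTS):
        print(f"t={ts // SEC}s {name} opened {path} after startup")
```

A restart gives the process a fresh window, so reads of sensitive files inside that window are not reported by this check and need separate coverage if they matter in your environment.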