	Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com> Signed-off-by: Lorenzo Fontana <lo@linux.com>
#
# Copyright (C) 2019 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Minimum rules-engine version this file declares. 9999999 is far beyond any
# real engine version, so a loader that enforces the field should refuse to
# load this file; presumably this is a fixture exercising that check —
# confirm against the test that loads it.
- required_engine_version: 9999999

# Base list: the literal program name(s) that count as "cat".
- list: cat_binaries
  items:
    - cat

# Derived list: pulls in the base list by reference instead of repeating
# its entries, so a new binary only needs adding to cat_binaries.
- list: cat_capable_binaries
  items:
    - cat_binaries

# Macro: true when the acting process name is one of the listed binaries.
- macro: is_cat
  condition: proc.name in (cat_capable_binaries)

# Rule: fires on every open syscall issued by a matching process. Only
# evt.type and proc.name are consulted, so the opened path is not
# restricted; the full command line is reported in the output.
- rule: open_from_cat
  desc: A process named cat does an open
  condition: evt.type=open and is_cat
  output: "An open was seen (command=%proc.cmdline)"
  priority: WARNING