mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-22 03:49:36 +00:00
Make changes to rules to improve performance and reduce FPs:

- Rely on https://github.com/draios/sysdig/pull/610, which allows specifying an open/openat for reading/writing without having to search through all the flags individually.
- For a two-item list (open, openat), and thinking ahead to https://github.com/draios/sysdig/pull/624, check the event type individually instead of as a set membership test, which is a bit faster.
- Switch to consistently using evt.type instead of syscall.type.
- Move positive tests like etc_dir, bin_dir, sensitive_files, proc.sname, etc., which are most likely to not succeed, to the beginning of rules, so they have a greater chance to cause the rest of the rule to be skipped, which saves time.
- Use exim as a mail program; exim can also suid to root.
- Add a new macro for ssl management binaries and allow them to write below /etc and read sensitive files.
- Add a new macro for dhcp client binaries and allow them to write below /etc.
- Add exe (docker-related program) as a program that can set a namespace using setns.
- Don't count /dev/tty as an important file under /dev.
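A constructed Falco rules fragment, added here as an illustration and not taken from the commit's own diff, showing the patterns the message describes: the open/openat pair checked with individual evt.type tests instead of a set membership, the open-for-write condition expressed through one field rather than a flag search (assumed here to be evt.is_open_write, which I take to be the field that sysdig pull request adds), and the cheap positive test etc_dir placed first so that a miss skips the rest of the rule. Macro and rule names, and dhclient as the dhcp client binary, are my choices for the example.

```yaml
# Constructed example rules; names and program list are illustrative only.

- macro: etc_dir
  condition: fd.name startswith /etc/

# Before: syscall.type in (open, openat) and each O_WRONLY/O_RDWR/O_CREAT flag
# tested separately. After: two individual evt.type comparisons plus the
# single open-for-write field (evt.is_open_write is assumed to be that field).
- macro: open_write
  condition: (evt.type=open or evt.type=openat) and evt.is_open_write=true and fd.typechar='f'

# Assumed dhcp client binary name used for the allow-list below.
- macro: dhcp_client_binaries
  condition: proc.name in (dhclient)

- rule: write_etc
  desc: an attempt to write to any file below /etc (constructed example)
  # The positive test etc_dir comes first: most opens are not below /etc, so
  # evaluation usually stops here before the costlier exclusion list is reached.
  condition: etc_dir and open_write and not dhcp_client_binaries
  output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
  priority: WARNING
```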