mirror of https://github.com/falcosecurity/falco.git, synced 2025-10-21 19:44:57 +00:00
Add some new groups of binary programs as macros and start using them in the set of rules:

- docker_binaries: docker and exe (which is a temporary process name for processes like docker-proxy)
- http_server_binaries: httpd, nginx, and similar
- db_server_binaries: mysql for now, we'll add more later
- server_binaries: all of the above
- userexec_binaries: sudo and su.

Start using these groups in the rules. Most of the time, changing from the inline lists of processes to macros was a no-op. There are some actual changes, though:

- docker and exe are now allowed to read 'sensitive' files. They may not actually do so, but it's not really harmful.
- lighttpd is now allowed to read 'sensitive' files, via inclusion in http_server_binaries.
- su, lighttpd, and docker can now setuid.
- http-foreground is included as an http server wrt non-port 80/443 ports.

I'm going to use these macros in some of the following rules. This actually prevents detection of mysql reading sensitive files, which is one of the demo scenarios (sql injection). I plan on adding this detection back in the next commit.
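The shape of the change described above, as an added illustration rather than the project's own rules file: the process groups become Falco macros, and a rule that previously carried an inline process list references the group instead. The `sensitive_files` and `open_read` helper macros and the rule name are assumptions for this sketch, not copied from the repository.

```yaml
# Added illustration of the grouping described in the commit message;
# macro and rule bodies other than the group lists are assumptions.

# Process groups introduced by the commit
- macro: docker_binaries
  # "exe" is the temporary process name seen for docker-proxy and similar
  condition: proc.name in (docker, exe)

- macro: http_server_binaries
  condition: proc.name in (httpd, nginx, lighttpd, http-foreground)

- macro: db_server_binaries
  condition: proc.name in (mysql)

- macro: server_binaries
  condition: (docker_binaries or http_server_binaries or db_server_binaries)

- macro: userexec_binaries
  condition: proc.name in (sudo, su)

# Assumed helper macros, written here so the rule below is self-contained
- macro: open_read
  condition: (evt.type=open or evt.type=openat) and evt.is_open_read=true and fd.typechar='f'

- macro: sensitive_files
  condition: fd.name in (/etc/shadow, /etc/sudoers, /etc/pam.conf)

# Before the change, a rule of this kind listed processes inline, e.g.
#   ... and not proc.name in (httpd, nginx, mysql)
# After the change it references the group. Note the side effect the commit
# message calls out: because mysql is inside server_binaries, a mysql process
# reading one of these files no longer fires this rule.
- rule: Read sensitive file untrusted
  desc: Detect an attempt to read a sensitive file by a process that is not a known server or user-management binary
  condition: sensitive_files and open_read and not server_binaries and not userexec_binaries
  output: "Sensitive file opened for reading by non-trusted program (user=%user.name command=%proc.cmdline file=%fd.name)"
  priority: WARNING
```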