mirror of
https://github.com/falcosecurity/falco.git
synced 2025-09-28 13:47:50 +00:00
c23229263c
Make changes to falco_rules.yaml to make sure they work on the demo scenarios without too many false positives. The specific changes are: - Add /etc/ld.so.cache as an allowed shared library to open. - Comment out the shared library check for now--there are lots of locations below /usr/lib for things like python, perl, etc and I want to get a fuller categorization first. - Add a few additional parent processes that can spawn shells, write sensitive files, and call setuid. Also allow bash shells with no parent to spawn shells. We may want to disallow this but I suspect a better place to detect is the parent-less bash shell becoming a session leader. - Add rules for fs-bash (falco-safe bash), which is used in the curl <url> | bash installer demo. The idea is that fs-bash has restrictions on what it and child proceses can do. - Add trailing '/' characters to path names in bin_dir_* so paths like /tmp/binary don't accidentally match '/bin' Note that as process names are truncated to 15 characters, long process names like 'httpd-foregroun' are intentionally truncated.