systemd can listen on network ports.

Systemd can listen on network ports to launch daemons on demand, so allow it to perform network activity.
falcosecurity · Jun 8, 2017 · 26d2f17 · 26d2f17
1 parent 8cbaccc
commit 26d2f17
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -490,9 +490,10 @@
   tags: [container, shell]
 
 # sockfamily ip is to exclude certain processes (like 'groups') that communicate on unix-domain sockets
+# systemd can listen on ports to launch things like sshd on demand
 - rule: System procs network activity
   desc: any network activity performed by system binaries that are not expected to send or receive any network traffic
-  condition: (fd.sockfamily = ip and system_procs) and (inbound or outbound)
+  condition: (fd.sockfamily = ip and system_procs) and (inbound or outbound) and not proc.name=systemd
   output: "Known system binary sent/received network traffic (user=%user.name command=%proc.cmdline connection=%fd.name)"
   priority: NOTICE
   tags: [network]