Handle dbus-daemon-launch-helper.
It starts dbus-daemon. Process names are truncated, though, so use
dbus-daemon-lau.
mstemm committed Aug 10, 2016
1 parent 12391ee commit 39ae768
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion rules/falco_rules.yaml
@@ -304,7 +304,7 @@
# sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs
- rule: non_sudo_setuid
desc: an attempt to change users by calling setuid. sudo/su are excluded. user "root" is also excluded, as setuid calls typically involve dropping privileges.
condition: evt.type=setuid and evt.dir=> and not user.name=root and not proc.name in (userexec_binaries, mail_binaries, sshd)
condition: evt.type=setuid and evt.dir=> and not user.name=root and not proc.name in (userexec_binaries, mail_binaries, sshd, dbus-daemon-lau)
output: "Unexpected setuid call by non-sudo, non-root program (user=%user.name command=%proc.cmdline uid=%evt.arg.uid)"
priority: WARNING
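Review bot: the new list entry `dbus-daemon-lau` in the `condition` line looks like a typo to anyone reading the rules file, because the reason for it (the kernel reports the process name truncated, so `dbus-daemon-launch-helper` shows up as `dbus-daemon-lau`) lives only in the commit message. Please add an inline comment next to the rule, in the style of the `# sshd, mail programs ...` comment just above it, e.g. `# dbus-daemon-launch-helper also setuids; proc.name is truncated, hence dbus-daemon-lau`. Also note that `not proc.name in (...)` is an exact match on the truncated name, so this exclusion covers every setuid-calling executable whose name begins with those 15 characters, not just the launch helper; if you want to keep the exclusion tight, consider additionally constraining it, for example by checking that the parent is `dbus-daemon` via `proc.pname`.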


0 comments on commit 39ae768
