Skip to content

Commit

Permalink
rule(maco write_etc_common): Fix false-positive of sssd updating /etc…
Browse files Browse the repository at this point in the history 
…/krb5.keytab

Signed-off-by: Mac Chaffee <me@macchaffee.com>
  • Loading branch information
@mac-chaffee @poiana
mac-chaffee authored and poiana committed Feb 11, 2022
1 parent ff21544 commit 8a3a4c4
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion rules/falco_rules.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -775,6 +775,9 @@
- macro: centrify_writing_krb
condition: (proc.name in (adjoin,addns) and fd.name startswith /etc/krb5)

- macro: sssd_writing_krb
condition: (proc.name=adcli and proc.aname[2]=sssd and fd.name startswith /etc/krb5)

- macro: cockpit_writing_conf
condition: >
((proc.pname=cockpit-kube-la or proc.aname[2]=cockpit-kube-la)
Expand Down Expand Up @@ -1218,6 +1221,7 @@
and not nginx_writing_certs
and not chef_client_writing_conf
and not centrify_writing_krb
and not sssd_writing_krb
and not cockpit_writing_conf
and not ipsec_writing_conf
and not httpd_writing_ssl_conf
Expand Down Expand Up @@ -3123,4 +3127,3 @@
# Application rules have moved to application_rules.yaml. Please look
# there if you want to enable them by adding to
# falco_rules.local.yaml.

0 comments on commit 8a3a4c4

Please sign in to comment.