
Alerts for mkdir should include mkdirat #337

Closed
jmcarp opened this issue Mar 19, 2018 · 2 comments

Comments

@jmcarp
Contributor

jmcarp commented Mar 19, 2018

In experimenting with Falco, we noticed that the write_binary_dir rule works with Python's os.mkdir but not Go's os.Mkdir. @wjwoodson did some sleuthing and found that Python's mkdir uses the mkdir syscall, but Go's uses mkdirat. It would be helpful if rules based on mkdir checked for both syscalls to avoid false negatives.
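As an added illustration of the gap the comment describes (not the text of Falco's rules file or of the referenced commit), the macro restricted to the plain syscall beside the extended form, plus a hypothetical rule that shows how a rule built on the extended macro also sees mkdirat:

```yaml
# Added example, not the project's own rules. Falco macro/rule syntax; the
# macro names mkdir_plain_only and the rule name below are chosen for
# illustration (the project's real macro is named mkdir, per the commit).

# Before: only the plain mkdir syscall matches. Go's os.Mkdir issues mkdirat,
# so directory creation from a Go binary never reaches rules built on this macro
# (a false negative, as the comment reports).
- macro: mkdir_plain_only
  condition: evt.type = mkdir

# After: both entry points are covered. evt.dir = < restricts matching to the
# syscall's return event so each call is evaluated once with its result known.
- macro: mkdir
  condition: (evt.type in (mkdir, mkdirat) and evt.dir = <)

# Hypothetical rule that uses the extended macro. The path argument of mkdirat
# may be relative to its dirfd argument, so this example reports the raw
# arguments via %evt.args instead of filtering on an absolute path (assumed
# behaviour; check it against your driver before relying on it in a rule).
- rule: Example Directory Created Via mkdir Or mkdirat
  desc: >
    Illustrative only: reports successful directory creation from any process,
    showing that one macro now covers both syscalls.
  condition: mkdir and not evt.failed
  output: >
    Directory created (user=%user.name command=%proc.cmdline
    syscall=%evt.type args=%evt.args container=%container.id)
  priority: NOTICE
  tags: [filesystem]

# To confirm which syscall a given binary uses (the "sleuthing" in the
# comment), trace only the two calls of interest, e.g. with strace:
#   strace -f -e trace=mkdir,mkdirat ./your-binary
```

Loading both macro variants side by side in a real rules file is not needed; the before/after forms are shown together only to make the difference visible.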

@leodido
Member

leodido commented Jun 11, 2019

Asking for help from my rules magician friend @Kaizhe!

@leodido
Member

leodido commented Jun 11, 2019

/triage support

@Kaizhe Kaizhe self-assigned this Jun 12, 2019
Kaizhe added a commit that referenced this issue Jun 12, 2019
1. Extend macro mkdir with syscall mkdirat (#337)
2. add placeholder for whitelist in rule Clear Log Activities (#632)
Kaizhe added a commit that referenced this issue Jun 13, 2019
1. Extend macro mkdir with syscall mkdirat (#337)
2. add placeholder for whitelist in rule Clear Log Activities (#632)

Signed-off-by: kaizhe <derek0405@gmail.com>

add docker.io/ to the trusted images list

Signed-off-by: kaizhe <derek0405@gmail.com>

rule update: add container.id and image in the rule output except those rules with "not container" in condition

Signed-off-by: kaizhe <derek0405@gmail.com>

Remove empty line

Signed-off-by: Kaizhe Huang <derek0405@gmail.com>
poiana pushed a commit that referenced this issue Jun 13, 2019
@leodido leodido closed this as completed Jun 19, 2019
5 participants