Alerts for mkdir should include mkdirat #337

In experimenting with falco, we noticed that the `write_binary_dir` rule works with python's `os.mkdir` but not golang's `os.Mkdir`. @wjwoodson did some sleuthing and found that python's `mkdir` uses the `mkdir` syscall, but golang's uses `mkdirat`. It would be helpful if rules based on `mkdir` checked for both syscalls to avoid false negatives.

This was referenced Jun 5, 2018

Asking for help from my rules magician friend @Kaizhe!

/triage support

Kaizhe added a commit that referenced this issue on Jun 13, 2019:

1. Extend macro mkdir with syscall mkdirat (#337)
2. add placeholder for whitelist in rule Clear Log Activities (#632)

Signed-off-by: kaizhe <derek0405@gmail.com>

add docker.io/ to the trusted images list

Signed-off-by: kaizhe <derek0405@gmail.com>

rule update: add container.id and image in the rule output except those rules with "not container" in condition

Signed-off-by: kaizhe <derek0405@gmail.com>

Remove empty line

Signed-off-by: Kaizhe Huang <derek0405@gmail.com>

poiana pushed a commit that referenced this issue on Jun 13, 2019 (the same commit as above).
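As an added illustration of the false negative the issue describes (example code written for this page, not Falco's rule engine or rules file): a toy evaluator for a rule in the spirit of `write_binary_dir`, run over constructed events once with a `mkdir` macro that matches only the `mkdir` syscall and once with the macro extended to `mkdirat` as in the referenced commit. The event layout, the `BIN_DIRS` list and the `bin_dir_mkdir` helper are simplified assumptions; `dirfd` resolution is included because `mkdirat` takes a directory fd plus a possibly relative path, so a rule that only looks at the raw path argument can still miss a directory created below a binary dir.

```python
# Added example (not Falco code): how a mkdir-based rule behaves when its
# macro matches only mkdir versus both mkdir and mkdirat (#337).
import os

AT_FDCWD = -100  # Linux: "resolve the path relative to the process cwd"
BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")  # assumed list

# Constructed sample events, not captured from a real system.
# python's os.mkdir -> mkdir(path, mode); Go's os.Mkdir -> mkdirat(AT_FDCWD, path, mode)
EVENTS = [
    {"proc": "python3", "type": "mkdir", "path": "/usr/bin/evil", "cwd": "/root"},
    {"proc": "goapp", "type": "mkdirat", "dirfd": AT_FDCWD,
     "path": "/usr/bin/evil", "cwd": "/root"},
    {"proc": "goapp", "type": "mkdirat", "dirfd": 3, "path": "tools",
     "cwd": "/root", "fds": {3: "/usr/sbin"}},  # relative path against an open dirfd
    {"proc": "python3", "type": "mkdir", "path": "/tmp/scratch", "cwd": "/root"},
]

def mkdir_macro(evt, extended):
    """Old macro: evt.type = mkdir. Extended macro: evt.type in (mkdir, mkdirat)."""
    wanted = ("mkdir", "mkdirat") if extended else ("mkdir",)
    return evt["type"] in wanted

def resolve_path(evt):
    """Absolute path of the directory being created, honouring mkdirat's dirfd."""
    path = evt["path"]
    if os.path.isabs(path):
        return os.path.normpath(path)
    if evt["type"] == "mkdirat" and evt.get("dirfd", AT_FDCWD) != AT_FDCWD:
        base = evt["fds"][evt["dirfd"]]  # fd -> directory it refers to
    else:
        base = evt["cwd"]
    return os.path.normpath(os.path.join(base, path))

def bin_dir_mkdir(evt):
    """Hypothetical helper: does the new directory live below a binary dir?"""
    return resolve_path(evt).startswith(BIN_DIRS)

def alerts(events, extended):
    """Names of processes that would trigger the rule under the chosen macro."""
    return [e["proc"] for e in events if mkdir_macro(e, extended) and bin_dir_mkdir(e)]

if __name__ == "__main__":
    print("mkdir only     :", alerts(EVENTS, extended=False))  # ['python3']
    print("mkdir + mkdirat:", alerts(EVENTS, extended=True))   # ['python3', 'goapp', 'goapp']
```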