Address rules fps #1028
Commits on Jan 31, 2020
- Add "dsc_host" as a MS OMS program (commit f01ffc3)

Sample Falco alert:

```
File below /etc opened for writing (user=<NA> command=dsc_host /opt/dsc/output PerformRequiredConfigurationChecks 1 parent=python pcmdline=python /opt/microsoft/omsconfig/Scripts/PerformRequiredConfigurationChecks.py file=/etc/opt/omi/conf/omsconfig/con...
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
- Let mcafee write to /etc/cma.d (commit 315206d)

Sample Falco alert:

```
File below /etc opened for writing (user=root command=macompatsvc self_start parent=macompatsvc pcmdline=macompatsvc self_start file=/etc/cma.d/lpc.conf program=macompatsvc gparent=macompatsvc ggparent=systemd gggparent=<NA> CID1 image=<NA>)
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
- Let avinetworks supervisor write some ssh cfg (commit 8ddcaba)

Sample Falco alert:

```
File below /etc opened for writing (user=root command=se_supervisor.p /opt/avi/scripts/se_supervisor.py -d parent=systemd pcmdline=systemd file=/etc/ssh/ssh_monitor_config_10.24.249.200 program=se_supervisor.p gparent=docker-containe ggparent=docker-con...
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Commits on Feb 1, 2020
- Allow writes to /etc/pki from openshift secrets dir (commit 683738f)

Sample Falco alert:

```
File below /etc opened for writing (user=root command=cp /run/secrets/kubernetes.io/serviceaccount/ca.crt /etc/pki/ca-trust/source/anchors/openshift-ca.crt parent=bash pcmdline=bash -c #!/bin/bash\nset -euo pipefail\n\n# set by the node image\nunset KUB...
```

The exception is conditioned on containers.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
- Commit cc105eb

Sample Falco alert:

```
File below / or /root opened for writing (user=<NA> command=runc:[1:CHILD] init parent=docker-runc-cur file=/exec.fifo program=runc:[1:CHILD] CID1 image=<NA>)
```

This github issue provides some context: opencontainers/runc#1698

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
- Let cilium-cni change namespaces (commit 527d700)

Sample Falco alert:

```
Namespace change (setns) by unexpected program (user=root command=cilium-cni parent=cilium-cni host CID2 CID1 image=<NA>)
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
- Commit c7cb49c

Sample Falco alert:

```
Shell spawned by untrusted binary (user=git shell=sh parent=puma reactor cmdline=sh -c pgrep -fl "unicorn.* worker\[.*?\]" pcmdline=puma reactor gparent=puma ggparent=runsv aname[4]=ru...
```

https://github.com/puma/puma says it is "A Ruby/Rack web server built for concurrency".

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>