Puppet write below /etc and new user_known_x macros! #563

Merged
merged 1 commit into from Mar 15, 2019

@JPLachance
Contributor

commented Mar 14, 2019

Greetings!

Falco is currently whitelisting multiple processes to write below /etc and Puppet was not one of them. Adding Puppet to the list of allowed proc.name will remove multiple false positives.

On top of that, I added the user_known_write_root_conditions and the user_known_non_sudo_setuid_conditions macros, so users can add their own condition without overriding the official Falco rules file.

Changes:

  • Add "puppet" in the list of known proc.name writing below etc because Puppet often manages configurations
  • Add the user_known_write_root_conditions macro to allow custom conditions in the "Write below root" rule
  • Add the user_known_non_sudo_setuid_conditions to allow custom conditions in the "Non sudo setuid" rule

falco-CLA-1.0-contributing-entity: Coveo Solutions Inc.
falco-CLA-1.0-signed-off-by: Jean-Philippe Lachance jplachance@coveo.com

+ Add "puppet" in the list of known proc.name writing below etc because Puppet often manages configurations

+ Add the user_known_write_root_conditions macro to allow custom conditions in the "Write below root" rule
+ Add the user_known_non_sudo_setuid_conditions to allow custom conditions in the "Non sudo setuid" rule

falco-CLA-1.0-contributing-entity: Coveo Solutions Inc.
falco-CLA-1.0-signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
@mstemm

Contributor

commented Mar 15, 2019

Thanks again for the changes!

@mstemm mstemm merged commit d366092 into falcosecurity:dev Mar 15, 2019

1 check passed

Travis CI - Pull Request Build Passed

@JPLachance JPLachance deleted the JPLachance:falco-rules-tweaks branch Mar 15, 2019
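
How the two new macros can be used from a site-local rules file, as an added example that is not part of this pull request or of the Falco rules themselves. It assumes the deployment loads `/etc/falco/falco_rules.local.yaml` after the official rules file; every process name, user and path in it is a hypothetical placeholder.

```yaml
# /etc/falco/falco_rules.local.yaml
# Assumption: this file is loaded after the official rules file, so a macro
# defined here replaces the definition of the same name shipped upstream.
# If the shipped macro already carries an exception you rely on, repeat it
# here with "or", because the local definition is the one that takes effect.

# Exception for the "Write below root" rule.
# Pin both the writing process and the path prefix. A bare proc.name test
# would silence the rule for anything that runs under that name, anywhere
# below /root.
- macro: user_known_write_root_conditions
  condition: >
    (proc.name = "example-backup-agent" and
     fd.name startswith /root/.cache/example-backup-agent/)

# Exception for the "Non sudo setuid" rule.
# Tie the exception to one binary, one service account and the host only,
# so setuid calls from containers or other users still raise the alert.
- macro: user_known_non_sudo_setuid_conditions
  condition: >
    (proc.name = "example-legacy-daemon" and
     user.name = "svc_example" and
     container.id = host)
```

Keeping each exception as narrow as the noisy workload allows preserves the rule's detection value for everything else on the host.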
