alpine-overlay/kubezero/falco/rules.patch

30 lines
1.1 KiB
Diff
Raw Permalink Normal View History

2023-11-07 16:31:20 +00:00
--- falco_rules.yaml 2023-11-07 16:26:40.171716913 +0000
+++ zdt_falco_rules.yaml 2023-11-07 16:30:24.912804117 +0000
@@ -171,7 +171,7 @@
# A canonical set of processes that run other programs with different
# privileges or as a different user.
- list: userexec_binaries
- items: [sudo, su, suexec, critical-stack, dzdo]
+ items: [doas, sudo, su, suexec, critical-stack, dzdo]
2024-10-25 16:22:11 +00:00
2023-11-07 16:31:20 +00:00
- list: user_mgmt_binaries
items: [login_binaries, passwd_binaries, shadowutils_binaries]
@@ -200,7 +200,7 @@
]
2024-10-25 16:22:11 +00:00
2023-11-07 16:31:20 +00:00
- list: sensitive_file_names
- items: [/etc/shadow, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]
+ items: [/etc/shadow, /etc/doas.d/doas.conf, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]
2024-10-25 16:22:11 +00:00
2023-11-07 16:31:20 +00:00
- list: sensitive_directory_names
items: [/, /etc, /etc/, /root, /root/]
@@ -208,7 +208,7 @@
- macro: sensitive_files
condition: >
2024-10-25 16:22:11 +00:00
(fd.name in (sensitive_file_names) or
2023-11-07 16:31:20 +00:00
- fd.directory in (/etc/sudoers.d, /etc/pam.d))
+ fd.directory in (/etc/sudoers.d, /etc/pam.d, /etc/doas.d))
2024-10-25 16:22:11 +00:00
2023-11-07 16:31:20 +00:00
# Indicates that the process is new. Currently detected using time
# since process was started, using a threshold of 5 seconds.