rule(macro multipath_writing_conf): create and use the macro
`multipath`, which is run by `systemd-udevd`, writes to
`/etc/multipath/wwids`, `/etc/multipath/bindings` and a few other paths
under `/etc/multipath` as part of its normal operation.

Signed-off-by: Nicolas Marier <nmarier@coveo.com>
marier-nico authored and poiana committed Nov 6, 2020
1 parent f5c1e7c commit c055f02
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions rules/falco_rules.yaml
Expand Up @@ -1213,6 +1213,9 @@
fd.name startswith /etc/ssh/ssh_monitor_config_ or
fd.name startswith /etc/ssh/ssh_config_))
- macro: multipath_writing_conf
condition: (proc.name = multipath and fd.name startswith /etc/multipath/)

# Add conditions to this macro (probably in a separate file,
# overwriting this macro) to allow for specific combinations of
# programs writing below specific directories below
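
Review bot: The condition on the new `multipath_writing_conf` macro identifies the writer only by `proc.name = multipath`, so any process that carries that name is exempted for every path under `/etc/multipath/`. The commit message says `multipath` is run by `systemd-udevd` and names `/etc/multipath/wwids` and `/etc/multipath/bindings`; the macro encodes neither. Consider also constraining the parent, for example `and proc.pname = systemd-udevd`, and listing the specific files if the set is small. The macro also has no comment explaining why the exception exists; a one-line note above `- macro: multipath_writing_conf` would carry the rationale from the commit message into the rules file.
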
Expand Down Expand Up @@ -1333,6 +1336,7 @@
and not automount_using_mtab
and not mcafee_writing_cma_d
and not avinetworks_supervisor_writing_ssh
and not multipath_writing_conf
- rule: Write below etc
desc: an attempt to write to any file below /etc
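
Review bot: The added `and not multipath_writing_conf` line sits in the shared exception chain ahead of `- rule: Write below etc`, so the exemption applies in every deployment of the default rules, including hosts that do not run multipath at all. Since the commit touches only `rules/falco_rules.yaml`, nothing exercises the new exception; a sample event or test showing that a `multipath` write is suppressed while a write to `/etc/multipath/` from another process still fires would make the scope of the blind spot explicit. If the exception is only needed on some hosts, the user-overridable macro described in the comment after the new macro definition may be the better place for it.
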