darryk10
Hi @incertum, I totally agree with tags `container` and `host`. In addition, AFAIK you can also load rules based on tags, so you may want to use the `host` ruleset...
Thanks @hi120ki. Will test this broadly now that the new Falco release is out. Thanks
Hi @hi120ki, this is a good point actually. For sure we have a few advantages in detecting the syscall directly instead of the `proc.name`, and I agree with the...
Hi, after a period of tests, for sure detecting the syscall mount might bring some advantages as you mentioned. On the other hand, the approach to have `spawned_process` permits us to...
I'm also wondering if we could expand the `/etc/passwd` use case with more broad "Sensitive files", which can also include other files attackers might want to read (ssh keys, sudoers...
Hi @incertum, really good summary and I really like the condition you came up with. I agree with the `fd.nameraw glob *../*../*` in (1) and (3). Nothing to add in...
> Tweaked it a bit, proposing that it could be even simpler - just look for `/etc` any file. Also suspecting `glob` is a more expensive filter, `fd.nameraw contains "../"...
Hi @wcc526, thanks for your PR :) For sure it's addressing a specific security use case, which is great, even though it's related to a 3+ year old vulnerability which...
@leogr I'll rework that and open a new PR :)