sigma icon indicating copy to clipboard operation
sigma copied to clipboard
verified publisher icon SigmaHQ

fix: FPs on docker images

Open marius-benthin opened this issue 1 month ago • 1 comments

Summary of the Pull Request

Fixes false positives on official Docker images:

  • golang
  • postgres
  • python
  • redis
  • ruby

Changelog

fix: Cron Pathes - filter legit cron filepathes

Example Log Event

/etc/cron.daily/apt
/etc/cron.daily/dpkg
/etc/cron.daily/passwd
/etc/crontabs/root
/etc/crontab

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

marius-benthin avatar Nov 28 '25 10:11 marius-benthin

Do your things @nasbench. I'll give the rule a tweak afterwards to increase coverage (more include paths) but also add the default cron jobs as filters for the distributions that I have lying around.

phantinuss avatar Nov 28 '25 12:11 phantinuss