Allow exe_running_docker_save in the "Create Hidden Files or Directories" and "Mkdir binary dirs" rules #1386
Welcome @jhwbarlow! It looks like this is your first PR to falcosecurity/falco 🎉
/assign @mstemm
/cc @Kaizhe
@jhwbarlow, thank you for the PR. I need a couple of things from this PR, can you please provide more detail about:
Thanks a lot! Kaizhe
Hi @Kaizhe
The "Mkdir binary rules" can be triggered with a Dockerfile like so:

```dockerfile
FROM alpine
RUN mkdir /usr/bin/james-was-here
CMD sleep 99d
```

Results in:

For the other rule, I wasn't able to provoke an alert as it is at
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale
/remove-lifecycle stale
/cc @Kaizhe
/lgtm
LGTM label has been added. Git tree hash: 9fa199ad9e4a5300c67e126c9eaca6b47fa2db6f
/close
@leogr: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/reopen
@leogr: Reopened this PR. In response to this:
Signed-off-by: James Barlow <james.barlow@finbourne.com>
…save Signed-off-by: James Barlow <james.barlow@finbourne.com>
LGTM label has been added. Git tree hash: 738b8c0309d722f92a65f61b48118d4b9b397dba
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fntlnz, Kaizhe, leodido, leogr The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Updated the release notes to follow our requirements for the release.
What type of PR is this?
/kind bug
/kind rule-update
Any specific area of the project related to this PR?
/area rules
What this PR does / why we need it:
Adds exe_running_docker_save as an exception to the "Create Hidden Files or Directories" and "Mkdir binary dirs" rules, as these rules can be triggered when a container is created. This brings these rules in line with similar rules which already contain this exception.
Does this PR introduce a user-facing change?:
Yes.