This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
put open_read in the beginning of the rule
Signed-off-by: Hi120ki <[email protected]>
hi120ki committed Sep 15, 2022

This commit was signed with the committer’s verified signature.
1 parent 6a46b0f commit 40ecf54
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion rules/falco_rules.yaml
@@ -3209,7 +3209,7 @@
- rule: Read environment variable from /proc files
desc: An attempt to read process environment variables from /proc files
condition: >
container and open_read and (fd.name glob /proc/*/environ)
open_read and container and (fd.name glob /proc/*/environ)
and not proc.name in (known_binaries_to_read_environment_variables_from_proc_files)
output: >
Environment variables were retrieved from /proc files (user=%user.name user_loginuid=%user.loginuid program=%proc.name
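Review bot: the reordered condition line `open_read and container and (fd.name glob /proc/*/environ)` gives no reason for the new order, and neither does the commit message, which only restates the move. Since `and` makes the old and new forms logically equivalent, a reader cannot tell whether this is a matching/performance change or a style preference. If the intent is to lead with the event-type macro so the event filter comes first in the condition, as Falco's rule-writing guidance recommends, say so in the commit body. It would also be worth checking whether other rules in rules/falco_rules.yaml still start with `container and open_read`, so the file follows one convention.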
