Delete or rename shell history: .ash_history #1605

Closed
mike-stewart opened this issue Apr 7, 2021 · 9 comments · Fixed by #1956
@mike-stewart
Contributor

Describe the bug

The "Delete or rename shell history" rule detects changes to bash, zsh, and fish history files, but does not detect changes to .ash_history. The ash_history file is common for Alpine containers, so it might be a good one to include.

https://github.com/falcosecurity/falco/blob/master/rules/falco_rules.yaml#L2612-L2623

How to reproduce it

Delete or truncate the .ash_history file in an Alpine container.

Expected behaviour

Falco would alert for the "Delete or rename shell history" rule.

Environment

  • Falco version: 0.27.0
  • System info:
  • Cloud provider or hardware configuration:
  • OS: Alpine container running on Amazon Linux nodes
  • Kernel:
  • Installation method: Falco running as a daemonset in Kubernetes

Additional context
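
The coverage gap described in this issue, as an added example that is not part of the original issue and is not Falco's rule or code: a small Python matcher over constructed file events, showing that a name list limited to bash, zsh and fish history files misses deletion and truncation of .ash_history. The event schema, the function names and the conventional history file names are assumptions made for the illustration.

```python
import posixpath

# History basenames for the shells the issue says are already covered
# (conventional file names, assumed for this example).
COVERED = {".bash_history", ".zsh_history", "fish_history"}
# The same set plus the ash history file the issue asks for.
WITH_ASH = COVERED | {".ash_history"}

DELETE_OR_RENAME = {"unlink", "unlinkat", "rename", "renameat", "renameat2"}
OPEN = {"open", "openat"}


def is_history_tamper(event, names):
    """Return True if the event deletes, renames or truncates a history file.

    Matching is on the exact basename, so '.bash_history' never stands in for
    '.ash_history' and unrelated paths such as 'trash_history' do not match.
    """
    if posixpath.basename(event["path"]) not in names:
        return False
    if event["type"] in DELETE_OR_RENAME:
        return True
    # A shell appending to its own history is normal; only truncation is flagged.
    return event["type"] in OPEN and "O_TRUNC" in event.get("flags", ())


# Constructed sample events (hypothetical schema, not Falco's event format).
SAMPLE_EVENTS = [
    {"type": "unlinkat", "path": "/root/.ash_history"},  # file deleted
    {"type": "openat", "path": "/root/.ash_history",
     "flags": ["O_WRONLY", "O_TRUNC"]},                  # file truncated
    {"type": "openat", "path": "/root/.ash_history",
     "flags": ["O_WRONLY", "O_APPEND"]},                 # normal history write
    {"type": "rename", "path": "/home/dev/.bash_history"},
    {"type": "unlink", "path": "/tmp/trash_history"},    # unrelated file
]


def detections(names):
    """Indexes of SAMPLE_EVENTS that would alert for the given name set."""
    return [i for i, e in enumerate(SAMPLE_EVENTS) if is_history_tamper(e, names)]


if __name__ == "__main__":
    print("bash/zsh/fish only:", detections(COVERED))
    print("with .ash_history: ", detections(WITH_ASH))
```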

@poiana
Contributor

poiana commented Jul 7, 2021

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@poiana
Contributor

poiana commented Aug 11, 2021

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

@mike-stewart
Contributor Author

/remove-lifecycle rotten

@poiana
Contributor

poiana commented Nov 9, 2021

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@mike-stewart
Contributor Author

/remove-lifecycle stale

@poiana
Contributor

poiana commented Feb 7, 2022

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@mike-stewart
Contributor Author

/remove-lifecycle stale

@poiana
Contributor

poiana commented May 9, 2022

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@mike-stewart
Contributor Author

/remove-lifecycle stale
