Skip to content

Commit

Permalink
chore(rules): imporve name of the list for userfaultfd exceptions
Browse files Browse the repository at this point in the history 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
  • Loading branch information
@leodido @poiana
leodido authored and poiana committed Jun 23, 2021
1 parent 9ff8099 commit 98ce88f
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions rules/falco_rules.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3059,7 +3059,7 @@
- macro: consider_userfaultfd_activities
condition: (always_true)

- list: user_known_userfaultfd_activities
- list: user_known_userfaultfd_processes
items: []

- rule: Unprivileged Delegation of Page Faults Handling to a Userspace Process
Expand All @@ -3069,7 +3069,7 @@
evt.type = userfaultfd and
user.uid != 0 and
(evt.rawres >= 0 or evt.res != -1) and
not proc.name in (user_known_userfaultfd_activities)
not proc.name in (user_known_userfaultfd_processes)
output: An userfaultfd syscall was successfully executed by an unprivileged user (user=%user.name user_loginuid=%user.loginuid process=%proc.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
priority: CRITICAL
tags: [syscall, mitre_defense_evasion]
Expand Down

0 comments on commit 98ce88f

Please sign in to comment.