chainguard-dev / malcontent

#supply #chain #attack #detection
Apache License 2.0

Add filesize condition to linux_multi_persist rule #515

Closed egibs closed 1 month ago

egibs commented 1 month ago

Follow-up for: https://github.com/wolfi-dev/os/pull/30457

This PR initially added a Gitaly override rule for linux_persist_multi but now adds a filesize < 20MB condition which will automatically ignore larger files (gitaly was ~270-280MB).

egibs commented 1 month ago

Looks good. I also wonder if the original rule should be guarded by a file size. IMHO, any Linux binary over 10-20MB is unlikely to be a persistence dropper.

Good point. I'll rework the PR to add the filesize limit which will make the override moot.
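
An added example, not code from this PR or from malcontent: a hypothetical YARA rule showing where the `filesize < 20MB` guard discussed above sits in a rule's condition. The rule name, the string set and the ELF magic check are assumptions made for illustration.

```yara
// Hypothetical rule for illustration; not malcontent's actual persistence rule.
rule example_linux_multi_persist_guarded
{
    meta:
        description = "Constructed example: ELF referencing several Linux persistence locations, small files only"

    strings:
        // Constructed string set: common Linux persistence locations
        $cron_d    = "/etc/cron.d/"
        $crontab   = "/etc/crontab"
        $systemd   = "/etc/systemd/system/"
        $rc_local  = "/etc/rc.local"
        $init_d    = "/etc/init.d/"
        $profile_d = "/etc/profile.d/"

    condition:
        // Size guard from the PR discussion: files of 20MB or more never match,
        // so a ~270-280MB binary such as gitaly needs no separate override rule.
        filesize < 20MB and
        // ELF magic at offset 0 (bytes 7F 45 4C 46 read as a little-endian uint32)
        uint32(0) == 0x464c457f and
        // "multi": several distinct persistence locations in one file
        3 of them
}
```

Because the guard is part of the rule's own condition, it applies to every large file rather than to one named binary, which is why it makes a per-package override unnecessary.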