Closed VVX7 closed 2 months ago
Motivation
Use of relative paths breaks rules that match paths via the starswith operator. For example, Execution from /dev/shm.
starswith
Execution from /dev/shm
Feature
Falco should resolve relative paths.
Alternatives
Accept the performance cost and use a contains operator in the rule.
contains
Additional context
I picked up Falco a few days ago and started poking at rules. Here's my blog post that discusses ways to bypass the Execution from /dev/shm rule.
https://vvx7.io/posts/2024/04/falco-detecting-linux-fileless-malware-execution/
Motivation
Use of relative paths breaks rules that match paths via the
starswithoperator. For example,Execution from /dev/shm.Feature
Falco should resolve relative paths.
Alternatives
Accept the performance cost and use a
containsoperator in the rule.Additional context
I picked up Falco a few days ago and started poking at rules. Here's my blog post that discusses ways to bypass the
Execution from /dev/shmrule.https://vvx7.io/posts/2024/04/falco-detecting-linux-fileless-malware-execution/