auditd-whitelisted-process Postoverflow

« auditd-whitelisted-process »
v0.2 by crowdsecurity
Postoverflow

Whitelist some process that are false-positives prone

Installation

cscli postoverflows install crowdsecurity/auditd-whitelisted-process

YAML Configuration

1name: crowdsecurity/auditd-whitelisted-process
2description: "Whitelist some process that are false-positives prone"
3whitelist:
4  reason: "package managers"
5  expression: 
6    - "all(evt.Overflow.Alert.Events, {.GetMeta('parent_progname') in ['/usr/bin/dpkg', '/usr/bin/dnf']})"
7

Hub configuration

« auditd-whitelisted-process »v0.2 by crowdsecurityPostoverflow

« auditd-whitelisted-process »
v0.2 by crowdsecurity
Postoverflow