Checking it only if running without profile

Signed-off-by: Ben <[email protected]>
kubescape · Feb 23, 2025 · 5c67c17 · 5c67c17
1 parent 93b4fc2
commit 5c67c17
Showing 1 changed file with 7 additions and 6 deletions.
diff --git a/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go b/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go
@@ -133,18 +133,19 @@ func (rule *R0010UnexpectedSensitiveFileAccess) ProcessEvent(eventType utils.Eve
 		if err != nil {
 			return nil
 		}
+	} else {
+		// Running without application profile, to avoid false positives check if the process name is legitimate
+		for _, processName := range legitimateProcessNames {
+			if processName == openEvent.Comm {
+				return nil
+			}
+		}
 	}
 
 	if !utils.IsSensitivePath(openEvent.FullPath, rule.additionalPaths) {
 		return nil
 	}
 
-	for _, processName := range legitimateProcessNames {
-		if processName == openEvent.Comm {
-			return nil
-		}
-	}
-
 	if objCache != nil {
 		for _, open := range appProfileOpenList.Opens {
 			if dynamicpathdetector.CompareDynamic(open.Path, openEvent.FullPath) {