Add ignored comms for /etc/shadow access

Signed-off-by: Ben <[email protected]>
kubescape · Feb 23, 2025 · 93b4fc2 · 93b4fc2
1 parent 6d8e3ab
commit 93b4fc2
Showing 1 changed file with 37 additions and 0 deletions.
diff --git a/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go b/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go
@@ -48,6 +48,37 @@ func CreateRuleR0010UnexpectedSensitiveFileAccess() *R0010UnexpectedSensitiveFil
 	}
 }
 
+var legitimateProcessNames = []string{
+	"systemd",
+	"sudo",
+	"passwd",
+	"chpasswd",
+	"useradd",
+	"usermod",
+	"chage",
+	"sshd",
+	"login",
+	"su",
+	"groupadd",
+	"groupmod",
+	"dpkg",
+	"rpm",
+	"ansible",
+	"puppet-agent",
+	"chef-client",
+	"vipw",
+	"pwck",
+	"grpck",
+	"nscd",
+	"cron",
+	"crond",
+	"pam",
+	"snap",
+	"apk",
+	"yum",
+	"dnf",
+}
+
 func (rule *R0010UnexpectedSensitiveFileAccess) SetParameters(parameters map[string]interface{}) {
 	rule.BaseRule.SetParameters(parameters)
 
@@ -108,6 +139,12 @@ func (rule *R0010UnexpectedSensitiveFileAccess) ProcessEvent(eventType utils.Eve
 		return nil
 	}
 
+	for _, processName := range legitimateProcessNames {
+		if processName == openEvent.Comm {
+			return nil
+		}
+	}
+
 	if objCache != nil {
 		for _, open := range appProfileOpenList.Opens {
 			if dynamicpathdetector.CompareDynamic(open.Path, openEvent.FullPath) {