From 151d1e67c594db415f94005ba0ba4315bf483877 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Thu, 24 Aug 2017 14:11:01 -0700
Subject: [PATCH] Add an additional scripting-running-command combo

Add an additional combination of scripting language like php/python/etc + a specific command line to parent_scripting_running_builds.
---
 rules/falco_rules.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 108ff2df..f46c41b5 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -340,16 +340,19 @@
 - macro: parent_java_running_sbt
 condition: (proc.pname=java and proc.pcmdline contains sbt-launch.jar)
+# The crxlsx is a bit different than the other build-like things, but
+# close enough to add here rather than create a separate macro.
 - macro: parent_scripting_running_builds
 condition: >
- (proc.pname in (php,php5-fpm,python,ruby,ruby2.3,node) and (
+ (proc.pname in (php,php5-fpm,php-fpm7.1,python,ruby,ruby2.3,node) and (
 proc.cmdline startswith "sh -c git" or
 proc.cmdline startswith "sh -c date" or
 proc.cmdline startswith "sh -c /usr/bin/g++" or
 proc.cmdline startswith "sh -c /usr/bin/gcc" or
 proc.cmdline startswith "sh -c gcc" or
 proc.cmdline startswith "sh -c if type gcc" or
- proc.cmdline startswith "sh -c cd '/var/www/edi/';LC_ALL=en_US.UTF-8 git"))
+ proc.cmdline startswith "sh -c cd '/var/www/edi/';LC_ALL=en_US.UTF-8 git" or
+ proc.cmdline startswith "sh -c /usr/src/app/crxlsx/bin/linux/crxlsx"))
 - macro: parent_node_running_npm
 condition: proc.pcmdline startswith "node /usr/local/bin/npm"
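Review bot: The new `proc.cmdline startswith "sh -c /usr/src/app/crxlsx/bin/linux/crxlsx"` clause is a prefix match, so any shell command line that merely begins with that path, including one with further commands appended, is exempted for every parent in the list, and adding `php-fpm7.1` extends all the existing prefixes to that parent as well. The added comment already concedes this is not really a build step, and the path looks specific to one deployment, so it would be safer in its own macro tied to the one parent that launches it, e.g. `condition: (proc.pname=php-fpm7.1 and proc.cmdline startswith "sh -c /usr/src/app/crxlsx/bin/linux/crxlsx")` (which parent that is cannot be seen from this hunk; confirm). At minimum the comment should say which rule this exemption is meant to quiet, since the rules that consume `parent_scripting_running_builds` are outside the hunk.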