From 1cdacc1494f68507bc00c8d8fe83a575e1af6fa5 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Thu, 24 Aug 2017 08:58:09 -0700
Subject: [PATCH] Add macro to easily augment shell rule

Add a macro user_shell_container_exclusions that allows a second rules file to easily extend the shelll in container rule without overriding the entire rule.

Also add an exclusion node_running_edi_dynamodb which can be used for that macro.
---
 rules/falco_rules.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 17876ee6..5c8bec46 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -687,6 +687,17 @@
 - list: user_known_container_shell_spawn_binaries
   items: []
 
+# This macro allows for easy additions to the set of commands allowed
+# to run shells in containers without having to override the entire
+# rule. Its default value is an expression that always is false, which
+# becomes true when the "not ..." in the rule is applied.
+- macro: user_shell_container_exclusions
+  condition: (evt.num=0)
+
+# Temporarily adding as an example
+- macro: node_running_edi_dynamodb
+  condition: proc.pname=node and proc.pcmdline contains /var/www/edi/process.js
+
 - rule: Run shell in container
   desc: a shell was spawned by a non-shell program in a container. Container entrypoints are excluded.
   condition: >
@@ -712,6 +723,8 @@
     and not parent_nginx_running_serf
     and not proc.cmdline in (known_container_shell_spawn_cmdlines)
     and not parent_node_running_npm
+    and not user_shell_container_exclusions
+    and not node_running_edi_dynamodb
   output: >
     Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline)
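Review bot: The `node_running_edi_dynamodb` macro keys its exclusion on `proc.pcmdline contains /var/www/edi/process.js`, a substring match against the parent's command line, and the parent process itself sets that string, so any parent named `node` whose arguments merely mention that path is excluded from the shell alert; an exact match (`proc.pcmdline = "node /var/www/edi/process.js"` or `startswith`, whichever fits the real invocation) would be harder to satisfy accidentally. The "Temporarily adding as an example" comment also suggests this site-specific macro does not belong in the shipped default rules at all. The new `user_shell_container_exclusions` comment would be more useful if it showed the intended override, e.g. append `# To extend, redefine this macro in a rules file loaded after this one:` / `#   - macro: user_shell_container_exclusions` / `#     condition: (node_running_edi_dynamodb)`.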
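Review bot: The added `and not node_running_edi_dynamodb` hard-codes the example exclusion into the shipped rule, which defeats the override hook introduced on the line just above it and widens the blind spot for every deployment, not only the one running `/var/www/edi/process.js`. I would drop that line and keep only `and not user_shell_container_exclusions`, leaving site-specific exclusions to a local override of that macro as the commit message describes. The rule's `condition:` block begins before this hunk, so the earlier clauses are not visible here.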