Add macro to easily augment shell rule
Add a macro user_shell_container_exclusions that allows a second rules file to easily extend the shell in container rule without overriding the entire rule. Also add an exclusion node_running_edi_dynamodb which can be used for that macro.
This commit is contained in:
parent
ca9e1ebfef
commit
1cdacc1494
@ -687,6 +687,17 @@
|
|||||||
- list: user_known_container_shell_spawn_binaries
|
- list: user_known_container_shell_spawn_binaries
|
||||||
items: []
|
items: []
|
||||||
|
|
||||||
|
# This macro allows for easy additions to the set of commands allowed
|
||||||
|
# to run shells in containers without having to override the entire
|
||||||
|
# rule. Its default value is an expression that always is false, which
|
||||||
|
# becomes true when the "not ..." in the rule is applied.
|
||||||
|
- macro: user_shell_container_exclusions
|
||||||
|
condition: (evt.num=0)
|
||||||
|
|
||||||
|
# Temporarily adding as an example
|
||||||
|
- macro: node_running_edi_dynamodb
|
||||||
|
condition: proc.pname=node and proc.pcmdline contains /var/www/edi/process.js
|
||||||
|
|
||||||
- rule: Run shell in container
|
- rule: Run shell in container
|
||||||
desc: a shell was spawned by a non-shell program in a container. Container entrypoints are excluded.
|
desc: a shell was spawned by a non-shell program in a container. Container entrypoints are excluded.
|
||||||
condition: >
|
condition: >
|
||||||
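Review bot: The `node_running_edi_dynamodb` macro is a site-specific exclusion (`proc.pcmdline contains /var/www/edi/process.js`) placed in the default ruleset, and the second hunk wires it straight into `Run shell in container` with `and not node_running_edi_dynamodb`, so every deployment stops alerting on shells whose parent command line contains that path even though the comment says it is only "Temporarily adding as an example". That undercuts the new `user_shell_container_exclusions` hook, whose point is to keep such exclusions out of the shipped rule; the example belongs in a second rules file that overrides the hook, e.g. `- macro: user_shell_container_exclusions` / `condition: node_running_edi_dynamodb`, and the default rule should carry only `and not user_shell_container_exclusions`. The `contains` match is also a substring test, so it presumably matches any command line embedding that path rather than the specific script, which is worth noting in the comment if the macro is kept. The `(evt.num=0)` default is fine as an always-false placeholder, and the comment above it explains the `not ...` inversion clearly.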
@ -712,6 +723,8 @@
|
|||||||
and not parent_nginx_running_serf
|
and not parent_nginx_running_serf
|
||||||
and not proc.cmdline in (known_container_shell_spawn_cmdlines)
|
and not proc.cmdline in (known_container_shell_spawn_cmdlines)
|
||||||
and not parent_node_running_npm
|
and not parent_node_running_npm
|
||||||
|
and not user_shell_container_exclusions
|
||||||
|
and not node_running_edi_dynamodb
|
||||||
output: >
|
output: >
|
||||||
Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image
|
Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image
|
||||||
shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline)
|
shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline)
|
||||||
|