From 1f008d6c39e2557cabc48cf619f64dd3a339bf70 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 11 Aug 2017 15:40:31 -0700
Subject: [PATCH] Let needrestart run shells.

https://github.com/liske/needrestart
---
 rules/falco_rules.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 9033a007..5df23e56 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -279,6 +279,10 @@
 - list: cron_binaries
 items: [anacron, cron, crond]
 
+# https://github.com/liske/needrestart
+- list: needrestart_binaries
+ items: [needrestart, 10-dpkg, 20-rpm, 30-pacman]
+
 # System users that should never log into a system. Consider adding your own
 # service users (e.g. 'apache' or 'mysqld') here.
 - macro: system_users
@@ -533,7 +537,7 @@
 and proc.pname exists and not proc.pname in (cron_binaries, shell_binaries, make_binaries, known_shell_spawn_binaries, docker_binaries, k8s_binaries, package_mgmt_binaries, aide_wrapper_binaries, nids_binaries,
- monitoring_binaries, gitlab_binaries, mesos_slave_binaries, keepalived_binaries)
+ monitoring_binaries, gitlab_binaries, mesos_slave_binaries, keepalived_binaries, needrestart_binaries)
 and not parent_ansible_running_python
 and not parent_bro_running_python
 and not parent_python_running_denyhosts
@@ -668,6 +672,7 @@
 and not proc.pname in (shell_binaries, make_binaries, docker_binaries, k8s_binaries, package_mgmt_binaries, lxd_binaries, mesos_slave_binaries, aide_wrapper_binaries, nids_binaries, user_known_container_shell_spawn_binaries,
+ needrestart_binaries,
 monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm, npm, mysql_install_d, serf, runsv, supervisord, varnishd, crond)
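Review bot: The comment above `needrestart_binaries` is only a URL, so a reader cannot tell why `10-dpkg`, `20-rpm` and `30-pacman` sit in a list of binaries. They look like needrestart's hook scripts rather than standalone programs (inferred from the names; confirm against the package). I would expand the comment to `# needrestart and its hook scripts, which spawn shells to query the package manager. See https://github.com/liske/needrestart` so the next maintainer knows what these generic-looking names are and when they can be removed.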
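Review bot: The new `needrestart_binaries` entry in this `proc.pname in (...)` exclusion is matched on the parent's process name alone, so the shell-spawn alert is suppressed for any parent called `needrestart`, `10-dpkg`, `20-rpm` or `30-pacman`, whatever executable is behind it. The same applies to the list in the last hunk. Because the three hook names are short and carry no product name, I would move them out of the plain list and into a macro that also checks their caller, for example `(proc.pname=needrestart or (proc.pname in (10-dpkg, 20-rpm, 30-pacman) and proc.aname[2]=needrestart))`. The ancestor depth should be verified against a captured event. The rule's condition starts and ends outside this hunk.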
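Review bot: The commit message does not say that needrestart was seen spawning shells inside containers, yet this hunk adds `needrestart_binaries` to what appears to be the container shell rule (the list includes `user_known_container_shell_spawn_binaries`). Every name in this exclusion narrows what the container alert can catch. If the false positive was observed only on hosts, I would leave this list unchanged and keep the exception in the host rule. If it was observed in containers, a short comment next to the entry saying where would justify it. The condition continues outside the hunk on both sides.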