mirror of
https://github.com/falcosecurity/falco.git
synced 2025-08-27 02:19:05 +00:00
Don't alert on falco program notifications.
Falco itself spawns a shell when using program notifications, so add falco to the set of trusted programs. (Also add some other programs like make, awk, configure, that are run while building).
This commit is contained in:
parent
da77df142f
commit
24c21307d0
@ -270,7 +270,7 @@
|
||||
|
||||
- rule: Run shell untrusted
|
||||
desc: an attempt to spawn a shell by a non-shell program. Exceptions are made for trusted binaries.
|
||||
condition: spawned_process and not container and shell_procs and proc.pname exists and not proc.pname in (cron_binaries, shell_binaries, sshd, sudo, docker_binaries, su, tmux, screen, emacs, systemd, login, flock, fbash, nginx, monit, supervisord, dragent, aws, initdb, docker-compose)
|
||||
condition: spawned_process and not container and shell_procs and proc.pname exists and not proc.pname in (cron_binaries, shell_binaries, sshd, sudo, docker_binaries, su, tmux, screen, emacs, systemd, login, flock, fbash, nginx, monit, supervisord, dragent, aws, initdb, docker-compose, make, configure, awk, falco)
|
||||
output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
|
||||
priority: WARNING
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user