From 24c21307d0e6a98ad10a08460836eb0e494b986b Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Tue, 23 Aug 2016 14:12:28 -0700
Subject: [PATCH] Don't alert on falco program notifications.

Falco itself spawns a shell when using program notifications, so add falco to the set of trusted programs. (Also add some other programs like make, awk, configure, that are run while building).
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index dd387498..bea8769d 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -270,7 +270,7 @@
 - rule: Run shell untrusted
   desc: an attempt to spawn a shell by a non-shell program. Exceptions are made for trusted binaries.
-  condition: spawned_process and not container and shell_procs and proc.pname exists and not proc.pname in (cron_binaries, shell_binaries, sshd, sudo, docker_binaries, su, tmux, screen, emacs, systemd, login, flock, fbash, nginx, monit, supervisord, dragent, aws, initdb, docker-compose)
+  condition: spawned_process and not container and shell_procs and proc.pname exists and not proc.pname in (cron_binaries, shell_binaries, sshd, sudo, docker_binaries, su, tmux, screen, emacs, systemd, login, flock, fbash, nginx, monit, supervisord, dragent, aws, initdb, docker-compose, make, configure, awk, falco)
   output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
   priority: WARNING
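Review bot: Adding `awk` (and, to a lesser degree, `make`) to the trusted-parent allowlist in the new `condition:` line silences this rule for a well-known shell-escape path (`awk 'BEGIN{system("/bin/sh")}'` and `make` recipes running arbitrary commands), on every host that loads the default rules, not just build machines. Since the file already groups parents into lists such as `cron_binaries` and `docker_binaries`, the build tools would be safer as a separate list that deployments not doing builds can empty or override: `- list: build_binaries`, `  items: [make, configure, awk]`, and in the condition `..., docker-compose, build_binaries, falco)`. Note also that `proc.pname` is a bare process name, so a copied binary named `falco` or `awk` is likewise exempt; a comment on the rule stating that exceptions are by name only, e.g. `# NOTE: exceptions match on parent process name only and are trivially spoofable`, would make the accepted tradeoff explicit. The `Run shell untrusted` rule is fully visible in the hunk.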