Let docker start script spawn shells

2025-07-16 15:51:55 +00:00 · 2017-11-07 11:14:50 -08:00 · 2017-11-07 11:14:50 -08:00 · 24fb84df60
commit 24fb84df60
parent 7550683862
1 changed files with 4 additions and 0 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -373,6 +373,9 @@
 - macro: parent_python_running_zookeeper
  condition: (proc.pcmdline startswith "python /usr/local/bin/cub")

+- macro: parent_docker_start_script
+  condition: (proc.pcmdline="start.sh /opt/docker/conf/start.sh")
+
 - macro: parent_python_running_denyhosts
  condition: >
    (proc.pname=python and
@ -1150,6 +1153,7 @@
    and not node_running_threatstack
    and not parent_python_running_localstack
    and not parent_python_running_zookeeper
+    and not parent_docker_start_script
  output: >
    Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image
    shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3])