Update fbash rules to use proc.sname.

Update fbash rules to use proc.sname instead of proc.aname and to rely on sessions instead of process ancestors. I also wanted to add details on the address/port being listened to but that's blocked on https://github.com/draios/falco/issues/86. Along with this change, there are new positive trace files installer-bash-starts-network-server.scap and installer-bash-starts-session.scap that test these updated rules.
2025-07-12 05:58:26 +00:00 · 2016-05-31 17:41:08 -07:00 · 2016-05-31 17:41:08 -07:00 · 31c87c295a
commit 31c87c295a
parent e9cdd46838
1 changed files with 6 additions and 6 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -312,15 +312,15 @@

 # fbash is a small shell script that runs bash, and is suitable for use in curl <curl> | fbash installers.
 - rule: installer_bash_starts_network_server
-  desc: an attempt by any program that is a child of fbash to start listening for network connections
-  condition: evt.type=listen and proc.aname=fbash
-  output: "Unexpected listen call by a child process of fbash (command=%proc.cmdline)"
+  desc: an attempt by any program that is in a session led by fbash to start listening for network connections
+  condition: evt.type=listen and proc.sname=fbash
+  output: "Unexpected listen call by a process in a fbash session (command=%proc.cmdline)"
  priority: WARNING

 - rule: installer_bash_starts_session
-  desc: an attempt by any program that is a child of fbash to start a new session (process group)
-  condition: evt.type=setsid and proc.aname=fbash
-  output: "Unexpected setsid call by a child process of fbash (command=%proc.cmdline)"
+  desc: an attempt by any program that is in a session led by fbash to start a new session
+  condition: evt.type=setsid and proc.sname=fbash
+  output: "Unexpected setsid call by a process in fbash session (command=%proc.cmdline)"
  priority: WARNING

 ###########################