From 33a28cc17308fd83eac4722843402ec5b9837059 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 5 Oct 2017 08:54:35 -0700 Subject: [PATCH] Let node running yarn spawn shells. --- rules/falco_rules.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 7ddb872f..b7c48c60 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -365,7 +365,8 @@ proc.cmdline startswith "sh -c gcc" or proc.cmdline startswith "sh -c if type gcc" or proc.cmdline startswith "sh -c cd '/var/www/edi/';LC_ALL=en_US.UTF-8 git" or - proc.cmdline startswith "sh -c /usr/src/app/crxlsx/bin/linux/crxlsx")) + proc.cmdline startswith "sh -c /usr/src/app/crxlsx/bin/linux/crxlsx" or + proc.pcmdline="node /opt/nodejs/bin/yarn")) - macro: parent_node_running_npm condition: proc.pcmdline startswith "node /usr/local/bin/npm"