github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-21 18:01:58 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #220 from dkerwin/add_gitlab_binaries

Browse Source 
Add support for gitlab omnibus containers/pod
This commit is contained in:
Mark Stemm 2017-03-06 11:13:28 -08:00 committed by GitHub
commit 353defe362
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
rules/falco_rules.yaml
View File

@ -113,6 +113,9 @@
- list: db_server_binaries - list: db_server_binaries
items: [mysqld] items: [mysqld]
- list: gitlab_binaries
items: [gitlab-shell, git]
- macro: server_procs - macro: server_procs
condition: proc.name in (http_server_binaries, db_server_binaries, docker_binaries, sshd) condition: proc.name in (http_server_binaries, db_server_binaries, docker_binaries, sshd)
@ -430,7 +433,7 @@
and shell_procs and shell_procs
and proc.pname exists and proc.pname exists
and not proc.pname in (shell_binaries, docker_binaries, k8s_binaries, lxd_binaries, aide_wrapper_binaries, nids_binaries, and not proc.pname in (shell_binaries, docker_binaries, k8s_binaries, lxd_binaries, aide_wrapper_binaries, nids_binaries,
monitoring_binaries, initdb, pg_ctl, awk, apache2, falco, cron) monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, apache2, falco, cron)
and not trusted_containers and not trusted_containers
output: "Shell spawned in a container other than entrypoint (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)" output: "Shell spawned in a container other than entrypoint (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
priority: WARNING priority: WARNING