Let puma reactor spawn shells

Sample Falco alert: ``` Shell spawned by untrusted binary (user=git shell=sh parent=puma reactor cmdline=sh -c pgrep -fl "unicorn.* worker\[.*?\]" pcmdline=puma reactor gparent=puma ggparent=runsv aname[4]=ru... ``` https://github.com/puma/puma says it is "A Ruby/Rack web server built for concurrency". Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2025-06-30 16:42:14 +00:00 · 2020-01-30 17:11:25 -08:00 · 2020-01-30 17:11:25 -08:00 · 3693b16c91
commit 3693b16c91
parent 48a0f512fb
1 changed files with 2 additions and 1 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -1685,7 +1685,8 @@
                           mesos_shell_binaries,
                           erl_child_setup, exechealthz,
                           PM2, PassengerWatchd, c_rehash, svlogd, logrotate, hhvm, serf,
-                           lb-controller, nvidia-installe, runsv, statsite, erlexec)
+                           lb-controller, nvidia-installe, runsv, statsite, erlexec, calico-node,
+                           "puma reactor")
    and not proc.cmdline in (known_shell_spawn_cmdlines)
    and not proc.aname in (unicorn_launche)
    and not consul_running_net_scripts