From 42167e53cc8c31ce34c9f1ff3f9262f0bb73633e Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Thu, 24 Aug 2017 10:23:31 -0700
Subject: [PATCH] Let chef write below etc.

New macro run_by_chef is similar to run_by_qualys in that it looks in various places in the process heirarchy. Use that macro to allow writes below etc. Will probably add in more places soon.
---
 rules/falco_rules.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 6cc93508..b5361e33 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -369,6 +369,10 @@
 - macro: run_by_qualys
   condition: (proc.pname=qualys-cloud-ag or proc.aname[2]=qualys-cloud-ag or proc.aname[3]=qualys-cloud-ag)
 
+# Chef is similar.
+- macro: run_by_chef
+  condition: (proc.aname[2]=chef_command_wr or proc.aname[3]=chef_command_wr)
+
 # As a part of kernel upgrades, dpkg will spawn a perl script with the
 # name linux-image-N.N. This macro matches that.
 - macro: parent_linux_image_upgrade_script
@@ -583,6 +587,7 @@
     and not parent_nginx_running_serf
     and not parent_node_running_npm
     and not parent_java_running_sbt
+    and not run_by_chef
   output: >
     Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3])
@@ -738,7 +743,7 @@
     and not node_running_edi_dynamodb
   output: >
     Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image
-    shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline)
+    shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3])
   priority: NOTICE
   tags: [container, shell]
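Review bot: The new `run_by_chef` macro keys only on the ancestor process names at `proc.aname[2]` and `proc.aname[3]`, and a process name is set by whatever launches the process, so every shell whose grandparent or great-grandparent carries the name `chef_command_wr` is excluded from any rule this macro is added to (the shell-spawn rule in the second hunk). That is the same trade-off `run_by_qualys` already makes, but it is worth recording next to the macro so the detection gap is a documented one, e.g. `# NOTE: matches on ancestor name only; any process named chef_command_wr in the ancestry suppresses rules that use this macro.` Unlike `run_by_qualys`, the new macro does not also check `proc.pname`, so a command whose direct parent is `chef_command_wr` is not covered; if that narrower match is intended, a one-line comment saying so would stop the next reader from "fixing" it.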
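Review bot: The only rule this patch adds `and not run_by_chef` to is the shell-spawn rule whose condition continues above this hunk, while the commit title and description say the macro is used to allow writes below etc; as far as this diff shows, no write-below-etc rule is touched, so either the message or the patch is incomplete. The enclosing rule starts outside the hunk, so the condition's first part is not visible here. Either adjust the message to describe the shell-spawn exception that is actually made, or add the intended write-below-etc exception in the same change so the title and the rule set agree.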