github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-10-22 12:27:10 +00:00
Code Issues Projects Releases Wiki Activity

Let java running sbt spawn shells

Browse Source 
New macro parent_java_running_sbt looks for java running sbt
code (https://github.com/sbt/sbt), and use that macro to allow shells.
This commit is contained in:
Mark Stemm
2017-08-24 10:22:27 -07:00
parent 64a014c356
commit 4e7fcf3f88
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
rules/falco_rules.yaml
View File

@@ -337,6 +337,9 @@
- macro: parent_java_running_echo - macro: parent_java_running_echo
condition: (proc.pname=java and proc.cmdline startswith "sh -c echo") condition: (proc.pname=java and proc.cmdline startswith "sh -c echo")
- macro: parent_java_running_sbt
condition: (proc.pname=java and proc.pcmdline contains sbt-launch.jar)
- macro: parent_scripting_running_builds - macro: parent_scripting_running_builds
condition: > condition: >
(proc.pname in (php,php5-fpm,python,ruby,ruby2.3,node) and ( (proc.pname in (php,php5-fpm,python,ruby,ruby2.3,node) and (
@@ -579,6 +582,7 @@
and not parent_Xvfb_running_xkbcomp and not parent_Xvfb_running_xkbcomp
and not parent_nginx_running_serf and not parent_nginx_running_serf
and not parent_node_running_npm and not parent_node_running_npm
and not parent_java_running_sbt
output: > output: >
Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname
cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3]) cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3])