github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-05 19:06:44 +00:00
Code Issues Projects Releases Wiki Activity

Add support for gitlab omnibus containers/pod

Browse Source 
(https://docs.gitlab.com/omnibus/README.html).

sysdig-CLA-1.0-signed-off-by: Daniel Kerwin <daniel@linuxaddicted.de>
This commit is contained in:
Daniel Kerwin 2017-03-06 17:20:13 +01:00
parent 561c388dab
commit 537565d27a
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
rules/falco_rules.yaml
View File

@ -113,6 +113,9 @@
- list: db_server_binaries - list: db_server_binaries
items: [mysqld] items: [mysqld]
- list: gitlab_binaries
items: [gitlab-shell, git]
- macro: server_procs - macro: server_procs
condition: proc.name in (http_server_binaries, db_server_binaries, docker_binaries, sshd) condition: proc.name in (http_server_binaries, db_server_binaries, docker_binaries, sshd)
@ -430,7 +433,7 @@
and shell_procs and shell_procs
and proc.pname exists and proc.pname exists
and not proc.pname in (shell_binaries, docker_binaries, k8s_binaries, lxd_binaries, aide_wrapper_binaries, nids_binaries, and not proc.pname in (shell_binaries, docker_binaries, k8s_binaries, lxd_binaries, aide_wrapper_binaries, nids_binaries,
monitoring_binaries, initdb, pg_ctl, awk, apache2, falco, cron) monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, apache2, falco, cron)
and not trusted_containers and not trusted_containers
output: "Shell spawned in a container other than entrypoint (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)" output: "Shell spawned in a container other than entrypoint (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
priority: WARNING priority: WARNING