Decrease terminal shell in container to debug

From notice. That way the two main shell-related policies are both at debug.
2025-09-14 22:12:11 +00:00 · 2017-09-13 17:13:11 -07:00
parent d0650688d5
commit 7c8a85158a
1 changed files with 1 additions and 1 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -766,7 +766,7 @@
  output: >
    Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image
    shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3])
-  priority: NOTICE
+  priority: DEBUG
  tags: [container, shell]

 # sockfamily ip is to exclude certain processes (like 'groups') that communicate on unix-domain sockets