github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-11 19:12:12 +00:00
Code Issues Projects Releases Wiki Activity

Decrease terminal shell in container to debug

Browse Source 
From notice. That way the two main shell-related policies are both at
debug.
This commit is contained in:
Mark Stemm 2017-09-13 17:13:11 -07:00
parent d0650688d5
commit 7c8a85158a
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/falco_rules.yaml
View File

@ -766,7 +766,7 @@
output: > output: >
Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image
shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3]) shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3])
priority: NOTICE priority: DEBUG
tags: [container, shell] tags: [container, shell]
# sockfamily ip is to exclude certain processes (like 'groups') that communicate on unix-domain sockets # sockfamily ip is to exclude certain processes (like 'groups') that communicate on unix-domain sockets