github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-30 16:42:14 +00:00
Code Issues Projects Releases Wiki Activity

Don't allow apache2 to spawn shells in containers

Browse Source 
This ensures that interpreted php,perl,etc code run by apache won't be
able to spawn shells, either.

This fixes https://github.com/draios/falco/issues/231.
This commit is contained in:
Mark Stemm 2017-04-06 15:24:21 -07:00
parent 0cabeddf49
commit 955e1d78b1
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/falco_rules.yaml
View File

@ -433,7 +433,7 @@
and shell_procs and shell_procs
and proc.pname exists and proc.pname exists
and not proc.pname in (shell_binaries, docker_binaries, k8s_binaries, lxd_binaries, aide_wrapper_binaries, nids_binaries, and not proc.pname in (shell_binaries, docker_binaries, k8s_binaries, lxd_binaries, aide_wrapper_binaries, nids_binaries,
monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, apache2, falco, cron, erl_child_setup) monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron, erl_child_setup)
and not trusted_containers and not trusted_containers
output: "Shell spawned in a container other than entrypoint (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)" output: "Shell spawned in a container other than entrypoint (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
priority: WARNING priority: WARNING