From 9ed1ff5f26a58d048139601d773b834ee9c4b1c7 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 3 Nov 2017 16:00:03 -0700
Subject: [PATCH] Add additional shell spawning cmdlines/progs

---
 rules/falco_rules.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index dfb46bd1..57cc6bbe 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -431,6 +431,7 @@
 proc.cmdline startswith "sh -c cd '/var/www/edi/';LC_ALL=en_US.UTF-8 git" or
 proc.cmdline startswith "sh -c /var/www/edi/bin/sftp.sh" or
 proc.cmdline startswith "sh -c /usr/src/app/crxlsx/bin/linux/crxlsx" or
+ proc.cmdline startswith "sh -c make parent" or
 proc.pcmdline startswith "node /opt/nodejs/bin/yarn" or
 proc.pcmdline startswith "node /root/.config/yarn" or
 proc.pcmdline startswith "node /opt/yarn/bin/yarn.js"))
@@ -813,7 +814,7 @@
 luajit, uwsgi, cfn-signal, apache_control_, beam.smp, paster, postfix-local, nginx_control, mailmng-service, web_statistic_e, statistics_coll, install-info, hawkular-metric, rhsmcertd-worke, parted, amuled, fluentd, x2gormforward,
- parallels_insta, salt-minion
+ parallels_insta, salt-minion, dnsmng, update-inetd, pum_worker, awstats_buildst
 ]
 
 - rule: Run shell untrusted
@@ -1005,10 +1006,12 @@
 '"sh -c node index"',
 '"sh -c node ./src/start.js"',
 '"sh -c node app.js"',
+ '"sh -c node -e \"require(''nan'')\""',
 '"sh -c node -e \"require(''nan'')\")"',
 '"sh -c node $NODE_DEBUG_OPTION index.js "',
 '"sh -c crontab -l 2"',
 '"sh -c lsb_release -a"',
+ '"sh -c lsb_release -is 2>/dev/null"',
 '"sh -c whoami"',
 '"sh -c node_modules/.bin/bower-installer"',
 '"sh -c /bin/hostname -f 2> /dev/null"',
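Review bot: The new exception `proc.cmdline startswith "sh -c make parent"` is a prefix match, so it also clears any command line that merely begins with that string, whatever follows it, which widens the exemption beyond the single build invocation it appears meant to cover. If the observed invocation is always exactly that string, `proc.cmdline = "sh -c make parent"` pins it to that one case; otherwise a short comment naming the component that runs it would let a maintainer judge whether the prefix form is acceptable. The condition this line belongs to starts before the hunk, so the rule it exempts is not visible here.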
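Review bot: The names appended after `salt-minion` mix a 15-character truncated form (`awstats_buildst`) with full names (`dnsmng`, `update-inetd`, `pum_worker`), following the existing `apache_control_` and `rhsmcertd-worke` entries, but nothing in the file states that convention. A one-line comment above the list such as `# entries are proc.name values, which the kernel truncates to 15 characters` would stop a later edit from adding an untruncated name that never matches and silently leaves the rule firing. The list's header and the rule that consumes it are outside this hunk, so the assumption that these are compared against proc.name should be confirmed against the rule.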
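Review bot: The added `'"sh -c node -e \"require(''nan'')\""'` sits directly above the existing `'"sh -c node -e \"require(''nan'')\")"'`, which differs only by a stray `)` before the closing quote and looks like a typo that this entry corrects rather than a second real invocation. If so, the old entry should be dropped in the same commit, since it would otherwise remain as a dead exception nobody can account for; if both strings are genuinely observed, a comment saying so would save the next reader the same puzzle. The list this hunk belongs to starts before the hunk, so its name and how it is matched are not visible here.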