github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-06 16:54:01 +00:00
Code Issues Projects Releases Wiki Activity

Let adclient spawn shells.

Browse Source 
It's not direct, hence the run_by_adclient macro.
This commit is contained in:
Mark Stemm 2017-09-25 07:42:53 -07:00
parent 0e009fc89a
commit a22099c8c3
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
rules/falco_rules.yaml
View File

@ -379,6 +379,9 @@
- macro: run_by_chef - macro: run_by_chef
condition: (proc.aname[2]=chef_command_wr or proc.aname[3]=chef_command_wr) condition: (proc.aname[2]=chef_command_wr or proc.aname[3]=chef_command_wr)
- macro: run_by_adclient
condition: (proc.aname[2]=adclient or proc.aname[3]=adclient)
- macro: run_by_puppet - macro: run_by_puppet
condition: (proc.aname[2]=puppet or proc.aname[3]=puppet) condition: (proc.aname[2]=puppet or proc.aname[3]=puppet)
@ -634,6 +637,7 @@
and not parent_java_running_sbt and not parent_java_running_sbt
and not run_by_chef and not run_by_chef
and not run_by_puppet and not run_by_puppet
and not run_by_adclient
output: > output: >
Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname
cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3]) cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3])