From aaa294abd1643f19037d30bcfb580cd271574595 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 23 Aug 2017 16:45:44 -0700
Subject: [PATCH] Add additional build-like shells

This time node running git commands.
---
 rules/falco_rules.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index a7bd4cfd..8c0dc0f2 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -339,13 +339,14 @@
 
 - macro: parent_scripting_running_builds
   condition: >
-    (proc.pname in (php,php5-fpm,python,ruby,ruby2.3) and (
+    (proc.pname in (php,php5-fpm,python,ruby,ruby2.3,node) and (
        proc.cmdline startswith "sh -c git" or
        proc.cmdline startswith "sh -c date" or
        proc.cmdline startswith "sh -c /usr/bin/g++" or
        proc.cmdline startswith "sh -c /usr/bin/gcc" or
        proc.cmdline startswith "sh -c gcc" or
-       proc.cmdline startswith "sh -c if type gcc"))
+       proc.cmdline startswith "sh -c if type gcc" or
+       proc.cmdline startswith "sh -c cd '/var/www/edi/';LC_ALL=en_US.UTF-8 git"))
 
 - macro: parent_node_running_npm
   condition: proc.pcmdline startswith "node /usr/local/bin/npm"
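Review bot: Adding `node` to the shared `proc.pname in (...)` list exempts more than the commit message describes: node now inherits every prefix in the macro (`sh -c date`, the gcc/g++ entries), not only the git ones, and node is commonly a network-facing runtime, so a shell spawned under it is a case the shell-spawn rules presumably exist to flag (the rules that consume this macro are outside the hunk). A separate clause would keep the exemption to what was actually observed, e.g. `or (proc.pname=node and proc.cmdline startswith "sh -c git")`. Because `startswith` constrains only the prefix, whatever the shell command carries after `git` is exempted as well, which deserves a comment above the macro such as `# NOTE: prefix match only; the rest of the command line is not checked`. The `'/var/www/edi/'` entry is a single deployment's path and would sit better in a site-local override than in the default ruleset.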