github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-07 03:39:01 +00:00
Code Issues Projects Releases Wiki Activity

Add additional build-like shells

Browse Source 
This time node running git commands.
This commit is contained in:
Mark Stemm 2017-08-23 16:45:44 -07:00
parent 8e46db05c6
commit aaa294abd1
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
rules/falco_rules.yaml
View File

@ -339,13 +339,14 @@
- macro: parent_scripting_running_builds
condition: >
(proc.pname in (php,php5-fpm,python,ruby,ruby2.3) and (
(proc.pname in (php,php5-fpm,python,ruby,ruby2.3,node) and (
proc.cmdline startswith "sh -c git" or
proc.cmdline startswith "sh -c date" or
proc.cmdline startswith "sh -c /usr/bin/g++" or
proc.cmdline startswith "sh -c /usr/bin/gcc" or
proc.cmdline startswith "sh -c gcc" or
proc.cmdline startswith "sh -c if type gcc"))
proc.cmdline startswith "sh -c if type gcc" or
proc.cmdline startswith "sh -c cd '/var/www/edi/';LC_ALL=en_US.UTF-8 git"))
- macro: parent_node_running_npm
condition: proc.pcmdline startswith "node /usr/local/bin/npm"