github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-01 06:29:47 +00:00
Code Issues Projects Releases Wiki Activity

Add more debugging for shells

Browse Source 
Used to track down deeper chains of shells for things like ansible, chef.
This commit is contained in:
Mark Stemm 2017-08-23 16:50:58 -07:00
parent 608d4e234f
commit ac70325522
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/falco_rules.yaml
View File

@ -573,7 +573,7 @@
and not parent_node_running_npm
output: >
Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname
cmdline=%proc.cmdline pcmdline=%proc.pcmdline)
cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3])
priority: DEBUG
tags: [host, shell]