From af564f17a613f5dc86c0fd3241eb0950de29d00c Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 1 Dec 2017 12:30:04 -0800
Subject: [PATCH] Add ability to override shell spawning binaries (#304)

Rename user_known_container_shell_spawn_binaries to user_known_shell_spawn_binaries (the container distinction doesn't exist any longer) and add it as an exception for run shell untrusted. That way others can easily exclude shell spawning programs in a second rules file.
---
 rules/falco_rules.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 5c35fd6b..d7ce1395 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1070,7 +1070,7 @@
 and shell_procs and proc.pname exists and protected_shell_spawner
- and not proc.pname in (shell_binaries, gitlab_binaries, cron_binaries,
+ and not proc.pname in (shell_binaries, gitlab_binaries, cron_binaries, user_known_shell_spawn_binaries, erl_child_setup, exechealthz, PM2, PassengerWatchd, c_rehash, svlogd, logrotate, hhvm, serf, lb-controller, nvidia-installe, runsv, statsite)
@@ -1287,7 +1287,7 @@
 # and override the entire run shell in container macro. Once # https://github.com/draios/falco/issues/255 is fixed this will be a # bit easier, as someone could append of any of the existing lists.
-- list: user_known_container_shell_spawn_binaries
+- list: user_known_shell_spawn_binaries
 items: [] # This macro allows for easy additions to the set of commands allowed
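Review bot: The new exception in the `Run shell untrusted` condition is matched on `proc.pname`, so each entry placed in `user_known_shell_spawn_binaries` suppresses the alert for every parent process carrying that name, independent of its path; the list definition in the second hunk should say so, e.g. `# Matched on parent process name only (proc.pname), not path; list only programs that are expected to spawn shells.` The comment block directly above that list still presents overriding the whole macro as the only way to add exceptions, which this change makes unnecessary, so it should instead point users at appending to this list from a second rules file. The rename also removes `user_known_container_shell_spawn_binaries` without keeping the old name defined, so a second rules file that still appends to the old name will presumably no longer influence this rule; that is worth a line in the list comment or the changelog. The `Run shell untrusted` rule begins above the first hunk, and the remainder of its condition is outside this diff.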