mirror of
https://github.com/falcosecurity/falco.git
synced 2025-07-06 11:26:44 +00:00
Add ability to override shell spawning binaries (#304)
Rename user_known_container_shell_spawn_binaries to user_known_shell_spawn_binaries (the container distinction doesn't exist any longer) and add it as an exception for run shell untrusted. That way others can easily exclude shell spawning programs in a second rules file.
This commit is contained in:
parent
d6d975e28c
commit
af564f17a6
@ -1070,7 +1070,7 @@
|
|||||||
and shell_procs
|
and shell_procs
|
||||||
and proc.pname exists
|
and proc.pname exists
|
||||||
and protected_shell_spawner
|
and protected_shell_spawner
|
||||||
and not proc.pname in (shell_binaries, gitlab_binaries, cron_binaries,
|
and not proc.pname in (shell_binaries, gitlab_binaries, cron_binaries, user_known_shell_spawn_binaries,
|
||||||
erl_child_setup, exechealthz,
|
erl_child_setup, exechealthz,
|
||||||
PM2, PassengerWatchd, c_rehash, svlogd, logrotate, hhvm, serf,
|
PM2, PassengerWatchd, c_rehash, svlogd, logrotate, hhvm, serf,
|
||||||
lb-controller, nvidia-installe, runsv, statsite)
|
lb-controller, nvidia-installe, runsv, statsite)
|
||||||
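Review bot: the new reference to `user_known_shell_spawn_binaries` in this `proc.pname in (...)` exception sits at line ~1070, while the list itself is defined further down at line ~1287 (second hunk). Please confirm that the rules loader resolves list names that are defined later in the same file; if it requires definition before use, move the `- list: user_known_shell_spawn_binaries` block above this macro so the exception does not silently fail to expand.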
@ -1287,7 +1287,7 @@
|
|||||||
# and override the entire run shell in container macro. Once
|
# and override the entire run shell in container macro. Once
|
||||||
# https://github.com/draios/falco/issues/255 is fixed this will be a
|
# https://github.com/draios/falco/issues/255 is fixed this will be a
|
||||||
# bit easier, as someone could append of any of the existing lists.
|
# bit easier, as someone could append of any of the existing lists.
|
||||||
- list: user_known_container_shell_spawn_binaries
|
- list: user_known_shell_spawn_binaries
|
||||||
items: []
|
items: []
|
||||||
|
|
||||||
# This macro allows for easy additions to the set of commands allowed
|
# This macro allows for easy additions to the set of commands allowed
|
||||||
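Review bot: renaming `user_known_container_shell_spawn_binaries` to `user_known_shell_spawn_binaries` is a breaking change for anyone who already overrides the old list name in a second rules file, since their override will no longer attach to anything and the binaries they listed will start firing "Run shell untrusted" again. Consider keeping the old name as an empty, deprecated alias for one release or at least calling out the rename in the changelog. The surrounding comment also still says "override the entire run shell in container macro", which the commit message says no longer exists; update it to name the macro this list now feeds (run shell untrusted).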
|