Also let terminal shells run innocuous cmdlines

The terminal shell in container rule has always been less permissive than the other shell rules, mostly because we expect terminal-attached shells to be less common. However, they might run innocuous commands, especially from scripting languages like python. So allow the innocuous commands to run.
2025-06-30 08:32:12 +00:00 · 2017-11-09 14:13:04 -08:00 · 2017-11-09 14:13:04 -08:00 · b0bc00224c
commit b0bc00224c
parent 2f4b39ae6f
1 changed files with 1 additions and 0 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -1040,6 +1040,7 @@
  condition: >
    spawned_process and container
    and shell_procs and proc.tty != 0
+    and not proc.cmdline in (known_shell_spawn_cmdlines)
  output: >
    A shell was spawned in a container with an attached terminal (user=%user.name %container.info
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty)