github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-01 09:02:18 +00:00
Code Issues Projects Releases Wiki Activity

Also let terminal shells run innocuous cmdlines

Browse Source 
The terminal shell in container rule has always been less permissive
than the other shell rules, mostly because we expect terminal-attached
shells to be less common. However, they might run innocuous commands,
especially from scripting languages like python. So allow the innocuous
commands to run.
This commit is contained in:
Mark Stemm 2017-11-09 14:13:04 -08:00
parent 2f4b39ae6f
commit b0bc00224c
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
rules/falco_rules.yaml
View File

@ -1040,6 +1040,7 @@
condition: > condition: >
spawned_process and container spawned_process and container
and shell_procs and proc.tty != 0 and shell_procs and proc.tty != 0
and not proc.cmdline in (known_shell_spawn_cmdlines)
output: > output: >
A shell was spawned in a container with an attached terminal (user=%user.name %container.info A shell was spawned in a container with an attached terminal (user=%user.name %container.info
shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty) shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty)