github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-30 08:32:12 +00:00
Code Issues Projects Releases Wiki Activity

Let python running zookeeper spawn shells

Browse Source
This commit is contained in:
Mark Stemm 2017-11-07 10:59:40 -08:00
parent 83c309a6c0
commit fbb5451fd9
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
rules/falco_rules.yaml
View File

@ -370,6 +370,9 @@
- macro: parent_python_running_localstack - macro: parent_python_running_localstack
condition: (proc.pcmdline startswith "python bin/localstack") condition: (proc.pcmdline startswith "python bin/localstack")
- macro: parent_python_running_zookeeper
condition: (proc.pcmdline startswith "python /usr/local/bin/cub")
- macro: parent_python_running_denyhosts - macro: parent_python_running_denyhosts
condition: > condition: >
(proc.pname=python and (proc.pname=python and
@ -881,6 +884,7 @@
and not node_running_bitnami and not node_running_bitnami
and not node_running_threatstack and not node_running_threatstack
and not parent_python_running_localstack and not parent_python_running_localstack
and not parent_python_running_zookeeper
output: > output: >
Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname
cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3] cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3]
@ -1129,6 +1133,7 @@
and not node_running_bitnami and not node_running_bitnami
and not node_running_threatstack and not node_running_threatstack
and not parent_python_running_localstack and not parent_python_running_localstack
and not parent_python_running_zookeeper
output: > output: >
Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image Shell spawned in a container other than entrypoint (user=%user.name %container.info image=%container.image
shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3]) shell=%proc.name pcmdline=%proc.pcmdline cmdline=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3])