github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-15 23:36:19 +00:00
Code Issues Projects Releases Wiki Activity

Allow puppet to run shells.

Browse Source 
Similar model as chef/qualsys/etc.
This commit is contained in:
Mark Stemm 2017-09-21 08:31:43 -07:00
parent 2bc9d35d37
commit fefb8ba614
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
rules/falco_rules.yaml
View File

@ -379,6 +379,9 @@
- macro: run_by_chef
condition: (proc.aname[2]=chef_command_wr or proc.aname[3]=chef_command_wr)
- macro: run_by_puppet
condition: (proc.aname[2]=puppet or proc.aname[3]=puppet)
- macro: run_by_h2o
condition: (proc.pname=perl and proc.aname[2]=h2o)
@ -616,6 +619,7 @@
and not parent_node_running_npm
and not parent_java_running_sbt
and not run_by_chef
and not run_by_puppet
output: >
Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname
cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3])