From fefb8ba61408055b6759e0075dee363e46b4bc92 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Thu, 21 Sep 2017 08:31:43 -0700
Subject: [PATCH] Allow puppet to run shells. Similar model as chef/qualsys/etc.
---
 rules/falco_rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 0d96c832..ab813f3a 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -379,6 +379,9 @@
 - macro: run_by_chef
   condition: (proc.aname[2]=chef_command_wr or proc.aname[3]=chef_command_wr)
+- macro: run_by_puppet
+  condition: (proc.aname[2]=puppet or proc.aname[3]=puppet)
+
 - macro: run_by_h2o
   condition: (proc.pname=perl and proc.aname[2]=h2o)
@@ -616,6 +619,7 @@
   and not parent_node_running_npm
   and not parent_java_running_sbt
   and not run_by_chef
+  and not run_by_puppet
   output: >
     Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3])
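Review bot: The new `run_by_puppet` macro exempts a shell from the "Shell spawned by untrusted binary" rule whenever the ancestor at depth 2 or 3 merely has the process name `puppet`, and the second hunk wires that exemption into the rule unconditionally; since `proc.aname` is a bare name rather than a verified path or invocation, this allowlist is only as strong as the assumption that nothing else on the host runs under that name, which is weaker than `run_by_chef`'s match on the dedicated `chef_command_wr` wrapper and `run_by_h2o`'s additional `proc.pname=perl` constraint. Please record that assumption next to the macro, e.g. `# Name-only match: any ancestor named "puppet" silences the shell rule; tighten if the engine can match on the ancestor's path or command line.`, and if the ruleset already has a stricter attribute for puppet (an agent wrapper name, or the parent's `proc.pcmdline`) use it the way the neighbouring macros do. The rule that gains `and not run_by_puppet` begins outside the second hunk, so its full condition should be re-read to confirm the new exemption is not broader than the chef one it mirrors.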