mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-22 03:49:36 +00:00
31c87c295a
Update fbash rules to use proc.sname instead of proc.aname and to rely on sessions instead of process ancestors. I also wanted to add details on the address/port being listened to but that's blocked on https://github.com/draios/falco/issues/86. Along with this change, there are new positive trace files installer-bash-starts-network-server.scap and installer-bash-starts-session.scap that test these updated rules.