mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-22 03:49:36 +00:00
For rules where evt.args had useful information but too much information, add back specific values that have just the useful argument from the event:

- spawned shells contain the commandline--it's the exit half of the exec event so the current commandline is what was exec()d to.
- setuid contains the uid being switched to.

While I was testing these, I had a couple of other fixes:

- In the spawn shells rule, only track execve events so you don't catch clone() events that precede an exec.
- in spawn_process only consider the exit half of the exec event.