mirror of
https://github.com/falcosecurity/falco.git
synced 2026-04-02 18:12:15 +00:00
Adding docker-compose based example of man-in-the-middle attack against installation scripts and how it can be detected using sysdig falco. The docker-compose environment starts a good web server, compromised nginx installation, evil web server, and a copy of sysdig falco. The README walks through the process of compromising a client by using curl http://localhost/get-software.sh | bash and detecting the compromise using ./fbash. The fbash program included in this example fixes https://github.com/draios/falco/issues/46.
16 lines
409 B
Bash
Executable File
#!/bin/bash
# fbash: evaluate a script read from stdin (e.g. curl ... | fbash) as the
# leader of its own session, so the resulting process tree can be told
# apart from the invoking shell.

# Session ID of the current process, as reported by ps.
SID=$(ps --no-heading -o sess --pid $$)

if [ "$SID" -ne "$$" ]; then
    # Not currently a session leader? Run a copy of ourself in a new
    # session, with copies of stdin/stdout/stderr.
    setsid "$0" "$@" < /dev/stdin 1> /dev/stdout 2> /dev/stderr &
    FBASH=$!
    # Forward termination signals to the child so it does not outlive us.
    trap "kill $FBASH; exit" SIGINT SIGTERM
    wait $FBASH
else
    # Just evaluate the commands (from stdin)
    source /dev/stdin
fi