Don't trigger on shells spawning shells

We'll detect the first shell and not any other shells it spawns.
falcosecurity · Nov 27, 2017 · a0786c7 · a0786c7
1 parent e1cb9d2
commit a0786c7
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -1070,7 +1070,8 @@
     and shell_procs
     and proc.pname exists
     and protected_shell_spawner
-    and not proc.pname in (gitlab_binaries, cron_binaries, erl_child_setup, exechealthz,
+    and not proc.pname in (shell_binaries, gitlab_binaries, cron_binaries,
+                           erl_child_setup, exechealthz,
                            PM2, PassengerWatchd, c_rehash, svlogd, logrotate, hhvm, serf,
                            lb-controller, nvidia-installe, runsv, statsite)
     and not proc.cmdline in (known_shell_spawn_cmdlines)