From c7cb49cdba65f5f50905a9c23d922c894b66d4cf Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Thu, 30 Jan 2020 17:11:25 -0800
Subject: [PATCH] Let puma reactor spawn shells

Sample Falco alert:

```
Shell spawned by untrusted binary (user=git shell=sh parent=puma reactor cmdline=sh -c pgrep -fl "unicorn.* worker\[.*?\]" pcmdline=puma reactor gparent=puma ggparent=runsv aname[4]=ru...
```

https://github.com/puma/puma says it is "A Ruby/Rack web server built for concurrency".

Signed-off-by: Mark Stemm
---
 rules/falco_rules.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index beae1603931..04ac475d958 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1685,7 +1685,8 @@
 mesos_shell_binaries, erl_child_setup, exechealthz, PM2, PassengerWatchd, c_rehash, svlogd, logrotate, hhvm, serf,
- lb-controller, nvidia-installe, runsv, statsite, erlexec)
+ lb-controller, nvidia-installe, runsv, statsite, erlexec, calico-node,
+ "puma reactor")
 and not proc.cmdline in (known_shell_spawn_cmdlines)
 and not proc.aname in (unicorn_launche)
 and not consul_running_net_scripts
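Review bot: The added `"puma reactor"` entry exempts every shell whose parent process name matches, but the alert quoted in the commit message shows a single, specific command line (`sh -c pgrep -fl "unicorn.* worker\[.*?\]"`), and the rule already has a narrower hook for exactly that on the next context line, `and not proc.cmdline in (known_shell_spawn_cmdlines)`. Since a process name is just a string the process sets for itself, an exception keyed on the parent name alone is broader than the evidence warrants; adding the observed command line to the `known_shell_spawn_cmdlines` list (defined outside this hunk) would suppress the same false positive while keeping the rule able to catch other shells spawned under that name. The same `+` line also adds `calico-node`, which the commit message does not mention at all; either a sentence in the message or a trailing comment on that line, e.g. `# calico-node: <sample alert or reason — TODO fill in>`, would let a later maintainer judge whether that exemption is still needed. The `and not proc.pname in (` list this hunk edits opens on a line before the hunk.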