From 9f2edb10a00176a5342dc1ccd7abfc445d0cd4bb Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 14 Oct 2016 16:51:41 -0700
Subject: [PATCH] Allow falco to spawn shells in containers.

Falco is allowed to spawn shells in containers as a part of its program output method.
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 7f670f3e71e..f480b3b2fc6 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -314,7 +314,7 @@
 - rule: Run shell in container
   desc: a shell was spawned by a non-shell program in a container. Container entrypoints are excluded.
-  condition: spawned_process and container and shell_procs and proc.pname exists and not proc.pname in (shell_binaries, docker_binaries, initdb, pg_ctl, awk, apache2)
+  condition: spawned_process and container and shell_procs and proc.pname exists and not proc.pname in (shell_binaries, docker_binaries, initdb, pg_ctl, awk, apache2, falco)
   output: "Shell spawned in a container other than entrypoint (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
   priority: WARNING
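Review bot: Adding `falco` to the `not proc.pname in (...)` list on the new condition line is a name-only exemption: the rule now stays silent for any shell whose parent process is called `falco`, in any container, regardless of which binary that parent actually is, which is wider than the program-output use case the commit message describes. Because the condition keys solely on the parent's name, this exemption cannot distinguish the real falco process from an unrelated process that happens to carry that name, so the rule's coverage for the container in question is reduced rather than narrowed to the intended path; consider expressing the exemption as its own macro combined with an additional attribute that pins it to the actual falco invocation (the hunk does not show which fields the ruleset relies on elsewhere, so the exact field is to be confirmed), or at least documenting the reason inline, e.g. `# falco is exempted because its program output method spawns a shell`. The existing entries in the list have the same property, but only `falco` is added here.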