Let puma reactor spawn shells

Sample Falco alert: ``` Shell spawned by untrusted binary (user=git shell=sh parent=puma reactor cmdline=sh -c pgrep -fl "unicorn.* worker\[.*?\]" pcmdline=puma reactor gparent=puma ggparent=runsv aname[4]=ru... ``` https://github.com/puma/puma says it is "A Ruby/Rack web server built for concurrency". Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
falcosecurity · Feb 3, 2020 · 3693b16 · 3693b16
1 parent 48a0f51
commit 3693b16
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -1685,7 +1685,8 @@
                            mesos_shell_binaries,
                            erl_child_setup, exechealthz,
                            PM2, PassengerWatchd, c_rehash, svlogd, logrotate, hhvm, serf,
-                           lb-controller, nvidia-installe, runsv, statsite, erlexec)
+                           lb-controller, nvidia-installe, runsv, statsite, erlexec, calico-node,
+                           "puma reactor")
     and not proc.cmdline in (known_shell_spawn_cmdlines)
     and not proc.aname in (unicorn_launche)
     and not consul_running_net_scripts