Update fbash rules to use proc.sname.

Update fbash rules to use proc.sname instead of proc.aname and to rely on sessions instead of process ancestors. I also wanted to add details on the address/port being listened to but that's blocked on falcosecurity/falco#86. Along with this change, there are new positive trace files installer-bash-starts-network-server.scap and installer-bash-starts-session.scap that test these updated rules.
falcosecurity · Jun 1, 2016 · 44ff6b7 · 44ff6b7
1 parent 81546ad
commit 44ff6b7
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -312,15 +312,15 @@
 
 # fbash is a small shell script that runs bash, and is suitable for use in curl <curl> | fbash installers.
 - rule: installer_bash_starts_network_server
-  desc: an attempt by any program that is a child of fbash to start listening for network connections
-  condition: evt.type=listen and proc.aname=fbash
-  output: "Unexpected listen call by a child process of fbash (command=%proc.cmdline)"
+  desc: an attempt by any program that is in a session led by fbash to start listening for network connections
+  condition: evt.type=listen and proc.sname=fbash
+  output: "Unexpected listen call by a process in a fbash session (command=%proc.cmdline)"
   priority: WARNING
 
 - rule: installer_bash_starts_session
-  desc: an attempt by any program that is a child of fbash to start a new session (process group)
-  condition: evt.type=setsid and proc.aname=fbash
-  output: "Unexpected setsid call by a child process of fbash (command=%proc.cmdline)"
+  desc: an attempt by any program that is in a session led by fbash to start a new session
+  condition: evt.type=setsid and proc.sname=fbash
+  output: "Unexpected setsid call by a process in fbash session (command=%proc.cmdline)"
   priority: WARNING
 
 ###########################