Reputation: 1
I'm trying to write a rule whose condition depends on the output of a script.sh. I have tried several approaches, but without success.
I searched your documentation but didn't find anything that helped me. I tried several evt or proc fields, but none of them gave me any info.
In fact, this is the rule with which I'm trying to find a workaround:
```yaml
- rule: FIM Custom rule
  desc: Testing rule
  condition: access_log_files and (evt.type=close)
  # The syslog.* fields are only populated on events that carry a syslog message
  # (writes to /dev/log); on a close event they are empty.
  output: Test result (proc_name=%proc.name command=%proc.cmdline evt_type=%evt.type evt.args =%evt.args syslog_.facility_str=%syslog.facility.str syslog_message=%syslog.message)
  priority: WARNING
```
Please consider that I'm running Falco on Docker with the latest image.
When I execute the command `logger test` on the Ubuntu host, I receive this message on the stdout of the Falco Docker container:
```json
{
  "hostname": "dc95654c63c3",
  "output": "01:21:29.759239580: Warning Test result (proc_name=python3 command=python3 /usr/lib/ubuntu-advantage/timer.py evt_type=close evt.args =res=0 syslog_.facility_str= syslog_message=)",
  "priority": "Warning",
  "rule": "FIM Custom rule",
  "source": "syscall",
  "tags": [],
  "time": "2022-12-17T01:21:29.759239580Z",
  "output_fields": {
    "evt.args": "res=0 ",
    "evt.time": 1671240089759239580,
    "evt.type": "close",
    "proc.cmdline": "python3 /usr/lib/ubuntu-advantage/timer.py",
    "proc.name": "python3",
    "syslog.facility.str": null,
    "syslog.message": null
  }
}
```
So please tell me what I can do.
Thanks
Upvotes: 0
Views: 34
Reputation: 16
In order to feed Falco with external sources of events (those that are not kernel syscalls), you'd need to use a Falco plugin. There are plugins to obtain events from Kubernetes, AWS CloudTrail, or even from GitHub. However, there is no plugin that I know of to obtain information from the standard output of a program or from syslog.
Due to the nature of the Falco project, anyone in the community can contribute such a plugin, so I invite you to join the Falco Slack channel and ask around, or even write your own plugin.
Upvotes: 0