update(rules): improve output of fileless exec rule following style g…

…uide Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com> Signed-off-by: Lorenzo Susini <49318629+loresuso@users.noreply.github.com>
falcosecurity · Sep 14, 2023 · 2bea0de · 2bea0de
1 parent 5d1a451
commit 2bea0de
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml
@@ -1228,7 +1228,7 @@
     spawned_process
     and proc.is_exe_from_memfd=true
     and not known_memfd_execution_processes
-  output: > 
+  output: Fileless execution via memfd_create (container_start_ts=%container.start_ts proc_cwd=%proc.cwd evt_res=%evt.res proc_sname=%proc.sname gparent=%proc.aname[2] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
     Detected fileless execution via memfd_create (user=%user.name user_loginuid=%user.loginuid user_uid=%user.uid comm=%proc.cmdline exe=%proc.exe container_id=%container.id
     image=%container.image.repository proc.name=%proc.name proc.sname=%proc.sname proc.pname=%proc.pname proc.aname[2]=%proc.aname[2] exe_flags=%evt.arg.flags
     proc.exepath=%proc.exepath proc.cwd=%proc.cwd proc.tty=%proc.tty container.start_ts=%container.start_ts proc.sid=%proc.sid proc.vpgid=%proc.vpgid evt.res=%evt.res)