From 632fe4bf376da29c85fc33cf746044519d327989 Mon Sep 17 00:00:00 2001
From: Thomas Baag
Date: Wed, 16 Jul 2025 19:44:58 +0200
Subject: [PATCH] process.parent.command operand added
---
 daemon/rule/operator.go | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/daemon/rule/operator.go b/daemon/rule/operator.go
index 67dc1a6161..21c7a4b827 100644
--- a/daemon/rule/operator.go
+++ b/daemon/rule/operator.go
@@ -42,6 +42,7 @@ const (
 OpProcessID = Operand("process.id")
 OpProcessPath = Operand("process.path")
 OpProcessParentPath = Operand("process.parent.path")
+ OpProcessParentCmd = Operand("process.parent.command")
 OpProcessCmd = Operand("process.command")
 OpProcessEnvPrefix = Operand("process.env.")
 OpProcessEnvPrefixLen = 12
@@ -341,6 +342,15 @@ func (o *Operator) Match(con *conman.Connection, hasChecksums bool) bool {
 }
 }
 return false
+ } else if o.Operand == OpProcessParentCmd {
+ p := con.Process
+ for pp := p.Parent; pp != nil; pp = pp.Parent {
+ pp.ReadCmdline()
+ if o.cb(strings.Join(pp.Args, " ")) {
+ return true
+ }
+ }
+ return false
 } else if o.Operand == OpProcessCmd {
 return o.cb(strings.Join(con.Process.Args, " "))
 } else if o.Operand == OpDstHost && con.DstHost != "" {
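Review bot: In the new `OpProcessParentCmd` branch of `Match`, `o.cb` is still evaluated when `pp.Args` is empty after `pp.ReadCmdline()`, whose outcome is not checked here, so an ancestor whose command line could not be read (for instance one that has already exited; inferred, since `ReadCmdline` is not visible in this hunk) is compared as the empty string; consider `if len(pp.Args) == 0 { continue }` before the callback. The matched value is argv as reported by the ancestor processes themselves, and `strings.Join(pp.Args, " ")` drops argument boundaries, so I would add a comment such as `// NOTE: parent argv is process-controlled and any ancestor may match; not an identity check` so rule authors pair this operand with a path-based one. `p := con.Process` is used only once and can be folded into the loop header as `for pp := con.Process.Parent; pp != nil; pp = pp.Parent {`. `Match` begins before and continues after this hunk.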