← Library
splApache-2.0from splunk/security_content

Linux Auditd AI CLI Permission Override Activated

This detection identifies when an AI command-line tool is launched in an unsafe mode that bypasses normal safety checks and user approvals. For instance, running claude --dangerously-skip-permissions skips all safety restrictions, allowing the tool to operate freely, while gemini --yolo automatically approves all actions without prompting the user. These modes, often called permission overrides or YOLO mode, let the AI execute commands, modify files, or perform tasks without confirmation. Detecting their use is important to prevent unintended or potentially harmful operations.

Quality
27
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/linux_auditd_ai_cli_permission_override_activated.yml
`linux_auditd` (proctitle = "*gemini*" AND proctitle IN ("*--yolo*", "*-y *")) OR
(proctitle = "*claude*" AND proctitle= "*--dangerously-skip-permissions*")
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
  BY proctitle dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | `linux_auditd_ai_cli_permission_override_activated_filter`