github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-29 08:07:24 +00:00
Code Issues Projects Releases Wiki Activity

rule(macro exe_running_docker_save): add new cmdline

Browse Source 
While using Falco, I noticed we were getting many events that were
virtually identical to those that were previously filtered out by the
`exexe_running_docker_save` macro, but where the `cmdline` was something
like `exe /var/run/docker/netns/cc5c7b9bb110 all false`. I believe this
is caused by the use of docker-in-docker.

Signed-off-by: Nicolas Marier <nmarier@coveo.com>
This commit is contained in:
Nicolas Marier 2020-05-15 16:08:27 -04:00 committed by poiana
parent dbd86234ad
commit 0272b94bb1
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
rules/falco_rules.yaml
View File

@ -861,7 +861,8 @@
- macro: exe_running_docker_save - macro: exe_running_docker_save
condition: > condition: >
proc.name = "exe" proc.name = "exe"
and proc.cmdline contains "/var/lib/docker" and (proc.cmdline contains "/var/lib/docker"
or proc.cmdline contains "/var/run/docker")
and proc.pname in (dockerd, docker) and proc.pname in (dockerd, docker)
# Ideally we'd have a length check here as well but sysdig # Ideally we'd have a length check here as well but sysdig