revert and create new known macro
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
This commit is contained in:
parent
d6b5789b7a
commit
30b56d2960
@ -3105,11 +3105,14 @@
|
||||
- macro: mount_info
|
||||
condition: (proc.args="" or proc.args intersects ("-V", "-l", "-h"))
|
||||
|
||||
- macro: user_known_mount_in_privileged_containers
|
||||
- macro: known_gke_mount_in_privileged_containers
|
||||
condition:
|
||||
(k8s.ns.name = kube-system
|
||||
and container.image.repository = gke.gcr.io/gcp-compute-persistent-disk-csi-driver)
|
||||
|
||||
- macro: user_known_mount_in_privileged_containers
|
||||
condition: (never_true)
|
||||
|
||||
- rule: Mount Launched in Privileged Container
|
||||
desc: Detect file system mount happened inside a privileged container which might lead to container escape.
|
||||
condition: >
|
||||
@ -3117,6 +3120,7 @@
|
||||
and container.privileged=true
|
||||
and proc.name=mount
|
||||
and not mount_info
|
||||
and not known_gke_mount_in_privileged_containers
|
||||
and not user_known_mount_in_privileged_containers
|
||||
output: Mount was executed inside a privileged container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
|
||||
priority: WARNING
|
||||
|
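Review bot: The new known_gke_mount_in_privileged_containers exception matches on container.image.repository alone (plus the kube-system namespace), so every image whose reference uses that repository is exempted regardless of tag or digest and regardless of what is being mounted; a reader of the rule file cannot tell from the hunk whether that breadth is intended. A short comment above the macro would make the exception auditable, e.g. `# GKE persistent-disk CSI driver runs privileged in kube-system and mounts volumes as part of normal operation; matched by repository name only (tag/digest not pinned).` If tighter scoping is wanted, the condition could also constrain the mount arguments (proc.args) the driver actually uses, but that depends on driver behaviour not visible here. Note that k8s.ns.name is only populated when Kubernetes metadata is available; when it is not, the exception simply does not match and the rule still fires, which is the safe direction. The rule's condition starts in the first hunk and continues in the second, so the surrounding `- rule:` block is only partly visible in this view.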