github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-11 02:52:54 +00:00
Code Issues Projects Releases Wiki Activity

Let cilium-cni change namespaces

Browse Source 
Sample Falco alert:

```
Namespace change (setns) by unexpected program (user=root
command=cilium-cni parent=cilium-cni host CID2 CID1 image=<NA>)
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm 2020-01-30 17:09:25 -08:00 committed by poiana
parent 01c9d8ba31
commit 48a0f512fb
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/falco_rules.yaml
View File

@ -1546,7 +1546,7 @@
condition: > condition: >
evt.type = setns evt.type = setns
and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries,
sysdig, nsenter, calico, oci-umount, network_plugin_binaries) sysdig, nsenter, calico, oci-umount, cilium-cni, network_plugin_binaries)
and not proc.name in (user_known_change_thread_namespace_binaries) and not proc.name in (user_known_change_thread_namespace_binaries)
and not proc.name startswith "runc" and not proc.name startswith "runc"
and not proc.cmdline startswith "containerd" and not proc.cmdline startswith "containerd"