github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-11 02:52:54 +00:00
Code Issues Projects Releases Wiki Activity

Added rule to detect k8s client tool in container

Browse Source 
The rule detects the execution of the k8s client tool in a container and
logs it with WARNING priority.

Signed-off-by: David de Torres <detorres.david@gmail.com>
This commit is contained in:
David de Torres 2019-11-07 01:42:10 +01:00 committed by Lorenzo Fontana
parent ae7924cc41
commit 98becedebb
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
rules/falco_rules.yaml
View File

@ -2599,3 +2599,9 @@
# there if you want to enable them by adding to # there if you want to enable them by adding to
# falco_rules.local.yaml. # falco_rules.local.yaml.
- rule: The docker client is executed in a container
desc: Detect a k8s client tool executed inside a container
condition: spawned_process and container and proc.name in (k8s_client_binaries)
output: "Docker or kubernetes client executed in container (user=%user.name %container.info parent=%proc.pname cmdline=%proc.cmdline)"
priority: WARNING
tags: [container, mitre_execution]