new(rule): excessively capable containers

Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com> Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com> Co-authored-by: Kaizhe Huang <khuang@aurora.tech>
2025-08-30 21:25:06 +00:00 · 2022-03-30 13:29:20 +00:00 · 2022-03-30 13:29:20 +00:00 · 9fb9215dbf
commit 9fb9215dbf
parent 3a6274ab36
1 changed files with 26 additions and 1 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -1815,7 +1815,7 @@
          registry.access.redhat.com/sematext/agent,
          registry.access.redhat.com/sematext/logagent]

-# These container images are allowed to run with --privileged
+# These container images are allowed to run with --privileged and full set of capabilities
 - list: falco_privileged_images
  items: [
    docker.io/calico/node,
@ -1903,6 +1903,31 @@
  priority: INFO
  tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement]

+# These capabilities were used in the past to escape from containers
+- macro: excessively_capable_container
+  condition: >
+    (thread.cap_permitted contains CAP_SYS_ADMIN
+    or thread.cap_permitted contains CAP_SYS_MODULE
+    or thread.cap_permitted contains CAP_SYS_RAWIO
+    or thread.cap_permitted contains CAP_SYS_PTRACE
+    or thread.cap_permitted contains CAP_SYS_BOOT
+    or thread.cap_permitted contains CAP_SYSLOG
+    or thread.cap_permitted contains CAP_DAC_READ_SEARCH
+    or thread.cap_permitted contains CAP_NET_ADMIN
+    or thread.cap_permitted contains CAP_BPF)
+
+- rule: Launch Excessively Capable Container
+  desc: Detect container started with a powerful set of capabilities. Exceptions are made for known trusted images. 
+  condition: >
+    container_started and container
+    and excessively_capable_container
+    and not falco_privileged_containers
+    and not user_privileged_containers
+  output: Excessively capable container started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag cap_permitted=%thread.cap_permitted)
+  priority: INFO
+  tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement]
+
+
 # For now, only considering a full mount of /etc as
 # sensitive. Ideally, this would also consider all subdirectories
 # below /etc as well, but the globbing mechanism