From b58f76b26857fdf4bfb9a6ce780e6a324611d2aa Mon Sep 17 00:00:00 2001 From: Kaizhe Huang Date: Sat, 20 Mar 2021 17:13:13 -0700 Subject: [PATCH] rule (Debugfs Launched in Privileged Container and Mount Launched in Privileged Container): create Signed-off-by: Kaizhe Huang --- rules/falco_rules.yaml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 0a188867..276e1d74 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -3150,6 +3150,30 @@ priority: CRITICAL tags: [filesystem, mitre_privilege_escalation] +- rule: Debugfs Launched in Privileged Container + desc: Detect file system debugger debugfs launched inside a privilegd container which might lead to container escape. + condition: > + spawned_process and container + and container.privileged=true + and proc.name=debugfs + output: Debugfs launched started in a privileged container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag) + priority: WARNING + tags: [container, cis, mitre_lateral_movement] + +- macro: mount_info + condition: (proc.args="" or proc.args intersects ("-V", "-l", "-h")) + +- rule: Mount Launched in Privileged Container + desc: Detect file system mount happened inside a privilegd container which might lead to container escape. + condition: > + spawned_process and container + and container.privileged=true + and proc.name=mount + and not mount_info + output: Mount was executed inside a privileged container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag) + priority: WARNING + tags: [container, cis, mitre_lateral_movement] + # Application rules have moved to application_rules.yaml. Please look # there if you want to enable them by adding to # falco_rules.local.yaml.