From c844eb9ef3775ec146515e29da608c10360a3857 Mon Sep 17 00:00:00 2001
From: Stefano
Date: Fri, 2 Sep 2022 15:00:27 +0200
Subject: [PATCH] Added rule to detect CVE-2019-5736
Co-authored-by: wcc526
Signed-off-by: darryk10
---
 rules/falco_rules.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 84593854..ebcd6583 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -3199,6 +3199,21 @@
 priority: CRITICAL
 tags: [mitre_initial_access]
 
+- list: docker_binaries
+ items: [dockerd, containerd-shim, "runc:[1:CHILD]", pause]
+
+- macro: docker_procs
+ condition: proc.name in (docker_binaries)
+
+- rule: Modify Container Entrypoint
+ desc: This rule detect an attempt to write on container entrypoint symlink (/proc/self/exe). Possible CVE-2019-5736 Container Breakout exploitation attempt.
+ condition: >
+ open_write and container and (fd.name=/proc/self/exe or fd.name startswith /proc/self/fd/) and not docker_procs and not proc.cmdline = "runc:[1:CHILD] init"
+ output: >
+ Detect Potential Container Breakout Exploit (CVE-2019-5736) (user=%user.name process=%proc.name file=%fd.name cmdline=%proc.cmdline %container.info)
+ priority: WARNING
+ tags: [container, filesystem, mitre_initial_access]
+
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.
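Review bot: The `not docker_procs` and `not proc.cmdline = "runc:[1:CHILD] init"` exclusions in the new rule's condition are keyed on `proc.name` and `proc.cmdline`, values the process inside the container chooses for itself (executable name, argv, prctl), so a payload that names itself `pause` or `dockerd` writes to `/proc/self/fd/N` without the rule firing; if the deployed Falco exposes an executable-path field, key the exclusion on that instead, otherwise drop the name-based items and accept the extra alert on docker-in-docker hosts. A comment above the list such as `# name-based exclusions: a process can rename itself, so a write suppressed here is not proven benign` would at least stop the next tuner from widening it. The `desc` should also say why `fd.name startswith /proc/self/fd/` is there — if the public exploit write-up is right, the overwrite goes through an O_PATH descriptor on `/proc/self/exe` rather than `/proc/self/exe` itself — because that clause is also the one likely to match ordinary writers of `/proc/self/fd/1`-style paths: `desc: Detects a write to /proc/self/exe, or to a /proc/self/fd/N handle on it, from inside a container. Possible CVE-2019-5736 container breakout attempt.` Finally, `This rule detect` reads as `This rule detects`, and WARNING beside the neighbouring rule's CRITICAL deserves a one-line comment on why the lower priority was chosen (presumably the expected false-positive rate of the startswith clause).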