Added rule to detect CVE-2019-5736

Co-authored-by: wcc526 <wcc526@gmail.com>
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Stefano 2022-09-02 15:00:27 +02:00 committed by poiana
parent b71eb7e6ed
commit c844eb9ef3


@ -3199,6 +3199,21 @@
priority: CRITICAL
tags: [mitre_initial_access]
- list: docker_binaries
items: [dockerd, containerd-shim, "runc:[1:CHILD]", pause]
- macro: docker_procs
condition: proc.name in (docker_binaries)
- rule: Modify Container Entrypoint
desc: This rule detect an attempt to write on container entrypoint symlink (/proc/self/exe). Possible CVE-2019-5736 Container Breakout exploitation attempt.
condition: >
open_write and container and (fd.name=/proc/self/exe or fd.name startswith /proc/self/fd/) and not docker_procs and not proc.cmdline = "runc:[1:CHILD] init"
output: >
Detect Potential Container Breakout Exploit (CVE-2019-5736) (user=%user.name process=%proc.name file=%fd.name cmdline=%proc.cmdline %container.info)
priority: WARNING
tags: [container, filesystem, mitre_initial_access]
# Application rules have moved to application_rules.yaml. Please look
# there if you want to enable them by adding to
# falco_rules.local.yaml.
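Review bot: the `fd.name startswith /proc/self/fd/` branch of the condition looks noisy, because any process in a container that writes through `/dev/stdout` or `/dev/stderr` (symlinks to `/proc/self/fd/1` and `/proc/self/fd/2`) will match, and the only exclusions are `docker_procs` and the `runc:[1:CHILD] init` cmdline. Consider either dropping the `startswith` clause or narrowing it to the descriptor pattern the CVE-2019-5736 technique actually uses, and mention the expected false positives in `desc` so operators know what to tune. Two smaller points on the same block: `not proc.cmdline = "runc:[1:CHILD] init"` appears redundant, since `runc:[1:CHILD]` is already in `docker_binaries` and so already covered by `not docker_procs`; and all exclusions key on `proc.name`, which a process inside the container can choose for itself, so anchoring on a field carrying the executable path (such as `proc.exepath`, if available in the targeted Falco version) would make the allow-list harder to bypass. Style: `desc` should read "This rule detects an attempt to write to the container entrypoint symlink (/proc/self/exe)."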