adding lkm rule

Signed-off-by: divious1 <josehelps@gmail.com>
divious1 2020-11-05 22:08:20 -05:00 committed by poiana
parent c055f02dd0
commit cea9c6a377


@ -3046,6 +3046,16 @@
priority: WARNING
tags: [network]
- list: white_listed_modules
items: []
- rule: Linux Kernel Module Injection Detected
desc: Detect kernel module was injected (from container).
condition: spawned_process and container and proc.name=insmod and not proc.args in (white_listed_modules)
output: Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args)
priority: WARNING
tags: [process]
# Application rules have moved to application_rules.yaml. Please look
# there if you want to enable them by adding to
# falco_rules.local.yaml.
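Review bot: The new rule is scoped with the `container` macro, but its `output` line carries no container identity, so an alert cannot be tied to the workload that loaded the module; the other container-scoped rules in this file include those fields, so the line should read `output: Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args container_id=%container.id image=%container.image.repository)`. The exception `not proc.args in (white_listed_modules)` compares the whole argument string rather than a module name, so entries added to `white_listed_modules` must be the exact full argument string as insmod receives it; a comment above `items: []` such as `# full insmod argument strings, e.g. "/path/to/module.ko"` would make that clear to operators. The condition also matches only `proc.name=insmod`, while modprobe is the other common userland loader; if the intent is to cover module loading generally, `proc.name in (insmod, modprobe)` is the broader check, and a comment naming the chosen scope either way would help. The `desc` text `Detect kernel module was injected (from container).` reads awkwardly and could be `Detect kernel module injection from a container.`.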