github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-18 07:51:12 +00:00
Code Issues Projects Releases Wiki Activity

update(rules): add macro for dup syscalls

Browse Source 
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
This commit is contained in:
Aldo Lacuku
2022-06-20 15:03:19 +02:00
committed by poiana
parent 07b4d5a47a
commit d90421387f
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
rules/falco_rules.yaml
View File

@@ -2983,9 +2983,12 @@
- macro: user_known_stand_streams_redirect_activities
condition: (never_true)
- macro: dup
condition: evt.type in (dup, dup2, dup3)
- rule: Redirect STDOUT/STDIN to Network Connection in Container
desc: Detect redirecting stdout/stdin to network connection in container (potential reverse shell).
condition: evt.type in (dup, dup2, dup3) and container and evt.rawres in (0, 1, 2) and fd.type in ("ipv4", "ipv6") and not user_known_stand_streams_redirect_activities
condition: dup and container and evt.rawres in (0, 1, 2) and fd.type in ("ipv4", "ipv6") and not user_known_stand_streams_redirect_activities
output: >
Redirect stdout/stdin to network connection (user=%user.name user_loginuid=%user.loginuid %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip)
priority: WARNING