rule(macro user_expected_terminal_shell_in_container_conditions): create the macro

A macro like this is useful because configuration management software may need to run containers with an attached terminal to perform some of its duties, and users may want to ignore this behavior. Signed-off-by: Nicolas Marier <nmarier@coveo.com>
2025-08-01 22:47:46 +00:00 · 2020-04-20 11:05:36 -04:00 · 2020-04-20 11:05:36 -04:00 · dbd86234ad
commit dbd86234ad
parent b69bde6bd4
1 changed files with 6 additions and 0 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -1952,12 +1952,18 @@
  priority: INFO
  tags: [users, mitre_remote_access_tools]

+# In some cases, a shell is expected to be run in a container. For example, configuration
+# management software may do this, which is expected.
+- macro: user_expected_terminal_shell_in_container_conditions
+  condition: (never_true)
+
 - rule: Terminal shell in container
  desc: A shell was used as the entrypoint/exec point into a container with an attached terminal.
  condition: >
    spawned_process and container
    and shell_procs and proc.tty != 0
    and container_entrypoint
+    and not user_expected_terminal_shell_in_container_conditions
  output: >
    A shell was spawned in a container with an attached terminal (user=%user.name %container.info
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)