mirror of
https://github.com/falcosecurity/falco.git
synced 2025-08-24 17:08:52 +00:00
Add rule for shell with terminal in container.
Add a new falco rule "Terminal shell in container" that looks for shells spawned in a container with an attached terminal. This is similar to the existing "Run shell in container" rule, but doesn't have as many exceptions as we expect this to be even less rare.
parent
a86e3fc748
commit
e88612a1af
@ -426,6 +426,15 @@
|
||||
priority: WARNING
|
||||
tags: [users]
|
||||
|
||||
- rule: Terminal shell in container
|
||||
desc: A shell was spawned by a program in a container with an attached terminal.
|
||||
condition: >
|
||||
spawned_process and container
|
||||
and shell_procs and proc.tty != 0
|
||||
output: "A shell was spawned in a container with an attached terminal (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty)"
|
||||
priority: WARNING
|
||||
tags: [container, shell]
|
||||
|
||||
- rule: Run shell in container
|
||||
desc: a shell was spawned by a non-shell program in a container. Container entrypoints are excluded.
|
||||
condition: >
|
||||
|
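Review bot: The condition of the new "Terminal shell in container" rule (`spawned_process and container and shell_procs and proc.tty != 0`) has no exclusions at all, while the desc of the neighbouring "Run shell in container" rule says container entrypoints are excluded. As written, a container whose entrypoint is itself a shell started with a terminal attached would appear to satisfy the new condition. The commit message indicates that fewer exceptions are intended, so either state in the desc that entrypoints and other known-benign parents are deliberately not excluded, or reuse the entrypoint exclusion from the existing rule. The desc also says the shell was "spawned by a program", but nothing in the condition constrains the parent (`proc.pname` appears only in the output), so the wording could be tightened to match what is actually checked. Finally, an interactive shell started by a non-shell program can satisfy both rules; a short comment above the rule on how the two are expected to interact would help anyone tuning them later.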