github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-04 10:26:40 +00:00
Code Issues Projects Releases Wiki Activity

Added list k8s_client_binaries

Browse Source 
Added accidentally deleted lines for the list of k8s client binaries.

Signed-off-by: David de Torres <detorres.david@gmail.com>
This commit is contained in:
David de Torres 2019-11-07 07:48:34 +01:00 committed by Lorenzo Fontana
parent 98becedebb
commit ed767561ac
1 changed files with 8 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
rules/falco_rules.yaml
View File

@ -2595,13 +2595,16 @@
priority: CRITICAL
tags: [process, mitre_execution]
# Application rules have moved to application_rules.yaml. Please look
# there if you want to enable them by adding to
# falco_rules.local.yaml.
- list: k8s_client_binaries
items: [docker, kubectl, crictl]
- rule: The docker client is executed in a container
desc: Detect a k8s client tool executed inside a container
condition: spawned_process and container and proc.name in (k8s_client_binaries)
output: "Docker or kubernetes client executed in container (user=%user.name %container.info parent=%proc.pname cmdline=%proc.cmdline)"
priority: WARNING
tags: [container, mitre_execution]
tags: [container, mitre_execution]
# Application rules have moved to application_rules.yaml. Please look
# there if you want to enable them by adding to
# falco_rules.local.yaml.