From ed767561ac79e94e3407b9e9624c94f19d3640f6 Mon Sep 17 00:00:00 2001
From: David de Torres <48695803+daviddetorres@users.noreply.github.com>
Date: Thu, 7 Nov 2019 07:48:34 +0100
Subject: [PATCH] Added list k8s_client_binaries

Added accidentally deleted lines for the list of k8s client binaries.

Signed-off-by: David de Torres
---
 rules/falco_rules.yaml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index ce2290d0..0b85b39e 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2595,13 +2595,16 @@
   priority: CRITICAL
   tags: [process, mitre_execution]
 
-# Application rules have moved to application_rules.yaml. Please look
-# there if you want to enable them by adding to
-# falco_rules.local.yaml.
-
+- list: k8s_client_binaries
+  items: [docker, kubectl, crictl]
+
 - rule: The docker client is executed in a container
   desc: Detect a k8s client tool executed inside a container
   condition: spawned_process and container and proc.name in (k8s_client_binaries)
   output: "Docker or kubernetes client executed in container (user=%user.name %container.info parent=%proc.pname cmdline=%proc.cmdline)"
   priority: WARNING
-  tags: [container, mitre_execution]
\ No newline at end of file
+  tags: [container, mitre_execution]
+
+# Application rules have moved to application_rules.yaml. Please look
+# there if you want to enable them by adding to
+# falco_rules.local.yaml.
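Review bot: The restored `k8s_client_binaries` list is only ever consulted through `proc.name in (k8s_client_binaries)`, so the rule keys on the executable's basename alone and a client copied or renamed to anything else (or invoked through a wrapper) is not detected; this limitation is not recorded anywhere near the list. Since the list now lives right above the rule, it is the natural place to document it, e.g. `# Matched on proc.name only: a renamed or copied client binary will not trigger the rule below.` The rule name "The docker client is executed in a container" also understates what the list covers (kubectl and crictl as well); renaming the rule would change the alert stream consumers filter on, so a `desc` tweak such as `Detect a docker, kubectl or crictl client executed inside a container` is the safer way to make the scope explicit. The rule and list are both fully contained in this hunk.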