# A very simple config for introductory purposes only. Not for real-world use: the macros and rules below are deliberately minimal and each one matches a single narrow condition.
# Binary directories: system paths whose contents are not expected to be written to at runtime (referenced by the "System binary is modified" rule below)
bin_dir: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
# Core binaries: standard utilities that are not expected to open network connections (referenced by the network rule below)
core_binaries: proc.name in (ls, mkdir, cat, less, ps)
# Network traffic to/from a standard utility: one of the core_binaries holding an IPv4 (fd.typechar 4) or IPv6 (fd.typechar 6) socket file descriptor
(fd.typechar = 4 or fd.typechar=6) and core_binaries
# System binary is modified: a write event on a file under one of the binary directories. Only the write event is matched, so a binary that is replaced via rename or removed via unlink is not covered by this rule alone.
evt.type = write and bin_dir
# Shell running in container: a process named bash whose container id is not the host. Only bash is matched, so other shells (sh, zsh, ...) are not caught, and a match on proc.name alone is easy for an attacker to evade.
container.id != host and proc.name = bash