mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-22 03:49:36 +00:00
bed5993500
When we are trying to run an image with negative policy result from Anchore, Falco will alert us.
26 lines
939 B
Python
26 lines
939 B
Python
import string
|
|
|
|
FALCO_RULE_TEMPLATE = string.Template('''
|
|
- macro: anchore_stop_policy_evaluation_containers
|
|
condition: container.image.id in ($images)
|
|
|
|
- rule: Run Anchore Containers with Stop Policy Evaluation
|
|
desc: Detect containers which does not receive a positive Policy Evaluation from Anchore Engine.
|
|
|
|
condition: evt.type=execve and proc.vpid=1 and container and anchore_stop_policy_evaluation_containers
|
|
output: A stop policy evaluation container from anchore has started (%container.info image=%container.image)
|
|
priority: INFO
|
|
tags: [container]
|
|
''')
|
|
|
|
|
|
class CreateFalcoRuleFromAnchoreStopPolicyResults:
|
|
def __init__(self, anchore_client):
|
|
self._anchore_client = anchore_client
|
|
|
|
def run(self):
|
|
images = self._anchore_client.get_images_with_policy_result('stop')
|
|
|
|
images = ['"{}"'.format(image) for image in images]
|
|
return FALCO_RULE_TEMPLATE.substitute(images=', '.join(images))
|