mirror of
https://github.com/falcosecurity/falco.git
synced 2026-01-30 06:00:00 +00:00
Review the priorities used by each rule and try to use a consistent set that uses more of the possible priorities. The general guidelines I used were:

- If a rule is related to a write of state (i.e. filesystem, etc.), its priority is ERROR.
- If a rule is related to an unauthorized read of state (i.e. reading sensitive files, etc.), its priority is WARNING.
- If a rule is related to unexpected behavior (spawning an unexpected shell in a container, opening an unexpected network connection, etc.), its priority is NOTICE.
- If a rule is related to behaving against good practices (unexpected privileged containers, containers with sensitive mounts, running interactive commands as root), its priority is INFO.

One exception is that the most FP-prone rule (Run shell untrusted) has a priority of DEBUG.