# A very simple config for introductory purposes. Not for real-world use!
# Network traffic to/from standard system utilities
# These utils never communicate on the network - if they do, that is a strong indication
# that something is wrong (rootkit?)
# Note that the full rule lists all ~150 binaries from coreutils; this example only has a few.
- condition: (fd.typechar = 4 or fd.typechar = 6) and proc.name in (ls, mkdir, cat, less, ps)
output: "%evt.time: %proc.name network with %fd.l4proto"
# System binary is modified or a new file is written to standard binary dirs.
# Note: the condition below fires on any open of these directories, including read-only opens
# (e.g. a plain `ls /bin`), and it does not cover openat(); a real-world rule would also require
# that the file is opened for writing (e.g. evt.is_open_write=true) to avoid constant false positives.
- condition: evt.type = open and fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
output: "%evt.time: System binary modified (file '%fd.filename' written by process %proc.name)"
# Shell running in a container. Only bash is matched here; other shells (sh, zsh, ...) are not covered by this example.
- condition: container.id != host and proc.name = bash
output: "%evt.time: Shell running in container (%proc.name, %container.id)"