From d876da5e9b5d1533c5e9c89ab37cc7215c021634 Mon Sep 17 00:00:00 2001
From: Sarapuce
Date: Fri, 29 Dec 2023 16:21:37 +0100
Subject: [PATCH] feat(rule): simple rule
---
 nsenter.yaml | 9 ---------
 rules/nsenter.yaml | 2 ++
 2 files changed, 2 insertions(+), 9 deletions(-)
 delete mode 100644 nsenter.yaml
 create mode 100644 rules/nsenter.yaml
diff --git a/nsenter.yaml b/nsenter.yaml
deleted file mode 100644
index 6b51030..0000000
--- a/nsenter.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-- macro: container
- condition: container.id != host
-
-- rule: Detect nsenter in a container
- desc: You shouldn't run nsenter in a container
- condition: container and proc.name = bash
- output: >
- nsenter executed in container container.id
- priority: ERROR
diff --git a/rules/nsenter.yaml b/rules/nsenter.yaml
new file mode 100644
index 0000000..d8fa1ce
--- /dev/null
+++ b/rules/nsenter.yaml
@@ -0,0 +1,2 @@
+- list: falco_binaries
+ items: [falcoctl]
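Review bot: The new rules/nsenter.yaml defines only the `falco_binaries` list and no `rule` entry consumes it, so loading this file adds no detection at all, even though the subject says "simple rule" and the only nsenter rule in the repository (root nsenter.yaml) is deleted in the same commit. If the intent was to move the nsenter detection under rules/, a rule that matches on the nsenter process inside a container (the old rule's condition matched `proc.name = bash`, which did not match its own description) should be added alongside the list; otherwise the list is dead configuration, and its name (`falco_binaries` in a file called nsenter.yaml) will confuse the next reader. Whether some other rules file already references `falco_binaries` cannot be determined from this patch. A minimal rule that keeps the container macro semantics from the deleted file would look like the following.
```yaml
# … unchanged: falco_binaries list …

- rule: Detect nsenter in a container
  desc: nsenter was executed inside a container; this is not expected in normal workloads
  condition: container.id != host and proc.name = nsenter
  output: nsenter executed in container (container=%container.id user=%user.name cmdline=%proc.cmdline)
  priority: ERROR
```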