update: add list of known drop and execute containers

Signed-off-by: Lorenzo Susini <[email protected]>

rules/falco_rules.yaml

@@ -490,12 +490,22 @@
     WARNING
   tags: [host, container, filesystem, mitre_discovery, T1546.004]
 
+# List of allowed container images that are known to execute binaries not part of their base image.
+# Users can use this list to better tune the rule below (i.e reducing false positives) by considering their workloads, 
+# since this requires application specific knowledge.
+- list: known_drop_and_execute_containers
+  items: []
+
 - rule: Drop and execute new binary in container
   desc:
     Detect if an executable not belonging to the base image of a container is being executed.
     The drop and execute pattern can be observed very often after an attacker gained an initial foothold.
     is_exe_upper_layer filter field only applies for container runtimes that use overlayfs as union mount filesystem.
-  condition: spawned_process and container and proc.is_exe_upper_layer=true
+  condition: >
+    spawned_process
+    and container
+    and proc.is_exe_upper_layer=true 
+    and not container.image.repository in (known_drop_and_execute_containers)
   output: > 
     Executing binary not part of base image (user=%user.name user_loginuid=%user.loginuid user_uid=%user.uid comm=%proc.cmdline exe=%proc.exe container_id=%container.id
     image=%container.image.repository proc.name=%proc.name proc.sname=%proc.sname proc.pname=%proc.pname proc.aname[2]=%proc.aname[2] exe_flags=%evt.arg.flags