new(rules): introduce rule to detect drop and execute pattern in cont… #20
Conversation
|
@loresuso: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
loresuso
changed the title
|
I am putting this on wip because it still needs some more testing. |
There was a problem hiding this comment.
@loresuso it goes without saying what a game changer this rule is. Knocking out an entire class of vulnerabilities in one simple rule is 🔥 !!! And our journey won't end here 😉 .
Also thanks for adding limitations into the desc, as also bind mounts wouldn't be on the upper layer.
loresuso
force-pushed
the
new/rules-exe-upper-layer
branch
2 times, most recently
from
3d93fa8 to
1f2643a
Compare
loresuso
changed the title
rules/falco_rules.yaml
Outdated
| Detect if an executable not belonging to the base image of a container is being executed. | ||
| The drop and execute pattern can be observed very often after an attacker gained an initial foothold. | ||
| is_exe_upper_layer filter field only applies for container runtimes that use overlayfs as union mount filesystem. | ||
| condition: spawned_process and container and proc.is_exe_upper_layer=true |
| The drop and execute pattern can be observed very often after an attacker gained an initial foothold. | ||
| is_exe_upper_layer filter field only applies for container runtimes that use overlayfs as union mount filesystem. | ||
| condition: spawned_process and container and proc.is_exe_upper_layer=true | ||
| output: > |
There was a problem hiding this comment.
I think the output is a bit too much.
There was a problem hiding this comment.
What would you drop from here?
…ainers Signed-off-by: Lorenzo Susini <[email protected]>
loresuso
force-pushed
the
new/rules-exe-upper-layer
branch
from
1f2643a to
4019073
Compare
Signed-off-by: Lorenzo Susini <[email protected]>
loresuso
force-pushed
the
new/rules-exe-upper-layer
branch
from
e9d9627 to
e0e74cb
Compare
Signed-off-by: Lorenzo Susini <[email protected]>
|
LGTM label has been added. Git tree hash: 32c04abde9da8e38f80376bca3bab474e86b7081
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: FedeDP, loresuso The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
This is an incredibly feat @loresuso ! Nice work! |
… new binary in container` Rule was contributed by Lorenzo Susini in #20. Co-authored-by: Lorenzo Susini <[email protected]> Signed-off-by: Jason Dellaluce <[email protected]>
… new binary in container` Rule was contributed by Lorenzo Susini in #20. Co-authored-by: Lorenzo Susini <[email protected]> Signed-off-by: Jason Dellaluce <[email protected]>
… new binary in container` Rule was contributed by Lorenzo Susini in #20. Co-authored-by: Lorenzo Susini <[email protected]> Signed-off-by: Jason Dellaluce <[email protected]>
… new binary in container` Rule was contributed by Lorenzo Susini in #20. Co-authored-by: Lorenzo Susini <[email protected]> Signed-off-by: Jason Dellaluce <[email protected]>
…ainers
Signed-off-by: Lorenzo Susini [email protected]
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area rules
What this PR does / why we need it:
Moving the discussion here from falcosecurity/falco#2306
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer: