feat(attack1): add rule to detect nsenter

padok-team · Jan 5, 2024 · 649fca2 · 649fca2
1 parent 3408ae6
commit 649fca2
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 5 deletions.
diff --git a/.github/workflows/release.yaml → .github/workflows/attack1.yaml b/.github/workflows/release.yaml → .github/workflows/attack1.yaml
@@ -1,5 +1,9 @@
-name: Release Rulesfile
-on: push
+name: Release Rulesfile for scenario 1
+on: 
+  push:
+    branches:
+      - feat/attack1
+
 jobs:
 
   Release-Rulesfile:
@@ -11,7 +15,7 @@ jobs:
       packages: write
 
     env:
-      RULESET_FILE: custom_falco_rules.yaml
+      RULESET_FILE: custom_rules1.yaml
       # Used to setup Auth and OCI artifact location
       OCI_REGISTRY: ghcr.io
       # Assuming we are in the main branch, our OCI artifact will

diff --git a/custom_falco_rules.yaml b/custom_falco_rules.yaml
diff --git a/custom_rules1.yaml b/custom_rules1.yaml
@@ -0,0 +1,11 @@
+- macro: container
+  condition: container.id != host
+
+- macro: spawned_process
+  condition: evt.type = execve and evt.dir=<
+
+- rule: run_nsenter
+  desc: nsenter is executed in a container
+  condition: container and proc.name = nsenter and spawned_process and proc.pname exists and not proc.pname in (bash, docker)
+  output: "nsenter used in container (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
+  priority: WARNING