From 649fca2bce63dccab36a33ccc9fac881bb9ee4f2 Mon Sep 17 00:00:00 2001 From: Sarapuce Date: Fri, 5 Jan 2024 16:10:50 +0100 Subject: [PATCH] feat(attack1): add rule to detect nsenter --- .github/workflows/{release.yaml => attack1.yaml} | 10 +++++++--- custom_falco_rules.yaml | 2 -- custom_rules1.yaml | 11 +++++++++++ 3 files changed, 18 insertions(+), 5 deletions(-) rename .github/workflows/{release.yaml => attack1.yaml} (92%) delete mode 100644 custom_falco_rules.yaml create mode 100644 custom_rules1.yaml diff --git a/.github/workflows/release.yaml b/.github/workflows/attack1.yaml similarity index 92% rename from .github/workflows/release.yaml rename to .github/workflows/attack1.yaml index 7dedb0d..5003fff 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/attack1.yaml @@ -1,5 +1,9 @@ -name: Release Rulesfile -on: push +name: Release Rulesfile for scenario 1 +on: + push: + branches: + - feat/attack1 + jobs: Release-Rulesfile: @@ -11,7 +15,7 @@ jobs: packages: write env: - RULESET_FILE: custom_falco_rules.yaml + RULESET_FILE: custom_rules1.yaml # Used to setup Auth and OCI artifact location OCI_REGISTRY: ghcr.io # Assuming we are in the main branch, our OCI artifact will diff --git a/custom_falco_rules.yaml b/custom_falco_rules.yaml deleted file mode 100644 index d8fa1ce..0000000 --- a/custom_falco_rules.yaml +++ /dev/null @@ -1,2 +0,0 @@ -- list: falco_binaries - items: [falcoctl] diff --git a/custom_rules1.yaml b/custom_rules1.yaml new file mode 100644 index 0000000..f05f960 --- /dev/null +++ b/custom_rules1.yaml 
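Review bot: The context comment `# Assuming we are in the main branch, our OCI artifact will` in the second workflow hunk is contradicted by the first hunk, which now triggers only on `branches: - feat/attack1`; a workflow holding `packages: write` will therefore publish the rulesfile artifact from a feature branch rather than from main. If publishing from the scenario branch is intended, update the comment (and presumably the artifact tag logic, which continues outside the hunk) to say so; otherwise keep the trigger on main and gate the scenario a different way. The rest of the `env:` block, including whatever the comment introduces, lies outside the hunk.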
@@ -0,0 +1,11 @@ +- macro: container + condition: container.id != host + +- macro: spawned_process + condition: evt.type = execve and evt.dir=< + +- rule: run_nsenter + desc: nsenter is executed in a container + condition: container and proc.name = nsenter and spawned_process and proc.pname exists and not proc.pname in (bash, docker) + output: "nsenter used in container (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)" + priority: WARNING
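Review bot: The exclusion `not proc.pname in (bash, docker)` in `run_nsenter` suppresses the case the rule's own `desc` describes, since nsenter run by hand from a bash shell inside a container has `proc.pname = bash` and will never alert; if the intent is to silence a specific tool, exclude that tool rather than every interactive shell, e.g. `condition: container and spawned_process and proc.name = nsenter and proc.pname exists and not proc.pname in (docker)`. Separately, `spawned_process` is defined as `evt.type = execve and evt.dir=<`, which is narrower than Falco's stock macro `evt.type in (execve, execveat) and evt.dir=<`; because a macro defined here overrides a same-named macro when the file is loaded alongside the default ruleset (presumably how the OCI artifact is consumed), the narrower definition would also weaken every default rule that uses it, so either match the stock form or give the macros file-specific names. The `shell=%proc.name` label in `output` is always `nsenter` given the condition and is misleading next to `parent=%proc.pname`; consider dropping it or renaming it `proc=`.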