feat(attack1): add rule to detect nsenter

padok-team · Jan 5, 2024 · a19f96f · a19f96f
1 parent 3408ae6
commit a19f96f
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 6 deletions.
diff --git a/.github/workflows/release.yaml → .github/workflows/attack1.yaml b/.github/workflows/release.yaml → .github/workflows/attack1.yaml
@@ -1,5 +1,9 @@
-name: Release Rulesfile
-on: push
+name: Release Rulesfile for scenario 1
+on: 
+  push:
+    branches:
+      - feat/attack1
+
 jobs:
 
   Release-Rulesfile:
@@ -11,13 +15,13 @@ jobs:
       packages: write
 
     env:
-      RULESET_FILE: custom_falco_rules.yaml
+      RULESET_FILE: custom_rules1.yaml
       # Used to setup Auth and OCI artifact location
       OCI_REGISTRY: ghcr.io
       # Assuming we are in the main branch, our OCI artifact will
       # look something like ghcr.io/user/repo/custom-rules:main
       OCI_ARTIFACT_NAME: custom-rules
-      OCI_ARTIFACT_VERSION: ${{ github.ref_name }}
+      OCI_ARTIFACT_VERSION: attack1
 
     steps:
       - name: Checkout Falcoctl Repo

diff --git a/custom_falco_rules.yaml b/custom_falco_rules.yaml
diff --git a/custom_rules1.yaml b/custom_rules1.yaml
@@ -0,0 +1,11 @@
+- macro: container
+  condition: container.id != host
+
+- macro: spawned_process
+  condition: evt.type = execve and evt.dir=<
+
+- rule: run_nsenter
+  desc: nsenter is executed in a container
+  condition: container and proc.name = nsenter and spawned_process and proc.pname exists and not proc.pname in (bash, docker)
+  output: "nsenter used in container (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
+  priority: WARNING