Changed field in thread.cap_effective
Signed-off-by: darryk10 <[email protected]>
Co-authored-by: Lorenzo Susini <[email protected]>
darryk10 authored and poiana committed May 12, 2022
1 parent c3bcf60 commit 3e60318
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion rules/falco_rules.yaml
Expand Up @@ -3169,7 +3169,7 @@
- rule: Detect release_agent File Container Escapes
desc: "This rule detect an attempt to exploit a container escape using release_agent file. By running a container with certains capabilities, a privileged user can modify release_agent file and escape from the container"
condition:
open_write and container and fd.name endswith release_agent and (user.uid=0 or thread.cap_permitted contains CAP_DAC_OVERRIDE) and thread.cap_effective contains CAP_SYS_ADMIN
open_write and container and fd.name endswith release_agent and (user.uid=0 or thread.cap_effective contains CAP_DAC_OVERRIDE) and thread.cap_effective contains CAP_SYS_ADMIN
output:
"Detect an attempt to exploit a container escape using release_agent file (user=%user.name user_loginuid=%user.loginuid filename=%fd.name %container.info image=%container.image.repository:%container.image.tag cap_effective=%thread.cap_effective)"
priority: CRITICAL
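Review bot: the commit message ("Changed field in thread.cap_effective") does not say why the CAP_DAC_OVERRIDE check moves from thread.cap_permitted to thread.cap_effective; please document the rationale, which the condition itself makes visible: the second clause already requires `thread.cap_effective contains CAP_SYS_ADMIN`, so the rule now evaluates both capabilities against the same set, the one that actually governs the write to release_agent at the time of the open. A permitted-but-not-raised capability does not let the process bypass DAC, so matching on the permitted set could fire on processes that cannot complete the escape, while any process that raises the capability before the write shows it in the effective set anyway. While touching this rule, the unchanged desc has two typos, "This rule detect" should be "This rule detects" and "certains capabilities" should be "certain capabilities"; and the output already prints `cap_effective=%thread.cap_effective`, so the fired alert will show the set the condition tested, which is consistent with the change.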
