mstemm · October 25, 2016 20:14
diff --git a/Falco 0.4.0 Sample Rules b/Falco 0.4.0 Sample Rules
 - rule: File Open by Privileged Container
  desc: Any open by a privileged container. Exceptions are made for known trusted images.
  condition: (open_read or open_write) and container and container.privileged=true and not trusted_containers
  output: File opened for read/write by non-privileged container (user=%user.name command=%proc.cmdline %container.info file=%fd.name)
  priority: WARNING

 - macro: sensitive_mount
  condition: (container.mount.dest[/proc*] != "N/A")

 - rule: Sensitive Mount by Container
  desc: Any open by a container that has a mount from a sensitive host directory (i.e. /proc). Exceptions are made for known trusted images.
  condition: (open_read or open_write) and container and sensitive_mount and not trusted_containers
  output: File opened for read/write by container mounting sensitive directory (user=%user.name command=%proc.cmdline %container.info file=%fd.name)
  priority: WARNING
	- rule: File Open by Privileged Container
	desc: Any open by a privileged container. Exceptions are made for known trusted images.
	condition: (open_read or open_write) and container and container.privileged=true and not trusted_containers
	output: File opened for read/write by non-privileged container (user=%user.name command=%proc.cmdline %container.info file=%fd.name)
	priority: WARNING

	- macro: sensitive_mount
	condition: (container.mount.dest[/proc*] != "N/A")

	- rule: Sensitive Mount by Container
	desc: Any open by a container that has a mount from a sensitive host directory (i.e. /proc). Exceptions are made for known trusted images.
	condition: (open_read or open_write) and container and sensitive_mount and not trusted_containers
	output: File opened for read/write by container mounting sensitive directory (user=%user.name command=%proc.cmdline %container.info file=%fd.name)
	priority: WARNING