Created
March 23, 2020 18:09
-
-
Save vicenteherrera/8f9a4dada31fc1c4bb1da72c089525c8 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - rule: Change thread namespace | |
| desc: > | |
| an attempt to change a program/thread\'s namespace (commonly done | |
| as a part of creating a container) by calling setns. | |
| condition: > | |
| evt.type = setns | |
| and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, | |
| sysdig, nsenter, calico, oci-umount, network_plugin_binaries) | |
| and not proc.name in (user_known_change_thread_namespace_binaries) | |
| and not proc.name startswith "runc" | |
| and not proc.cmdline startswith "containerd" | |
| and not proc.pname in (sysdigcloud_binaries) | |
| and not python_running_sdchecks | |
| and not java_running_sdjagent | |
| and not kubelet_running_loopback | |
| and not rancher_agent | |
| and not rancher_network_manager | |
| and not calico_node | |
| and not weaveworks_scope | |
| and not user_known_change_thread_namespace_activities | |
| output: > | |
| Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline | |
| parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository) | |
| priority: NOTICE | |
| tags: [process] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment