Merge pull request #242 from draios/container-shell-with-tty

Add rule for shell with terminal in container.
falcosecurity · May 24, 2017 · 277d8ab · 277d8ab
2 parents 697d718 + e88612a
commit 277d8ab
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -426,6 +426,15 @@
   priority: WARNING
   tags: [users]
 
+- rule: Terminal shell in container
+  desc: A shell was spawned by a program in a container with an attached terminal.
+  condition: >
+    spawned_process and container
+    and shell_procs and proc.tty != 0
+  output: "A shell was spawned in a container with an attached terminal (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty)"
+  priority: WARNING
+  tags: [container, shell]
+
 - rule: Run shell in container
   desc: a shell was spawned by a non-shell program in a container. Container entrypoints are excluded.
   condition: >