Commit
adding lkm rule
Signed-off-by: divious1 <josehelps@gmail.com>
josehelps authored and poiana committed Nov 6, 2020
1 parent c055f02 commit cea9c6a
Showing 1 changed file with 10 additions and 0 deletions.
10 changes: 10 additions & 0 deletions rules/falco_rules.yaml
Expand Up @@ -3046,6 +3046,16 @@
priority: WARNING
tags: [network]

- list: white_listed_modules
items: []

- rule: Linux Kernel Module Injection Detected
desc: Detect kernel module was injected (from container).
condition: spawned_process and container and proc.name=insmod and not proc.args in (white_listed_modules)
output: Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args)
priority: WARNING
tags: [process]

# Application rules have moved to application_rules.yaml. Please look
# there if you want to enable them by adding to
# falco_rules.local.yaml.
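Review bot: the exemption in the `condition` line compares the whole `proc.args` string against `white_listed_modules`, so an entry only suppresses the alert when it equals the complete argument string of the `insmod` invocation (path plus any flags); a module listed by bare name will still fire if it is loaded by full path, and vice versa. Either document this expectation in a comment above `- list: white_listed_modules`, or match on the module path component rather than the full args. Two smaller points: the rule keys on `proc.name=insmod` only, so kernel modules loaded via `modprobe` from a container are not covered by this rule as written, and that gap should be stated in `desc` or handled in a follow-up; and `desc` reads "Detect kernel module was injected (from container)", which should be "Detect a kernel module being injected (from a container)".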
