From cea9c6a377f19b52226e6368cd5280dc9a0d0fa6 Mon Sep 17 00:00:00 2001
From: divious1
Date: Thu, 5 Nov 2020 22:08:20 -0500
Subject: [PATCH] adding lkm rule

Signed-off-by: divious1
---
 rules/falco_rules.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 5af10931d1a..e02059fb252 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -3046,6 +3046,16 @@
   priority: WARNING
   tags: [network]
 
+- list: white_listed_modules
+  items: []
+
+- rule: Linux Kernel Module Injection Detected
+  desc: Detect kernel module was injected (from container).
+  condition: spawned_process and container and proc.name=insmod and not proc.args in (white_listed_modules)
+  output: Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args)
+  priority: WARNING
+  tags: [process]
+
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.
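Review bot: The allowlist check `not proc.args in (white_listed_modules)` compares the complete argument string of the insmod invocation, so a list entry only suppresses the alert when it equals everything after the binary name (flags and path included), not when it names a module; either document that above the list, e.g. `# entries must match the full insmod argument string, e.g. "/lib/modules/foo.ko"`, or compare against the field the list is meant to hold. The output line carries no container identity even though the rule only fires inside a container; appending `container_id=%container.id image=%container.image.repository` to `output:` would match the other container rules in falco_rules.yaml and let a responder triage without a second lookup. Detection keys solely on `proc.name=insmod`, so loads via modprobe or a renamed binary are not covered, which is worth stating in `desc` so operators do not assume broader coverage. The list name would also read more consistently as `user_known_kernel_modules`, following the `user_known_*` naming the default rules use for operator-tunable allowlists.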