From e88612a1af30af34421cfeb7f6b6a4650de28e86 Mon Sep 17 00:00:00 2001
From: Mark Stemm <mark.stemm@sysdig.com>
Date: Tue, 23 May 2017 13:37:44 -0700
Subject: [PATCH] Add rule for shell with terminal in container.

Add a new falco rule "Terminal shell in container" that looks for shells
spawned in a container with an attached terminal. This is similar to the
existing "Run shell in container" rule, but doesn't have as many
exceptions as we expect this to be even less rare.
---
 rules/falco_rules.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 4301eb5a313..c4024f3b7f8 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -426,6 +426,15 @@
   priority: WARNING
   tags: [users]
 
+- rule: Terminal shell in container
+  desc: A shell was spawned by a program in a container with an attached terminal.
+  condition: >
+    spawned_process and container
+    and shell_procs and proc.tty != 0
+  output: "A shell was spawned in a container with an attached terminal (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty)"
+  priority: WARNING
+  tags: [container, shell]
+
 - rule: Run shell in container
   desc: a shell was spawned by a non-shell program in a container. Container entrypoints are excluded.
   condition: >