Added rule to detect k8s client tool in container

The rule detects the execution of the k8s client tool in a container and logs it with WARNING priority. Signed-off-by: David de Torres <[email protected]>
falcosecurity · Nov 8, 2019 · 98beced · 98beced
1 parent ae7924c
commit 98beced
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -2599,3 +2599,9 @@
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.
 
+- rule: The docker client is executed in a container
+  desc: Detect a k8s client tool executed inside a container
+  condition: spawned_process and container and proc.name in (k8s_client_binaries)
+  output: "Docker or kubernetes client executed in container (user=%user.name %container.info parent=%proc.pname cmdline=%proc.cmdline)"
+  priority: WARNING
+  tags: [container, mitre_execution]