
chore(rules): Add more generic container rules
Common ways to escape the container:

* chroot
* loading kernel modules
vadorovsky authored and banditopazzo committed Feb 27, 2024
1 parent ce642cd commit 301b786
Showing 1 changed file with 18 additions and 0 deletions.
18 changes: 18 additions & 0 deletions rules/container-rules.yaml
Expand Up @@ -18,3 +18,21 @@
)
)
)
- name: Chroot in container
type: Exec
condition: |
header.container.is_some() AND payload.filename ENDS_WITH "/chroot"
- name: Linux kernel module injection in container
type: Exec
condition: |
header.container.is_some() AND
payload.filename ENDS_WITH "/modprobe" AND NOT
payload.argv CONTAINS "-r"
- name: Reading kernel logs in container
type: Exec
condition: |
header.container.is_some() AND
payload.filename ENDS_WITH "/dmesg"
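Review bot: the exemption `NOT payload.argv CONTAINS "-r"` in the "Linux kernel module injection in container" rule only excludes the exact `-r` token, so `modprobe --remove foo` (and non-loading calls such as `modprobe -n`/`--dry-run` or `--show-depends`) still fire, while the more direct loading path, `insmod foo.ko`, is not matched at all because only `/modprobe` is checked. Consider exempting `--remove` alongside `-r`, and covering `insmod` with a second rule (or an OR clause, if the grammar allows it) of the form `payload.filename ENDS_WITH "/insmod"`; the "Chroot in container" and "Reading kernel logs in container" rules look fine as Exec-based heuristics, though they will also catch benign image build steps that run `chroot` or `dmesg`.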

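The three conditions in the diff, re-implemented as an added illustrative evaluator and run over constructed Exec events. This is example code written for this page, not Pulsar's rule engine and not code from this repository; the event shape, the field names `filename`, `argv` and `container`, the sample events, and the reading of `CONTAINS` as exact element membership are all assumptions. It shows which invocations each rule does and does not catch, including `modprobe --remove` and `insmod`.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ExecEvent:
    """Minimal stand-in for a Pulsar Exec event (assumed shape, not Pulsar's)."""
    filename: str                    # executed binary path   (payload.filename)
    argv: List[str]                  # argument vector        (payload.argv)
    container: Optional[str] = None  # container id; None = not in a container


def in_container(ev: ExecEvent) -> bool:
    # header.container.is_some()
    return ev.container is not None


def rule_chroot_in_container(ev: ExecEvent) -> bool:
    return in_container(ev) and ev.filename.endswith("/chroot")


def rule_kernel_module_injection(ev: ExecEvent) -> bool:
    # NOT payload.argv CONTAINS "-r", modelled here as exact element membership
    # (an assumption about CONTAINS semantics), so "--remove" is NOT exempted.
    return (in_container(ev)
            and ev.filename.endswith("/modprobe")
            and "-r" not in ev.argv)


def rule_reading_kernel_logs(ev: ExecEvent) -> bool:
    return in_container(ev) and ev.filename.endswith("/dmesg")


RULES = {
    "Chroot in container": rule_chroot_in_container,
    "Linux kernel module injection in container": rule_kernel_module_injection,
    "Reading kernel logs in container": rule_reading_kernel_logs,
}


def evaluate(ev: ExecEvent) -> List[str]:
    """Return the names of all rules whose condition holds for the event."""
    return [name for name, cond in RULES.items() if cond(ev)]


# Constructed sample events (not captured from a real system).
SAMPLE_EVENTS: Dict[str, ExecEvent] = {
    "chroot_in_container":  ExecEvent("/usr/sbin/chroot", ["chroot", "/host", "/bin/sh"], "c1"),
    "chroot_on_host":       ExecEvent("/usr/sbin/chroot", ["chroot", "/srv/jail", "/bin/sh"]),
    "modprobe_load":        ExecEvent("/sbin/modprobe", ["modprobe", "evil"], "c1"),
    "modprobe_unload_short": ExecEvent("/sbin/modprobe", ["modprobe", "-r", "evil"], "c1"),
    "modprobe_unload_long": ExecEvent("/sbin/modprobe", ["modprobe", "--remove", "evil"], "c1"),
    "insmod_load":          ExecEvent("/sbin/insmod", ["insmod", "evil.ko"], "c1"),
    "dmesg_in_container":   ExecEvent("/bin/dmesg", ["dmesg"], "c1"),
}


def run_samples() -> Dict[str, List[str]]:
    """Evaluate every sample event and return {label: [matching rule names]}."""
    return {label: evaluate(ev) for label, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for label, hits in run_samples().items():
        print(f"{label:23s} -> {hits or '(no match)'}")
```

The `modprobe_unload_long` and `insmod_load` entries are the two cases the rules as written miss or over-match: `--remove` is not exempted, and `insmod` is not checked at all.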