From df31fad450f3417f1ead73d603c5aacb228ffaa0 Mon Sep 17 00:00:00 2001
From: Sarapuce
Date: Fri, 5 Jan 2024 16:10:50 +0100
Subject: [PATCH] feat(attack1): add rule to detect nsenter

---
 .github/workflows/release.yaml |  8 ++++++--
 custom_falco_rules.yaml        |  2 --
 custom_rules1.yaml             | 11 +++++++++++
 3 files changed, 17 insertions(+), 4 deletions(-)
 delete mode 100644 custom_falco_rules.yaml
 create mode 100644 custom_rules1.yaml

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 7dedb0d..af467b2 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,5 +1,9 @@
-name: Release Rulesfile
-on: push
+name: Release Rulesfile for scenario 1
+on:
+  push:
+    branches:
+      - feat/attack1
+
 jobs:
   Release-Rulesfile:
diff --git a/custom_falco_rules.yaml b/custom_falco_rules.yaml
deleted file mode 100644
index d8fa1ce..0000000
--- a/custom_falco_rules.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-- list: falco_binaries
-  items: [falcoctl]
diff --git a/custom_rules1.yaml b/custom_rules1.yaml
new file mode 100644
index 0000000..f05f960
--- /dev/null
+++ b/custom_rules1.yaml
@@ -0,0 +1,11 @@
+- macro: container
+  condition: container.id != host
+
+- macro: spawned_process
+  condition: evt.type = execve and evt.dir=<
+
+- rule: run_nsenter
+  desc: nsenter is executed in a container
+  condition: container and proc.name = nsenter and spawned_process and proc.pname exists and not proc.pname in (bash, docker)
+  output: "nsenter used in container (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
+  priority: WARNING
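Review bot: The new `on.push.branches` filter makes every push to `feat/attack1` run the release job, so work-in-progress commits on that branch publish a rulesfile; if this is only meant for the scenario demo that is fine, but a tag trigger or a protected branch would keep releases deliberate. The job definition under `Release-Rulesfile:` continues outside the hunk, so whatever publishes the artifact is not visible here.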
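Review bot: The `not proc.pname in (bash, docker)` clause on the `run_nsenter` condition suppresses the most common case the rule is meant to catch — `nsenter` launched from an interactive bash shell inside the container — while `sh` or `zsh` parents still alert, which looks unintentional rather than a tuned exclusion. If the exclusion is meant to cut noise from known tooling, drop `bash` and keep only the documented allowlist, e.g. `condition: container and spawned_process and proc.name = nsenter and proc.pname exists and not proc.pname in (docker)`, with a `desc` line explaining why that parent is trusted. The `output` string labels the process `shell=%proc.name`, but `proc.name` is always `nsenter` here; `proc=%proc.name` (or dropping the field in favor of `cmdline`) avoids misleading anyone triaging the alert. The `container` and `spawned_process` macros duplicate Falco's built-in macros of the same name and presumably override them when loaded alongside the default ruleset; keeping them is harmless only as long as their definitions stay identical, so a short comment noting they exist for standalone loading would help.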