Test code block

The following Falco rule will detect the affected container runtimes trying to change the working directory to a proc file descriptor path, which isn't normal activity. This rule should be considered experimental and can be used in OSS Falco and Sysdig Secure as a custom rule.

```yaml
- rule: Suspicious Chdir Event Detected
  desc: Detects a process changing a directory using a proc-based file descriptor.
  condition: >
    evt.type=chdir and evt.dir=< and evt.rawres=0 and evt.arg.path startswith "/proc/self/fd/"
  output: >
    Suspicious Chdir event detected, executed by process %proc.name with cmdline %proc.cmdline under user %user.name (details=%evt.args proc.cmdline=%proc.cmdline evt.type=%evt.type evt.res=%evt.res fd=%evt.arg.fd nstype=%evt.arg.nstype proc.pid=%proc.pid proc.cwd=%proc.cwd proc.pname=%proc.pname proc.ppid=%proc.ppid proc.pcmdline=%proc.pcmdline proc.sid=%proc.sid proc.exepath=%proc.exepath user.name=%user.name user.loginuid=%user.loginuid user.uid=%user.uid user.loginname=%user.loginname group.gid=%group.gid group.name=%group.name container.id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
  priority: WARNING
  tags: [host, container]
```
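To see what the rule's condition actually selects, here is an added example (not code from the Sysdig post or from Falco itself) that replays a handful of constructed syscall events through a hand-written mirror of the condition. Events are modelled as plain dicts keyed by the Falco field names the rule uses (`evt.type`, `evt.dir`, `evt.rawres`, `evt.arg.path`); the process and container values are made up, and the matcher is a stand-in for Falco's engine, so it only demonstrates the rule's logic, not Falco's parsing.

```python
"""
Added worked example: evaluate the "Suspicious Chdir Event Detected"
condition against constructed events. Not part of the original post.

Assumptions (not from the page): events are dicts using Falco field
names; this matcher is a hand-written stand-in for Falco's rule engine.
"""

RULE_NAME = "Suspicious Chdir Event Detected"
PROC_FD_PREFIX = "/proc/self/fd/"


def matches_suspicious_chdir(evt: dict) -> bool:
    """Mirror of the rule condition:
    evt.type=chdir and evt.dir=< and evt.rawres=0
    and evt.arg.path startswith "/proc/self/fd/"
    """
    return (
        evt.get("evt.type") == "chdir"
        # '<' is the syscall exit event, where the return value is known
        and evt.get("evt.dir") == "<"
        # only successful chdir calls (rawres 0); failed attempts do not fire
        and evt.get("evt.rawres") == 0
        and str(evt.get("evt.arg.path", "")).startswith(PROC_FD_PREFIX)
    )


def format_alert(evt: dict) -> str:
    """Abbreviated form of the rule's output line using the fields we carry."""
    return (
        f"{RULE_NAME}: executed by process {evt.get('proc.name')} "
        f"with cmdline {evt.get('proc.cmdline')} under user {evt.get('user.name')} "
        f"(path={evt.get('evt.arg.path')} container.id={evt.get('container.id')})"
    )


def run_rule(events):
    """Return one formatted alert per event that satisfies the condition."""
    return [format_alert(e) for e in events if matches_suspicious_chdir(e)]


# Constructed sample events (placeholder names, not real captures).
SAMPLE_EVENTS = [
    # 1: successful chdir into a /proc/self/fd/ path on syscall exit -> fires
    {"evt.type": "chdir", "evt.dir": "<", "evt.rawres": 0,
     "evt.arg.path": "/proc/self/fd/7", "proc.name": "container-runtime",
     "proc.cmdline": "container-runtime init", "user.name": "root",
     "container.id": "host"},
    # 2: ordinary chdir to a normal directory -> no alert
    {"evt.type": "chdir", "evt.dir": "<", "evt.rawres": 0,
     "evt.arg.path": "/var/lib/app", "proc.name": "bash",
     "proc.cmdline": "bash", "user.name": "app", "container.id": "abc123"},
    # 3: chdir to a /proc/self/fd/ path that failed (ENOENT = -2) -> no alert
    {"evt.type": "chdir", "evt.dir": "<", "evt.rawres": -2,
     "evt.arg.path": "/proc/self/fd/9", "proc.name": "bash",
     "proc.cmdline": "bash", "user.name": "app", "container.id": "abc123"},
    # 4: the enter side ('>') of the same syscall carries no result yet -> no alert
    {"evt.type": "chdir", "evt.dir": ">",
     "evt.arg.path": "/proc/self/fd/7", "proc.name": "container-runtime",
     "proc.cmdline": "container-runtime init", "user.name": "root",
     "container.id": "host"},
    # 5: a different syscall (fchdir) is outside the rule's scope -> no alert
    {"evt.type": "fchdir", "evt.dir": "<", "evt.rawres": 0,
     "evt.arg.fd": 7, "proc.name": "container-runtime",
     "proc.cmdline": "container-runtime init", "user.name": "root",
     "container.id": "host"},
]


if __name__ == "__main__":
    for line in run_rule(SAMPLE_EVENTS):
        print(line)
```

Event 5 is worth noting when tuning: the rule keys on `chdir` with a path argument, so a directory change done through `fchdir(fd)` carries no path and is not covered by this condition; that is a coverage gap to weigh, not a bug in the rule as written.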

Conclusion

The four vulnerabilities discovered by Snyk could enable supply chain attacks against Docker and Kubernetes.

If an attacker gains access to the Dockerfile, either through public or private repositories, they can exploit these vulnerabilities to either gain write access to the host OS or cause a denial of service against the host itself. Users, especially developers, could be targeted, since a vulnerable Docker installation may give attackers access to their workstations and a foothold on your network.

We recommend upgrading your Docker and Kubernetes software as quickly as possible, given the high severity of these vulnerabilities. While vulnerability management is ongoing, the Falco rules provided in this article can provide detection in case any of the vulnerabilities are exploited.

Article Link: Test code block – Sysdig