Goal
Add custom Falco rules detecting ptrace injection, capability escalation, and process hollowing.
Tasks
- Rule: detect ptrace() calls between containers
- Rule: detect CAP_SYS_ADMIN or CAP_NET_ADMIN capability grants
- Rule: detect /proc/*/mem writes (process injection)
- Rule: detect LD_PRELOAD manipulation
- Rule: detect cgroups escape attempts
- Add all rules to security/falco/custom-rules.yaml
- Test each rule fires correctly
Acceptance criteria
- All 5 rules fire on simulated attacks
- Rules don't fire on legitimate operations
- MITRE tags assigned to each rule
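Added example (not the project's own rules file): two of the five rules above written as Falco rules with MITRE tags and an allowlist so they stay quiet for legitimate debugger tooling. Field names are standard Falco fields; the `allowed_debugger_images` entries are hypothetical placeholders for this cluster.

```yaml
# Constructed example for security/falco/custom-rules.yaml, not the project's own rules.
# Fields used (evt.type, evt.arg.request, evt.is_open_write, fd.name, container.id,
# container.image.repository) are standard Falco fields. The image names in the list
# below are hypothetical; replace them with the debugger images actually allowed here.
- list: allowed_debugger_images
  items: [debug-sidecar]   # hypothetical: images permitted to use ptrace/proc mem

# ptrace requests that modify another process's memory or registers (injection),
# as opposed to read-only requests a legitimate profiler might issue.
- macro: ptrace_write_request
  condition: >
    (evt.arg.request contains PTRACE_POKETEXT or
     evt.arg.request contains PTRACE_POKEDATA or
     evt.arg.request contains PTRACE_SETREGS)

- rule: Ptrace Memory Write In Container
  desc: A containerized process issued a ptrace request that writes another process's memory or registers
  condition: >
    evt.type = ptrace and evt.dir = > and container.id != host
    and ptrace_write_request
    and not container.image.repository in (allowed_debugger_images)
  output: >
    ptrace write request in container
    (request=%evt.arg.request proc=%proc.name cmdline=%proc.cmdline user=%user.name
     container_id=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [container, process, mitre_privilege_escalation, T1055.008]

- rule: Write To Proc Mem
  desc: A process opened /proc/<pid>/mem for writing, a process injection primitive
  condition: >
    evt.type in (open, openat, openat2) and evt.is_open_write = true
    and fd.name glob /proc/*/mem
    and not container.image.repository in (allowed_debugger_images)
  output: >
    Write to /proc/*/mem
    (file=%fd.name proc=%proc.name cmdline=%proc.cmdline user=%user.name
     container_id=%container.id image=%container.image.repository)
  priority: CRITICAL
  tags: [host, container, process, mitre_defense_evasion, T1055.009]
```

Validate the file with `falco -V security/falco/custom-rules.yaml` before loading it, and extend the `tags` lists with the relevant technique IDs for the capability, LD_PRELOAD and cgroup rules.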