falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0

Container executables drift detection #1248

Closed omerazr closed 4 years ago

omerazr commented 4 years ago

Motivation

Container drift means changes that break the immutability of images. A subset of such changes are executables created in a container during runtime. Detecting such behavior can help flag critical security issues related to RCEs.

Feature

There are a limited set of options to create an executable in a system. By adding Falco rules to detect this behavior, we can alert users about suspicious activity. This will include adding two new Falco rules that use a newly added sysdig filter - "is_open_exec" - https://github.com/draios/sysdig/pull/1638

Alternatives

By listing all executables in an image, one can create an apparmor profile to prevent such a change in runtime. As always, applications do behave in unexpected ways, so detecting such execution and tuning an apparmor profile will be a better workflow.

Additional context

https://www.openshift.com/blog/configuration-drift-prevention-in-openshift-resource-locker-operator
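The following is an added example written for this page; it is not code from the Falco or sysdig projects and does not use their APIs. It models the check the issue proposes in plain Python so the semantics can be run offline: a file created by an open-family call with execute bits in its mode argument (the case the proposed `is_open_exec` filter targets) and an existing file given execute bits via a chmod-family call are both treated as drift, while host activity, failed syscalls and an allow-list of container-runtime processes are skipped. The `Event` layout, the `RUNTIME_PROCS` allow-list and every sample event are constructed for this example.

```python
"""Runtime executable-drift detection over syscall-style events.

Added illustrative example (not Falco's or sysdig's code). It models two ways a
new executable can appear inside a running container: a file created with any
execute bit set (open/openat/creat with O_CREAT), and an existing file that
gains execute bits through chmod/fchmod/fchmodat. Field names and sample
events are constructed for this example.
"""
import os
import stat
from dataclasses import dataclass

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
OPEN_SYSCALLS = {"open", "openat", "creat"}
CHMOD_SYSCALLS = {"chmod", "fchmod", "fchmodat"}

# Assumed allow-list: the container runtime legitimately writes files with
# exec bits (e.g. its exec FIFO) and would otherwise fire on every container
# start. A deployed rule needs a tuned list like this; names are assumptions.
RUNTIME_PROCS = {"runc", "containerd-shim"}


@dataclass
class Event:
    syscall: str
    proc: str
    container_id: str   # "host" when the process is not in a container
    path: str
    flags: int = 0      # open(2) flags; only O_CREAT matters here
    mode: int = 0       # mode argument (open with O_CREAT, or chmod target)
    res: int = 0        # syscall return value; negative means it failed


def is_open_exec(ev):
    """True when an open-family call creates a file with an exec bit set.

    creat(2) always creates; open/openat only do so with O_CREAT. The mode
    argument is checked as passed, before umask, so this over-approximates
    slightly rather than missing a drop whose umask happened to be 0.
    """
    if ev.syscall not in OPEN_SYSCALLS:
        return False
    creating = ev.syscall == "creat" or bool(ev.flags & os.O_CREAT)
    return creating and bool(ev.mode & EXEC_BITS)


def is_chmod_exec(ev):
    """True when a chmod-family call sets any exec bit on the target."""
    return ev.syscall in CHMOD_SYSCALLS and bool(ev.mode & EXEC_BITS)


def detect_drift(events, allow_procs=RUNTIME_PROCS):
    """Return a list of (reason, event) for every drift finding."""
    findings = []
    for ev in events:
        if ev.container_id == "host" or ev.res < 0:
            continue  # not in a container, or the call failed: nothing changed on disk
        if ev.proc in allow_procs:
            continue  # runtime housekeeping, tuned out like a Falco exception macro
        if is_open_exec(ev):
            findings.append(("open+create", ev))
        elif is_chmod_exec(ev):
            findings.append(("chmod", ev))
    return findings


# Constructed sample events; paths and container IDs are made up.
SAMPLE_EVENTS = [
    # Payload dropped with mode 0755 inside a container: drift.
    Event("openat", "bash", "c1", "/tmp/.x/payload",
          flags=os.O_CREAT | os.O_WRONLY, mode=0o755),
    # Same via creat(2), which always creates.
    Event("creat", "curl", "c1", "/tmp/dl.bin", mode=0o711),
    # Existing script made executable: drift via chmod.
    Event("chmod", "python3", "c2", "/app/run.sh", mode=0o744),
    # Ordinary data file written with 0644: not drift.
    Event("openat", "nginx", "c1", "/var/log/nginx/access.log",
          flags=os.O_CREAT | os.O_WRONLY, mode=0o644),
    # Opening an existing binary without O_CREAT: not drift.
    Event("openat", "sh", "c1", "/bin/ls", flags=os.O_RDONLY, mode=0),
    # Runtime creating its exec FIFO: allow-listed.
    Event("openat", "runc", "c3", "/run/runc/c3/exec.fifo",
          flags=os.O_CREAT, mode=0o755),
    # Same action on the host, outside any container: out of scope.
    Event("chmod", "bash", "host", "/usr/local/bin/tool", mode=0o755),
    # chmod that failed with EACCES (-13): the file did not change.
    Event("chmod", "bash", "c2", "/usr/bin/id", mode=0o755, res=-13),
]


def report(events=SAMPLE_EVENTS):
    """Render findings as alert lines in the style of a Falco output field."""
    return [
        f"Drift detected ({why}): new executable in container={ev.container_id} "
        f"proc={ev.proc} syscall={ev.syscall} path={ev.path} mode={oct(ev.mode)}"
        for why, ev in detect_drift(events)
    ]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run stand-alone it prints three alerts (two for open+create, one for chmod) and stays silent on the data file, the plain open of `/bin/ls`, the allow-listed runtime write, the host chmod and the failed chmod. The `allow_procs` parameter is the knob that matters in practice: a CI runner that pulls a repository and executes its scripts inside a pod is real drift by this definition, and you tune it out by process or container identity rather than by weakening the exec-bit check.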

fntlnz commented 4 years ago

I like the idea behind this, thanks @omer-sd

leodido commented 4 years ago

/close

poiana commented 4 years ago

@leodido: Closing this issue.

In response to [this](https://github.com/falcosecurity/falco/issues/1248#issuecomment-647433587):

> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

jpriebe commented 4 months ago

Word of warning: don't use this feature on a Kubernetes node if you are running CI/CD pipelines in pods (e.g. gitlab-runner) -- your pod will pull down source code and execute scripts, and Falco will kill processes. You will lose hours of your life trying to understand what is wrong with your pipeline runners.