Feb. 2, 2024, midnight | MalBot

Malware Analysis, News and Indicators - Latest topics malware.news


The following Falco rule detects a process (here, the affected container runtimes) successfully changing its working directory to a path under /proc/self/fd/, which is not normal activity: the condition keys on the exit side of the chdir syscall (evt.dir=<) with a zero return value (evt.rawres=0), so failed attempts do not fire it. The rule should be considered experimental and can be loaded into OSS Falco or Sysdig Secure as a custom rule.


- rule: Suspicious Chdir Event Detected
  desc: Detects a process changing a directory using a proc-based file descriptor.
  condition: >
    evt.type=chdir and evt.dir=< and evt.rawres=0 and evt.arg.path startswith "/proc/self/fd/"
  output: >
    Suspicious Chdir event detected, executed …
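To see which events the condition above actually selects, here is a small Python port of it run over a handful of constructed syscall events. This is an added example, not code from the Falco project or from Sysdig; the event records, the process names and the `Event` dataclass are all constructed for illustration and mirror only the four Falco fields the rule references (evt.type, evt.dir, evt.rawres, evt.arg.path). It also shows a gap a practitioner should know about: the rule as written matches only `/proc/self/fd/`, so the same trick expressed through a pid-qualified path such as `/proc/<pid>/fd/` is not caught.

```python
"""Evaluate the Falco condition from the rule above over constructed events.

Each Event carries the Falco fields the rule references. The records below
are constructed for illustration; they are not real Falco captures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    type: str        # evt.type, e.g. "chdir"
    dir: str         # evt.dir: ">" = syscall enter, "<" = syscall exit
    rawres: int      # evt.rawres: raw syscall return value (0 = success for chdir)
    path: str        # evt.arg.path: path argument of chdir
    proc: str = "?"  # illustrative process name, used only in the output line


def matches_rule(evt: Event) -> bool:
    """Port of the rule condition:
    evt.type=chdir and evt.dir=< and evt.rawres=0
    and evt.arg.path startswith "/proc/self/fd/"
    """
    return (
        evt.type == "chdir"
        and evt.dir == "<"
        and evt.rawres == 0
        and evt.path.startswith("/proc/self/fd/")
    )


# Constructed sample events (not real captures).
SAMPLE_EVENTS = [
    # successful chdir through a proc-based fd: the behaviour the rule targets
    Event("chdir", "<", 0, "/proc/self/fd/7", "runc"),
    # enter-side half of the same syscall: no return value yet, so ignored
    Event("chdir", ">", 0, "/proc/self/fd/7", "runc"),
    # the chdir failed (-2 = ENOENT); the rule only fires on success
    Event("chdir", "<", -2, "/proc/self/fd/7", "runc"),
    # ordinary chdir into a regular directory
    Event("chdir", "<", 0, "/var/lib/docker", "dockerd"),
    # a different syscall type with a path argument
    Event("chroot", "<", 0, "/proc/self/fd/7", "runc"),
    # same trick via a pid-qualified path: NOT caught by the rule as written
    Event("chdir", "<", 0, "/proc/1234/fd/7", "bash"),
]


def detect(events):
    """Return Falco-style output lines for the events that match the rule."""
    return [
        f"Suspicious Chdir event detected, executed by {e.proc} (path={e.path})"
        for e in events
        if matches_rule(e)
    ]


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

Only the first sample event produces an alert. If you want to cover the pid-qualified variant as well, the condition would need a broader match on evt.arg.path (for example a glob or regex over `/proc/*/fd/`) at the cost of more tuning against benign tooling that legitimately inspects /proc.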

