For question #4 (Falco), the grading fails. Following is the content of my /etc/falco/falco_rules.local.yaml file. I am not sure what I am missing; can you please advise?
# Redefinition of the built-in rule; the macros it references (shell_procs, container_entrypoint,
# user_expected_terminal_shell_in_container_conditions) come from the default falco_rules.yaml
- rule: Terminal shell in container
  desc: A shell was used as the entrypoint/exec point into a container with an attached terminal.
  condition: >
    spawned_process and container
    and shell_procs and proc.tty != 0
    and container_entrypoint
    and not user_expected_terminal_shell_in_container_conditions
  # comma-separated fields: time (seconds), uid, container id, image repository
  output: >
    %evt.datetime.s,%user.uid,%container.id,%container.image.repository
  priority: ALERT
  tags: [container, shell, mitre_execution]
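As an added example (not part of the original post, and not taken from Falco's shipped rule set), here is the override form that Falco 0.36 and later accepts for changing only the output of a built-in rule while keeping the condition, priority and tags already defined in the default falco_rules.yaml. The field list is the one from the post above; the file path and the assumption that only the output needs to change for the exercise are mine:

```yaml
# /etc/falco/falco_rules.local.yaml (path assumed, matching the post above)
# Assumes Falco >= 0.36: `override:` marks which keys of the existing rule to replace.
# Only the keys listed under `override:` may appear in the entry; the condition,
# desc, priority and tags are inherited from the default rule of the same name.
- rule: Terminal shell in container
  output: >
    %evt.datetime.s,%user.uid,%container.id,%container.image.repository
  override:
    output: replace
```

On an older Falco without `override:`, the full redefinition in the post (all keys given, same rule name, loaded from the local file after the default rules) is the form that replaces the built-in rule. In either case, a malformed rules file is reported when Falco loads its rules, so after editing the file restart the service and read its startup log before checking the rule's alerts.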