update: add macro known_drop_and_execute_activities

Signed-off-by: Sean Doughty <[email protected]>

rules/falco_rules.yaml

@@ -1168,6 +1168,9 @@
 - list: known_drop_and_execute_containers
   items: []
 
+- macro: known_drop_and_execute_activities
+  condition: (never_true)
+
 - rule: Drop and execute new binary in container
   desc: >
     Detect if an executable not belonging to the base image of a container is being executed.
@@ -1183,6 +1186,7 @@
     and container
     and proc.is_exe_upper_layer=true 
     and not container.image.repository in (known_drop_and_execute_containers)
+    and not known_drop_and_execute_activities
   output: Executing binary not part of base image (proc_exe=%proc.exe proc_sname=%proc.sname gparent=%proc.aname[2] proc_exe_ino_ctime=%proc.exe_ino.ctime proc_exe_ino_mtime=%proc.exe_ino.mtime proc_exe_ino_ctime_duration_proc_start=%proc.exe_ino.ctime_duration_proc_start proc_cwd=%proc.cwd container_start_ts=%container.start_ts evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
   priority: CRITICAL
   tags: [maturity_stable, container, process, mitre_persistence, TA0003, PCI_DSS_11.5.1]