docs(OWNERS): add `ekoops` as approver

Signed-off-by: Leonardo Di Giovanna <41296180+ekoops@users.noreply.github.com>

.github/FALCO_VERSIONS

@@ -1 +1,4 @@
 master
+0.41.2
+0.41.1
+0.41.0

.github/workflows/pages.yaml

@@ -22,7 +22,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Install uv
-        uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5
+        uses: astral-sh/setup-uv@f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb # v5
 
       - name: Generate updated inventory
         run: |

.github/workflows/release.yaml

@@ -58,7 +58,7 @@ jobs:
 
       # Create a signature of the rules artifact as OCI artifact
       - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.8.2
+        uses: sigstore/cosign-installer@v3.9.0
 
       - name: Login with cosign
         run: cosign login $OCI_REGISTRY --username ${{ github.repository_owner }} --password ${{ secrets.GITHUB_TOKEN }}

OWNERS

@@ -5,7 +5,7 @@ approvers:
   - fededp
   - andreagit97
   - lucaguerra
-  - incertum
+  - ekoops
 reviewers:
   - leodido
   - kaizhe
@@ -13,3 +13,4 @@ reviewers:
   - loresuso
 emeritus_approvers:
   - kaizhe
+  - incertum

rules/falco-incubating_rules.yaml

@@ -296,9 +296,7 @@
 
 - macro: container_started
   condition: >
-    ((evt.type = container or
+     (spawned_process and proc.vpid=1 and container)
-     (spawned_process and proc.vpid=1)) and
-     container.image.repository != incomplete)
 
 - list: cron_binaries
   items: [anacron, cron, crond, crontab]
@@ -610,7 +608,6 @@
     seen as more suspicious, prompting a closer inspection.
   condition: >
     container_started 
-    and container
     and container.privileged=true
     and not falco_privileged_containers
     and not user_privileged_containers
@@ -640,7 +637,6 @@
     raise suspicion, prompting closer scrutiny.
   condition: >
     container_started 
-    and container
     and excessively_capable_container
     and not falco_privileged_containers
     and not user_privileged_containers

rules/falco-sandbox_rules.yaml

@@ -327,9 +327,7 @@
 
 - macro: container_started
   condition: >
-    ((evt.type = container or
+    (spawned_process and proc.vpid=1 and container)
-     (spawned_process and proc.vpid=1)) and
-     container.image.repository != incomplete)
 
 # Possible scripts run by sshkit
 - list: sshkit_script_binaries
@@ -1265,7 +1263,6 @@
     varies based on your environment.
   condition: >
     container_started 
-    and container
     and sensitive_mount
     and not falco_sensitive_mount_containers
     and not user_sensitive_mount_containers
@@ -1292,7 +1289,6 @@
     this can be challenging to manage.
   condition: > 
     container_started 
-    and container 
     and not allowed_containers
   output: Container started and not in allowed list | evt_type=%evt.type user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
   priority: WARNING

rules/falco_rules.yaml

@@ -363,7 +363,8 @@
     iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd,
     vsftpd, systemd, mysql_install_d, psql, screen, debconf-show, sa-update,
     pam-auth-update, pam-config, /usr/sbin/spamd, polkit-agent-he, lsattr, file, sosreport,
-    scxcimservera, adclient, rtvscand, cockpit-session, userhelper, ossec-syscheckd
+    scxcimservera, adclient, rtvscand, cockpit-session, userhelper, ossec-syscheckd,
+    sshd-session
     ]
 
 # Add conditions to this macro (probably in a separate file,