
feat(rules): detect container shell spawn for MITRE T1059#363

Open
JayKnowSo wants to merge 2 commits into
falcosecurity:mainfrom
JayKnowSo:feat/detect-container-escape-t1059

Conversation

@JayKnowSo


Adds detection rule for shell processes spawned inside containers by non-shell parent processes — a common indicator of container escape attempts and command injection exploitation.

MITRE ATT&CK: T1059 - Command and Scripting Interpreter
Tags: container, shell, mitre_execution


@poiana

poiana commented Apr 20, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: JayKnowSo
Once this PR has been reviewed and has the lgtm label, please assign loresuso for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana

poiana commented Apr 20, 2026


Welcome @JayKnowSo! It looks like this is your first PR to falcosecurity/rules 🎉

@poiana poiana added the size/S label Apr 20, 2026
@leogr

leogr commented May 19, 2026

Member

Hey @JayKnowSo

Can you sign off your commit, please? 🙏

@poiana poiana added size/M and removed size/S labels May 26, 2026
JayKnowSo added 2 commits May 25, 2026 21:46

Commit 1:

Adds detection rule for shell processes spawned inside containers
by non-shell parent processes — a common indicator of container
escape attempts and command injection exploitation.

MITRE ATT&CK: T1059 - Command and Scripting Interpreter
Tags: container, shell, mitre_execution

Signed-off-by: Jemel Padilla <worklife0524@gmail.com>

Commit 2:

- drop image= field from output (defer to append_output config)
- add exe_flags=%evt.arg.flags per spawned_process style guide
- anchor systemctl/service stop args with startswith and leading space
- anchor iptables -F flag with startswith and leading-space patterns
- drop network tag (rule fires on execve only, no socket activity)

Signed-off-by: Jemel Padilla <worklife0524@gmail.com>
@JayKnowSo JayKnowSo force-pushed the feat/detect-container-escape-t1059 branch from 407a871 to c5c64c5 May 26, 2026 01:46
@JayKnowSo

Author

All four addressed.
Cleaned the output fields — dropped image= and args=, added exe_flags per the spawned_process convention.
Anchored the stop args with startswith and put leading spaces on the daemon names. Caught the same pattern on the iptables -F flag — first position and mid-args both covered now.
Dropped network from the tags. Rule never touches a socket — shouldn't have been there.
Also squared away the DCO signoff on both commits — apologies for missing that.
Pushed. Thanks for the welcome and the patience.
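For readers who do not have the diff open, the following Falco rules YAML illustrates the two conventions discussed in the PR description and in the comment above: a shell-in-container rule whose output follows the `spawned_process` style (`exe_flags=%evt.arg.flags`, no `image=` field), and argument matching anchored with `startswith` plus a leading space. This is an added example, not the text of PR #363. The macros `spawned_process` and `container` and the list `shell_binaries` are the ones defined in the upstream falcosecurity/rules files; the rule names, descriptions, the exact output field list, the `maturity_sandbox` tag and the daemon names in the second rule are assumptions made for the illustration.

```yaml
# Added illustrative rules; not the PR's own diff. spawned_process, container
# and shell_binaries come from the upstream Falco rule files; every other
# name and value here is assumed for the example.

- rule: Shell Spawned in Container by Non-Shell Parent
  desc: >
    A shell binary was executed inside a container and its parent process is
    not itself a shell. Shells in containers are normally started by another
    shell (an exec session or an entrypoint script); a web server, database or
    interpreter forking a shell is the typical shape of command injection and
    an early indicator of an escape attempt.
  condition: >
    spawned_process
    and container
    and proc.name in (shell_binaries)
    and not proc.pname in (shell_binaries)
  # Output follows the spawned_process convention: exepath, parent chain,
  # command lines, tty, execve flags, user and container identity. No image=
  # field; image details are left to the append_output configuration.
  output: >
    Shell spawned in container by non-shell parent
    (proc_exepath=%proc.exepath parent=%proc.pname gparent=%proc.aname[2]
    command=%proc.cmdline pcmdline=%proc.pcmdline terminal=%proc.tty
    exe_flags=%evt.arg.flags user=%user.name user_loginuid=%user.loginuid
    container_id=%container.id container_name=%container.name)
  priority: NOTICE
  tags: [maturity_sandbox, container, shell, mitre_execution, T1059]

# Argument anchoring, constructed to show the pattern the review asked for.
# A bare `proc.args contains "stop"` also matches "stopwatch" or any path that
# happens to contain the substring. Requiring "stop " at the very start of the
# arguments, or " stop " surrounded by spaces further in, ties the match to a
# whole word in argument position; the leading space before each daemon name
# does the same for the operand. The iptables -F flag is anchored the same way
# so that both `iptables -F` and `iptables -t nat -F` match.
- rule: Service Stop or Firewall Flush in Container
  desc: >
    systemctl/service used to stop a monitoring daemon, or iptables -F used to
    flush rules, executed from inside a container. Daemon names are assumed.
  condition: >
    spawned_process
    and container
    and (
      (proc.name in (systemctl, service)
       and (proc.args startswith "stop " or proc.args contains " stop ")
       and (proc.args contains " falco" or proc.args contains " auditd"))
      or
      (proc.name = iptables
       and (proc.args startswith "-F" or proc.args contains " -F"))
    )
  output: >
    Service stop or firewall flush in container
    (proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline
    terminal=%proc.tty exe_flags=%evt.arg.flags user=%user.name
    container_id=%container.id container_name=%container.name)
  priority: WARNING
  tags: [maturity_sandbox, container]
```

Both rules fire only on execve/execveat events through the `spawned_process` macro, which is why the commit drops the `network` tag: nothing here inspects socket activity. The anchored forms are also a useful habit when tuning exceptions, since an exception written against `" stop falco"` cannot be widened by an unrelated argument that merely contains the letters.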

@JayKnowSo

Author

CI failures appear to be GitHub Actions infrastructure issues — internal server errors on action archive downloads and a 403 on the repo access. Not related to the rule changes. Happy to re-run once the CI stabilizes.

@JayKnowSo

Author

No yamllint violations in the code added by this PR. The 53 errors in falco_rules.yaml and 67 in falco-incubating_rules.yaml are pre-existing and not introduced by these changes.

Happy to open a separate chore PR to fix the line-length violations across the affected rule files if that would help unblock the merge pipeline.
