falcosecurity / event-generator

Generate a variety of suspect actions that are detected by Falco rulesets
Apache License 2.0

Add an event for default rule "Basic Interactive Reconnaissance" #145

Closed GLVSKiriti closed 1 week ago

GLVSKiriti commented 8 months ago

Motivation

To add an event for default rule "Basic Interactive Reconnaissance" as mentioned here

Feature

Alternatives

Additional context

GLVSKiriti commented 8 months ago

/assign

GLVSKiriti commented 8 months ago

@FedeDP @leogr Kindly clarify my doubt! To generate this event the conditions required are

    spawned_process 
    and recon_binaries_procs 
    and proc.tty != 0 
    and proc.is_vpgid_leader=true

proc.is_vpgid_leader: 'true' if this process is the leader of the virtual process group, proc.vpgid == proc.vpid. For host processes vpgid and vpid reflect pgid and pid. Can help to distinguish if the process was 'directly' executed for instance in a tty (similar to bash history logging, is_vpgid_leader would be 'true') or executed as descendent process in the same process group which for example is the case when subprocesses are spawned from a script (is_vpgid_leader would be 'false').

As mentioned in the documentation, proc.is_vpgid_leader will be true only if we enter a command manually, and it will be false when we execute a command by running a script or code.

Is there a way to implement this event in Go code, or is it not feasible?
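
The question above asks whether a process satisfying `proc.tty != 0` and `proc.is_vpgid_leader=true` can be produced from Go. The following is an added example (my own code, not code from this issue, from event-generator, or from Falco) showing the mechanism: allocate a pseudo-terminal, then start the child with `syscall.SysProcAttr{Setsid: true, Setctty: true, Ctty: 0}` so that the kernel makes it the leader of a new session and process group (pid == pgrp) with the pty as its controlling terminal (tty_nr != 0), and read the child's own `/proc/self/stat` back through the terminal to confirm both. It assumes Linux with a usable `/dev/ptmx` and `/dev/pts`, and assumes that `proc.tty` and `proc.is_vpgid_leader` correspond to `tty_nr` and `pid == pgrp` for a host process, as the quoted field description says. It runs `cat` as a stand-in for the real target, so by itself it does not satisfy the `recon_binaries_procs` macro; the function names (`openPTY`, `RunOnTTY`, `ParseStat`, `ProbeInteractiveSpawn`) are mine.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"os/exec"
	"strconv"
	"strings"
	"syscall"
	"unsafe"
)

// ProcIdentity holds the /proc/<pid>/stat fields the two launch-dependent rule
// conditions rest on. Assumed mapping (from the field description quoted in the
// issue): proc.tty -> tty_nr, proc.is_vpgid_leader -> pid == pgrp on the host.
type ProcIdentity struct {
	PID, PGID, SID, TTY int
}

// IsPGIDLeader mirrors proc.is_vpgid_leader for a host process.
func (p ProcIdentity) IsPGIDLeader() bool { return p.PID == p.PGID }

func ioctl(fd uintptr, req uint, arg uintptr) error {
	if _, _, e := syscall.Syscall(syscall.SYS_IOCTL, fd, uintptr(req), arg); e != 0 {
		return e
	}
	return nil
}

// openPTY allocates a pty pair via /dev/ptmx using the TIOCSPTLCK (unlock the
// slave) and TIOCGPTN (slave number) ioctls, so only the standard library is
// needed. Linux-only; O_NOCTTY keeps the parent from adopting the slave itself.
func openPTY() (master, slave *os.File, err error) {
	if master, err = os.OpenFile("/dev/ptmx", os.O_RDWR|syscall.O_NOCTTY, 0); err != nil {
		return nil, nil, err
	}
	var unlock int32 // 0 unlocks the slave side
	var num uint32
	if err = ioctl(master.Fd(), syscall.TIOCSPTLCK, uintptr(unsafe.Pointer(&unlock))); err == nil {
		err = ioctl(master.Fd(), syscall.TIOCGPTN, uintptr(unsafe.Pointer(&num)))
	}
	if err == nil {
		slave, err = os.OpenFile(fmt.Sprintf("/dev/pts/%d", num), os.O_RDWR|syscall.O_NOCTTY, 0)
	}
	if err != nil {
		master.Close()
		return nil, nil, err
	}
	return master, slave, nil
}

// RunOnTTY starts bin as the leader of a new session and process group whose
// controlling terminal is the slave pty, then returns what it wrote there.
func RunOnTTY(bin string, args ...string) ([]byte, error) {
	master, slave, err := openPTY()
	if err != nil {
		return nil, err
	}
	defer master.Close()

	cmd := exec.Command(bin, args...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = slave, slave, slave
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Setsid:  true, // new session: the child becomes its own process group leader
		Setctty: true, // TIOCSCTTY inside the child, so tty_nr becomes non-zero
		Ctty:    0,    // child-side fd number (stdin), i.e. the slave pty
	}
	err = cmd.Start()
	// Drop our copy of the slave: once the child exits and releases the
	// terminal, reading the master fails with EIO on Linux, marking end of output.
	slave.Close()
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	if _, err := io.Copy(&out, master); err != nil && !errors.Is(err, syscall.EIO) {
		_ = cmd.Wait()
		return nil, err
	}
	if err := cmd.Wait(); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}

// ParseStat extracts pid, pgrp, session and tty_nr from a /proc/<pid>/stat
// line. comm is parenthesised and may contain spaces, so split at the last ')'.
func ParseStat(stat string) (ProcIdentity, error) {
	lp, rp := strings.IndexByte(stat, '('), strings.LastIndexByte(stat, ')')
	if lp < 0 || rp < lp {
		return ProcIdentity{}, fmt.Errorf("malformed stat line: %q", stat)
	}
	f := strings.Fields(stat[rp+1:]) // state ppid pgrp session tty_nr ...
	if len(f) < 5 {
		return ProcIdentity{}, fmt.Errorf("too few fields in stat line: %q", stat)
	}
	var err error
	atoi := func(s string) int {
		n, e := strconv.Atoi(s)
		if e != nil && err == nil {
			err = e
		}
		return n
	}
	id := ProcIdentity{PID: atoi(strings.TrimSpace(stat[:lp])), PGID: atoi(f[2]), SID: atoi(f[3]), TTY: atoi(f[4])}
	if err != nil {
		return ProcIdentity{}, err
	}
	return id, nil
}

// ProbeInteractiveSpawn runs `cat /proc/self/stat` through RunOnTTY and reports
// the identity the kernel gave it. cat is only a stand-in: to match the rule the
// binary must also be one covered by recon_binaries_procs.
func ProbeInteractiveSpawn() (ProcIdentity, error) {
	out, err := RunOnTTY("cat", "/proc/self/stat")
	if err != nil {
		return ProcIdentity{}, err
	}
	return ParseStat(strings.TrimSpace(string(out)))
}

func main() {
	id, err := ProbeInteractiveSpawn()
	if err != nil {
		fmt.Fprintln(os.Stderr, "probe failed:", err)
		os.Exit(1)
	}
	fmt.Printf("pid=%d pgid=%d sid=%d tty_nr=%d is_vpgid_leader=%v tty!=0=%v\n",
		id.PID, id.PGID, id.SID, id.TTY, id.IsPGIDLeader(), id.TTY != 0)
}
```

The important part for the issue is the `SysProcAttr`: `Setsid` alone gives `pid == pgrp`, and `Setctty` with a pty on the child's fd 0 gives a non-zero `tty_nr`; launching the same binary through a shell script would instead place it in the script's process group. Whether this also satisfies `spawned_process` and `recon_binaries_procs` depends only on which binary is passed to `RunOnTTY`.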

poiana commented 5 months ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

leogr commented 5 months ago

/remove-lifecycle stale

poiana commented 2 months ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana commented 1 month ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana commented 1 week ago

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.

/close

poiana commented 1 week ago

@poiana: Closing this issue.

In response to [this](https://github.com/falcosecurity/event-generator/issues/145#issuecomment-2481141001):

> Rotten issues close after 30d of inactivity.
>
> Reopen the issue with `/reopen`.
>
> Mark the issue as fresh with `/remove-lifecycle rotten`.
>
> Provide feedback via https://github.com/falcosecurity/community.
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.