Open Speeddymon opened 8 months ago
@Andreagit97 @Speeddymon I'd love to work on this feature. Please assign this feature to me.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
/remove-lifecycle stale
@rashim27us I think you can make a fork of the project, and then write your code and open a PR; no need to have the issue assigned to you. I look forward to seeing this implemented :) Thank you in advance!
Motivation
I was reading https://www.bleepingcomputer.com/news/security/cracked-macos-apps-drain-wallets-using-scripts-fetched-from-dns-records/ just now and a thought occurred to me, as well as a few more while typing this out.
Feature
See above
Alternatives
Matching based on IP or name only. You have to know the domains ahead of time in order to add them to a rule that notifies based on a list of domains, or you have to know all of the domains you talk to in order to add them to a rule that notifies based on NOT matching a list of domains, and the event has to be triggered by something already; it's not possible to match based on just the DNS lookup itself happening.
Additional context
I want to treat DNS as if DNS can't be trusted. A quick Google search didn't reveal any promising results for how to implement DNSSEC in a container context as a client, so I honestly think this isn't something that could be fixed at the container level. So in my mind, that means that DNS in a container should not be trusted, period. Therefore, DNS lookups themselves need to generate an event in Falco that the rules can match. The default ruleset doesn't necessarily need to enable this new type of rule for all users right off the bat, which would allow time for testing and refinement over a few releases of anything implemented towards closing this issue.
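The "Alternatives" section describes what is possible today: a rule that fires on an outbound connection whose destination is not on a pre-built domain allow-list. The Falco rule below is an added illustration of that approach, not code from the issue or from Falco's default ruleset; it assumes the default ruleset's `outbound` and `container` macros and the `fd.sip.name` / `fd.sip` / `fd.sport` fields, and the domain list is constructed for the example.

```yaml
# Added example (not from the issue or Falco's shipped rules).
# Assumes the `outbound` and `container` macros from Falco's default
# rules are loaded alongside this file.

# Constructed allow-list: every domain the workload is expected to talk to.
# This is exactly the limitation the issue points out: the list must be
# known ahead of time, and anything missing from it produces noise.
- list: known_egress_domains
  items: [api.example.com, updates.example.com]

# fd.sip.name is the domain name Falco associates with the server IP of the
# connection; it is only populated when the name can be resolved back.
- macro: outbound_to_known_domain
  condition: (fd.sip.name in (known_egress_domains))

- rule: Container Egress To Unlisted Domain
  desc: >
    Outbound connection from a container whose server name is not on the
    allow-list. Fires on the connect itself, not on the DNS lookup that
    preceded it, which is the gap this issue asks to close.
  condition: >
    outbound and container and not outbound_to_known_domain
  output: >
    Outbound connection to unlisted domain
    (container=%container.name image=%container.image.repository
    proc=%proc.name dest=%fd.sip.name ip=%fd.sip port=%fd.sport)
  priority: NOTICE
  tags: [network, egress]
```

Note that a destination reached by a bare IP, or one whose reverse lookup does not match the name the process queried, leaves `fd.sip.name` empty or misleading, so this rule cannot observe the lookup the issue wants to alert on.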