Closed: incertum closed this pull request 11 months ago
Comparing 5ae68d21f7d08d87066106fca7a1943e9b632fbc with latest tag falco-rules-1.0.1

Major changes:
  Redirect STDOUT/STDIN to Network Connection in Container: has fewer tags than before
  Linux Kernel Module Injection Detected: has fewer tags than before
  Debugfs Launched in Privileged Container: has fewer tags than before
  Detect release_agent File Container Escapes: has fewer tags than before
  PTRACE attached to process: has fewer tags than before

Patch changes:
  Disallowed SSH Connection: has more tags than before
  Unexpected outbound connection destination: has more tags than before
  Unexpected inbound connection source: has more tags than before
  Read Shell Configuration File: has more tags than before
  Schedule Cron Jobs: has more tags than before
  Read ssh information: has more tags than before
  Change thread namespace: has more tags than before
  Terminal shell in container: changed its output fields
  Terminal shell in container: has more tags than before
  Program run with disallowed http proxy env: has more tags than before
  Interpreted procs inbound network activity: has more tags than before
  Interpreted procs outbound network activity: has more tags than before
  Unexpected UDP Traffic: has more tags than before
  Contact EC2 Instance Metadata Service From Container: has more tags than before
  Contact cloud metadata service from container: has more tags than before
  Contact K8S API Server From Container: changed its output fields
  Contact K8S API Server From Container: has more tags than before
  Netcat Remote Code Execution in Container: changed its output fields
  Netcat Remote Code Execution in Container: has more tags than before
  Set Setuid or Setgid bit: has more tags than before
  Create Hidden Files or Directories: has more tags than before
  Detect outbound connections to common miner pool ports: has more tags than before
  Network Connection outside Local Subnet: has more tags than before
  Outbound or Inbound Traffic not to Authorized Server Process and Port: has more tags than before
  Redirect STDOUT/STDIN to Network Connection in Container: changed its output fields
  Redirect STDOUT/STDIN to Network Connection in Container: has more tags than before
  Container Drift Detected (chmod): has more tags than before
  Container Drift Detected (open+create): has more tags than before
  Outbound Connection to C2 Servers: has more tags than before
  Linux Kernel Module Injection Detected: changed its output fields
  Linux Kernel Module Injection Detected: has more tags than before
  Container Run as Root User: has more tags than before
  Debugfs Launched in Privileged Container: changed its output fields
  Debugfs Launched in Privileged Container: has more tags than before
  Detect release_agent File Container Escapes: changed its output fields
  Detect release_agent File Container Escapes: has more tags than before
  Java Process Class File Download: has more tags than before
  Modify Container Entrypoint: has more tags than before
  PTRACE attached to process: changed its output fields
  PTRACE attached to process: has more tags than before
  PTRACE anti-debug attempt: changed its output fields
  PTRACE anti-debug attempt: has more tags than before
  Drop and execute new binary in container: changed its output fields
  Drop and execute new binary in container: has more tags than before

[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: incertum, LucaGuerra
LGTM label has been added.
What type of PR is this?
/kind cleanup
/kind documentation
Any specific area of the project related to this PR?
/area rules
What this PR does / why we need it:
Second round of initially tagging rules w/ maturity_stable.
@LucaGuerra @loresuso @jasondellaluce
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer: