cleanup(rules): initial tagging of sandbox or incubating rules round5

[incertum]

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area rules

/area registry

/area build

/area documentation

What this PR does / why we need it:

Initially tag remaining rules either w/ sandbox or incubating maturity. Final initial pass, will be re-balanced and corrected as needed after each rule has been tagged alongside general improvements to rules conditions, descriptions or output fields consistency changes that will follow.

@LucaGuerra

@leogr after this one we will conform to the new guidelines when changing tags!

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

[github-actions[bot]]

Rules files suggestions

falco_rules.yaml

Comparing 8b80815779bf2e8345c0ea596fdd138de5800797 with latest tag falco-rules-1.0.1

Major changes:

• Rule Directory traversal monitored file read has less tags than before
• Rule Read sensitive file trusted after startup has less tags than before
• Rule Read sensitive file untrusted has less tags than before
• Rule Launch Privileged Container has less tags than before
• Rule Launch Excessively Capable Container has less tags than before
• Rule Launch Sensitive Mount Container has less tags than before
• Rule System procs network activity has less tags than before
• Rule User mgmt binaries has less tags than before
• Rule Unexpected K8s NodePort Connection has been disabled at default
• Rule Launch Suspicious Network Tool in Container has less tags than before
• Rule Launch Suspicious Network Tool on Host has less tags than before
• Rule Remove Bulk Data from Disk has less tags than before
• Rule Create Symlink Over Sensitive Files has less tags than before
• Rule Create Hardlink Over Sensitive Files has less tags than before
• Rule Packet socket created in container has less tags than before
• Rule Redirect STDOUT/STDIN to Network Connection in Container has less tags than before
• Rule Linux Kernel Module Injection Detected has less tags than before
• Rule Debugfs Launched in Privileged Container has less tags than before
• Rule Detect release_agent File Container Escapes has less tags than before
• Rule Read environment variable from /proc files has less tags than before
• Rule PTRACE attached to process has less tags than before
• Rule Execution from /dev/shm has less tags than before

Patch changes:

• Rule Disallowed SSH Connection has more tags than before
• Rule Unexpected outbound connection destination has more tags than before
• Rule Unexpected inbound connection source has more tags than before
• Rule Modify Shell Configuration File has more tags than before
• Rule Read Shell Configuration File has more tags than before
• Rule Schedule Cron Jobs has more tags than before
• Rule Update Package Repository has more tags than before
• Rule Write below binary dir has more tags than before
• Rule Write below monitored dir has more tags than before
• Rule Directory traversal monitored file read changed its output fields
• Rule Directory traversal monitored file read has more tags than before
• Rule Read ssh information has more tags than before
• Rule Write below etc has more tags than before
• Rule Write below root has more tags than before
• Rule Read sensitive file trusted after startup changed its output fields
• Rule Read sensitive file trusted after startup has more tags than before
• Rule Read sensitive file untrusted changed its output fields
• Rule Read sensitive file untrusted has more tags than before
• Rule Write below rpm database has more tags than before
• Rule DB program spawned process has more tags than before
• Rule Modify binary dirs has more tags than before
• Rule Mkdir binary dirs has more tags than before
• Rule Change thread namespace has more tags than before
• Rule Run shell untrusted changed its output fields
• Rule Run shell untrusted has more tags than before
• Rule Launch Privileged Container has more tags than before
• Rule Launch Excessively Capable Container has more tags than before
• Rule Launch Sensitive Mount Container has more tags than before
• Rule Launch Disallowed Container has more tags than before
• Rule System user interactive changed its output fields
• Rule System user interactive has more tags than before
• Rule Terminal shell in container changed its output fields
• Rule Terminal shell in container has more tags than before
• Rule System procs network activity has more tags than before
• Rule Program run with disallowed http proxy env has more tags than before
• Rule Interpreted procs inbound network activity has more tags than before
• Rule Interpreted procs outbound network activity has more tags than before
• Rule Unexpected UDP Traffic has more tags than before
• Rule Non sudo setuid has more tags than before
• Rule User mgmt binaries has more tags than before
• Rule Create files below dev has more tags than before
• Rule Contact EC2 Instance Metadata Service From Container has more tags than before
• Rule Contact cloud metadata service from container has more tags than before
• Rule Contact K8S API Server From Container changed its output fields
• Rule Contact K8S API Server From Container has more tags than before
• Rule Unexpected K8s NodePort Connection has more tags than before
• Rule Launch Package Management Process in Container has more tags than before
• Rule Netcat Remote Code Execution in Container changed its output fields
• Rule Netcat Remote Code Execution in Container has more tags than before
• Rule Launch Suspicious Network Tool in Container has more tags than before
• Rule Launch Suspicious Network Tool on Host has more tags than before
• Rule Search Private Keys or Passwords has more tags than before
• Rule Clear Log Activities changed its output fields
• Rule Clear Log Activities has more tags than before
• Rule Remove Bulk Data from Disk changed its output fields
• Rule Remove Bulk Data from Disk has more tags than before
• Rule Delete or rename shell history has more tags than before
• Rule Delete Bash History has more tags than before
• Rule Set Setuid or Setgid bit has more tags than before
• Rule Create Hidden Files or Directories has more tags than before
• Rule Launch Remote File Copy Tools in Container has more tags than before
• Rule Create Symlink Over Sensitive Files changed its output fields
• Rule Create Symlink Over Sensitive Files has more tags than before
• Rule Create Hardlink Over Sensitive Files changed its output fields
• Rule Create Hardlink Over Sensitive Files has more tags than before
• Rule Detect outbound connections to common miner pool ports has more tags than before
• Rule Detect crypto miners using the Stratum protocol has more tags than before
• Rule The docker client is executed in a container has more tags than before
• Rule Packet socket created in container changed its output fields
• Rule Packet socket created in container has more tags than before
• Rule Network Connection outside Local Subnet has more tags than before
• Rule Outbound or Inbound Traffic not to Authorized Server Process and Port has more tags than before
• Rule Redirect STDOUT/STDIN to Network Connection in Container changed its output fields
• Rule Redirect STDOUT/STDIN to Network Connection in Container has more tags than before
• Rule Container Drift Detected (chmod) has more tags than before
• Rule Container Drift Detected (open+create) has more tags than before
• Rule Outbound Connection to C2 Servers has more tags than before
• Rule Linux Kernel Module Injection Detected changed its output fields
• Rule Linux Kernel Module Injection Detected has more tags than before
• Rule Container Run as Root User has more tags than before
• Rule Sudo Potential Privilege Escalation has more tags than before
• Rule Debugfs Launched in Privileged Container changed its output fields
• Rule Debugfs Launched in Privileged Container has more tags than before
• Rule Mount Launched in Privileged Container has more tags than before
• Rule Unprivileged Delegation of Page Faults Handling to a Userspace Process has more tags than before
• Rule Launch Ingress Remote File Copy Tools in Container has more tags than before
• Rule Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) has more tags than before
• Rule Detect release_agent File Container Escapes changed its output fields
• Rule Detect release_agent File Container Escapes has more tags than before
• Rule Java Process Class File Download has more tags than before
• Rule Modify Container Entrypoint has more tags than before
• Rule Read environment variable from /proc files has more tags than before
• Rule PTRACE attached to process changed its output fields
• Rule PTRACE attached to process has more tags than before
• Rule PTRACE anti-debug attempt changed its output fields
• Rule PTRACE anti-debug attempt has more tags than before
• Rule Find AWS Credentials has more tags than before
• Rule Execution from /dev/shm has more tags than before
• Rule Drop and execute new binary in container changed its output fields
• Rule Drop and execute new binary in container has more tags than before

[poiana]

LGTM label has been added.

Git tree hash: 1e4f713e068258ad9950919931ea80e33887c634

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: incertum, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/falcosecurity/rules/blob/main/OWNERS)~~ [incertum,leogr] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment