Closed incertum closed 1 year ago
Comparing 8b80815779bf2e8345c0ea596fdd138de5800797 with latest tag falco-rules-1.0.1

Major changes:
Directory traversal monitored file read: has less tags than before
Read sensitive file trusted after startup: has less tags than before
Read sensitive file untrusted: has less tags than before
Launch Privileged Container: has less tags than before
Launch Excessively Capable Container: has less tags than before
Launch Sensitive Mount Container: has less tags than before
System procs network activity: has less tags than before
User mgmt binaries: has less tags than before
Unexpected K8s NodePort Connection: has been disabled at default
Launch Suspicious Network Tool in Container: has less tags than before
Launch Suspicious Network Tool on Host: has less tags than before
Remove Bulk Data from Disk: has less tags than before
Create Symlink Over Sensitive Files: has less tags than before
Create Hardlink Over Sensitive Files: has less tags than before
Packet socket created in container: has less tags than before
Redirect STDOUT/STDIN to Network Connection in Container: has less tags than before
Linux Kernel Module Injection Detected: has less tags than before
Debugfs Launched in Privileged Container: has less tags than before
Detect release_agent File Container Escapes: has less tags than before
Read environment variable from /proc files: has less tags than before
PTRACE attached to process: has less tags than before
Execution from /dev/shm: has less tags than before

Patch changes:
Disallowed SSH Connection: has more tags than before
Unexpected outbound connection destination: has more tags than before
Unexpected inbound connection source: has more tags than before
Modify Shell Configuration File: has more tags than before
Read Shell Configuration File: has more tags than before
Schedule Cron Jobs: has more tags than before
Update Package Repository: has more tags than before
Write below binary dir: has more tags than before
Write below monitored dir: has more tags than before
Directory traversal monitored file read: changed its output fields
Directory traversal monitored file read: has more tags than before
Read ssh information: has more tags than before
Write below etc: has more tags than before
Write below root: has more tags than before
Read sensitive file trusted after startup: changed its output fields
Read sensitive file trusted after startup: has more tags than before
Read sensitive file untrusted: changed its output fields
Read sensitive file untrusted: has more tags than before
Write below rpm database: has more tags than before
DB program spawned process: has more tags than before
Modify binary dirs: has more tags than before
Mkdir binary dirs: has more tags than before
Change thread namespace: has more tags than before
Run shell untrusted: changed its output fields
Run shell untrusted: has more tags than before
Launch Privileged Container: has more tags than before
Launch Excessively Capable Container: has more tags than before
Launch Sensitive Mount Container: has more tags than before
Launch Disallowed Container: has more tags than before
System user interactive: changed its output fields
System user interactive: has more tags than before
Terminal shell in container: changed its output fields
Terminal shell in container: has more tags than before
System procs network activity: has more tags than before
Program run with disallowed http proxy env: has more tags than before
Interpreted procs inbound network activity: has more tags than before
Interpreted procs outbound network activity: has more tags than before
Unexpected UDP Traffic: has more tags than before
Non sudo setuid: has more tags than before
User mgmt binaries: has more tags than before
Create files below dev: has more tags than before
Contact EC2 Instance Metadata Service From Container: has more tags than before
Contact cloud metadata service from container: has more tags than before
Contact K8S API Server From Container: changed its output fields
Contact K8S API Server From Container: has more tags than before
Unexpected K8s NodePort Connection: has more tags than before
Launch Package Management Process in Container: has more tags than before
Netcat Remote Code Execution in Container: changed its output fields
Netcat Remote Code Execution in Container: has more tags than before
Launch Suspicious Network Tool in Container: has more tags than before
Launch Suspicious Network Tool on Host: has more tags than before
Search Private Keys or Passwords: has more tags than before
Clear Log Activities: changed its output fields
Clear Log Activities: has more tags than before
Remove Bulk Data from Disk: changed its output fields
Remove Bulk Data from Disk: has more tags than before
Delete or rename shell history: has more tags than before
Delete Bash History: has more tags than before
Set Setuid or Setgid bit: has more tags than before
Create Hidden Files or Directories: has more tags than before
Launch Remote File Copy Tools in Container: has more tags than before
Create Symlink Over Sensitive Files: changed its output fields
Create Symlink Over Sensitive Files: has more tags than before
Create Hardlink Over Sensitive Files: changed its output fields
Create Hardlink Over Sensitive Files: has more tags than before
Detect outbound connections to common miner pool ports: has more tags than before
Detect crypto miners using the Stratum protocol: has more tags than before
The docker client is executed in a container: has more tags than before
Packet socket created in container: changed its output fields
Packet socket created in container: has more tags than before
Network Connection outside Local Subnet: has more tags than before
Outbound or Inbound Traffic not to Authorized Server Process and Port: has more tags than before
Redirect STDOUT/STDIN to Network Connection in Container: changed its output fields
Redirect STDOUT/STDIN to Network Connection in Container: has more tags than before
Container Drift Detected (chmod): has more tags than before
Container Drift Detected (open+create): has more tags than before
Outbound Connection to C2 Servers: has more tags than before
Linux Kernel Module Injection Detected: changed its output fields
Linux Kernel Module Injection Detected: has more tags than before
Container Run as Root User: has more tags than before
Sudo Potential Privilege Escalation: has more tags than before
Debugfs Launched in Privileged Container: changed its output fields
Debugfs Launched in Privileged Container: has more tags than before
Mount Launched in Privileged Container: has more tags than before
Unprivileged Delegation of Page Faults Handling to a Userspace Process: has more tags than before
Launch Ingress Remote File Copy Tools in Container: has more tags than before
Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034): has more tags than before
Detect release_agent File Container Escapes: changed its output fields
Detect release_agent File Container Escapes: has more tags than before
Java Process Class File Download: has more tags than before
Modify Container Entrypoint: has more tags than before
Read environment variable from /proc files: has more tags than before
PTRACE attached to process: changed its output fields
PTRACE attached to process: has more tags than before
PTRACE anti-debug attempt: changed its output fields
PTRACE anti-debug attempt: has more tags than before
Find AWS Credentials: has more tags than before
Execution from /dev/shm: has more tags than before
Drop and execute new binary in container: changed its output fields
Drop and execute new binary in container: has more tags than before

LGTM label has been added.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: incertum, leogr
The full list of commands accepted by this bot can be found here.
The pull request process is described here
What type of PR is this?
/kind cleanup
Any specific area of the project related to this PR?
What this PR does / why we need it:
Initially tag remaining rules either w/ sandbox or incubating maturity. Final initial pass, will be re-balanced and corrected as needed after each rule has been tagged alongside general improvements to rules conditions, descriptions or output fields consistency changes that will follow.
@LucaGuerra
@leogr after this one we will conform to the new guidelines when changing tags!
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer: