falcosecurity / rules

Falco rule repository

https://falcosecurity.github.io/rules/

Apache License 2.0

91 stars 64 forks source link

fix(rules): fix some syntax issues and some mitre assignments #125

Closed incertum closed 11 months ago

incertum commented 11 months ago

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind feature

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area rules

/area registry

/area build

/area documentation

Proposed rule maturity level

Uncomment one (or more) /area <> lines (only for PRs that add or modify rules):

/area maturity-stable

/area maturity-incubating

/area maturity-sandbox

/area maturity-deprecated

What this PR does / why we need it:

Fix some syntax issues: Ensure that currently disabled rules would always be able to evaluate to something true without customization aka consistently adopt and not (never_true) for the respective placeholder macros. @jasondellaluce

Fix some mitre assignments, see https://github.com/falcosecurity/rules/issues/84. However, we need to do more thorough checks throughout to find the mitre phase and ttp that is the best fit.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

github-actions[bot] commented 11 months ago

Rules files suggestions

falco_rules.yaml

Comparing aecf271e18773d7dafccc69800030650a5ca32b2 with latest tag falco-rules-1.0.1

Major changes:

Rule Disallowed SSH Connection has less tags than before
Rule Schedule Cron Jobs has less tags than before
Rule Update Package Repository has less tags than before
Rule Directory traversal monitored file read has less tags than before
Rule Read ssh information has less tags than before
Rule Read sensitive file trusted after startup has less tags than before
Rule Read sensitive file untrusted has less tags than before
Rule Modify binary dirs has less tags than before
Rule Change thread namespace has less tags than before
Rule Launch Privileged Container has less tags than before
Rule Launch Excessively Capable Container has less tags than before
Rule Launch Sensitive Mount Container has less tags than before
Rule System procs network activity has less tags than before
Rule Program run with disallowed http proxy env has less tags than before
Rule User mgmt binaries has less tags than before
Rule Create files below dev has less tags than before
Rule Contact EC2 Instance Metadata Service From Container has less tags than before
Rule Unexpected K8s NodePort Connection has been disabled at default
Rule Launch Suspicious Network Tool in Container has less tags than before
Rule Launch Suspicious Network Tool on Host has less tags than before
Rule Remove Bulk Data from Disk has less tags than before
Rule Set Setuid or Setgid bit has less tags than before
Rule Create Hidden Files or Directories has less tags than before
Rule Launch Remote File Copy Tools in Container has less tags than before
Rule Create Symlink Over Sensitive Files has less tags than before
Rule Create Hardlink Over Sensitive Files has less tags than before
Rule Detect outbound connections to common miner pool ports has less tags than before
Rule Detect crypto miners using the Stratum protocol has less tags than before
Rule Packet socket created in container has less tags than before
Rule Redirect STDOUT/STDIN to Network Connection in Container has less tags than before
Rule Linux Kernel Module Injection Detected has less tags than before
Rule Debugfs Launched in Privileged Container has less tags than before
Rule Mount Launched in Privileged Container has less tags than before
Rule Detect release_agent File Container Escapes has less tags than before
Rule Read environment variable from /proc files has less tags than before
Rule PTRACE attached to process has less tags than before
Rule Execution from /dev/shm has less tags than before

Patch changes:

Rule Disallowed SSH Connection has more tags than before
Rule Unexpected outbound connection destination has more tags than before
Rule Unexpected inbound connection source has more tags than before
Rule Modify Shell Configuration File has more tags than before
Rule Read Shell Configuration File has more tags than before
Rule Schedule Cron Jobs has more tags than before
Rule Update Package Repository has more tags than before
Rule Write below binary dir has more tags than before
Rule Write below monitored dir has more tags than before
Rule Directory traversal monitored file read changed its output fields
Rule Directory traversal monitored file read has more tags than before
Rule Read ssh information has more tags than before
Rule Write below etc has more tags than before
Rule Write below root has more tags than before
Rule Read sensitive file trusted after startup changed its output fields
Rule Read sensitive file trusted after startup has more tags than before
Rule Read sensitive file untrusted changed its output fields
Rule Read sensitive file untrusted has more tags than before
Rule Write below rpm database has more tags than before
Rule DB program spawned process has more tags than before
Rule Modify binary dirs has more tags than before
Rule Mkdir binary dirs has more tags than before
Rule Change thread namespace has more tags than before
Rule Run shell untrusted changed its output fields
Rule Run shell untrusted has more tags than before
Rule Launch Privileged Container has more tags than before
Rule Launch Excessively Capable Container has more tags than before
Rule Launch Sensitive Mount Container has more tags than before
Rule Launch Disallowed Container has more tags than before
Rule System user interactive changed its output fields
Rule System user interactive has more tags than before
Rule Terminal shell in container changed its output fields
Rule Terminal shell in container has more tags than before
Rule System procs network activity has more tags than before
Rule Program run with disallowed http proxy env has more tags than before
Rule Interpreted procs inbound network activity has more tags than before
Rule Interpreted procs outbound network activity has more tags than before
Rule Unexpected UDP Traffic has more tags than before
Rule Non sudo setuid has more tags than before
Rule User mgmt binaries has more tags than before
Rule Create files below dev has more tags than before
Rule Contact EC2 Instance Metadata Service From Container has more tags than before
Rule Contact cloud metadata service from container has more tags than before
Rule Contact K8S API Server From Container changed its output fields
Rule Contact K8S API Server From Container has more tags than before
Rule Unexpected K8s NodePort Connection has more tags than before
Rule Launch Package Management Process in Container has more tags than before
Rule Netcat Remote Code Execution in Container changed its output fields
Rule Netcat Remote Code Execution in Container has more tags than before
Rule Launch Suspicious Network Tool in Container has more tags than before
Rule Launch Suspicious Network Tool on Host has more tags than before
Rule Search Private Keys or Passwords has more tags than before
Rule Clear Log Activities changed its output fields
Rule Clear Log Activities has more tags than before
Rule Remove Bulk Data from Disk changed its output fields
Rule Remove Bulk Data from Disk has more tags than before
Rule Delete or rename shell history has more tags than before
Rule Delete Bash History has more tags than before
Rule Set Setuid or Setgid bit has more tags than before
Rule Create Hidden Files or Directories has more tags than before
Rule Launch Remote File Copy Tools in Container has more tags than before
Rule Create Symlink Over Sensitive Files changed its output fields
Rule Create Symlink Over Sensitive Files has more tags than before
Rule Create Hardlink Over Sensitive Files changed its output fields
Rule Create Hardlink Over Sensitive Files has more tags than before
Rule Detect outbound connections to common miner pool ports has more tags than before
Rule Detect crypto miners using the Stratum protocol has more tags than before
Rule The docker client is executed in a container has more tags than before
Rule Packet socket created in container changed its output fields
Rule Packet socket created in container has more tags than before
Rule Network Connection outside Local Subnet has more tags than before
Rule Outbound or Inbound Traffic not to Authorized Server Process and Port has more tags than before
Rule Redirect STDOUT/STDIN to Network Connection in Container changed its output fields
Rule Redirect STDOUT/STDIN to Network Connection in Container has more tags than before
Rule Container Drift Detected (chmod) has more tags than before
Rule Container Drift Detected (open+create) has more tags than before
Rule Outbound Connection to C2 Servers has more tags than before
Rule Linux Kernel Module Injection Detected changed its output fields
Rule Linux Kernel Module Injection Detected has more tags than before
Rule Container Run as Root User has more tags than before
Rule Sudo Potential Privilege Escalation has more tags than before
Rule Debugfs Launched in Privileged Container changed its output fields
Rule Debugfs Launched in Privileged Container has more tags than before
Rule Mount Launched in Privileged Container has more tags than before
Rule Unprivileged Delegation of Page Faults Handling to a Userspace Process has more tags than before
Rule Launch Ingress Remote File Copy Tools in Container has more tags than before
Rule Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) has more tags than before
Rule Detect release_agent File Container Escapes changed its output fields
Rule Detect release_agent File Container Escapes has more tags than before
Rule Java Process Class File Download has more tags than before
Rule Modify Container Entrypoint has more tags than before
Rule Read environment variable from /proc files has more tags than before
Rule PTRACE attached to process changed its output fields
Rule PTRACE attached to process has more tags than before
Rule PTRACE anti-debug attempt changed its output fields
Rule PTRACE anti-debug attempt has more tags than before
Rule Find AWS Credentials has more tags than before
Rule Execution from /dev/shm has more tags than before
Rule Drop and execute new binary in container changed its output fields
Rule Drop and execute new binary in container has more tags than before

github-actions[bot] commented 11 months ago

Rules files suggestions

falco_rules.yaml

Comparing f0999b1d83b7bb11299ba6eb15b5bf1a5f46ed07 with latest tag falco-rules-1.0.1

Major changes:

Macro always_true has been removed
Rule Disallowed SSH Connection has less tags than before
Rule Schedule Cron Jobs has less tags than before
Rule Update Package Repository has less tags than before
Rule Directory traversal monitored file read has less tags than before
Rule Read ssh information has less tags than before
Rule Read sensitive file trusted after startup has less tags than before
Rule Read sensitive file untrusted has less tags than before
Rule Modify binary dirs has less tags than before
Rule Change thread namespace has less tags than before
Rule Launch Privileged Container has less tags than before
Rule Launch Excessively Capable Container has less tags than before
Rule Launch Sensitive Mount Container has less tags than before
Rule System procs network activity has less tags than before
Rule Program run with disallowed http proxy env has less tags than before
Rule User mgmt binaries has less tags than before
Rule Create files below dev has less tags than before
Rule Contact EC2 Instance Metadata Service From Container has less tags than before
Rule Unexpected K8s NodePort Connection has been disabled at default
Rule Launch Suspicious Network Tool in Container has less tags than before
Rule Launch Suspicious Network Tool on Host has less tags than before
Rule Remove Bulk Data from Disk has less tags than before
Rule Set Setuid or Setgid bit has less tags than before
Rule Create Hidden Files or Directories has less tags than before
Rule Launch Remote File Copy Tools in Container has less tags than before
Rule Create Symlink Over Sensitive Files has less tags than before
Rule Create Hardlink Over Sensitive Files has less tags than before
Rule Detect outbound connections to common miner pool ports has less tags than before
Rule Detect crypto miners using the Stratum protocol has less tags than before
Rule Packet socket created in container has less tags than before
Rule Redirect STDOUT/STDIN to Network Connection in Container has less tags than before
Rule Linux Kernel Module Injection Detected has less tags than before
Rule Debugfs Launched in Privileged Container has less tags than before
Rule Mount Launched in Privileged Container has less tags than before
Rule Detect release_agent File Container Escapes has less tags than before
Rule Read environment variable from /proc files has less tags than before
Rule PTRACE attached to process has less tags than before
Rule Execution from /dev/shm has less tags than before

Patch changes:

Rule Disallowed SSH Connection has more tags than before
Rule Unexpected outbound connection destination has more tags than before
Rule Unexpected inbound connection source has more tags than before
Rule Modify Shell Configuration File has more tags than before
Rule Read Shell Configuration File has more tags than before
Rule Schedule Cron Jobs has more tags than before
Rule Update Package Repository has more tags than before
Rule Write below binary dir has more tags than before
Rule Write below monitored dir has more tags than before
Rule Directory traversal monitored file read changed its output fields
Rule Directory traversal monitored file read has more tags than before
Rule Read ssh information has more tags than before
Rule Write below etc has more tags than before
Rule Write below root has more tags than before
Rule Read sensitive file trusted after startup changed its output fields
Rule Read sensitive file trusted after startup has more tags than before
Rule Read sensitive file untrusted changed its output fields
Rule Read sensitive file untrusted has more tags than before
Rule Write below rpm database has more tags than before
Rule DB program spawned process has more tags than before
Rule Modify binary dirs has more tags than before
Rule Mkdir binary dirs has more tags than before
Rule Change thread namespace has more tags than before
Rule Run shell untrusted changed its output fields
Rule Run shell untrusted has more tags than before
Rule Launch Privileged Container has more tags than before
Rule Launch Excessively Capable Container has more tags than before
Rule Launch Sensitive Mount Container has more tags than before
Rule Launch Disallowed Container has more tags than before
Rule System user interactive changed its output fields
Rule System user interactive has more tags than before
Rule Terminal shell in container changed its output fields
Rule Terminal shell in container has more tags than before
Rule System procs network activity has more tags than before
Rule Program run with disallowed http proxy env has more tags than before
Rule Interpreted procs inbound network activity has more tags than before
Rule Interpreted procs outbound network activity has more tags than before
Rule Unexpected UDP Traffic has more tags than before
Rule Non sudo setuid has more tags than before
Rule User mgmt binaries has more tags than before
Rule Create files below dev has more tags than before
Rule Contact EC2 Instance Metadata Service From Container has more tags than before
Rule Contact cloud metadata service from container has more tags than before
Rule Contact K8S API Server From Container changed its output fields
Rule Contact K8S API Server From Container has more tags than before
Rule Unexpected K8s NodePort Connection has more tags than before
Rule Launch Package Management Process in Container has more tags than before
Rule Netcat Remote Code Execution in Container changed its output fields
Rule Netcat Remote Code Execution in Container has more tags than before
Rule Launch Suspicious Network Tool in Container has more tags than before
Rule Launch Suspicious Network Tool on Host has more tags than before
Rule Search Private Keys or Passwords has more tags than before
Rule Clear Log Activities changed its output fields
Rule Clear Log Activities has more tags than before
Rule Remove Bulk Data from Disk changed its output fields
Rule Remove Bulk Data from Disk has more tags than before
Rule Delete or rename shell history has more tags than before
Rule Delete Bash History has more tags than before
Rule Set Setuid or Setgid bit has more tags than before
Rule Create Hidden Files or Directories has more tags than before
Rule Launch Remote File Copy Tools in Container has more tags than before
Rule Create Symlink Over Sensitive Files changed its output fields
Rule Create Symlink Over Sensitive Files has more tags than before
Rule Create Hardlink Over Sensitive Files changed its output fields
Rule Create Hardlink Over Sensitive Files has more tags than before
Rule Detect outbound connections to common miner pool ports has more tags than before
Rule Detect crypto miners using the Stratum protocol has more tags than before
Rule The docker client is executed in a container has more tags than before
Rule Packet socket created in container changed its output fields
Rule Packet socket created in container has more tags than before
Rule Network Connection outside Local Subnet has more tags than before
Rule Outbound or Inbound Traffic not to Authorized Server Process and Port has more tags than before
Rule Redirect STDOUT/STDIN to Network Connection in Container changed its output fields
Rule Redirect STDOUT/STDIN to Network Connection in Container has more tags than before
Rule Container Drift Detected (chmod) has more tags than before
Rule Container Drift Detected (open+create) has more tags than before
Rule Outbound Connection to C2 Servers has more tags than before
Rule Linux Kernel Module Injection Detected changed its output fields
Rule Linux Kernel Module Injection Detected has more tags than before
Rule Container Run as Root User has more tags than before
Rule Sudo Potential Privilege Escalation has more tags than before
Rule Debugfs Launched in Privileged Container changed its output fields
Rule Debugfs Launched in Privileged Container has more tags than before
Rule Mount Launched in Privileged Container has more tags than before
Rule Unprivileged Delegation of Page Faults Handling to a Userspace Process has more tags than before
Rule Launch Ingress Remote File Copy Tools in Container has more tags than before
Rule Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) has more tags than before
Rule Detect release_agent File Container Escapes changed its output fields
Rule Detect release_agent File Container Escapes has more tags than before
Rule Java Process Class File Download has more tags than before
Rule Modify Container Entrypoint has more tags than before
Rule Read environment variable from /proc files has more tags than before
Rule PTRACE attached to process changed its output fields
Rule PTRACE attached to process has more tags than before
Rule PTRACE anti-debug attempt changed its output fields
Rule PTRACE anti-debug attempt has more tags than before
Rule Find AWS Credentials has more tags than before
Rule Execution from /dev/shm has more tags than before
Rule Drop and execute new binary in container changed its output fields
Rule Drop and execute new binary in container has more tags than before

github-actions[bot] commented 11 months ago

Rules files suggestions

falco_rules.yaml

Comparing 84fc107986e7c81a1d1e4159f5b7eec5cbecc04d with latest tag falco-rules-1.0.1

Major changes:

Macro always_true has been removed
Rule Disallowed SSH Connection has less tags than before
Rule Schedule Cron Jobs has less tags than before
Rule Update Package Repository has less tags than before
Rule Directory traversal monitored file read has less tags than before
Rule Read ssh information has less tags than before
Rule Read sensitive file trusted after startup has less tags than before
Rule Read sensitive file untrusted has less tags than before
Rule Modify binary dirs has less tags than before
Rule Change thread namespace has less tags than before
Rule Launch Privileged Container has less tags than before
Rule Launch Excessively Capable Container has less tags than before
Rule Launch Sensitive Mount Container has less tags than before
Rule System procs network activity has less tags than before
Rule Program run with disallowed http proxy env has less tags than before
Rule User mgmt binaries has less tags than before
Rule Create files below dev has less tags than before
Rule Contact EC2 Instance Metadata Service From Container has less tags than before
Rule Unexpected K8s NodePort Connection has been disabled at default
Rule Launch Suspicious Network Tool in Container has less tags than before
Rule Launch Suspicious Network Tool on Host has less tags than before
Rule Remove Bulk Data from Disk has less tags than before
Rule Set Setuid or Setgid bit has less tags than before
Rule Create Hidden Files or Directories has less tags than before
Rule Launch Remote File Copy Tools in Container has less tags than before
Rule Create Symlink Over Sensitive Files has less tags than before
Rule Create Hardlink Over Sensitive Files has less tags than before
Rule Detect outbound connections to common miner pool ports has less tags than before
Rule Detect crypto miners using the Stratum protocol has less tags than before
Rule Packet socket created in container has less tags than before
Rule Redirect STDOUT/STDIN to Network Connection in Container has less tags than before
Rule Linux Kernel Module Injection Detected has less tags than before
Rule Debugfs Launched in Privileged Container has less tags than before
Rule Mount Launched in Privileged Container has less tags than before
Rule Detect release_agent File Container Escapes has less tags than before
Rule Read environment variable from /proc files has less tags than before
Rule PTRACE attached to process has less tags than before
Rule Execution from /dev/shm has less tags than before

Patch changes:

Rule Disallowed SSH Connection has more tags than before
Rule Unexpected outbound connection destination has more tags than before
Rule Unexpected inbound connection source has more tags than before
Rule Modify Shell Configuration File has more tags than before
Rule Read Shell Configuration File has more tags than before
Rule Schedule Cron Jobs has more tags than before
Rule Update Package Repository has more tags than before
Rule Write below binary dir has more tags than before
Rule Write below monitored dir has more tags than before
Rule Directory traversal monitored file read changed its output fields
Rule Directory traversal monitored file read has more tags than before
Rule Read ssh information has more tags than before
Rule Write below etc has more tags than before
Rule Write below root has more tags than before
Rule Read sensitive file trusted after startup changed its output fields
Rule Read sensitive file trusted after startup has more tags than before
Rule Read sensitive file untrusted changed its output fields
Rule Read sensitive file untrusted has more tags than before
Rule Write below rpm database has more tags than before
Rule DB program spawned process has more tags than before
Rule Modify binary dirs has more tags than before
Rule Mkdir binary dirs has more tags than before
Rule Change thread namespace has more tags than before
Rule Run shell untrusted changed its output fields
Rule Run shell untrusted has more tags than before
Rule Launch Privileged Container has more tags than before
Rule Launch Excessively Capable Container has more tags than before
Rule Launch Sensitive Mount Container has more tags than before
Rule Launch Disallowed Container has more tags than before
Rule System user interactive changed its output fields
Rule System user interactive has more tags than before
Rule Terminal shell in container changed its output fields
Rule Terminal shell in container has more tags than before
Rule System procs network activity has more tags than before
Rule Program run with disallowed http proxy env has more tags than before
Rule Interpreted procs inbound network activity has more tags than before
Rule Interpreted procs outbound network activity has more tags than before
Rule Unexpected UDP Traffic has more tags than before
Rule Non sudo setuid has more tags than before
Rule User mgmt binaries has more tags than before
Rule Create files below dev has more tags than before
Rule Contact EC2 Instance Metadata Service From Container has more tags than before
Rule Contact cloud metadata service from container has more tags than before
Rule Contact K8S API Server From Container changed its output fields
Rule Contact K8S API Server From Container has more tags than before
Rule Unexpected K8s NodePort Connection has more tags than before
Rule Launch Package Management Process in Container has more tags than before
Rule Netcat Remote Code Execution in Container changed its output fields
Rule Netcat Remote Code Execution in Container has more tags than before
Rule Launch Suspicious Network Tool in Container has more tags than before
Rule Launch Suspicious Network Tool on Host has more tags than before
Rule Search Private Keys or Passwords has more tags than before
Rule Clear Log Activities changed its output fields
Rule Clear Log Activities has more tags than before
Rule Remove Bulk Data from Disk changed its output fields
Rule Remove Bulk Data from Disk has more tags than before
Rule Delete or rename shell history has more tags than before
Rule Delete Bash History has more tags than before
Rule Set Setuid or Setgid bit has more tags than before
Rule Create Hidden Files or Directories has more tags than before
Rule Launch Remote File Copy Tools in Container has more tags than before
Rule Create Symlink Over Sensitive Files changed its output fields
Rule Create Symlink Over Sensitive Files has more tags than before
Rule Create Hardlink Over Sensitive Files changed its output fields
Rule Create Hardlink Over Sensitive Files has more tags than before
Rule Detect outbound connections to common miner pool ports has more tags than before
Rule Detect crypto miners using the Stratum protocol has more tags than before
Rule The docker client is executed in a container has more tags than before
Rule Packet socket created in container changed its output fields
Rule Packet socket created in container has more tags than before
Rule Network Connection outside Local Subnet has more tags than before
Rule Outbound or Inbound Traffic not to Authorized Server Process and Port has more tags than before
Rule Redirect STDOUT/STDIN to Network Connection in Container changed its output fields
Rule Redirect STDOUT/STDIN to Network Connection in Container has more tags than before
Rule Container Drift Detected (chmod) has more tags than before
Rule Container Drift Detected (open+create) has more tags than before
Rule Outbound Connection to C2 Servers has more tags than before
Rule Linux Kernel Module Injection Detected changed its output fields
Rule Linux Kernel Module Injection Detected has more tags than before
Rule Container Run as Root User has more tags than before
Rule Sudo Potential Privilege Escalation has more tags than before
Rule Debugfs Launched in Privileged Container changed its output fields
Rule Debugfs Launched in Privileged Container has more tags than before
Rule Mount Launched in Privileged Container has more tags than before
Rule Unprivileged Delegation of Page Faults Handling to a Userspace Process has more tags than before
Rule Launch Ingress Remote File Copy Tools in Container has more tags than before
Rule Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) has more tags than before
Rule Detect release_agent File Container Escapes changed its output fields
Rule Detect release_agent File Container Escapes has more tags than before
Rule Java Process Class File Download has more tags than before
Rule Modify Container Entrypoint has more tags than before
Rule Read environment variable from /proc files has more tags than before
Rule PTRACE attached to process changed its output fields
Rule PTRACE attached to process has more tags than before
Rule PTRACE anti-debug attempt changed its output fields
Rule PTRACE anti-debug attempt has more tags than before
Rule Find AWS Credentials has more tags than before
Rule Execution from /dev/shm has more tags than before
Rule Drop and execute new binary in container changed its output fields
Rule Drop and execute new binary in container has more tags than before

github-actions[bot] commented 11 months ago

Rules files suggestions

falco_rules.yaml

Comparing de9ce6e6eb43e07ef434a6cf07002e577c1d4fb5 with latest tag falco-rules-1.0.1

Major changes:

Macro always_true has been removed
Rule Disallowed SSH Connection has less tags than before
Rule Schedule Cron Jobs has less tags than before
Rule Update Package Repository has less tags than before
Rule Directory traversal monitored file read has less tags than before
Rule Read ssh information has less tags than before
Rule Read sensitive file trusted after startup has less tags than before
Rule Read sensitive file untrusted has less tags than before
Rule Modify binary dirs has less tags than before
Rule Change thread namespace has less tags than before
Rule Launch Privileged Container has less tags than before
Rule Launch Excessively Capable Container has less tags than before
Rule Launch Sensitive Mount Container has less tags than before
Rule System procs network activity has less tags than before
Rule Program run with disallowed http proxy env has less tags than before
Rule User mgmt binaries has less tags than before
Rule Create files below dev has less tags than before
Rule Contact EC2 Instance Metadata Service From Container has less tags than before
Rule Unexpected K8s NodePort Connection has been disabled at default
Rule Launch Suspicious Network Tool in Container has less tags than before
Rule Launch Suspicious Network Tool on Host has less tags than before
Rule Remove Bulk Data from Disk has less tags than before
Rule Set Setuid or Setgid bit has less tags than before
Rule Create Hidden Files or Directories has less tags than before
Rule Launch Remote File Copy Tools in Container has less tags than before
Rule Create Symlink Over Sensitive Files has less tags than before
Rule Create Hardlink Over Sensitive Files has less tags than before
Rule Detect outbound connections to common miner pool ports has less tags than before
Rule Detect crypto miners using the Stratum protocol has less tags than before
Rule Packet socket created in container has less tags than before
Rule Redirect STDOUT/STDIN to Network Connection in Container has less tags than before
Rule Linux Kernel Module Injection Detected has less tags than before
Rule Debugfs Launched in Privileged Container has less tags than before
Rule Mount Launched in Privileged Container has less tags than before
Rule Detect release_agent File Container Escapes has less tags than before
Rule Read environment variable from /proc files has less tags than before
Rule PTRACE attached to process has less tags than before
Rule Execution from /dev/shm has less tags than before

Patch changes:

Rule Disallowed SSH Connection has more tags than before
Rule Unexpected outbound connection destination has more tags than before
Rule Unexpected inbound connection source has more tags than before
Rule Modify Shell Configuration File has more tags than before
Rule Read Shell Configuration File has more tags than before
Rule Schedule Cron Jobs has more tags than before
Rule Update Package Repository has more tags than before
Rule Write below binary dir has more tags than before
Rule Write below monitored dir has more tags than before
Rule Directory traversal monitored file read changed its output fields
Rule Directory traversal monitored file read has more tags than before
Rule Read ssh information has more tags than before
Rule Write below etc has more tags than before
Rule Write below root has more tags than before
Rule Read sensitive file trusted after startup changed its output fields
Rule Read sensitive file trusted after startup has more tags than before
Rule Read sensitive file untrusted changed its output fields
Rule Read sensitive file untrusted has more tags than before
Rule Write below rpm database has more tags than before
Rule DB program spawned process has more tags than before
Rule Modify binary dirs has more tags than before
Rule Mkdir binary dirs has more tags than before
Rule Change thread namespace has more tags than before
Rule Run shell untrusted changed its output fields
Rule Run shell untrusted has more tags than before
Rule Launch Privileged Container has more tags than before
Rule Launch Excessively Capable Container has more tags than before
Rule Launch Sensitive Mount Container has more tags than before
Rule Launch Disallowed Container has more tags than before
Rule System user interactive changed its output fields
Rule System user interactive has more tags than before
Rule Terminal shell in container changed its output fields
Rule Terminal shell in container has more tags than before
Rule System procs network activity has more tags than before
Rule Program run with disallowed http proxy env has more tags than before
Rule Interpreted procs inbound network activity has more tags than before
Rule Interpreted procs outbound network activity has more tags than before
Rule Unexpected UDP Traffic has more tags than before
Rule Non sudo setuid has more tags than before
Rule User mgmt binaries has more tags than before
Rule Create files below dev has more tags than before
Rule Contact EC2 Instance Metadata Service From Container has more tags than before
Rule Contact cloud metadata service from container has more tags than before
Rule Contact K8S API Server From Container changed its output fields
Rule Contact K8S API Server From Container has more tags than before
Rule Unexpected K8s NodePort Connection has more tags than before
Rule Launch Package Management Process in Container has more tags than before
Rule Netcat Remote Code Execution in Container changed its output fields
Rule Netcat Remote Code Execution in Container has more tags than before
Rule Launch Suspicious Network Tool in Container has more tags than before
Rule Launch Suspicious Network Tool on Host has more tags than before
Rule Search Private Keys or Passwords has more tags than before
Rule Clear Log Activities changed its output fields
Rule Clear Log Activities has more tags than before
Rule Remove Bulk Data from Disk changed its output fields
Rule Remove Bulk Data from Disk has more tags than before
Rule Delete or rename shell history has more tags than before
Rule Delete Bash History has more tags than before
Rule Set Setuid or Setgid bit has more tags than before
Rule Create Hidden Files or Directories has more tags than before
Rule Launch Remote File Copy Tools in Container has more tags than before
Rule Create Symlink Over Sensitive Files changed its output fields
Rule Create Symlink Over Sensitive Files has more tags than before
Rule Create Hardlink Over Sensitive Files changed its output fields
Rule Create Hardlink Over Sensitive Files has more tags than before
Rule Detect outbound connections to common miner pool ports has more tags than before
Rule Detect crypto miners using the Stratum protocol has more tags than before
Rule The docker client is executed in a container has more tags than before
Rule Packet socket created in container changed its output fields
Rule Packet socket created in container has more tags than before
Rule Network Connection outside Local Subnet has more tags than before
Rule Outbound or Inbound Traffic not to Authorized Server Process and Port has more tags than before
Rule Redirect STDOUT/STDIN to Network Connection in Container changed its output fields
Rule Redirect STDOUT/STDIN to Network Connection in Container has more tags than before
Rule Container Drift Detected (chmod) has more tags than before
Rule Container Drift Detected (open+create) has more tags than before
Rule Outbound Connection to C2 Servers has more tags than before
Rule Linux Kernel Module Injection Detected changed its output fields
Rule Linux Kernel Module Injection Detected has more tags than before
Rule Container Run as Root User has more tags than before
Rule Sudo Potential Privilege Escalation has more tags than before
Rule Debugfs Launched in Privileged Container changed its output fields
Rule Debugfs Launched in Privileged Container has more tags than before
Rule Mount Launched in Privileged Container has more tags than before
Rule Unprivileged Delegation of Page Faults Handling to a Userspace Process has more tags than before
Rule Launch Ingress Remote File Copy Tools in Container has more tags than before
Rule Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) has more tags than before
Rule Detect release_agent File Container Escapes changed its output fields
Rule Detect release_agent File Container Escapes has more tags than before
Rule Java Process Class File Download has more tags than before
Rule Modify Container Entrypoint has more tags than before
Rule Read environment variable from /proc files has more tags than before
Rule PTRACE attached to process changed its output fields
Rule PTRACE attached to process has more tags than before
Rule PTRACE anti-debug attempt changed its output fields
Rule PTRACE anti-debug attempt has more tags than before
Rule Find AWS Credentials has more tags than before
Rule Execution from /dev/shm has more tags than before
Rule Drop and execute new binary in container changed its output fields
Rule Drop and execute new binary in container has more tags than before

github-actions[bot] commented 11 months ago

Rules files suggestions

falco_rules.yaml

Comparing 8a7dd892e828fba2dacda8ae014f5348f18fcd7f with latest tag falco-rules-1.0.1

Major changes:

Macro always_true has been removed
Rule Disallowed SSH Connection has less tags than before
Rule Schedule Cron Jobs has less tags than before
Rule Update Package Repository has less tags than before
Rule Directory traversal monitored file read has less tags than before
Rule Read ssh information has less tags than before
Rule Read sensitive file trusted after startup has less tags than before
Rule Read sensitive file untrusted has less tags than before
Rule Modify binary dirs has less tags than before
Rule Change thread namespace has less tags than before
Rule Launch Privileged Container has less tags than before
Rule Launch Excessively Capable Container has less tags than before
Rule Launch Sensitive Mount Container has less tags than before
Rule System procs network activity has less tags than before
Rule Program run with disallowed http proxy env has less tags than before
Rule User mgmt binaries has less tags than before
Rule Create files below dev has less tags than before
Rule Contact EC2 Instance Metadata Service From Container has less tags than before
Rule Unexpected K8s NodePort Connection has been disabled at default
Rule Launch Suspicious Network Tool in Container has less tags than before
Rule Launch Suspicious Network Tool on Host has less tags than before
Rule Remove Bulk Data from Disk has less tags than before
Rule Set Setuid or Setgid bit has less tags than before
Rule Create Hidden Files or Directories has less tags than before
Rule Launch Remote File Copy Tools in Container has less tags than before
Rule Create Symlink Over Sensitive Files has less tags than before
Rule Create Hardlink Over Sensitive Files has less tags than before
Rule Detect outbound connections to common miner pool ports has less tags than before
Rule Detect crypto miners using the Stratum protocol has less tags than before
Rule Packet socket created in container has less tags than before
Rule Redirect STDOUT/STDIN to Network Connection in Container has less tags than before
Rule Linux Kernel Module Injection Detected has less tags than before
Rule Debugfs Launched in Privileged Container has less tags than before
Rule Mount Launched in Privileged Container has less tags than before
Rule Detect release_agent File Container Escapes has less tags than before
Rule Read environment variable from /proc files has less tags than before
Rule PTRACE attached to process has less tags than before
Rule Execution from /dev/shm has less tags than before

Patch changes:

Rule Disallowed SSH Connection has more tags than before
Rule Unexpected outbound connection destination has more tags than before
Rule Unexpected inbound connection source has more tags than before
Rule Modify Shell Configuration File has more tags than before
Rule Read Shell Configuration File has more tags than before
Rule Schedule Cron Jobs has more tags than before
Rule Update Package Repository has more tags than before
Rule Write below binary dir has more tags than before
Rule Write below monitored dir has more tags than before
Rule Directory traversal monitored file read changed its output fields
Rule Directory traversal monitored file read has more tags than before
Rule Read ssh information has more tags than before
Rule Write below etc has more tags than before
Rule Write below root has more tags than before
Rule Read sensitive file trusted after startup changed its output fields
Rule Read sensitive file trusted after startup has more tags than before
Rule Read sensitive file untrusted changed its output fields
Rule Read sensitive file untrusted has more tags than before
Rule Write below rpm database has more tags than before
Rule DB program spawned process has more tags than before
Rule Modify binary dirs has more tags than before
Rule Mkdir binary dirs has more tags than before
Rule Change thread namespace has more tags than before
Rule Run shell untrusted changed its output fields
Rule Run shell untrusted has more tags than before
Rule Launch Privileged Container has more tags than before
Rule Launch Excessively Capable Container has more tags than before
Rule Launch Sensitive Mount Container has more tags than before
Rule Launch Disallowed Container has more tags than before
Rule System user interactive changed its output fields
Rule System user interactive has more tags than before
Rule Terminal shell in container changed its output fields
Rule Terminal shell in container has more tags than before
Rule System procs network activity has more tags than before
Rule Program run with disallowed http proxy env has more tags than before
Rule Interpreted procs inbound network activity has more tags than before
Rule Interpreted procs outbound network activity has more tags than before
Rule Unexpected UDP Traffic has more tags than before
Rule Non sudo setuid has more tags than before
Rule User mgmt binaries has more tags than before
Rule Create files below dev has more tags than before
Rule Contact EC2 Instance Metadata Service From Container has more tags than before
Rule Contact cloud metadata service from container has more tags than before
Rule Contact K8S API Server From Container changed its output fields
Rule Contact K8S API Server From Container has more tags than before
Rule Unexpected K8s NodePort Connection has more tags than before
Rule Launch Package Management Process in Container has more tags than before
Rule Netcat Remote Code Execution in Container changed its output fields
Rule Netcat Remote Code Execution in Container has more tags than before
Rule Launch Suspicious Network Tool in Container has more tags than before
Rule Launch Suspicious Network Tool on Host has more tags than before
Rule Search Private Keys or Passwords has more tags than before
Rule Clear Log Activities changed its output fields
Rule Clear Log Activities has more tags than before
Rule Remove Bulk Data from Disk changed its output fields
Rule Remove Bulk Data from Disk has more tags than before
Rule Delete or rename shell history has more tags than before
Rule Delete Bash History has more tags than before
Rule Set Setuid or Setgid bit has more tags than before
Rule Create Hidden Files or Directories has more tags than before
Rule Launch Remote File Copy Tools in Container has more tags than before
Rule Create Symlink Over Sensitive Files changed its output fields
Rule Create Symlink Over Sensitive Files has more tags than before
Rule Create Hardlink Over Sensitive Files changed its output fields
Rule Create Hardlink Over Sensitive Files has more tags than before
Rule Detect outbound connections to common miner pool ports has more tags than before
Rule Detect crypto miners using the Stratum protocol has more tags than before
Rule The docker client is executed in a container has more tags than before
Rule Packet socket created in container changed its output fields
Rule Packet socket created in container has more tags than before
Rule Network Connection outside Local Subnet has more tags than before
Rule Outbound or Inbound Traffic not to Authorized Server Process and Port has more tags than before
Rule Redirect STDOUT/STDIN to Network Connection in Container changed its output fields
Rule Redirect STDOUT/STDIN to Network Connection in Container has more tags than before
Rule Container Drift Detected (chmod) has more tags than before
Rule Container Drift Detected (open+create) has more tags than before
Rule Outbound Connection to C2 Servers has more tags than before
Rule Linux Kernel Module Injection Detected changed its output fields
Rule Linux Kernel Module Injection Detected has more tags than before
Rule Container Run as Root User has more tags than before
Rule Sudo Potential Privilege Escalation has more tags than before
Rule Debugfs Launched in Privileged Container changed its output fields
Rule Debugfs Launched in Privileged Container has more tags than before
Rule Mount Launched in Privileged Container has more tags than before
Rule Unprivileged Delegation of Page Faults Handling to a Userspace Process has more tags than before
Rule Launch Ingress Remote File Copy Tools in Container has more tags than before
Rule Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) has more tags than before
Rule Detect release_agent File Container Escapes changed its output fields
Rule Detect release_agent File Container Escapes has more tags than before
Rule Java Process Class File Download has more tags than before
Rule Modify Container Entrypoint has more tags than before
Rule Read environment variable from /proc files has more tags than before
Rule PTRACE attached to process changed its output fields
Rule PTRACE attached to process has more tags than before
Rule PTRACE anti-debug attempt changed its output fields
Rule PTRACE anti-debug attempt has more tags than before
Rule Find AWS Credentials has more tags than before
Rule Execution from /dev/shm has more tags than before
Rule Drop and execute new binary in container changed its output fields
Rule Drop and execute new binary in container has more tags than before

poiana commented 11 months ago

LGTM label has been added.

Git tree hash: d88aea43bea27a68ede297099ea2d9ed7fd4d51d

poiana commented 11 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: incertum, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/falcosecurity/rules/blob/main/OWNERS)~~ [incertum,leogr] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment