falcosecurity / rules

Falco rule repository
https://falcosecurity.github.io/rules/
Apache License 2.0
91 stars, 64 forks

new(rules): Exfiltrating Artifacts via Kubernetes Control Plane #139

Closed incertum closed 9 months ago

incertum commented 10 months ago

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind feature

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area rules

/area registry

/area build

/area documentation

Proposed rule maturity level

Uncomment one (or more) /area <> lines (only for PRs that add or modify rules):

/area maturity-stable

/area maturity-incubating

/area maturity-sandbox

/area maturity-deprecated

What this PR does / why we need it:

Many of the existing rules focus on sensitive files in the traditional Linux sense, which might not align well with containerized applications.

Moreover, exfiltrating artifacts from for example Kubernetes goes beyond just the usual ways of malware, interactive access or RCE. It also involves the control plane, which attackers can target if they've gained unauthorized access, such as through stolen credentials. For instance, they might use commands like kubectl cp. However, this kind of activity isn't expected to be the norm in production settings. This presents an opportunity to create a broad rule that can catch such behavior without having to individually profile application-specific secrets or artifacts that attackers might try to lift from the container's file system, if applicable.

See https://github.com/falcosecurity/rules/issues/138.

This new rule could not only benefit from feedback, but also expanded testing.

@darryk10 @loresuso @LucaGuerra

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:
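The PR text above argues for one broad rule keyed on how the control plane copies files out, rather than on per-application secret paths. The rule itself is not shown on this page, so the following is an added illustration, not the PR's rule or any Falco project code. It assumes only what `kubectl cp` is documented to do: it runs `tar cf - <path>` inside the pod through `kubectl exec` and streams the archive back, so from inside the container the copy shows up as a `tar` process launched by the container runtime's exec helper, with no controlling terminal, reading the files being archived. The runtime parent-process names, the side-effect path list, the event field names (modelled on Falco's `proc.name`, `proc.pname`, `container.id`, `proc.tty`, `fd.name`) and the sample events are all constructed for this example.

```python
from dataclasses import dataclass
from typing import List

# Parent process names that indicate the process was started by the container
# runtime itself (the path `kubectl exec` takes) rather than by a shell already
# running inside the container. Constructed for this example; a production
# rule's list must be tuned to the runtimes actually in use.
RUNTIME_EXEC_PARENTS = {"runc", "runc:[0:PARENT]", "runc:[1:CHILD]", "containerd-shim", "conmon"}

# Paths tar reads simply to run at all (loader cache, uid/gid name lookups,
# shared libraries). Reads of these are noise, not the artifact leaving the
# container. Constructed for this example.
SIDE_EFFECT_PREFIXES = ("/etc/ld.so.cache", "/etc/passwd", "/etc/group", "/lib/", "/lib64/", "/usr/lib/")


@dataclass(frozen=True)
class OpenReadEvent:
    """A simplified open-for-read event carrying the fields a rule would test."""
    proc_name: str
    proc_pname: str
    container_id: str   # "host" when the process is not in a container
    proc_tty: int       # 0 means no controlling terminal attached
    proc_cmdline: str
    fd_name: str


def is_side_effect_read(path: str) -> bool:
    """True for files tar touches regardless of what it is archiving."""
    return path.startswith(SIDE_EFFECT_PREFIXES)


def is_control_plane_copy(ev: OpenReadEvent) -> bool:
    """True when the read looks like `kubectl cp` streaming a file out.

    A tar started from an interactive shell in the container, or on the host,
    is deliberately out of scope: those are different behaviours and would be
    covered (if at all) by other rules.
    """
    return (
        ev.container_id != "host"
        and ev.proc_name == "tar"
        and ev.proc_pname in RUNTIME_EXEC_PARENTS
        and ev.proc_tty == 0
        and not is_side_effect_read(ev.fd_name)
    )


def detect(events: List[OpenReadEvent]) -> List[str]:
    """Return one alert line per event that matches the copy pattern."""
    alerts = []
    for ev in events:
        if is_control_plane_copy(ev):
            alerts.append(
                f"Notice Exfiltrating artifacts via Kubernetes control plane "
                f"(file={ev.fd_name} command={ev.proc_cmdline} container_id={ev.container_id})"
            )
    return alerts


# Constructed sample events; container id and paths are made up.
SAMPLE_EVENTS = [
    # kubectl cp pod:/app/config/secret.json . -> tar launched by the runtime, no tty
    OpenReadEvent("tar", "runc", "3a1f9b2c4d5e", 0, "tar cf - /app/config/secret.json", "/app/config/secret.json"),
    # the same tar process reading its own dependencies: expected noise, suppressed
    OpenReadEvent("tar", "runc", "3a1f9b2c4d5e", 0, "tar cf - /app/config/secret.json", "/etc/ld.so.cache"),
    # tar run from an interactive shell inside the container: not a control-plane copy
    OpenReadEvent("tar", "bash", "3a1f9b2c4d5e", 34816, "tar cf /tmp/a.tar /app", "/app/config/secret.json"),
    # tar on the host (a backup job), not via the control plane
    OpenReadEvent("tar", "cron", "host", 0, "tar cf /backup/etc.tar /etc", "/etc/shadow"),
    # a different binary exec'd the same way (kubectl exec -- cat): outside this pattern
    OpenReadEvent("cat", "runc", "3a1f9b2c4d5e", 0, "cat /app/config/secret.json", "/app/config/secret.json"),
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

Only the first sample event fires: the tar run by the runtime with no TTY, reading a file that is not one of its own dependencies. The last event is the caveat worth keeping in mind when tuning such a rule: `kubectl exec -- cat` over the same stolen credentials reads the same file but is not a `kubectl cp`, so a rule built around the `tar` pattern is broad across applications but not a catch-all for every control-plane read.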

poiana commented 10 months ago

@incertum: The label(s) area/maturity-incubating cannot be applied, because the repository doesn't have them.

In response to [this](https://github.com/falcosecurity/rules/pull/139) (the PR description above):

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.
github-actions[bot] commented 10 months ago

Rules files suggestions

falco_rules.yaml

Comparing 60ca6012d9daefdc6be7913ec425a5806561ed7e with latest tag falco-rules-1.0.1

Major changes:

Minor changes:

Patch changes:

leogr commented 10 months ago

Just added the missing labels

/area maturity-incubating

github-actions[bot] commented 10 months ago

Rules files suggestions

falco_rules.yaml

Comparing f097b8683e7e0bf05000679a139da175bf3fd737 with latest tag falco-rules-1.0.1

Major changes:

Minor changes:

Patch changes:

leogr commented 10 months ago

Hey @incertum

could you rebase this PR, please?

poiana commented 9 months ago

LGTM label has been added.

Git tree hash: 5e8154ca31c0edc8b0be016dcc62475b61085e23

poiana commented 9 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: darryk10, incertum, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/falcosecurity/rules/blob/main/OWNERS)~~ [incertum,leogr]

Approvers can indicate their approval by writing `/approve` in a comment.
Approvers can cancel approval by writing `/approve cancel` in a comment.