Closed incertum closed 1 year ago
Comparing 8ddd10259d39f329f3cf6b80cde2220127528b81
with latest tag falco-rules-1.0.1
Major changes:
- Delete Bash History: has been removed
- consider_network_tools_on_host: has been removed
- always_true: has been removed
- Disallowed SSH Connection: has less tags than before
- Schedule Cron Jobs: has less tags than before
- Update Package Repository: has less tags than before
- Directory traversal monitored file read: has less tags than before
- Read ssh information: has less tags than before
- Read sensitive file trusted after startup: has less tags than before
- Read sensitive file untrusted: has less tags than before
- Modify binary dirs: has less tags than before
- Change thread namespace: has less tags than before
- Launch Privileged Container: has less tags than before
- Launch Excessively Capable Container: has less tags than before
- Launch Sensitive Mount Container: has less tags than before
- System procs network activity: has less tags than before
- Program run with disallowed http proxy env: has less tags than before
- User mgmt binaries: has less tags than before
- Create files below dev: has less tags than before
- Contact EC2 Instance Metadata Service From Container: has less tags than before
- Unexpected K8s NodePort Connection: has been disabled at default
- Launch Suspicious Network Tool in Container: has less tags than before
- Launch Suspicious Network Tool on Host: has been disabled at default; has less tags than before
- Remove Bulk Data from Disk: has less tags than before
- Set Setuid or Setgid bit: has less tags than before
- Create Hidden Files or Directories: has less tags than before
- Launch Remote File Copy Tools in Container: has less tags than before
- Create Symlink Over Sensitive Files: has less tags than before
- Create Hardlink Over Sensitive Files: has less tags than before
- Detect outbound connections to common miner pool ports: has less tags than before
- Detect crypto miners using the Stratum protocol: has less tags than before
- Packet socket created in container: has less tags than before
- Redirect STDOUT/STDIN to Network Connection in Container: has less tags than before
- Linux Kernel Module Injection Detected: has less tags than before
- Debugfs Launched in Privileged Container: has less tags than before
- Mount Launched in Privileged Container: has less tags than before
- Detect release_agent File Container Escapes: has less tags than before
- Read environment variable from /proc files: has less tags than before
- PTRACE attached to process: has less tags than before
- Execution from /dev/shm: has less tags than before

Minor changes:
- Disallowed SSH Connection Non Standard Port: has been added
- ssh_non_standard_ports_network: has been added
- ssh_non_standard_ports: has been added

Patch changes:
- Disallowed SSH Connection: changed its output fields; has more tags than before
- Unexpected outbound connection destination: changed its output fields; has more tags than before
- Unexpected inbound connection source: changed its output fields; has more tags than before
- Modify Shell Configuration File: changed its output fields; has more tags than before
- Read Shell Configuration File: changed its output fields; has more tags than before
- Schedule Cron Jobs: changed its output fields; has more tags than before
- Update Package Repository: changed its output fields; has more tags than before
- Write below binary dir: changed its output fields; has more tags than before
- Write below monitored dir: changed its output fields; has more tags than before
- Directory traversal monitored file read: changed its output fields; has more tags than before
- Read ssh information: changed its output fields; has more tags than before
- Write below etc: changed its output fields; has more tags than before
- Write below root: changed its output fields; has more tags than before
- Read sensitive file trusted after startup: changed its output fields; has more tags than before
- Read sensitive file untrusted: changed its output fields; has more tags than before
- Write below rpm database: changed its output fields; has more tags than before
- DB program spawned process: changed its output fields; has more tags than before
- Modify binary dirs: changed its output fields; has more tags than before
- Mkdir binary dirs: changed its output fields; has more tags than before
- Change thread namespace: changed its output fields; has more tags than before
- Run shell untrusted: changed its output fields; has more tags than before; has a more urgent priority than before
- Launch Privileged Container: changed its output fields; has more tags than before
- Launch Excessively Capable Container: changed its output fields; has more tags than before
- Launch Sensitive Mount Container: changed its output fields; has more tags than before
- Launch Disallowed Container: changed its output fields; has more tags than before
- System user interactive: changed its output fields; has more tags than before
- Terminal shell in container: has more tags than before
- System procs network activity: changed its output fields; has more tags than before
- Program run with disallowed http proxy env: changed its output fields; has more tags than before
- Interpreted procs inbound network activity: changed its output fields; has more tags than before
- Interpreted procs outbound network activity: changed its output fields; has more tags than before
- Unexpected UDP Traffic: changed its output fields; has more tags than before
- Non sudo setuid: changed its output fields; has more tags than before
- User mgmt binaries: changed its output fields; has more tags than before
- Create files below dev: changed its output fields; has more tags than before
- Contact EC2 Instance Metadata Service From Container: changed its output fields; has more tags than before
- Contact cloud metadata service from container: has been enabled at default; changed its output fields; has more tags than before
- Contact K8S API Server From Container: changed its output fields; has more tags than before
- Unexpected K8s NodePort Connection: changed its output fields; has more tags than before
- Launch Package Management Process in Container: changed its output fields; has more tags than before
- Netcat Remote Code Execution in Container: changed its output fields; has more tags than before
- Launch Suspicious Network Tool in Container: changed its output fields; has more tags than before
- Launch Suspicious Network Tool on Host: changed its output fields; has more tags than before
- Search Private Keys or Passwords: changed its output fields; has more tags than before
- Clear Log Activities: changed its output fields; has more tags than before
- Remove Bulk Data from Disk: changed its output fields; has more tags than before
- Delete or rename shell history: changed its output fields; has more tags than before
- Set Setuid or Setgid bit: changed its output fields; has more tags than before
- Create Hidden Files or Directories: changed its output fields; has more tags than before
- Launch Remote File Copy Tools in Container: changed its output fields; has more tags than before
- Create Symlink Over Sensitive Files: changed its output fields; has more tags than before
- Create Hardlink Over Sensitive Files: changed its output fields; has more tags than before
- Detect outbound connections to common miner pool ports: changed its output fields; has more tags than before
- Detect crypto miners using the Stratum protocol: changed its output fields; has more tags than before
- The docker client is executed in a container: changed its output fields; has more tags than before
- Packet socket created in container: changed its output fields; has more tags than before
- Network Connection outside Local Subnet: changed its output fields; has more tags than before
- Outbound or Inbound Traffic not to Authorized Server Process and Port: changed its output fields; has more tags than before
- Redirect STDOUT/STDIN to Network Connection in Container: changed its output fields; has more tags than before
- Container Drift Detected (chmod): changed its output fields; has more tags than before
- Container Drift Detected (open+create): changed its output fields; has more tags than before
- Outbound Connection to C2 Servers: changed its output fields; has more tags than before
- Linux Kernel Module Injection Detected: changed its output fields; has more tags than before
- Container Run as Root User: changed its output fields; has more tags than before
- Sudo Potential Privilege Escalation: changed its output fields; has more tags than before
- Debugfs Launched in Privileged Container: changed its output fields; has more tags than before
- Mount Launched in Privileged Container: changed its output fields; has more tags than before
- Unprivileged Delegation of Page Faults Handling to a Userspace Process: changed its output fields; has more tags than before
- Launch Ingress Remote File Copy Tools in Container: changed its output fields; has more tags than before
- Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034): changed its output fields; has more tags than before
- Detect release_agent File Container Escapes: changed its output fields; has more tags than before
- Java Process Class File Download: changed its output fields; has more tags than before
- Modify Container Entrypoint: changed its output fields; has more tags than before
- Read environment variable from /proc files: changed its output fields; has more tags than before
- PTRACE attached to process: changed its output fields; has more tags than before
- PTRACE anti-debug attempt: changed its output fields; has more tags than before
- Find AWS Credentials: changed its output fields; has more tags than before
- Execution from /dev/shm: changed its output fields; has more tags than before
- Drop and execute new binary in container: changed its output fields; has more tags than before

LGTM label has been added.
Thanks @darryk10, agreed, this one can be bumped to Stable afterwards, similarly to how we plan it for the memfd + exec case.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: Andreagit97, darryk10, incertum
The full list of commands accepted by this bot can be found here.
The pull request process is described here.
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area rules
Proposed rule maturity level
/area maturity-incubating
What this PR does / why we need it:
During the latest audit I noticed a major coverage gap in the upstream rules wrt SSH connections. This rule adds yet another detection to the upstream rules to alert on various types of payloads that can be used in command injection attacks that can lead to RCE.
@loresuso @darryk10 @leogr
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
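To make concrete what the comparison output above records for this PR (one new rule, "Disallowed SSH Connection Non Standard Port", backed by the two new macros ssh_non_standard_ports_network and ssh_non_standard_ports, with output fields, a priority and maturity tags), here is an illustrative Falco rule of that shape. This is an added example written for this page, not the PR's diff and not the upstream falcosecurity/rules definition, neither of which is reproduced here. Only the rule and macro names are taken from the page; the port value, the conditions, the output format and the tag list are assumptions. The `outbound` macro and the `fd.*`, `proc.*`, `user.*` and `container.info` fields are standard Falco ones.

```yaml
# Illustrative example added for this page; not the upstream falcosecurity/rules
# definition. Rule and macro names match the comparison output above; every
# condition, port value, output field and tag below is an assumption.

# Assumption: 22 is the only "standard" SSH server port. fd.sport is the
# server-side port of the connection, i.e. the port the ssh client dials, so a
# client reaching sshd on 2222 or 443 matches here while 22 does not.
- macro: ssh_non_standard_ports
  condition: (fd.sport != 22)

# Assumption: reuse the upstream "outbound" macro (a new outgoing connection to
# a non-loopback address) and narrow it to TCP on a non-standard server port.
- macro: ssh_non_standard_ports_network
  condition: (outbound and fd.l4proto = tcp and ssh_non_standard_ports)

- rule: Disallowed SSH Connection Non Standard Port
  desc: >
    Detect a new outbound SSH connection from the host or a container to a server
    port other than 22. An attacker who stages sshd on an alternative port, or
    tunnels through 443, is invisible to a detection keyed on port 22 alone.
    Legitimate cases (for example a bastion listening on 2222) should be tuned
    by adjusting the ssh_non_standard_ports macro rather than disabling the rule.
  # scp and sftp spawn an ssh child to carry the session, so checking the
  # connecting process is enough; proc.exepath guards against a renamed binary
  # that only spoofs proc.name.
  condition: >
    ssh_non_standard_ports_network
    and proc.name = ssh
    and proc.exepath endswith /ssh
  output: >
    Disallowed SSH Connection Non Standard Port
    (connection=%fd.name server_port=%fd.sport user=%user.name user_uid=%user.uid
    process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname
    command=%proc.cmdline terminal=%proc.tty %container.info)
  priority: NOTICE
  tags: [maturity_incubating, host, container, network, process, mitre_command_and_control, TA0011]
```

Before loading a file like this, validate it with `falco -V <rules_file>`, which parses the rules and reports unknown fields or macros without starting the engine. The rule deliberately triggers on the connecting `ssh` process rather than on the daemon side, so it covers both host and container clients; a complementary inbound check would key on `sshd` and `fd.sport` in the same way.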