github-actions[bot]
commented
1 year ago Rules files suggestions
falco_rules.yaml
Comparing 671afa632fcdaec6e779b8185bb7492883a310e1 with latest tag falco-rules-1.0.1
Major changes:
- Rule
Write below rpm databasehas been removed - Rule
Unexpected K8s NodePort Connectionhas been removed - Rule
Launch Suspicious Network Tool on Hosthas been removed - Rule
Launch Ingress Remote File Copy Tools in Containerhas been removed - Rule
Unexpected inbound connection sourcehas been removed - Rule
Launch Privileged Containerhas been removed - Rule
Interpreted procs inbound network activityhas been removed - Rule
Contact EC2 Instance Metadata Service From Containerhas been removed - Rule
Launch Package Management Process in Containerhas been removed - Rule
Outbound Connection to C2 Servershas been removed - Rule
Read ssh informationhas been removed - Rule
Unprivileged Delegation of Page Faults Handling to a Userspace Processhas been removed - Rule
Update Package Repositoryhas been removed - Rule
Create files below devhas been removed - Rule
Container Drift Detected (chmod)has been removed - Rule
Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)has been removed - Rule
Unexpected outbound connection destinationhas been removed - Rule
Non sudo setuidhas been removed - Rule
User mgmt binarieshas been removed - Rule
Contact cloud metadata service from containerhas been removed - Rule
Write below binary dirhas been removed - Rule
Launch Excessively Capable Containerhas been removed - Rule
Launch Disallowed Containerhas been removed - Rule
Delete or rename shell historyhas been removed - Rule
Delete Bash Historyhas been removed - Rule
Container Run as Root Userhas been removed - Rule
Write below monitored dirhas been removed - Rule
Launch Suspicious Network Tool in Containerhas been removed - Rule
Network Connection outside Local Subnethas been removed - Rule
Disallowed SSH Connectionhas been removed - Rule
Interpreted procs outbound network activityhas been removed - Rule
Create Hidden Files or Directorieshas been removed - Rule
Container Drift Detected (open+create)has been removed - Rule
Read environment variable from /proc fileshas been removed - Rule
Schedule Cron Jobshas been removed - Rule
DB program spawned processhas been removed - Rule
Read Shell Configuration Filehas been removed - Rule
Launch Sensitive Mount Containerhas been removed - Rule
Outbound or Inbound Traffic not to Authorized Server Process and Porthas been removed - Rule
Modify Container Entrypointhas been removed - Rule
Change thread namespacehas been removed - Rule
Mount Launched in Privileged Containerhas been removed - Rule
Write below etchas been removed - Rule
Detect crypto miners using the Stratum protocolhas been removed - Rule
Unexpected UDP Traffichas been removed - Rule
Program run with disallowed http proxy envhas been removed - Rule
Launch Remote File Copy Tools in Containerhas been removed - Rule
Java Process Class File Downloadhas been removed - Rule
Mkdir binary dirshas been removed - Rule
Write below roothas been removed - Rule
Modify binary dirshas been removed - Rule
System procs network activityhas been removed - Rule
Set Setuid or Setgid bithas been removed - Rule
Detect outbound connections to common miner pool portshas been removed - Rule
The docker client is executed in a containerhas been removed - Rule
Sudo Potential Privilege Escalationhas been removed - Rule
Modify Shell Configuration Filehas been removed - Macro
automount_using_mtabhas been removed - Macro
avinetworks_supervisor_writing_sshhas been removed - Macro
user_privileged_containershas been removed - Macro
nodeport_containershas been removed - Macro
user_known_create_hidden_file_activitieshas been removed - Macro
inboundhas been removed - Macro
httpd_writing_ssl_confhas been removed - Macro
run_by_ms_omshas been removed - Macro
ms_scx_writing_confhas been removed - Macro
httpd_writing_conf_logshas been removed - Macro
excessively_capable_containerhas been removed - Macro
user_known_k8s_client_containerhas been removed - Macro
java_running_sdjagenthas been removed - Macro
ms_oms_writing_confhas been removed - Macro
istio_writing_confhas been removed - Macro
http_proxy_procshas been removed - Macro
run_by_yumhas been removed - Macro
plesk_install_writing_apache_confhas been removed - Macro
write_etc_commonhas been removed - Macro
var_lib_docker_filepathhas been removed - Macro
plesk_writing_keyshas been removed - Macro
user_known_mkdir_bin_dir_activitieshas been removed - Macro
user_expected_system_procs_network_activity_conditionshas been removed - Macro
bin_dir_renamehas been removed - Macro
brandbot_writing_os_releasehas been removed - Macro
nrpe_becoming_nagioshas been removed - Macro
known_gke_mount_in_privileged_containershas been removed - Macro
somebody_becoming_themselveshas been removed - Macro
chef_client_writing_confhas been removed - Macro
maven_writing_groovyhas been removed - Macro
user_known_write_monitored_dir_conditionshas been removed - Macro
redis_writing_confhas been removed - Macro
user_known_cron_jobshas been removed - Macro
networkmanager_writing_resolv_confhas been removed - Macro
user_known_change_thread_namespace_activitieshas been removed - Macro
kubectl_writing_statehas been removed - Macro
chmodhas been removed - Macro
openshift_writing_confhas been removed - Macro
aws_eks_core_imageshas been removed - Macro
user_known_create_files_below_dev_activitieshas been removed - Macro
user_known_run_as_root_containerhas been removed - Macro
zap_writing_statehas been removed - Macro
ingress_remote_file_copy_procshas been removed - Macro
veritas_writing_confighas been removed - Macro
cassandra_writing_statehas been removed - Macro
xmlcatalog_writing_fileshas been removed - Macro
ovsdb_writing_openvswitchhas been removed - Macro
user_known_write_below_binary_dir_activitieshas been removed - Macro
iscsi_writing_confhas been removed - Macro
ipsec_writing_confhas been removed - Macro
python_running_ms_omshas been removed - Macro
curl_writing_pki_dbhas been removed - Macro
modifyhas been removed - Macro
openldap_writing_confhas been removed - Macro
sed_temporary_filehas been removed - Macro
cron_start_writing_pam_envhas been removed - Macro
user_trusted_containershas been removed - Macro
open_directoryhas been removed - Macro
rpm_procshas been removed - Macro
coreos_write_ssh_dirhas been removed - Macro
user_known_update_package_registryhas been removed - Macro
plesk_running_mktemphas been removed - Macro
mysql_writing_confhas been removed - Macro
minerpool_otherhas been removed - Macro
system_procshas been removed - Macro
liveupdate_writing_confhas been removed - Macro
user_known_write_root_conditionshas been removed - Macro
chage_listhas been removed - Macro
countly_writing_nginx_confhas been removed - Macro
root_dirhas been removed - Macro
haproxy_writing_confhas been removed - Macro
rook_writing_confhas been removed - Macro
user_known_db_spawned_processeshas been removed - Macro
mount_infohas been removed - Macro
htpasswd_writing_passwdhas been removed - Macro
git_writing_nssdbhas been removed - Macro
rancher_writing_roothas been removed - Macro
user_known_metadata_accesshas been removed - Macro
minerpool_httpshas been removed - Macro
user_known_shell_config_modifiershas been removed - Macro
pkgmgmt_progs_writing_pkihas been removed - Macro
mcafee_writing_cma_dhas been removed - Macro
allowed_aws_ecr_registry_root_for_ekshas been removed - Macro
user_known_set_setuid_or_setgid_bit_conditionshas been removed - Macro
openshift_imagehas been removed - Macro
airflow_writing_statehas been removed - Macro
keepalived_writing_confhas been removed - Macro
slapadd_writing_confhas been removed - Macro
cockpit_writing_confhas been removed - Macro
openvpn_writing_confhas been removed - Macro
modify_shell_historyhas been removed - Macro
bin_dir_mkdirhas been removed - Macro
update_ca_trust_writing_pkihas been removed - Macro
user_known_write_below_etc_activitieshas been removed - Macro
remote_file_copy_procshas been removed - Macro
allowed_openshift_registry_roothas been removed - Macro
allowed_ssh_proxy_envhas been removed - Macro
outboundhas been removed - Macro
supervise_writing_statushas been removed - Macro
nginx_writing_confhas been removed - Macro
exe_running_docker_savehas been removed - Macro
prometheus_conf_writing_confhas been removed - Macro
java_network_readhas been removed - Macro
renamehas been removed - Macro
removehas been removed - Macro
allowed_ssh_hostshas been removed - Macro
ufw_writing_confhas been removed - Macro
user_known_user_management_activitieshas been removed - Macro
package_mgmt_procshas been removed - Macro
rpm_writing_root_rpmdbhas been removed - Macro
sensitive_mounthas been removed - Macro
known_aks_mount_in_privileged_containershas been removed - Macro
ssh_porthas been removed - Macro
cloud_init_writing_sshhas been removed - Macro
minerpool_httphas been removed - Macro
kubelet_running_loopbackhas been removed - Macro
rancher_network_managerhas been removed - Macro
fluentd_writing_conf_fileshas been removed - Macro
runc_writing_var_lib_dockerhas been removed - Macro
docker_procshas been removed - Macro
azure_networkwatcher_writing_confhas been removed - Macro
couchdb_writing_confhas been removed - Macro
sosreport_writing_fileshas been removed - Macro
gugent_writing_guestagent_loghas been removed - Macro
run_by_adclienthas been removed - Macro
user_known_read_ssh_information_activitieshas been removed - Macro
add_shell_writing_shells_tmphas been removed - Macro
consider_network_tools_on_hosthas been removed - Macro
mkdirhas been removed - Macro
container_startedhas been removed - Macro
calico_writing_confhas been removed - Macro
user_known_write_below_root_activitieshas been removed - Macro
runc_writing_exec_fifohas been removed - Macro
falco_privileged_containershas been removed - Macro
ec2_metadata_containershas been removed - Macro
pki_realm_writing_realmshas been removed - Macro
dse_writing_tmphas been removed - Macro
modify_repositorieshas been removed - Macro
user_sensitive_mount_containershas been removed - Macro
userhelper_writing_etc_securityhas been removed - Macro
access_repositorieshas been removed - Macro
allowed_containershas been removed - Macro
sssd_writing_krbhas been removed - Macro
google_accounts_daemon_writing_sshhas been removed - Macro
redhat_imagehas been removed - Macro
user_known_mount_in_privileged_containershas been removed - Macro
package_mgmt_ancestor_procshas been removed - Macro
python_running_denyhostshas been removed - Macro
galley_writing_statehas been removed - Macro
mkinitramfs_writing_boothas been removed - Macro
weaveworks_scopehas been removed - Macro
network_local_subnethas been removed - Macro
python_running_chefhas been removed - Macro
checkpoint_writing_statehas been removed - Macro
multipath_writing_confhas been removed - Macro
user_known_k8s_client_container_parenshas been removed - Macro
truncate_shell_historyhas been removed - Macro
java_running_cassandrahas been removed - Macro
symantec_writing_confhas been removed - Macro
nginx_writing_certshas been removed - Macro
calico_writing_statehas been removed - Macro
user_known_write_rpm_database_activitieshas been removed - Macro
user_known_package_manager_in_containerhas been removed - Macro
interpreted_procshas been removed - Macro
rancher_agenthas been removed - Macro
selinux_writing_confhas been removed - Macro
dpkg_scriptinghas been removed - Macro
trusted_images_query_miner_domain_dnshas been removed - Macro
veritas_progshas been removed - Macro
duply_writing_exclude_fileshas been removed - Macro
monitored_dirhas been removed - Macro
user_known_modify_bin_dir_activitieshas been removed - Macro
login_doing_dns_lookuphas been removed - Macro
user_known_ingress_remote_file_copy_activitieshas been removed - Macro
parent_ucf_writing_confhas been removed - Macro
consul_template_writing_confhas been removed - Macro
qualys_writing_conf_fileshas been removed - Macro
expected_udp_traffichas been removed - Macro
user_known_write_etc_conditionshas been removed - Macro
run_by_sumologic_securefileshas been removed - Macro
mysqlsh_writing_statehas been removed - Macro
bin_dirhas been removed - Macro
rancher_writing_confhas been removed - Macro
always_truehas been removed - Macro
run_by_centrifyhas been removed - Macro
chef_writing_confhas been removed - Macro
rabbitmq_writing_confhas been removed - Macro
python_running_get_piphas been removed - Macro
datadog_writing_confhas been removed - Macro
ucpagent_writing_confhas been removed - Macro
aws_eks_image_sensitive_mounthas been removed - Macro
known_user_in_containerhas been removed - Macro
calico_writing_envvarshas been removed - Macro
sed_writing_temp_filehas been removed - Macro
calico_nodehas been removed - Macro
falco_sensitive_mount_containershas been removed - Macro
network_tool_procshas been removed - Macro
parent_supervise_running_multiloghas been removed - Macro
lvprogs_writing_confhas been removed - Macro
update_texmf_writing_confhas been removed - Macro
centrify_writing_krbhas been removed - Macro
etcd_manager_updating_dnshas been removed - Macro
known_root_conditionshas been removed - Macro
php_handlers_writing_confhas been removed - Macro
azure_scripts_writing_confhas been removed - Macro
java_writing_confhas been removed - Macro
amazon_linux_running_python_yumhas been removed - Macro
user_known_remote_file_copy_activitieshas been removed - Macro
user_known_container_drift_activitieshas been removed - Macro
inbound_outboundhas been removed - Macro
jboss_in_container_writing_passwdhas been removed - Macro
user_known_network_tool_activitieshas been removed - Macro
user_known_non_sudo_setuid_conditionshas been removed - Macro
pkg_mgmt_in_kube_proxyhas been removed - Macro
net_miner_poolhas been removed - Macro
curl_downloadhas been removed - List
coreutils_binarieshas been removed - List
openscap_rpm_binarieshas been removed - List
dev_creation_binarieshas been removed - List
user_known_k8s_ns_kube_system_imageshas been removed - List
known_binaries_to_read_environment_variables_from_proc_fileshas been removed - List
known_root_fileshas been removed - List
allowed_dev_fileshas been removed - List
authorized_server_porthas been removed - List
bash_config_fileshas been removed - List
safe_etc_dirshas been removed - List
network_plugin_binarieshas been removed - List
known_system_procs_network_activity_binarieshas been removed - List
k8s_client_binarieshas been removed - List
https_miner_domainshas been removed - List
allowed_inbound_source_ipaddrshas been removed - List
l2tp_udp_portshas been removed - List
bash_config_filenameshas been removed - List
zsh_config_filenameshas been removed - List
repository_directorieshas been removed - List
c2_server_fqdn_listhas been removed - List
openvpn_udp_portshas been removed - List
expected_udp_portshas been removed - List
http_miner_domainshas been removed - List
lxd_binarieshas been removed - List
known_setuid_binarieshas been removed - List
rfc_1918_addresseshas been removed - List
interpreted_binarieshas been removed - List
known_istio_fileshas been removed - List
exclude_hidden_directorieshas been removed - List
miner_domainshas been removed - List
csh_config_fileshas been removed - List
plesk_binarieshas been removed - List
repository_fileshas been removed - List
run_as_root_image_listhas been removed - List
known_root_directorieshas been removed - List
allowed_inbound_source_networkshas been removed - List
network_tool_binarieshas been removed - List
k8s_binarieshas been removed - List
allowed_inbound_source_domainshas been removed - List
http_proxy_binarieshas been removed - List
sysdigcloud_binarieshas been removed - List
falco_sensitive_mount_imageshas been removed - List
ssh_binarieshas been removed - List
allowed_outbound_destination_ipaddrshas been removed - List
allowed_outbound_destination_domainshas been removed - List
namespace_scope_network_only_subnethas been removed - List
ms_oms_binarieshas been removed - List
redhat_io_images_privilegedhas been removed - List
test_connect_portshas been removed - List
user_known_chmod_applicationshas been removed - List
remote_file_copy_binarieshas been removed - List
user_known_k8s_imageshas been removed - List
ssl_mgmt_binarieshas been removed - List
monitored_directorieshas been removed - List
dhcp_binarieshas been removed - List
csh_config_filenameshas been removed - List
shell_config_directorieshas been removed - List
veritas_binarieshas been removed - List
statsd_portshas been removed - List
allowed_imagehas been removed - List
authorized_server_binaryhas been removed - List
c2_server_ip_listhas been removed - List
allowed_outbound_destination_networkshas been removed - List
shell_config_filenameshas been removed - List
user_known_change_thread_namespace_binarieshas been removed - List
ingress_remote_file_copy_binarieshas been removed - List
shell_mgmt_binarieshas been removed - List
ntp_portshas been removed - List
user_known_userfaultfd_processeshas been removed - List
shell_config_fileshas been removed - List
miner_portshas been removed - Rule
Directory traversal monitored file readhas less tags than before - Rule
Read sensitive file trusted after startuphas less tags than before - Rule
Read sensitive file untrustedhas less tags than before - Rule
Remove Bulk Data from Diskhas less tags than before - Rule
Create Symlink Over Sensitive Fileshas less tags than before - Rule
Create Hardlink Over Sensitive Fileshas less tags than before - Rule
Packet socket created in containerhas less tags than before - Rule
Redirect STDOUT/STDIN to Network Connection in Containerhas less tags than before - Rule
Linux Kernel Module Injection Detectedhas less tags than before - Rule
Debugfs Launched in Privileged Containerhas less tags than before - Rule
Detect release_agent File Container Escapeshas less tags than before - Rule
PTRACE attached to processhas less tags than before - Rule
Execution from /dev/shmhas less tags than before
Patch changes:
- Rule
Directory traversal monitored file readchanged its output fields - Rule
Directory traversal monitored file readhas more tags than before - Rule
Read sensitive file trusted after startupchanged its output fields - Rule
Read sensitive file trusted after startuphas more tags than before - Rule
Read sensitive file untrustedchanged its output fields - Rule
Read sensitive file untrustedhas more tags than before - Rule
Run shell untrustedchanged its output fields - Rule
Run shell untrustedhas more tags than before - Rule
Run shell untrustedhas a more urgent priority than before - Rule
System user interactivechanged its output fields - Rule
System user interactivehas more tags than before - Rule
Terminal shell in containerhas more tags than before - Rule
Contact K8S API Server From Containerchanged its output fields - Rule
Contact K8S API Server From Containerhas more tags than before - Rule
Netcat Remote Code Execution in Containerchanged its output fields - Rule
Netcat Remote Code Execution in Containerhas more tags than before - Rule
Search Private Keys or Passwordschanged its output fields - Rule
Search Private Keys or Passwordshas more tags than before - Rule
Clear Log Activitieschanged its output fields - Rule
Clear Log Activitieshas more tags than before - Rule
Remove Bulk Data from Diskchanged its output fields - Rule
Remove Bulk Data from Diskhas more tags than before - Rule
Create Symlink Over Sensitive Fileschanged its output fields - Rule
Create Symlink Over Sensitive Fileshas more tags than before - Rule
Create Hardlink Over Sensitive Fileschanged its output fields - Rule
Create Hardlink Over Sensitive Fileshas more tags than before - Rule
Packet socket created in containerchanged its output fields - Rule
Packet socket created in containerhas more tags than before - Rule
Redirect STDOUT/STDIN to Network Connection in Containerchanged its output fields - Rule
Redirect STDOUT/STDIN to Network Connection in Containerhas more tags than before - Rule
Linux Kernel Module Injection Detectedchanged its output fields - Rule
Linux Kernel Module Injection Detectedhas more tags than before - Rule
Debugfs Launched in Privileged Containerchanged its output fields - Rule
Debugfs Launched in Privileged Containerhas more tags than before - Rule
Detect release_agent File Container Escapeschanged its output fields - Rule
Detect release_agent File Container Escapeshas more tags than before - Rule
PTRACE attached to processchanged its output fields - Rule
PTRACE attached to processhas more tags than before - Rule
PTRACE anti-debug attemptchanged its output fields - Rule
PTRACE anti-debug attempthas more tags than before - Rule
Find AWS Credentialschanged its output fields - Rule
Find AWS Credentialshas more tags than before - Rule
Execution from /dev/shmchanged its output fields - Rule
Execution from /dev/shmhas more tags than before - Rule
Drop and execute new binary in containerchanged its output fields - Rule
Drop and execute new binary in containerhas more tags than before
incertum
leogr
poiana
What type of PR is this?
/kind feature /kind cleanup /kind design /kind documentation
Any specific area of the project related to this PR?
/area rules /area registry /area build /area documentation
Proposed rule maturity level
This PR does not propose new rules or change the maturity level of any existing rule.
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
While splitting rules, I faced some issues that I needed to address in this PR