Closed (leogr closed 1 year ago)

Comparing 671afa632fcdaec6e779b8185bb7492883a310e1 with latest tag falco-rules-1.0.1

Major changes:

The following have been removed:

- Write below rpm database
- Unexpected K8s NodePort Connection
- Launch Suspicious Network Tool on Host
- Launch Ingress Remote File Copy Tools in Container
- Unexpected inbound connection source
- Launch Privileged Container
- Interpreted procs inbound network activity
- Contact EC2 Instance Metadata Service From Container
- Launch Package Management Process in Container
- Outbound Connection to C2 Servers
- Read ssh information
- Unprivileged Delegation of Page Faults Handling to a Userspace Process
- Update Package Repository
- Create files below dev
- Container Drift Detected (chmod)
- Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)
- Unexpected outbound connection destination
- Non sudo setuid
- User mgmt binaries
- Contact cloud metadata service from container
- Write below binary dir
- Launch Excessively Capable Container
- Launch Disallowed Container
- Delete or rename shell history
- Delete Bash History
- Container Run as Root User
- Write below monitored dir
- Launch Suspicious Network Tool in Container
- Network Connection outside Local Subnet
- Disallowed SSH Connection
- Interpreted procs outbound network activity
- Create Hidden Files or Directories
- Container Drift Detected (open+create)
- Read environment variable from /proc files
- Schedule Cron Jobs
- DB program spawned process
- Read Shell Configuration File
- Launch Sensitive Mount Container
- Outbound or Inbound Traffic not to Authorized Server Process and Port
- Modify Container Entrypoint
- Change thread namespace
- Mount Launched in Privileged Container
- Write below etc
- Detect crypto miners using the Stratum protocol
- Unexpected UDP Traffic
- Program run with disallowed http proxy env
- Launch Remote File Copy Tools in Container
- Java Process Class File Download
- Mkdir binary dirs
- Write below root
- Modify binary dirs
- System procs network activity
- Set Setuid or Setgid bit
- Detect outbound connections to common miner pool ports
- The docker client is executed in a container
- Sudo Potential Privilege Escalation
- Modify Shell Configuration File
- automount_using_mtab
- avinetworks_supervisor_writing_ssh
- user_privileged_containers
- nodeport_containers
- user_known_create_hidden_file_activities
- inbound
- httpd_writing_ssl_conf
- run_by_ms_oms
- ms_scx_writing_conf
- httpd_writing_conf_logs
- excessively_capable_container
- user_known_k8s_client_container
- java_running_sdjagent
- ms_oms_writing_conf
- istio_writing_conf
- http_proxy_procs
- run_by_yum
- plesk_install_writing_apache_conf
- write_etc_common
- var_lib_docker_filepath
- plesk_writing_keys
- user_known_mkdir_bin_dir_activities
- user_expected_system_procs_network_activity_conditions
- bin_dir_rename
- brandbot_writing_os_release
- nrpe_becoming_nagios
- known_gke_mount_in_privileged_containers
- somebody_becoming_themselves
- chef_client_writing_conf
- maven_writing_groovy
- user_known_write_monitored_dir_conditions
- redis_writing_conf
- user_known_cron_jobs
- networkmanager_writing_resolv_conf
- user_known_change_thread_namespace_activities
- kubectl_writing_state
- chmod
- openshift_writing_conf
- aws_eks_core_images
- user_known_create_files_below_dev_activities
- user_known_run_as_root_container
- zap_writing_state
- ingress_remote_file_copy_procs
- veritas_writing_config
- cassandra_writing_state
- xmlcatalog_writing_files
- ovsdb_writing_openvswitch
- user_known_write_below_binary_dir_activities
- iscsi_writing_conf
- ipsec_writing_conf
- python_running_ms_oms
- curl_writing_pki_db
- modify
- openldap_writing_conf
- sed_temporary_file
- cron_start_writing_pam_env
- user_trusted_containers
- open_directory
- rpm_procs
- coreos_write_ssh_dir
- user_known_update_package_registry
- plesk_running_mktemp
- mysql_writing_conf
- minerpool_other
- system_procs
- liveupdate_writing_conf
- user_known_write_root_conditions
- chage_list
- countly_writing_nginx_conf
- root_dir
- haproxy_writing_conf
- rook_writing_conf
- user_known_db_spawned_processes
- mount_info
- htpasswd_writing_passwd
- git_writing_nssdb
- rancher_writing_root
- user_known_metadata_access
- minerpool_https
- user_known_shell_config_modifiers
- pkgmgmt_progs_writing_pki
- mcafee_writing_cma_d
- allowed_aws_ecr_registry_root_for_eks
- user_known_set_setuid_or_setgid_bit_conditions
- openshift_image
- airflow_writing_state
- keepalived_writing_conf
- slapadd_writing_conf
- cockpit_writing_conf
- openvpn_writing_conf
- modify_shell_history
- bin_dir_mkdir
- update_ca_trust_writing_pki
- user_known_write_below_etc_activities
- remote_file_copy_procs
- allowed_openshift_registry_root
- allowed_ssh_proxy_env
- outbound
- supervise_writing_status
- nginx_writing_conf
- exe_running_docker_save
- prometheus_conf_writing_conf
- java_network_read
- rename
- remove
- allowed_ssh_hosts
- ufw_writing_conf
- user_known_user_management_activities
- package_mgmt_procs
- rpm_writing_root_rpmdb
- sensitive_mount
- known_aks_mount_in_privileged_containers
- ssh_port
- cloud_init_writing_ssh
- minerpool_http
- kubelet_running_loopback
- rancher_network_manager
- fluentd_writing_conf_files
- runc_writing_var_lib_docker
- docker_procs
- azure_networkwatcher_writing_conf
- couchdb_writing_conf
- sosreport_writing_files
- gugent_writing_guestagent_log
- run_by_adclient
- user_known_read_ssh_information_activities
- add_shell_writing_shells_tmp
- consider_network_tools_on_host
- mkdir
- container_started
- calico_writing_conf
- user_known_write_below_root_activities
- runc_writing_exec_fifo
- falco_privileged_containers
- ec2_metadata_containers
- pki_realm_writing_realms
- dse_writing_tmp
- modify_repositories
- user_sensitive_mount_containers
- userhelper_writing_etc_security
- access_repositories
- allowed_containers
- sssd_writing_krb
- google_accounts_daemon_writing_ssh
- redhat_image
- user_known_mount_in_privileged_containers
- package_mgmt_ancestor_procs
- python_running_denyhosts
- galley_writing_state
- mkinitramfs_writing_boot
- weaveworks_scope
- network_local_subnet
- python_running_chef
- checkpoint_writing_state
- multipath_writing_conf
- user_known_k8s_client_container_parens
- truncate_shell_history
- java_running_cassandra
- symantec_writing_conf
- nginx_writing_certs
- calico_writing_state
- user_known_write_rpm_database_activities
- user_known_package_manager_in_container
- interpreted_procs
- rancher_agent
- selinux_writing_conf
- dpkg_scripting
- trusted_images_query_miner_domain_dns
- veritas_progs
- duply_writing_exclude_files
- monitored_dir
- user_known_modify_bin_dir_activities
- login_doing_dns_lookup
- user_known_ingress_remote_file_copy_activities
- parent_ucf_writing_conf
- consul_template_writing_conf
- qualys_writing_conf_files
- expected_udp_traffic
- user_known_write_etc_conditions
- run_by_sumologic_securefiles
- mysqlsh_writing_state
- bin_dir
- rancher_writing_conf
- always_true
- run_by_centrify
- chef_writing_conf
- rabbitmq_writing_conf
- python_running_get_pip
- datadog_writing_conf
- ucpagent_writing_conf
- aws_eks_image_sensitive_mount
- known_user_in_container
- calico_writing_envvars
- sed_writing_temp_file
- calico_node
- falco_sensitive_mount_containers
- network_tool_procs
- parent_supervise_running_multilog
- lvprogs_writing_conf
- update_texmf_writing_conf
- centrify_writing_krb
- etcd_manager_updating_dns
- known_root_conditions
- php_handlers_writing_conf
- azure_scripts_writing_conf
- java_writing_conf
- amazon_linux_running_python_yum
- user_known_remote_file_copy_activities
- user_known_container_drift_activities
- inbound_outbound
- jboss_in_container_writing_passwd
- user_known_network_tool_activities
- user_known_non_sudo_setuid_conditions
- pkg_mgmt_in_kube_proxy
- net_miner_pool
- curl_download
- coreutils_binaries
- openscap_rpm_binaries
- dev_creation_binaries
- user_known_k8s_ns_kube_system_images
- known_binaries_to_read_environment_variables_from_proc_files
- known_root_files
- allowed_dev_files
- authorized_server_port
- bash_config_files
- safe_etc_dirs
- network_plugin_binaries
- known_system_procs_network_activity_binaries
- k8s_client_binaries
- https_miner_domains
- allowed_inbound_source_ipaddrs
- l2tp_udp_ports
- bash_config_filenames
- zsh_config_filenames
- repository_directories
- c2_server_fqdn_list
- openvpn_udp_ports
- expected_udp_ports
- http_miner_domains
- lxd_binaries
- known_setuid_binaries
- rfc_1918_addresses
- interpreted_binaries
- known_istio_files
- exclude_hidden_directories
- miner_domains
- csh_config_files
- plesk_binaries
- repository_files
- run_as_root_image_list
- known_root_directories
- allowed_inbound_source_networks
- network_tool_binaries
- k8s_binaries
- allowed_inbound_source_domains
- http_proxy_binaries
- sysdigcloud_binaries
- falco_sensitive_mount_images
- ssh_binaries
- allowed_outbound_destination_ipaddrs
- allowed_outbound_destination_domains
- namespace_scope_network_only_subnet
- ms_oms_binaries
- redhat_io_images_privileged
- test_connect_ports
- user_known_chmod_applications
- remote_file_copy_binaries
- user_known_k8s_images
- ssl_mgmt_binaries
- monitored_directories
- dhcp_binaries
- csh_config_filenames
- shell_config_directories
- veritas_binaries
- statsd_ports
- allowed_image
- authorized_server_binary
- c2_server_ip_list
- allowed_outbound_destination_networks
- shell_config_filenames
- user_known_change_thread_namespace_binaries
- ingress_remote_file_copy_binaries
- shell_mgmt_binaries
- ntp_ports
- user_known_userfaultfd_processes
- shell_config_files
- miner_ports

The following have fewer tags than before:

- Directory traversal monitored file read
- Read sensitive file trusted after startup
- Read sensitive file untrusted
- Remove Bulk Data from Disk
- Create Symlink Over Sensitive Files
- Create Hardlink Over Sensitive Files
- Packet socket created in container
- Redirect STDOUT/STDIN to Network Connection in Container
- Linux Kernel Module Injection Detected
- Debugfs Launched in Privileged Container
- Detect release_agent File Container Escapes
- PTRACE attached to process
- Execution from /dev/shm

Patch changes:

- Directory traversal monitored file read: changed its output fields; has more tags than before
- Read sensitive file trusted after startup: changed its output fields; has more tags than before
- Read sensitive file untrusted: changed its output fields; has more tags than before
- Run shell untrusted: changed its output fields; has more tags than before; has a more urgent priority than before
- System user interactive: changed its output fields; has more tags than before
- Terminal shell in container: has more tags than before
- Contact K8S API Server From Container: changed its output fields; has more tags than before
- Netcat Remote Code Execution in Container: changed its output fields; has more tags than before
- Search Private Keys or Passwords: changed its output fields; has more tags than before
- Clear Log Activities: changed its output fields; has more tags than before
- Remove Bulk Data from Disk: changed its output fields; has more tags than before
- Create Symlink Over Sensitive Files: changed its output fields; has more tags than before
- Create Hardlink Over Sensitive Files: changed its output fields; has more tags than before
- Packet socket created in container: changed its output fields; has more tags than before
- Redirect STDOUT/STDIN to Network Connection in Container: changed its output fields; has more tags than before
- Linux Kernel Module Injection Detected: changed its output fields; has more tags than before
- Debugfs Launched in Privileged Container: changed its output fields; has more tags than before
- Detect release_agent File Container Escapes: changed its output fields; has more tags than before
- PTRACE attached to process: changed its output fields; has more tags than before
- PTRACE anti-debug attempt: changed its output fields; has more tags than before
- Find AWS Credentials: changed its output fields; has more tags than before
- Execution from /dev/shm: changed its output fields; has more tags than before
- Drop and execute new binary in container: changed its output fields; has more tags than before

Comparing e79989c12e3fb7900c135ec8f87cc6ff40c5f3fd with latest tag falco-rules-1.0.1

Major changes:

The following have been removed:

- Unprivileged Delegation of Page Faults Handling to a Userspace Process
- Launch Ingress Remote File Copy Tools in Container
- Launch Privileged Container
- Create files below dev
- Sudo Potential Privilege Escalation
- Read ssh information
- Interpreted procs inbound network activity
- Detect outbound connections to common miner pool ports
- Outbound or Inbound Traffic not to Authorized Server Process and Port
- Outbound Connection to C2 Servers
- Java Process Class File Download
- Launch Disallowed Container
- System procs network activity
- User mgmt binaries
- Delete or rename shell history
- Disallowed SSH Connection
- Interpreted procs outbound network activity
- The docker client is executed in a container
- Mount Launched in Privileged Container
- Non sudo setuid
- Launch Remote File Copy Tools in Container
- Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)
- Update Package Repository
- Launch Package Management Process in Container
- Write below binary dir
- DB program spawned process
- Set Setuid or Setgid bit
- Container Drift Detected (chmod)
- Program run with disallowed http proxy env
- Contact cloud metadata service from container
- Delete Bash History
- Container Drift Detected (open+create)
- Unexpected inbound connection source
- Schedule Cron Jobs
- Write below etc
- Launch Sensitive Mount Container
- Modify Container Entrypoint
- Write below root
- Write below rpm database
- Unexpected K8s NodePort Connection
- Detect crypto miners using the Stratum protocol
- Change thread namespace
- Create Hidden Files or Directories
- Read Shell Configuration File
- Modify binary dirs
- Unexpected UDP Traffic
- Contact EC2 Instance Metadata Service From Container
- Launch Suspicious Network Tool in Container
- Launch Suspicious Network Tool on Host
- Network Connection outside Local Subnet
- Unexpected outbound connection destination
- Mkdir binary dirs
- Launch Excessively Capable Container
- Container Run as Root User
- Read environment variable from /proc files
- Modify Shell Configuration File
- Write below monitored dir
- remove
- cloud_init_writing_ssh
- amazon_linux_running_python_yum
- veritas_writing_config
- parent_ucf_writing_conf
- chef_client_writing_conf
- excessively_capable_container
- user_known_container_drift_activities
- user_known_ingress_remote_file_copy_activities
- bin_dir_rename
- pkgmgmt_progs_writing_pki
- prometheus_conf_writing_conf
- user_known_modify_bin_dir_activities
- mount_info
- couchdb_writing_conf
- plesk_install_writing_apache_conf
- user_privileged_containers
- known_user_in_container
- azure_scripts_writing_conf
- mysql_writing_conf
- multipath_writing_conf
- user_known_write_below_etc_activities
- python_running_chef
- ms_scx_writing_conf
- sosreport_writing_files
- ipsec_writing_conf
- runc_writing_var_lib_docker
- inbound_outbound
- chef_writing_conf
- duply_writing_exclude_files
- user_sensitive_mount_containers
- minerpool_other
- user_known_write_monitored_dir_conditions
- calico_writing_conf
- root_dir
- user_known_update_package_registry
- openvpn_writing_conf
- etcd_manager_updating_dns
- aws_eks_image_sensitive_mount
- update_texmf_writing_conf
- ms_oms_writing_conf
- dse_writing_tmp
- zap_writing_state
- openshift_image
- aws_eks_core_images
- runc_writing_exec_fifo
- user_known_cron_jobs
- pki_realm_writing_realms
- rancher_network_manager
- centrify_writing_krb
- nodeport_containers
- haproxy_writing_conf
- write_etc_common
- open_directory
- mkdir
- inbound
- user_known_network_tool_activities
- rpm_procs
- user_known_shell_config_modifiers
- slapadd_writing_conf
- ucpagent_writing_conf
- galley_writing_state
- avinetworks_supervisor_writing_ssh
- nrpe_becoming_nagios
- user_known_metadata_access
- minerpool_http
- ingress_remote_file_copy_procs
- run_by_ms_oms
- run_by_adclient
- java_writing_conf
- var_lib_docker_filepath
- http_proxy_procs
- remote_file_copy_procs
- modify
- rancher_agent
- user_known_create_files_below_dev_activities
- bin_dir_mkdir
- plesk_running_mktemp
- consider_network_tools_on_host
- trusted_images_query_miner_domain_dns
- system_procs
- keepalived_writing_conf
- known_root_conditions
- htpasswd_writing_passwd
- nginx_writing_conf
- calico_writing_envvars
- access_repositories
- dpkg_scripting
- redhat_image
- falco_privileged_containers
- login_doing_dns_lookup
- add_shell_writing_shells_tmp
- network_local_subnet
- user_known_mount_in_privileged_containers
- selinux_writing_conf
- user_known_write_etc_conditions
- outbound
- user_known_remote_file_copy_activities
- net_miner_pool
- always_true
- cockpit_writing_conf
- calico_writing_state
- user_known_non_sudo_setuid_conditions
- ec2_metadata_containers
- azure_networkwatcher_writing_conf
- exe_running_docker_save
- rpm_writing_root_rpmdb
- jboss_in_container_writing_passwd
- parent_supervise_running_multilog
- sed_temporary_file
- rancher_writing_root
- user_known_k8s_client_container_parens
- bin_dir
- gugent_writing_guestagent_log
- mkinitramfs_writing_boot
- httpd_writing_conf_logs
- cron_start_writing_pam_env
- allowed_aws_ecr_registry_root_for_eks
- user_known_run_as_root_container
- httpd_writing_ssl_conf
- cassandra_writing_state
- modify_repositories
- mysqlsh_writing_state
- falco_sensitive_mount_containers
- somebody_becoming_themselves
- chmod
- countly_writing_nginx_conf
- update_ca_trust_writing_pki
- modify_shell_history
- java_network_read
- checkpoint_writing_state
- iscsi_writing_conf
- chage_list
- brandbot_writing_os_release
- datadog_writing_conf
- automount_using_mtab
- coreos_write_ssh_dir
- symantec_writing_conf
- kubectl_writing_state
- user_known_read_ssh_information_activities
- kubelet_running_loopback
- monitored_dir
- user_known_set_setuid_or_setgid_bit_conditions
- rename
- java_running_cassandra
- user_known_write_root_conditions
- known_gke_mount_in_privileged_containers
- ssh_port
- xmlcatalog_writing_files
- rancher_writing_conf
- network_tool_procs
- container_started
- lvprogs_writing_conf
- openldap_writing_conf
- mcafee_writing_cma_d
- allowed_containers
- nginx_writing_certs
- fluentd_writing_conf_files
- rabbitmq_writing_conf
- php_handlers_writing_conf
- liveupdate_writing_conf
- user_known_write_below_binary_dir_activities
- google_accounts_daemon_writing_ssh
- git_writing_nssdb
- plesk_writing_keys
- curl_writing_pki_db
- package_mgmt_procs
- run_by_yum
- rook_writing_conf
- expected_udp_traffic
- known_aks_mount_in_privileged_containers
- run_by_centrify
- consul_template_writing_conf
- docker_procs
- istio_writing_conf
- user_known_mkdir_bin_dir_activities
- user_known_create_hidden_file_activities
- minerpool_https
- interpreted_procs
- openshift_writing_conf
- python_running_denyhosts
- truncate_shell_history
- user_known_change_thread_namespace_activities
- sensitive_mount
- user_known_user_management_activities
- userhelper_writing_etc_security
- java_running_sdjagent
- veritas_progs
- networkmanager_writing_resolv_conf
- ufw_writing_conf
- calico_node
- user_known_write_below_root_activities
- allowed_openshift_registry_root
- python_running_get_pip
- user_trusted_containers
- pkg_mgmt_in_kube_proxy
- allowed_ssh_hosts
- sssd_writing_krb
- python_running_ms_oms
- redis_writing_conf
- ovsdb_writing_openvswitch
- qualys_writing_conf_files
- user_known_db_spawned_processes
- user_expected_system_procs_network_activity_conditions
- curl_download
- supervise_writing_status
- airflow_writing_state
- package_mgmt_ancestor_procs
- run_by_sumologic_securefiles
- weaveworks_scope
- user_known_package_manager_in_container
- user_known_k8s_client_container
- maven_writing_groovy
- sed_writing_temp_file
- user_known_write_rpm_database_activities
- allowed_ssh_proxy_env
- repository_directories
- csh_config_files
- sysdigcloud_binaries
- allowed_outbound_destination_domains
- k8s_client_binaries
- known_system_procs_network_activity_binaries
- known_root_directories
- coreutils_binaries
- interpreted_binaries
- expected_udp_ports
- dhcp_binaries
- bash_config_files
- shell_config_directories
- user_known_chmod_applications
- falco_sensitive_mount_images
- shell_mgmt_binaries
- shell_config_filenames
- safe_etc_dirs
- https_miner_domains
- test_connect_ports
- k8s_binaries
- known_istio_files
- allowed_image
- authorized_server_binary
- remote_file_copy_binaries
- ssh_binaries
- openscap_rpm_binaries
- ntp_ports
- c2_server_ip_list
- network_plugin_binaries
- l2tp_udp_ports
- user_known_userfaultfd_processes
- allowed_inbound_source_domains
- bash_config_filenames
- zsh_config_filenames
- csh_config_filenames
- redhat_io_images_privileged
- ssl_mgmt_binaries
- allowed_inbound_source_networks
- statsd_ports
- c2_server_fqdn_list
- run_as_root_image_list
- dev_creation_binaries
- allowed_outbound_destination_networks
- plesk_binaries
- allowed_outbound_destination_ipaddrs
- monitored_directories
- allowed_dev_files
- shell_config_files
- namespace_scope_network_only_subnet
- authorized_server_port
- openvpn_udp_ports
- user_known_k8s_images
- repository_files
- network_tool_binaries
- http_miner_domains
- user_known_change_thread_namespace_binaries
- http_proxy_binaries
- miner_ports
- known_setuid_binaries
- allowed_inbound_source_ipaddrs
- rfc_1918_addresses
- veritas_binaries
- known_root_files
- exclude_hidden_directories
- user_known_k8s_ns_kube_system_images
- known_binaries_to_read_environment_variables_from_proc_files
- lxd_binaries
- ms_oms_binaries
- miner_domains
- ingress_remote_file_copy_binaries

The following have fewer tags than before:

- Directory traversal monitored file read
- Read sensitive file trusted after startup
- Read sensitive file untrusted
- Remove Bulk Data from Disk
- Create Symlink Over Sensitive Files
- Create Hardlink Over Sensitive Files
- Packet socket created in container
- Redirect STDOUT/STDIN to Network Connection in Container
- Linux Kernel Module Injection Detected
- Debugfs Launched in Privileged Container
- Detect release_agent File Container Escapes
- PTRACE attached to process
- Execution from /dev/shm

Patch changes:

- Directory traversal monitored file read: changed its output fields; has more tags than before
- Read sensitive file trusted after startup: changed its output fields; has more tags than before
- Read sensitive file untrusted: changed its output fields; has more tags than before
- Run shell untrusted: changed its output fields; has more tags than before; has a more urgent priority than before
- System user interactive: changed its output fields; has more tags than before
- Terminal shell in container: has more tags than before
- Contact K8S API Server From Container: changed its output fields; has more tags than before
- Netcat Remote Code Execution in Container: changed its output fields
- Netcat Remote Code Execution in Container
has more tags than beforeSearch Private Keys or Passwords
changed its output fieldsSearch Private Keys or Passwords
has more tags than beforeClear Log Activities
changed its output fieldsClear Log Activities
has more tags than beforeRemove Bulk Data from Disk
changed its output fieldsRemove Bulk Data from Disk
has more tags than beforeCreate Symlink Over Sensitive Files
changed its output fieldsCreate Symlink Over Sensitive Files
has more tags than beforeCreate Hardlink Over Sensitive Files
changed its output fieldsCreate Hardlink Over Sensitive Files
has more tags than beforePacket socket created in container
changed its output fieldsPacket socket created in container
has more tags than beforeRedirect STDOUT/STDIN to Network Connection in Container
changed its output fieldsRedirect STDOUT/STDIN to Network Connection in Container
has more tags than beforeLinux Kernel Module Injection Detected
changed its output fieldsLinux Kernel Module Injection Detected
has more tags than beforeDebugfs Launched in Privileged Container
changed its output fieldsDebugfs Launched in Privileged Container
has more tags than beforeDetect release_agent File Container Escapes
changed its output fieldsDetect release_agent File Container Escapes
has more tags than beforePTRACE attached to process
changed its output fieldsPTRACE attached to process
has more tags than beforePTRACE anti-debug attempt
changed its output fieldsPTRACE anti-debug attempt
has more tags than beforeFind AWS Credentials
changed its output fieldsFind AWS Credentials
has more tags than beforeExecution from /dev/shm
changed its output fieldsExecution from /dev/shm
has more tags than beforeDrop and execute new binary in container
changed its output fieldsDrop and execute new binary in container
has more tags than beforeComparing f8226e3481778321b835a47b30f11ef1132c44fc
with latest tag falco-rules-1.0.1
Major changes:
Launch Remote File Copy Tools in Container has been removed
Container Drift Detected (open+create) has been removed
Write below monitored dir has been removed
Read ssh information has been removed
Launch Sensitive Mount Container has been removed
Create files below dev has been removed
Unexpected outbound connection destination has been removed
Read Shell Configuration File has been removed
Interpreted procs inbound network activity has been removed
Write below root has been removed
System procs network activity has been removed
Launch Package Management Process in Container has been removed
The docker client is executed in a container has been removed
Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) has been removed
Launch Privileged Container has been removed
Launch Suspicious Network Tool in Container has been removed
Outbound Connection to C2 Servers has been removed
Sudo Potential Privilege Escalation has been removed
Modify binary dirs has been removed
User mgmt binaries has been removed
Launch Suspicious Network Tool on Host has been removed
Write below etc has been removed
DB program spawned process has been removed
Write below binary dir has been removed
Program run with disallowed http proxy env has been removed
Delete Bash History has been removed
Network Connection outside Local Subnet has been removed
Disallowed SSH Connection has been removed
Write below rpm database has been removed
Launch Disallowed Container has been removed
Unexpected K8s NodePort Connection has been removed
Modify Shell Configuration File has been removed
Unexpected UDP Traffic has been removed
Outbound or Inbound Traffic not to Authorized Server Process and Port has been removed
Launch Ingress Remote File Copy Tools in Container has been removed
Detect crypto miners using the Stratum protocol has been removed
Container Drift Detected (chmod) has been removed
Unexpected inbound connection source has been removed
Launch Excessively Capable Container has been removed
Non sudo setuid has been removed
Delete or rename shell history has been removed
Mkdir binary dirs has been removed
Contact EC2 Instance Metadata Service From Container has been removed
Container Run as Root User has been removed
Update Package Repository has been removed
Set Setuid or Setgid bit has been removed
Unprivileged Delegation of Page Faults Handling to a Userspace Process has been removed
Java Process Class File Download has been removed
Schedule Cron Jobs has been removed
Interpreted procs outbound network activity has been removed
Contact cloud metadata service from container has been removed
Create Hidden Files or Directories has been removed
Detect outbound connections to common miner pool ports has been removed
Mount Launched in Privileged Container has been removed
Read environment variable from /proc files has been removed
Change thread namespace has been removed
Modify Container Entrypoint has been removed
update_ca_trust_writing_pki has been removed
minerpool_http has been removed
network_local_subnet has been removed
java_running_cassandra has been removed
openvpn_writing_conf has been removed
openshift_image has been removed
falco_privileged_containers has been removed
curl_download has been removed
rabbitmq_writing_conf has been removed
mysql_writing_conf has been removed
sosreport_writing_files has been removed
user_known_non_sudo_setuid_conditions has been removed
ec2_metadata_containers has been removed
truncate_shell_history has been removed
ms_scx_writing_conf has been removed
azure_scripts_writing_conf has been removed
user_known_remote_file_copy_activities has been removed
multipath_writing_conf has been removed
inbound has been removed
ms_oms_writing_conf has been removed
rancher_network_manager has been removed
duply_writing_exclude_files has been removed
interpreted_procs has been removed
openldap_writing_conf has been removed
redis_writing_conf has been removed
user_known_write_below_root_activities has been removed
nodeport_containers has been removed
user_known_create_hidden_file_activities has been removed
user_known_container_drift_activities has been removed
chmod has been removed
azure_networkwatcher_writing_conf has been removed
rancher_agent has been removed
java_network_read has been removed
haproxy_writing_conf has been removed
user_known_write_below_etc_activities has been removed
user_expected_system_procs_network_activity_conditions has been removed
coreos_write_ssh_dir has been removed
cockpit_writing_conf has been removed
user_known_metadata_access has been removed
aws_eks_core_images has been removed
nrpe_becoming_nagios has been removed
supervise_writing_status has been removed
exe_running_docker_save has been removed
user_known_write_monitored_dir_conditions has been removed
http_proxy_procs has been removed
dse_writing_tmp has been removed
sed_writing_temp_file has been removed
user_known_cron_jobs has been removed
always_true has been removed
userhelper_writing_etc_security has been removed
user_sensitive_mount_containers has been removed
sssd_writing_krb has been removed
qualys_writing_conf_files has been removed
user_known_package_manager_in_container has been removed
user_known_network_tool_activities has been removed
outbound has been removed
couchdb_writing_conf has been removed
ipsec_writing_conf has been removed
openshift_writing_conf has been removed
write_etc_common has been removed
python_running_denyhosts has been removed
runc_writing_exec_fifo has been removed
weaveworks_scope has been removed
etcd_manager_updating_dns has been removed
user_known_user_management_activities has been removed
rancher_writing_root has been removed
var_lib_docker_filepath has been removed
chef_client_writing_conf has been removed
maven_writing_groovy has been removed
modify_repositories has been removed
ovsdb_writing_openvswitch has been removed
gugent_writing_guestagent_log has been removed
httpd_writing_conf_logs has been removed
pkg_mgmt_in_kube_proxy has been removed
user_known_run_as_root_container has been removed
user_known_ingress_remote_file_copy_activities has been removed
zap_writing_state has been removed
rook_writing_conf has been removed
mysqlsh_writing_state has been removed
container_started has been removed
cloud_init_writing_ssh has been removed
jboss_in_container_writing_passwd has been removed
expected_udp_traffic has been removed
user_known_write_etc_conditions has been removed
httpd_writing_ssl_conf has been removed
git_writing_nssdb has been removed
add_shell_writing_shells_tmp has been removed
htpasswd_writing_passwd has been removed
datadog_writing_conf has been removed
aws_eks_image_sensitive_mount has been removed
user_known_k8s_client_container_parens has been removed
open_directory has been removed
run_by_centrify has been removed
user_known_db_spawned_processes has been removed
modify has been removed
ssh_port has been removed
parent_supervise_running_multilog has been removed
plesk_install_writing_apache_conf has been removed
login_doing_dns_lookup has been removed
user_known_create_files_below_dev_activities has been removed
rpm_procs has been removed
system_procs has been removed
python_running_ms_oms has been removed
user_known_mount_in_privileged_containers has been removed
calico_writing_state has been removed
java_writing_conf has been removed
bin_dir_rename has been removed
nginx_writing_certs has been removed
mcafee_writing_cma_d has been removed
calico_writing_envvars has been removed
user_known_mkdir_bin_dir_activities has been removed
veritas_writing_config has been removed
kubectl_writing_state has been removed
modify_shell_history has been removed
selinux_writing_conf has been removed
calico_writing_conf has been removed
known_root_conditions has been removed
amazon_linux_running_python_yum has been removed
user_known_modify_bin_dir_activities has been removed
network_tool_procs has been removed
consider_network_tools_on_host has been removed
run_by_adclient has been removed
google_accounts_daemon_writing_ssh has been removed
slapadd_writing_conf has been removed
chef_writing_conf has been removed
root_dir has been removed
inbound_outbound has been removed
allowed_ssh_hosts has been removed
bin_dir_mkdir has been removed
plesk_writing_keys has been removed
chage_list has been removed
airflow_writing_state has been removed
sensitive_mount has been removed
run_by_sumologic_securefiles has been removed
run_by_yum has been removed
allowed_containers has been removed
user_known_k8s_client_container has been removed
ucpagent_writing_conf has been removed
user_known_read_ssh_information_activities has been removed
user_known_write_root_conditions has been removed
automount_using_mtab has been removed
centrify_writing_krb has been removed
mkinitramfs_writing_boot has been removed
curl_writing_pki_db has been removed
trusted_images_query_miner_domain_dns has been removed
ingress_remote_file_copy_procs has been removed
user_known_change_thread_namespace_activities has been removed
remote_file_copy_procs has been removed
dpkg_scripting has been removed
runc_writing_var_lib_docker has been removed
sed_temporary_file has been removed
networkmanager_writing_resolv_conf has been removed
cron_start_writing_pam_env has been removed
remove has been removed
checkpoint_writing_state has been removed
redhat_image has been removed
pkgmgmt_progs_writing_pki has been removed
nginx_writing_conf has been removed
monitored_dir has been removed
kubelet_running_loopback has been removed
iscsi_writing_conf has been removed
docker_procs has been removed
user_known_update_package_registry has been removed
countly_writing_nginx_conf has been removed
brandbot_writing_os_release has been removed
veritas_progs has been removed
excessively_capable_container has been removed
minerpool_https has been removed
net_miner_pool has been removed
known_aks_mount_in_privileged_containers has been removed
mkdir has been removed
access_repositories has been removed
xmlcatalog_writing_files has been removed
calico_node has been removed
consul_template_writing_conf has been removed
falco_sensitive_mount_containers has been removed
user_known_shell_config_modifiers has been removed
allowed_openshift_registry_root has been removed
user_trusted_containers has been removed
user_known_write_rpm_database_activities has been removed
package_mgmt_procs has been removed
run_by_ms_oms has been removed
keepalived_writing_conf has been removed
known_user_in_container has been removed
istio_writing_conf has been removed
prometheus_conf_writing_conf has been removed
rpm_writing_root_rpmdb has been removed
rancher_writing_conf has been removed
mount_info has been removed
galley_writing_state has been removed
pki_realm_writing_realms has been removed
cassandra_writing_state has been removed
bin_dir has been removed
allowed_aws_ecr_registry_root_for_eks has been removed
user_privileged_containers has been removed
known_gke_mount_in_privileged_containers has been removed
python_running_chef has been removed
liveupdate_writing_conf has been removed
avinetworks_supervisor_writing_ssh has been removed
allowed_ssh_proxy_env has been removed
user_known_set_setuid_or_setgid_bit_conditions has been removed
lvprogs_writing_conf has been removed
python_running_get_pip has been removed
rename has been removed
minerpool_other has been removed
java_running_sdjagent has been removed
symantec_writing_conf has been removed
ufw_writing_conf has been removed
fluentd_writing_conf_files has been removed
plesk_running_mktemp has been removed
php_handlers_writing_conf has been removed
package_mgmt_ancestor_procs has been removed
parent_ucf_writing_conf has been removed
update_texmf_writing_conf has been removed
user_known_write_below_binary_dir_activities has been removed
somebody_becoming_themselves has been removed
k8s_binaries has been removed
c2_server_ip_list has been removed
ingress_remote_file_copy_binaries has been removed
ms_oms_binaries has been removed
known_root_directories has been removed
openscap_rpm_binaries has been removed
sysdigcloud_binaries has been removed
k8s_client_binaries has been removed
allowed_dev_files has been removed
dhcp_binaries has been removed
plesk_binaries has been removed
safe_etc_dirs has been removed
redhat_io_images_privileged has been removed
allowed_image has been removed
ssh_binaries has been removed
shell_mgmt_binaries has been removed
network_plugin_binaries has been removed
allowed_inbound_source_ipaddrs has been removed
test_connect_ports has been removed
rfc_1918_addresses has been removed
allowed_outbound_destination_ipaddrs has been removed
zsh_config_filenames has been removed
known_binaries_to_read_environment_variables_from_proc_files has been removed
bash_config_files has been removed
csh_config_filenames has been removed
allowed_outbound_destination_networks has been removed
csh_config_files has been removed
veritas_binaries has been removed
run_as_root_image_list has been removed
bash_config_filenames has been removed
https_miner_domains has been removed
user_known_k8s_images has been removed
network_tool_binaries has been removed
namespace_scope_network_only_subnet has been removed
allowed_inbound_source_domains has been removed
http_proxy_binaries has been removed
known_root_files has been removed
openvpn_udp_ports has been removed
user_known_userfaultfd_processes has been removed
shell_config_files has been removed
monitored_directories has been removed
l2tp_udp_ports has been removed
c2_server_fqdn_list has been removed
known_setuid_binaries has been removed
dev_creation_binaries has been removed
shell_config_directories has been removed
authorized_server_port has been removed
ssl_mgmt_binaries has been removed
allowed_inbound_source_networks has been removed
falco_sensitive_mount_images has been removed
http_miner_domains has been removed
user_known_change_thread_namespace_binaries has been removed
remote_file_copy_binaries has been removed
miner_domains has been removed
statsd_ports has been removed
known_istio_files has been removed
repository_files has been removed
user_known_k8s_ns_kube_system_images has been removed
shell_config_filenames has been removed
lxd_binaries has been removed
user_known_chmod_applications has been removed
authorized_server_binary has been removed
coreutils_binaries has been removed
interpreted_binaries has been removed
expected_udp_ports has been removed
exclude_hidden_directories has been removed
allowed_outbound_destination_domains has been removed
repository_directories has been removed
ntp_ports has been removed
miner_ports has been removed
known_system_procs_network_activity_binaries has been removed
Directory traversal monitored file read has less tags than before
Read sensitive file trusted after startup has less tags than before
Read sensitive file untrusted has less tags than before
Remove Bulk Data from Disk has less tags than before
Create Symlink Over Sensitive Files has less tags than before
Create Hardlink Over Sensitive Files has less tags than before
Packet socket created in container has less tags than before
Redirect STDOUT/STDIN to Network Connection in Container has less tags than before
Linux Kernel Module Injection Detected has less tags than before
Debugfs Launched in Privileged Container has less tags than before
Detect release_agent File Container Escapes has less tags than before
PTRACE attached to process has less tags than before
Execution from /dev/shm has less tags than before
Patch changes:
Directory traversal monitored file read changed its output fields
Directory traversal monitored file read has more tags than before
Read sensitive file trusted after startup changed its output fields
Read sensitive file trusted after startup has more tags than before
Read sensitive file untrusted changed its output fields
Read sensitive file untrusted has more tags than before
Run shell untrusted changed its output fields
Run shell untrusted has more tags than before
Run shell untrusted has a more urgent priority than before
System user interactive changed its output fields
System user interactive has more tags than before
Terminal shell in container has more tags than before
Contact K8S API Server From Container changed its output fields
Contact K8S API Server From Container has more tags than before
Netcat Remote Code Execution in Container changed its output fields
Netcat Remote Code Execution in Container has more tags than before
Search Private Keys or Passwords changed its output fields
Search Private Keys or Passwords has more tags than before
Clear Log Activities changed its output fields
Clear Log Activities has more tags than before
Remove Bulk Data from Disk changed its output fields
Remove Bulk Data from Disk has more tags than before
Create Symlink Over Sensitive Files changed its output fields
Create Symlink Over Sensitive Files has more tags than before
Create Hardlink Over Sensitive Files changed its output fields
Create Hardlink Over Sensitive Files has more tags than before
Packet socket created in container changed its output fields
Packet socket created in container has more tags than before
Redirect STDOUT/STDIN to Network Connection in Container changed its output fields
Redirect STDOUT/STDIN to Network Connection in Container has more tags than before
Linux Kernel Module Injection Detected changed its output fields
Linux Kernel Module Injection Detected has more tags than before
Debugfs Launched in Privileged Container changed its output fields
Debugfs Launched in Privileged Container has more tags than before
Detect release_agent File Container Escapes changed its output fields
Detect release_agent File Container Escapes has more tags than before
PTRACE attached to process changed its output fields
PTRACE attached to process has more tags than before
PTRACE anti-debug attempt changed its output fields
PTRACE anti-debug attempt has more tags than before
Find AWS Credentials changed its output fields
Find AWS Credentials has more tags than before
Execution from /dev/shm changed its output fields
Execution from /dev/shm has more tags than before
Drop and execute new binary in container changed its output fields
Drop and execute new binary in container has more tags than before
Comparing d90939c2a0f143357c83988b765ecf3a1c774282
with latest tag falco-rules-1.0.1
Major changes:
Interpreted procs inbound network activity has been removed
User mgmt binaries has been removed
Create files below dev has been removed
Modify Shell Configuration File has been removed
Update Package Repository has been removed
Launch Privileged Container has been removed
Unexpected K8s NodePort Connection has been removed
Launch Suspicious Network Tool on Host has been removed
Outbound or Inbound Traffic not to Authorized Server Process and Port has been removed
Read ssh information has been removed
Modify binary dirs has been removed
Change thread namespace has been removed
Delete Bash History has been removed
Modify Container Entrypoint has been removed
Write below etc has been removed
Launch Disallowed Container has been removed
Container Drift Detected (chmod) has been removed
Unexpected inbound connection source has been removed
Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) has been removed
Sudo Potential Privilege Escalation has been removed
Program run with disallowed http proxy env has been removed
Container Drift Detected (open+create) has been removed
Network Connection outside Local Subnet has been removed
Outbound Connection to C2 Servers has been removed
Container Run as Root User has been removed
Unprivileged Delegation of Page Faults Handling to a Userspace Process has been removed
Launch Sensitive Mount Container has been removed
Unexpected UDP Traffic has been removed
Unexpected outbound connection destination has been removed
Write below rpm database has been removed
Launch Suspicious Network Tool in Container has been removed
Detect outbound connections to common miner pool ports has been removed
Launch Ingress Remote File Copy Tools in Container has been removed
Mkdir binary dirs has been removed
Launch Remote File Copy Tools in Container has been removed
Write below root has been removed
Set Setuid or Setgid bit has been removed
DB program spawned process has been removed
Contact EC2 Instance Metadata Service From Container has been removed
Schedule Cron Jobs has been removed
Write below binary dir has been removed
The docker client is executed in a container has been removed
Mount Launched in Privileged Container has been removed
Non sudo setuid has been removed
Delete or rename shell history has been removed
Interpreted procs outbound network activity has been removed
Detect crypto miners using the Stratum protocol has been removed
Read environment variable from /proc files has been removed
Disallowed SSH Connection has been removed
Launch Package Management Process in Container has been removed
Launch Excessively Capable Container has been removed
System procs network activity has been removed
Contact cloud metadata service from container has been removed
Create Hidden Files or Directories has been removed
Java Process Class File Download has been removed
Read Shell Configuration File has been removed
Write below monitored dir has been removed
htpasswd_writing_passwd has been removed
aws_eks_core_images has been removed
allowed_ssh_proxy_env has been removed
galley_writing_state has been removed
login_doing_dns_lookup has been removed
net_miner_pool has been removed
known_gke_mount_in_privileged_containers has been removed
istio_writing_conf has been removed
pkgmgmt_progs_writing_pki has been removed
truncate_shell_history has been removed
bin_dir_mkdir has been removed
java_writing_conf has been removed
php_handlers_writing_conf has been removed
user_expected_system_procs_network_activity_conditions has been removed
minerpool_https has been removed
run_by_sumologic_securefiles has been removed
calico_writing_state has been removed
user_known_user_management_activities has been removed
network_tool_procs has been removed
parent_ucf_writing_conf has been removed
rpm_procs has been removed
amazon_linux_running_python_yum has been removed
user_sensitive_mount_containers has been removed
container_started has been removed
sed_writing_temp_file has been removed
allowed_openshift_registry_root has been removed
system_procs has been removed
sssd_writing_krb has been removed
user_known_write_rpm_database_activities has been removed
chage_list has been removed
python_running_denyhosts has been removed
veritas_writing_config has been removed
zap_writing_state has been removed
user_known_modify_bin_dir_activities has been removed
python_running_get_pip has been removed
git_writing_nssdb has been removed
curl_writing_pki_db has been removed
ovsdb_writing_openvswitch has been removed
veritas_progs has been removed
run_by_centrify has been removed
xmlcatalog_writing_files has been removed
excessively_capable_container has been removed
curl_download has been removed
duply_writing_exclude_files has been removed
exe_running_docker_save has been removed
consul_template_writing_conf has been removed
user_known_mount_in_privileged_containers has been removed
user_known_non_sudo_setuid_conditions has been removed
checkpoint_writing_state has been removed
weaveworks_scope has been removed
python_running_ms_oms has been removed
rancher_network_manager has been removed
selinux_writing_conf has been removed
rancher_agent has been removed
openshift_writing_conf has been removed
user_known_db_spawned_processes has been removed
jboss_in_container_writing_passwd has been removed
openldap_writing_conf has been removed
airflow_writing_state has been removed
nrpe_becoming_nagios has been removed
var_lib_docker_filepath has been removed
chef_writing_conf has been removed
haproxy_writing_conf has been removed
fluentd_writing_conf_files has been removed
package_mgmt_procs has been removed
sed_temporary_file has been removed
cloud_init_writing_ssh has been removed
supervise_writing_status has been removed
cron_start_writing_pam_env has been removed
user_known_change_thread_namespace_activities has been removed
openvpn_writing_conf has been removed
modify_shell_history has been removed
ucpagent_writing_conf has been removed
cockpit_writing_conf has been removed
user_known_write_below_root_activities has been removed
always_true has been removed
update_ca_trust_writing_pki has been removed
mysqlsh_writing_state has been removed
ec2_metadata_containers has been removed
chef_client_writing_conf has been removed
maven_writing_groovy has been removed
redis_writing_conf has been removed
user_known_mkdir_bin_dir_activities has been removed
redhat_image has been removed
minerpool_other has been removed
java_network_read has been removed
bin_dir has been removed
azure_networkwatcher_writing_conf has been removed
couchdb_writing_conf has been removed
user_known_run_as_root_container has been removed
cassandra_writing_state has been removed
allowed_aws_ecr_registry_root_for_eks has been removed
user_known_container_drift_activities has been removed
coreos_write_ssh_dir has been removed
user_known_shell_config_modifiers has been removed
dpkg_scripting has been removed
etcd_manager_updating_dns has been removed
somebody_becoming_themselves has been removed
minerpool_http has been removed
inbound has been removed
allowed_ssh_hosts has been removed
nginx_writing_conf has been removed
dse_writing_tmp has been removed
rpm_writing_root_rpmdb has been removed
user_known_write_root_conditions has been removed
remove has been removed
package_mgmt_ancestor_procs has been removed
countly_writing_nginx_conf has been removed
expected_udp_traffic has been removed
plesk_install_writing_apache_conf has been removed
rancher_writing_root has been removed
http_proxy_procs has been removed
interpreted_procs has been removed
inbound_outbound has been removed
ms_oms_writing_conf has been removed
httpd_writing_conf_logs has been removed
mkdir has been removed
bin_dir_rename has been removed
root_dir has been removed
falco_sensitive_mount_containers has been removed
allowed_containers has been removed
user_known_k8s_client_container_parens has been removed
user_known_cron_jobs has been removed
ms_scx_writing_conf has been removed
rancher_writing_conf has been removed
rabbitmq_writing_conf has been removed
user_known_package_manager_in_container has been removed
liveupdate_writing_conf has been removed
multipath_writing_conf has been removed
mount_info has been removed
user_known_ingress_remote_file_copy_activities has been removed
ufw_writing_conf has been removed
plesk_writing_keys has been removed
prometheus_conf_writing_conf has been removed
mcafee_writing_cma_d has been removed
known_user_in_container has been removed
python_running_chef has been removed
lvprogs_writing_conf has been removed
qualys_writing_conf_files has been removed
mysql_writing_conf has been removed
avinetworks_supervisor_writing_ssh has been removed
known_root_conditions has been removed
iscsi_writing_conf has been removed
user_known_write_below_binary_dir_activities has been removed
outbound has been removed
user_trusted_containers has been removed
java_running_cassandra has been removed
runc_writing_exec_fifo has been removed
falco_privileged_containers has been removed
docker_procs has been removed
open_directory has been removed
sosreport_writing_files has been removed
kubectl_writing_state has been removed
networkmanager_writing_resolv_conf has been removed
keepalived_writing_conf has been removed
user_known_write_etc_conditions has been removed
chmod has been removed
ipsec_writing_conf has been removed
google_accounts_daemon_writing_ssh has been removed
modify has been removed
centrify_writing_krb has been removed
user_known_read_ssh_information_activities has been removed
kubelet_running_loopback has been removed
mkinitramfs_writing_boot has been removed
user_known_write_below_etc_activities has been removed
user_known_network_tool_activities has been removed
ssh_port has been removed
user_known_set_setuid_or_setgid_bit_conditions has been removed
remote_file_copy_procs has been removed
runc_writing_var_lib_docker has been removed
nodeport_containers has been removed
nginx_writing_certs has been removed
calico_writing_envvars has been removed
user_known_metadata_access has been removed
consider_network_tools_on_host has been removed
user_known_remote_file_copy_activities has been removed
user_known_update_package_registry has been removed
openshift_image has been removed
run_by_ms_oms has been removed
symantec_writing_conf has been removed
pki_realm_writing_realms has been removed
brandbot_writing_os_release has been removed
gugent_writing_guestagent_log has been removed
network_local_subnet has been removed
user_known_write_monitored_dir_conditions has been removed
user_known_k8s_client_container has been removed
sensitive_mount has been removed
ingress_remote_file_copy_procs has been removed
userhelper_writing_etc_security has been removed
slapadd_writing_conf has been removed
plesk_running_mktemp has been removed
datadog_writing_conf has been removed
user_known_create_hidden_file_activities has been removed
rename has been removed
parent_supervise_running_multilog has been removed
modify_repositories has been removed
monitored_dir has been removed
known_aks_mount_in_privileged_containers has been removed
user_privileged_containers has been removed
add_shell_writing_shells_tmp has been removed
rook_writing_conf has been removed
aws_eks_image_sensitive_mount has been removed
run_by_adclient has been removed
java_running_sdjagent has been removed
update_texmf_writing_conf has been removed
access_repositories has been removed
write_etc_common has been removed
run_by_yum has been removed
azure_scripts_writing_conf has been removed
automount_using_mtab has been removed
pkg_mgmt_in_kube_proxy has been removed
httpd_writing_ssl_conf has been removed
calico_writing_conf has been removed
user_known_create_files_below_dev_activities has been removed
calico_node has been removed
trusted_images_query_miner_domain_dns has been removed
ssl_mgmt_binaries has been removed
coreutils_binaries has been removed
zsh_config_filenames has been removed
redhat_io_images_privileged has been removed
allowed_image has been removed
interpreted_binaries has been removed
plesk_binaries has been removed
allowed_inbound_source_ipaddrs has been removed
known_root_files has been removed
allowed_dev_files has been removed
k8s_client_binaries has been removed
test_connect_ports has been removed
miner_ports has been removed
https_miner_domains has been removed
authorized_server_port has been removed
known_setuid_binaries has been removed
shell_config_files has been removed
repository_directories has been removed
k8s_binaries
has been removedshell_config_directories
has been removedhttp_miner_domains
has been removedlxd_binaries
has been removedallowed_outbound_destination_ipaddrs
has been removedallowed_inbound_source_domains
has been removedstatsd_ports
has been removednetwork_plugin_binaries
has been removedknown_istio_files
has been removedl2tp_udp_ports
has been removedexclude_hidden_directories
has been removeduser_known_userfaultfd_processes
has been removedknown_binaries_to_read_environment_variables_from_proc_files
has been removedknown_root_directories
has been removeduser_known_change_thread_namespace_binaries
has been removedexpected_udp_ports
has been removednetwork_tool_binaries
has been removedssh_binaries
has been removedsafe_etc_dirs
has been removednamespace_scope_network_only_subnet
has been removedms_oms_binaries
has been removedfalco_sensitive_mount_images
has been removedremote_file_copy_binaries
has been removedingress_remote_file_copy_binaries
has been removedshell_config_filenames
has been removedc2_server_fqdn_list
has been removedshell_mgmt_binaries
has been removedallowed_inbound_source_networks
has been removedbash_config_files
has been removedbash_config_filenames
has been removedveritas_binaries
has been removedopenvpn_udp_ports
has been removeduser_known_chmod_applications
has been removedallowed_outbound_destination_domains
has been removedcsh_config_files
has been removeduser_known_k8s_images
has been removeddev_creation_binaries
has been removedc2_server_ip_list
has been removedrfc_1918_addresses
has been removedcsh_config_filenames
has been removeduser_known_k8s_ns_kube_system_images
has been removedsysdigcloud_binaries
has been removedopenscap_rpm_binaries
has been removedauthorized_server_binary
has been removeddhcp_binaries
has been removedallowed_outbound_destination_networks
has been removedrepository_files
has been removedhttp_proxy_binaries
has been removedmonitored_directories
has been removedknown_system_procs_network_activity_binaries
has been removedntp_ports
has been removedminer_domains
has been removedrun_as_root_image_list
has been removedDirectory traversal monitored file read
has less tags than beforeRead sensitive file trusted after startup
has less tags than beforeRead sensitive file untrusted
has less tags than beforeRemove Bulk Data from Disk
has less tags than beforeCreate Symlink Over Sensitive Files
has less tags than beforeCreate Hardlink Over Sensitive Files
has less tags than beforePacket socket created in container
has less tags than beforeRedirect STDOUT/STDIN to Network Connection in Container
has less tags than beforeLinux Kernel Module Injection Detected
has less tags than beforeDebugfs Launched in Privileged Container
has less tags than beforeDetect release_agent File Container Escapes
has less tags than beforePTRACE attached to process
has less tags than beforeExecution from /dev/shm
has less tags than beforePatch changes:
Directory traversal monitored file read
changed its output fieldsDirectory traversal monitored file read
has more tags than beforeRead sensitive file trusted after startup
changed its output fieldsRead sensitive file trusted after startup
has more tags than beforeRead sensitive file untrusted
changed its output fieldsRead sensitive file untrusted
has more tags than beforeRun shell untrusted
changed its output fieldsRun shell untrusted
has more tags than beforeRun shell untrusted
has a more urgent priority than beforeSystem user interactive
changed its output fieldsSystem user interactive
has more tags than beforeTerminal shell in container
has more tags than beforeContact K8S API Server From Container
changed its output fieldsContact K8S API Server From Container
has more tags than beforeNetcat Remote Code Execution in Container
changed its output fieldsNetcat Remote Code Execution in Container
has more tags than beforeSearch Private Keys or Passwords
changed its output fieldsSearch Private Keys or Passwords
has more tags than beforeClear Log Activities
changed its output fieldsClear Log Activities
has more tags than beforeRemove Bulk Data from Disk
changed its output fieldsRemove Bulk Data from Disk
has more tags than beforeCreate Symlink Over Sensitive Files
changed its output fieldsCreate Symlink Over Sensitive Files
has more tags than beforeCreate Hardlink Over Sensitive Files
changed its output fieldsCreate Hardlink Over Sensitive Files
has more tags than beforePacket socket created in container
changed its output fieldsPacket socket created in container
has more tags than beforeRedirect STDOUT/STDIN to Network Connection in Container
changed its output fieldsRedirect STDOUT/STDIN to Network Connection in Container
has more tags than beforeLinux Kernel Module Injection Detected
changed its output fieldsLinux Kernel Module Injection Detected
has more tags than beforeDebugfs Launched in Privileged Container
changed its output fieldsDebugfs Launched in Privileged Container
has more tags than beforeDetect release_agent File Container Escapes
changed its output fieldsDetect release_agent File Container Escapes
has more tags than beforePTRACE attached to process
changed its output fieldsPTRACE attached to process
has more tags than beforePTRACE anti-debug attempt
changed its output fieldsPTRACE anti-debug attempt
has more tags than beforeFind AWS Credentials
changed its output fieldsFind AWS Credentials
has more tags than beforeExecution from /dev/shm
changed its output fieldsExecution from /dev/shm
has more tags than beforeDrop and execute new binary in container
changed its output fieldsDrop and execute new binary in container
has more tags than before@leogr 🚀 did a first pass and verified we didn't loose any rule or don't have a duplicated rules. Pushed an update to the py rules overview generator.
Will do a second pass review later.
Agreed with naming convention, looks good!
@leogr just reviewed again and LGTM! Seems we still need some more CI adjustments.
I think this is a great idea for now to duplicate the macros and lists in the respective rules files to ensure that they are self contained. In the future we can think of better ways to reduce duplication.
You also mentioned that the comments within the rules files are inconsistent -- I do agree, it would be a much appreciated follow-up cleanup. In that line, perhaps we should have all macros first and then all lists, vs now some are at the top and some right before the rule uses the macro (mostly when it's a very specific macro)? WDYT? Maybe even have the rules and macros listed in alphabetical order or by "topic"?
@leogr just reviewed again and LGTM! Seems we still need some more CI adjustments. Thank you! :pray:
re: CI adjustments
The failing CI checks (the 3 Rules / check-version... ) should be skipped in this case, since the previous versions of the rules files are non-existing. Let me see if I can fix it shortly, otherwise, we will do a follow-up PR.
I think this is a great idea for now to duplicate the macros and lists in the respective rules files to ensure that they are self contained. In the future we can think of better ways to reduce duplication.
Before sharing my final thoughts on that, I want to play a bit with the current approach when multiple rules files are loaded simultaneously. I will let you know.
You also mentioned that the comments within the rules files are inconsistent -- I do agree, it would be a much appreciated follow-up cleanup. In that line, perhaps we should have all macros first and then all lists, vs now some are at the top and some right before the rule uses the macro (mostly when it's a very specific macro)? WDYT? Maybe even have the rules and macros listed in alphabetical order or by "topic"?
The issues I found with comments are due to practical reasons. In particular:
However, all of this is for another PR for sure. I'll open an issue to track it.
Comparing bb404ca03e5943e2214d61e33b8d52d32754d26d
with latest tag falco-rules-1.0.1
Major changes:
Unexpected outbound connection destination has been removed
Write below monitored dir has been removed
Program run with disallowed http proxy env has been removed
Delete or rename shell history has been removed
Unexpected UDP Traffic has been removed
Unexpected inbound connection source has been removed
System procs network activity has been removed
Create files below dev has been removed
Unexpected K8s NodePort Connection has been removed
Read ssh information has been removed
Write below root has been removed
Launch Sensitive Mount Container has been removed
User mgmt binaries has been removed
Launch Package Management Process in Container has been removed
Launch Suspicious Network Tool on Host has been removed
Modify Container Entrypoint has been removed
Non sudo setuid has been removed
Read environment variable from /proc files has been removed
Modify Shell Configuration File has been removed
Write below binary dir has been removed
DB program spawned process has been removed
Launch Excessively Capable Container has been removed
Update Package Repository has been removed
Modify binary dirs has been removed
Launch Remote File Copy Tools in Container has been removed
Launch Ingress Remote File Copy Tools in Container has been removed
Create Hidden Files or Directories has been removed
Contact EC2 Instance Metadata Service From Container has been removed
Outbound or Inbound Traffic not to Authorized Server Process and Port has been removed
Java Process Class File Download has been removed
Change thread namespace has been removed
Detect crypto miners using the Stratum protocol has been removed
Sudo Potential Privilege Escalation has been removed
Mount Launched in Privileged Container has been removed
Schedule Cron Jobs has been removed
Interpreted procs outbound network activity has been removed
Detect outbound connections to common miner pool ports has been removed
Mkdir binary dirs has been removed
Launch Privileged Container has been removed
Interpreted procs inbound network activity has been removed
Launch Suspicious Network Tool in Container has been removed
Container Drift Detected (chmod) has been removed
Write below etc has been removed
Write below rpm database has been removed
Network Connection outside Local Subnet has been removed
Unprivileged Delegation of Page Faults Handling to a Userspace Process has been removed
Disallowed SSH Connection has been removed
Outbound Connection to C2 Servers has been removed
Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) has been removed
Read Shell Configuration File has been removed
Launch Disallowed Container has been removed
Contact cloud metadata service from container has been removed
Container Run as Root User has been removed
Delete Bash History has been removed
Set Setuid or Setgid bit has been removed
The docker client is executed in a container has been removed
Container Drift Detected (open+create) has been removed
ms_oms_writing_conf has been removed
fluentd_writing_conf_files has been removed
user_known_create_files_below_dev_activities has been removed
jboss_in_container_writing_passwd has been removed
user_expected_system_procs_network_activity_conditions has been removed
known_aks_mount_in_privileged_containers has been removed
package_mgmt_ancestor_procs has been removed
avinetworks_supervisor_writing_ssh has been removed
falco_privileged_containers has been removed
rename has been removed
mount_info has been removed
maven_writing_groovy has been removed
known_root_conditions has been removed
user_known_write_below_root_activities has been removed
dse_writing_tmp has been removed
etcd_manager_updating_dns has been removed
calico_node has been removed
chage_list has been removed
user_known_package_manager_in_container has been removed
var_lib_docker_filepath has been removed
parent_supervise_running_multilog has been removed
user_known_read_ssh_information_activities has been removed
user_known_metadata_access has been removed
user_known_ingress_remote_file_copy_activities has been removed
user_known_update_package_registry has been removed
falco_sensitive_mount_containers has been removed
allowed_ssh_proxy_env has been removed
cockpit_writing_conf has been removed
exe_running_docker_save has been removed
modify_repositories has been removed
ec2_metadata_containers has been removed
minerpool_http has been removed
minerpool_other has been removed
azure_networkwatcher_writing_conf has been removed
checkpoint_writing_state has been removed
automount_using_mtab has been removed
ovsdb_writing_openvswitch has been removed
cassandra_writing_state has been removed
mkinitramfs_writing_boot has been removed
ipsec_writing_conf has been removed
nrpe_becoming_nagios has been removed
net_miner_pool has been removed
allowed_ssh_hosts has been removed
user_known_db_spawned_processes has been removed
modify_shell_history has been removed
always_true has been removed
consul_template_writing_conf has been removed
openldap_writing_conf has been removed
mcafee_writing_cma_d has been removed
package_mgmt_procs has been removed
java_writing_conf has been removed
amazon_linux_running_python_yum has been removed
user_sensitive_mount_containers has been removed
airflow_writing_state has been removed
excessively_capable_container has been removed
pkg_mgmt_in_kube_proxy has been removed
run_by_ms_oms has been removed
mkdir has been removed
slapadd_writing_conf has been removed
user_known_non_sudo_setuid_conditions has been removed
user_known_user_management_activities has been removed
multipath_writing_conf has been removed
network_local_subnet has been removed
duply_writing_exclude_files has been removed
cron_start_writing_pam_env has been removed
ufw_writing_conf has been removed
kubelet_running_loopback has been removed
brandbot_writing_os_release has been removed
user_known_write_monitored_dir_conditions has been removed
networkmanager_writing_resolv_conf has been removed
python_running_ms_oms has been removed
nodeport_containers has been removed
system_procs has been removed
countly_writing_nginx_conf has been removed
iscsi_writing_conf has been removed
veritas_progs has been removed
chef_writing_conf has been removed
monitored_dir has been removed
user_known_change_thread_namespace_activities has been removed
known_user_in_container has been removed
java_network_read has been removed
calico_writing_state has been removed
sed_writing_temp_file has been removed
python_running_chef has been removed
parent_ucf_writing_conf has been removed
pkgmgmt_progs_writing_pki has been removed
selinux_writing_conf has been removed
pki_realm_writing_realms has been removed
couchdb_writing_conf has been removed
add_shell_writing_shells_tmp has been removed
user_known_write_rpm_database_activities has been removed
consider_network_tools_on_host has been removed
user_known_container_drift_activities has been removed
user_known_k8s_client_container has been removed
azure_scripts_writing_conf has been removed
user_known_modify_bin_dir_activities has been removed
curl_writing_pki_db has been removed
openshift_writing_conf has been removed
allowed_openshift_registry_root has been removed
inbound has been removed
container_started has been removed
update_ca_trust_writing_pki has been removed
zap_writing_state has been removed
known_gke_mount_in_privileged_containers has been removed
somebody_becoming_themselves has been removed
liveupdate_writing_conf has been removed
nginx_writing_conf has been removed
galley_writing_state has been removed
dpkg_scripting has been removed
interpreted_procs has been removed
prometheus_conf_writing_conf has been removed
user_known_write_below_etc_activities has been removed
run_by_sumologic_securefiles has been removed
htpasswd_writing_passwd has been removed
sssd_writing_krb has been removed
weaveworks_scope has been removed
sensitive_mount has been removed
run_by_centrify has been removed
sosreport_writing_files has been removed
run_by_yum has been removed
allowed_aws_ecr_registry_root_for_eks has been removed
user_known_shell_config_modifiers has been removed
open_directory has been removed
ssh_port has been removed
nginx_writing_certs has been removed
remote_file_copy_procs has been removed
user_known_cron_jobs has been removed
update_texmf_writing_conf has been removed
rancher_writing_root has been removed
user_known_mount_in_privileged_containers has been removed
lvprogs_writing_conf has been removed
redhat_image has been removed
aws_eks_core_images has been removed
gugent_writing_guestagent_log has been removed
veritas_writing_config has been removed
sed_temporary_file has been removed
git_writing_nssdb has been removed
php_handlers_writing_conf has been removed
remove has been removed
run_by_adclient has been removed
user_known_write_root_conditions has been removed
allowed_containers has been removed
modify has been removed
minerpool_https has been removed
chef_client_writing_conf has been removed
expected_udp_traffic has been removed
mysql_writing_conf has been removed
user_known_mkdir_bin_dir_activities has been removed
aws_eks_image_sensitive_mount has been removed
root_dir has been removed
outbound has been removed
java_running_cassandra has been removed
ucpagent_writing_conf has been removed
rancher_agent has been removed
user_known_create_hidden_file_activities has been removed
openshift_image has been removed
docker_procs has been removed
bin_dir_mkdir has been removed
python_running_denyhosts has been removed
rabbitmq_writing_conf has been removed
httpd_writing_conf_logs has been removed
user_known_write_below_binary_dir_activities has been removed
haproxy_writing_conf has been removed
redis_writing_conf has been removed
write_etc_common has been removed
httpd_writing_ssl_conf has been removed
kubectl_writing_state has been removed
access_repositories has been removed
datadog_writing_conf has been removed
rook_writing_conf has been removed
istio_writing_conf has been removed
google_accounts_daemon_writing_ssh has been removed
cloud_init_writing_ssh has been removed
userhelper_writing_etc_security has been removed
network_tool_procs has been removed
user_trusted_containers has been removed
chmod has been removed
bin_dir has been removed
symantec_writing_conf has been removed
ms_scx_writing_conf has been removed
truncate_shell_history has been removed
ingress_remote_file_copy_procs has been removed
curl_download has been removed
java_running_sdjagent has been removed
trusted_images_query_miner_domain_dns has been removed
rpm_writing_root_rpmdb has been removed
plesk_running_mktemp has been removed
calico_writing_conf has been removed
user_known_network_tool_activities has been removed
openvpn_writing_conf has been removed
keepalived_writing_conf has been removed
user_known_run_as_root_container has been removed
bin_dir_rename has been removed
rancher_network_manager has been removed
python_running_get_pip has been removed
user_known_write_etc_conditions has been removed
runc_writing_var_lib_docker has been removed
qualys_writing_conf_files has been removed
plesk_writing_keys has been removed
xmlcatalog_writing_files has been removed
user_privileged_containers has been removed
user_known_set_setuid_or_setgid_bit_conditions has been removed
rpm_procs has been removed
supervise_writing_status has been removed
centrify_writing_krb has been removed
login_doing_dns_lookup has been removed
http_proxy_procs has been removed
user_known_remote_file_copy_activities has been removed
inbound_outbound has been removed
runc_writing_exec_fifo has been removed
mysqlsh_writing_state has been removed
user_known_k8s_client_container_parens has been removed
coreos_write_ssh_dir has been removed
plesk_install_writing_apache_conf has been removed
calico_writing_envvars has been removed
rancher_writing_conf has been removed
http_miner_domains has been removed
allowed_image has been removed
sysdigcloud_binaries has been removed
rfc_1918_addresses has been removed
c2_server_fqdn_list has been removed
coreutils_binaries has been removed
interpreted_binaries has been removed
network_tool_binaries has been removed
remote_file_copy_binaries has been removed
c2_server_ip_list has been removed
lxd_binaries has been removed
shell_config_directories has been removed
l2tp_udp_ports has been removed
https_miner_domains has been removed
known_root_directories has been removed
openscap_rpm_binaries has been removed
repository_directories has been removed
veritas_binaries has been removed
exclude_hidden_directories has been removed
miner_ports has been removed
ssh_binaries has been removed
known_root_files has been removed
http_proxy_binaries has been removed
miner_domains has been removed
dhcp_binaries has been removed
user_known_change_thread_namespace_binaries has been removed
expected_udp_ports has been removed
authorized_server_port has been removed
user_known_userfaultfd_processes has been removed
plesk_binaries has been removed
repository_files has been removed
known_system_procs_network_activity_binaries has been removed
bash_config_files has been removed
allowed_outbound_destination_domains has been removed
allowed_inbound_source_ipaddrs has been removed
network_plugin_binaries has been removed
user_known_chmod_applications has been removed
shell_config_files has been removed
falco_sensitive_mount_images has been removed
user_known_k8s_ns_kube_system_images has been removed
shell_mgmt_binaries has been removed
csh_config_files has been removed
monitored_directories has been removed
known_binaries_to_read_environment_variables_from_proc_files has been removed
allowed_outbound_destination_networks has been removed
shell_config_filenames has been removed
namespace_scope_network_only_subnet has been removed
zsh_config_filenames has been removed
k8s_binaries has been removed
k8s_client_binaries has been removed
ssl_mgmt_binaries has been removed
user_known_k8s_images has been removed
csh_config_filenames has been removed
safe_etc_dirs has been removed
known_istio_files has been removed
authorized_server_binary has been removed
run_as_root_image_list has been removed
known_setuid_binaries has been removed
allowed_inbound_source_networks has been removed
redhat_io_images_privileged has been removed
statsd_ports has been removed
dev_creation_binaries has been removed
test_connect_ports has been removed
allowed_outbound_destination_ipaddrs has been removed
ntp_ports has been removed
openvpn_udp_ports has been removed
ingress_remote_file_copy_binaries has been removed
allowed_inbound_source_domains has been removed
bash_config_filenames has been removed
ms_oms_binaries has been removed
allowed_dev_files has been removed
Directory traversal monitored file read has less tags than before
Read sensitive file trusted after startup has less tags than before
Read sensitive file untrusted has less tags than before
Remove Bulk Data from Disk has less tags than before
Create Symlink Over Sensitive Files has less tags than before
Create Hardlink Over Sensitive Files has less tags than before
Packet socket created in container has less tags than before
Redirect STDOUT/STDIN to Network Connection in Container has less tags than before
Linux Kernel Module Injection Detected has less tags than before
Debugfs Launched in Privileged Container has less tags than before
Detect release_agent File Container Escapes has less tags than before
PTRACE attached to process has less tags than before
Execution from /dev/shm has less tags than before
Patch changes:
Directory traversal monitored file read changed its output fields
Directory traversal monitored file read has more tags than before
Read sensitive file trusted after startup changed its output fields
Read sensitive file trusted after startup has more tags than before
Read sensitive file untrusted changed its output fields
Read sensitive file untrusted has more tags than before
Run shell untrusted changed its output fields
Run shell untrusted has more tags than before
Run shell untrusted has a more urgent priority than before
System user interactive changed its output fields
System user interactive has more tags than before
Terminal shell in container has more tags than before
Contact K8S API Server From Container changed its output fields
Contact K8S API Server From Container has more tags than before
Netcat Remote Code Execution in Container changed its output fields
Netcat Remote Code Execution in Container has more tags than before
Search Private Keys or Passwords changed its output fields
Search Private Keys or Passwords has more tags than before
Clear Log Activities changed its output fields
Clear Log Activities has more tags than before
Remove Bulk Data from Disk changed its output fields
Remove Bulk Data from Disk has more tags than before
Create Symlink Over Sensitive Files changed its output fields
Create Symlink Over Sensitive Files has more tags than before
Create Hardlink Over Sensitive Files changed its output fields
Create Hardlink Over Sensitive Files has more tags than before
Packet socket created in container changed its output fields
Packet socket created in container has more tags than before
Redirect STDOUT/STDIN to Network Connection in Container changed its output fields
Redirect STDOUT/STDIN to Network Connection in Container has more tags than before
Linux Kernel Module Injection Detected changed its output fields
Linux Kernel Module Injection Detected has more tags than before
Debugfs Launched in Privileged Container changed its output fields
Debugfs Launched in Privileged Container has more tags than before
Detect release_agent File Container Escapes changed its output fields
Detect release_agent File Container Escapes has more tags than before
PTRACE attached to process changed its output fields
PTRACE attached to process has more tags than before
PTRACE anti-debug attempt changed its output fields
PTRACE anti-debug attempt has more tags than before
Find AWS Credentials changed its output fields
Find AWS Credentials has more tags than before
Execution from /dev/shm changed its output fields
Execution from /dev/shm has more tags than before
Drop and execute new binary in container changed its output fields
Drop and execute new binary in container has more tags than before
Comparing a0c034569ecd024a69768cc12aeba0785982f814
with latest tag falco-rules-1.0.1
Major changes:
User mgmt binaries has been removed
Create files below dev has been removed
Unexpected K8s NodePort Connection has been removed
Detect outbound connections to common miner pool ports has been removed
Launch Privileged Container has been removed
Launch Remote File Copy Tools in Container has been removed
The docker client is executed in a container has been removed
Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) has been removed
Read ssh information has been removed
Modify binary dirs has been removed
Disallowed SSH Connection has been removed
Write below root has been removed
Outbound or Inbound Traffic not to Authorized Server Process and Port has been removed
Container Drift Detected (open+create) has been removed
Launch Ingress Remote File Copy Tools in Container has been removed
Mkdir binary dirs has been removed
Interpreted procs inbound network activity has been removed
Unexpected UDP Traffic has been removed
Detect crypto miners using the Stratum protocol has been removed
Unexpected outbound connection destination has been removed
Write below binary dir has been removed
Container Run as Root User has been removed
Schedule Cron Jobs has been removed
Launch Suspicious Network Tool on Host has been removed
Network Connection outside Local Subnet has been removed
Java Process Class File Download has been removed
Read Shell Configuration File has been removed
Write below rpm database has been removed
Launch Excessively Capable Container has been removed
Launch Disallowed Container has been removed
Container Drift Detected (chmod) has been removed
Set Setuid or Setgid bit has been removed
Write below monitored dir has been removed
Program run with disallowed http proxy env has been removed
Unexpected inbound connection source has been removed
Update Package Repository has been removed
Non sudo setuid has been removed
Delete Bash History has been removed
Create Hidden Files or Directories has been removed
Outbound Connection to C2 Servers has been removed
Unprivileged Delegation of Page Faults Handling to a Userspace Process has been removed
Modify Shell Configuration File has been removed
Write below etc has been removed
DB program spawned process has been removed
Contact cloud metadata service from container has been removed
Sudo Potential Privilege Escalation has been removed
Modify Container Entrypoint has been removed
Launch Sensitive Mount Container has been removed
Contact EC2 Instance Metadata Service From Container has been removed
Launch Suspicious Network Tool in Container has been removed
Delete or rename shell history has been removed
Read environment variable from /proc files has been removed
Change thread namespace has been removed
System procs network activity has been removed
Interpreted procs outbound network activity has been removed
Mount Launched in Privileged Container has been removed
Launch Package Management Process in Container has been removed
ssh_port has been removed
slapadd_writing_conf has been removed
chef_client_writing_conf has been removed
user_trusted_containers has been removed
user_sensitive_mount_containers has been removed
always_true has been removed
lvprogs_writing_conf has been removed
python_running_get_pip has been removed
openshift_writing_conf has been removed
openshift_image has been removed
user_known_create_files_below_dev_activities has been removed
minerpool_https has been removed
java_writing_conf has been removed
calico_writing_conf has been removed
user_known_write_below_binary_dir_activities has been removed
interpreted_procs has been removed
iscsi_writing_conf has been removed
java_running_sdjagent has been removed
consider_network_tools_on_host has been removed
remove has been removed
azure_scripts_writing_conf has been removed
azure_networkwatcher_writing_conf has been removed
kubectl_writing_state has been removed
user_known_network_tool_activities has been removed
zap_writing_state has been removed
redhat_image has been removed
mount_info has been removed
bin_dir has been removed
brandbot_writing_os_release has been removed
aws_eks_core_images has been removed
user_known_cron_jobs has been removed
calico_node has been removed
user_known_write_root_conditions has been removed
user_known_set_setuid_or_setgid_bit_conditions has been removed
network_local_subnet has been removed
curl_download has been removed
outbound has been removed
run_by_centrify has been removed
dse_writing_tmp has been removed
prometheus_conf_writing_conf has been removed
nrpe_becoming_nagios has been removed
root_dir has been removed
run_by_adclient has been removed
kubelet_running_loopback has been removed
python_running_ms_oms has been removed
google_accounts_daemon_writing_ssh has been removed
write_etc_common has been removed
coreos_write_ssh_dir has been removed
chef_writing_conf has been removed
open_directory has been removed
countly_writing_nginx_conf has been removed
user_known_user_management_activities has been removed
bin_dir_rename has been removed
inbound_outbound has been removed
sed_temporary_file has been removed
known_user_in_container has been removed
package_mgmt_procs has been removed
userhelper_writing_etc_security has been removed
update_ca_trust_writing_pki has been removed
etcd_manager_updating_dns has been removed
user_known_write_rpm_database_activities has been removed
user_known_shell_config_modifiers has been removed
rancher_network_manager has been removed
exe_running_docker_save has been removed
qualys_writing_conf_files has been removed
rancher_writing_root has been removed
mysql_writing_conf has been removed
allowed_ssh_proxy_env has been removed
user_known_non_sudo_setuid_conditions has been removed
symantec_writing_conf has been removed
cassandra_writing_state has been removed
user_known_update_package_registry has been removed
cloud_init_writing_ssh has been removed
rancher_writing_conf has been removed
rpm_procs has been removed
rpm_writing_root_rpmdb has been removed
docker_procs has been removed
rabbitmq_writing_conf has been removed
openvpn_writing_conf has been removed
user_expected_system_procs_network_activity_conditions has been removed
pkg_mgmt_in_kube_proxy has been removed
python_running_denyhosts has been removed
istio_writing_conf has been removed
modify_repositories
has been removedcheckpoint_writing_state
has been removedredis_writing_conf
has been removeduser_known_write_etc_conditions
has been removedsensitive_mount
has been removedallowed_containers
has been removedtrusted_images_query_miner_domain_dns
has been removeduser_known_container_drift_activities
has been removedcentrify_writing_krb
has been removeddatadog_writing_conf
has been removedcron_start_writing_pam_env
has been removedexcessively_capable_container
has been removednginx_writing_conf
has been removedgalley_writing_state
has been removedcalico_writing_envvars
has been removeddpkg_scripting
has been removeduser_known_metadata_access
has been removedmodify_shell_history
has been removedplesk_writing_keys
has been removedovsdb_writing_openvswitch
has been removedufw_writing_conf
has been removeduser_known_modify_bin_dir_activities
has been removedrename
has been removedamazon_linux_running_python_yum
has been removedrun_by_yum
has been removedparent_ucf_writing_conf
has been removedliveupdate_writing_conf
has been removedingress_remote_file_copy_procs
has been removeduser_known_ingress_remote_file_copy_activities
has been removedjava_network_read
has been removeduser_known_mkdir_bin_dir_activities
has been removedtruncate_shell_history
has been removedcalico_writing_state
has been removedexpected_udp_traffic
has been removedjava_running_cassandra
has been removedsystem_procs
has been removedupdate_texmf_writing_conf
has been removedplesk_install_writing_apache_conf
has been removedsed_writing_temp_file
has been removedknown_root_conditions
has been removedmkdir
has been removedmodify
has been removedinbound
has been removedpkgmgmt_progs_writing_pki
has been removedselinux_writing_conf
has been removedadd_shell_writing_shells_tmp
has been removedxmlcatalog_writing_files
has been removedphp_handlers_writing_conf
has been removeduser_known_write_below_root_activities
has been removedbin_dir_mkdir
has been removedsomebody_becoming_themselves
has been removedparent_supervise_running_multilog
has been removeduser_privileged_containers
has been removeduser_known_create_hidden_file_activities
has been removedms_scx_writing_conf
has been removedveritas_progs
has been removedmkinitramfs_writing_boot
has been removedrook_writing_conf
has been removedminerpool_http
has been removeduser_known_run_as_root_container
has been removedsssd_writing_krb
has been removedfalco_privileged_containers
has been removedfalco_sensitive_mount_containers
has been removedlogin_doing_dns_lookup
has been removeduser_known_remote_file_copy_activities
has been removedminerpool_other
has been removedcontainer_started
has been removednetworkmanager_writing_resolv_conf
has been removedmonitored_dir
has been removedavinetworks_supervisor_writing_ssh
has been removeduser_known_change_thread_namespace_activities
has been removeduser_known_k8s_client_container
has been removedremote_file_copy_procs
has been removedpackage_mgmt_ancestor_procs
has been removeduser_known_write_monitored_dir_conditions
has been removedjboss_in_container_writing_passwd
has been removedhttpd_writing_conf_logs
has been removeduser_known_write_below_etc_activities
has been removedhttpd_writing_ssl_conf
has been removedmaven_writing_groovy
has been removeduser_known_read_ssh_information_activities
has been removedpython_running_chef
has been removedsosreport_writing_files
has been removednginx_writing_certs
has been removedairflow_writing_state
has been removedmultipath_writing_conf
has been removedhttp_proxy_procs
has been removedsupervise_writing_status
has been removednodeport_containers
has been removedchmod
has been removedmcafee_writing_cma_d
has been removedrunc_writing_exec_fifo
has been removednet_miner_pool
has been removedaccess_repositories
has been removedgit_writing_nssdb
has been removedchage_list
has been removednetwork_tool_procs
has been removedrun_by_sumologic_securefiles
has been removeducpagent_writing_conf
has been removedrunc_writing_var_lib_docker
has been removedec2_metadata_containers
has been removedrun_by_ms_oms
has been removedipsec_writing_conf
has been removedduply_writing_exclude_files
has been removedmysqlsh_writing_state
has been removedallowed_ssh_hosts
has been removedopenldap_writing_conf
has been removedplesk_running_mktemp
has been removeduser_known_k8s_client_container_parens
has been removedknown_aks_mount_in_privileged_containers
has been removedautomount_using_mtab
has been removedvar_lib_docker_filepath
has been removedpki_realm_writing_realms
has been removedms_oms_writing_conf
has been removedfluentd_writing_conf_files
has been removedhaproxy_writing_conf
has been removedweaveworks_scope
has been removeduser_known_package_manager_in_container
has been removedconsul_template_writing_conf
has been removedveritas_writing_config
has been removedcurl_writing_pki_db
has been removedcockpit_writing_conf
has been removedkeepalived_writing_conf
has been removedknown_gke_mount_in_privileged_containers
has been removedallowed_openshift_registry_root
has been removedaws_eks_image_sensitive_mount
has been removeduser_known_mount_in_privileged_containers
has been removedhtpasswd_writing_passwd
has been removedcouchdb_writing_conf
has been removedallowed_aws_ecr_registry_root_for_eks
has been removedrancher_agent
has been removedgugent_writing_guestagent_log
has been removeduser_known_db_spawned_processes
has been removedallowed_outbound_destination_domains
has been removedrun_as_root_image_list
has been removedk8s_binaries
has been removedinterpreted_binaries
has been removedshell_config_files
has been removedallowed_inbound_source_ipaddrs
has been removeduser_known_change_thread_namespace_binaries
has been removedl2tp_udp_ports
has been removedredhat_io_images_privileged
has been removedk8s_client_binaries
has been removedssl_mgmt_binaries
has been removedknown_istio_files
has been removedexclude_hidden_directories
has been removedminer_domains
has been removedc2_server_ip_list
has been removedcsh_config_files
has been removedrepository_directories
has been removedmonitored_directories
has been removedfalco_sensitive_mount_images
has been removedallowed_dev_files
has been removedingress_remote_file_copy_binaries
has been removedknown_setuid_binaries
has been removedbash_config_filenames
has been removedtest_connect_ports
has been removedminer_ports
has been removedbash_config_files
has been removedauthorized_server_binary
has been removedauthorized_server_port
has been removedknown_binaries_to_read_environment_variables_from_proc_files
has been removedshell_mgmt_binaries
has been removeddev_creation_binaries
has been removedallowed_outbound_destination_ipaddrs
has been removedntp_ports
has been removedallowed_inbound_source_networks
has been removedcsh_config_filenames
has been removedlxd_binaries
has been removedshell_config_directories
has been removedms_oms_binaries
has been removedstatsd_ports
has been removedsafe_etc_dirs
has been removeduser_known_k8s_ns_kube_system_images
has been removedcoreutils_binaries
has been removedopenscap_rpm_binaries
has been removedrfc_1918_addresses
has been removednetwork_plugin_binaries
has been removedveritas_binaries
has been removedhttps_miner_domains
has been removeduser_known_k8s_images
has been removedssh_binaries
has been removedzsh_config_filenames
has been removedrepository_files
has been removednetwork_tool_binaries
has been removedsysdigcloud_binaries
has been removedallowed_inbound_source_domains
has been removedexpected_udp_ports
has been removedc2_server_fqdn_list
has been removedopenvpn_udp_ports
has been removedknown_root_files
has been removednamespace_scope_network_only_subnet
has been removeddhcp_binaries
has been removedallowed_outbound_destination_networks
has been removedknown_root_directories
has been removedhttp_proxy_binaries
has been removedhttp_miner_domains
has been removedplesk_binaries
has been removeduser_known_chmod_applications
has been removedshell_config_filenames
has been removedknown_system_procs_network_activity_binaries
has been removedremote_file_copy_binaries
has been removedallowed_image
has been removeduser_known_userfaultfd_processes
has been removedDirectory traversal monitored file read
has less tags than beforeRead sensitive file trusted after startup
has less tags than beforeRead sensitive file untrusted
has less tags than beforeRemove Bulk Data from Disk
has less tags than beforeCreate Symlink Over Sensitive Files
has less tags than beforeCreate Hardlink Over Sensitive Files
has less tags than beforePacket socket created in container
has less tags than beforeRedirect STDOUT/STDIN to Network Connection in Container
has less tags than beforeLinux Kernel Module Injection Detected
has less tags than beforeDebugfs Launched in Privileged Container
has less tags than beforeDetect release_agent File Container Escapes
has less tags than beforePTRACE attached to process
has less tags than beforeExecution from /dev/shm
has less tags than beforePatch changes:
Directory traversal monitored file read
changed its output fieldsDirectory traversal monitored file read
has more tags than beforeRead sensitive file trusted after startup
changed its output fieldsRead sensitive file trusted after startup
has more tags than beforeRead sensitive file untrusted
changed its output fieldsRead sensitive file untrusted
has more tags than beforeRun shell untrusted
changed its output fieldsRun shell untrusted
has more tags than beforeRun shell untrusted
has a more urgent priority than beforeSystem user interactive
changed its output fieldsSystem user interactive
has more tags than beforeTerminal shell in container
has more tags than beforeContact K8S API Server From Container
changed its output fieldsContact K8S API Server From Container
has more tags than beforeNetcat Remote Code Execution in Container
changed its output fieldsNetcat Remote Code Execution in Container
has more tags than beforeSearch Private Keys or Passwords
changed its output fieldsSearch Private Keys or Passwords
has more tags than beforeClear Log Activities
changed its output fieldsClear Log Activities
has more tags than beforeRemove Bulk Data from Disk
changed its output fieldsRemove Bulk Data from Disk
has more tags than beforeCreate Symlink Over Sensitive Files
changed its output fieldsCreate Symlink Over Sensitive Files
has more tags than beforeCreate Hardlink Over Sensitive Files
changed its output fieldsCreate Hardlink Over Sensitive Files
has more tags than beforePacket socket created in container
changed its output fieldsPacket socket created in container
has more tags than beforeRedirect STDOUT/STDIN to Network Connection in Container
changed its output fieldsRedirect STDOUT/STDIN to Network Connection in Container
has more tags than beforeLinux Kernel Module Injection Detected
changed its output fieldsLinux Kernel Module Injection Detected
has more tags than beforeDebugfs Launched in Privileged Container
changed its output fieldsDebugfs Launched in Privileged Container
has more tags than beforeDetect release_agent File Container Escapes
changed its output fieldsDetect release_agent File Container Escapes
has more tags than beforePTRACE attached to process
changed its output fieldsPTRACE attached to process
has more tags than beforePTRACE anti-debug attempt
changed its output fieldsPTRACE anti-debug attempt
has more tags than beforeFind AWS Credentials
changed its output fieldsFind AWS Credentials
has more tags than beforeExecution from /dev/shm
changed its output fieldsExecution from /dev/shm
has more tags than beforeDrop and execute new binary in container
changed its output fieldsDrop and execute new binary in container
has more tags than beforeComparing e7507257093549dce877839693955bc689f258ef
with latest tag falco-rules-1.0.1
Major changes:
Unexpected inbound connection source has been removed
Write below monitored dir has been removed
Mkdir binary dirs has been removed
Read ssh information has been removed
Launch Remote File Copy Tools in Container has been removed
Mount Launched in Privileged Container has been removed
Read Shell Configuration File has been removed
DB program spawned process has been removed
Delete or rename shell history has been removed
Network Connection outside Local Subnet has been removed
Container Drift Detected (chmod) has been removed
Java Process Class File Download has been removed
Container Drift Detected (open+create) has been removed
Write below binary dir has been removed
Modify binary dirs has been removed
Launch Privileged Container has been removed
Non sudo setuid has been removed
Create files below dev has been removed
Unexpected UDP Traffic has been removed
Unexpected K8s NodePort Connection has been removed
Detect outbound connections to common miner pool ports has been removed
Read environment variable from /proc files has been removed
Unprivileged Delegation of Page Faults Handling to a Userspace Process has been removed
Launch Ingress Remote File Copy Tools in Container has been removed
Write below root has been removed
Launch Sensitive Mount Container has been removed
Launch Package Management Process in Container has been removed
Container Run as Root User has been removed
Contact EC2 Instance Metadata Service From Container has been removed
Launch Suspicious Network Tool on Host has been removed
Set Setuid or Setgid bit has been removed
Create Hidden Files or Directories has been removed
Write below etc has been removed
Interpreted procs outbound network activity has been removed
The docker client is executed in a container has been removed
Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) has been removed
Disallowed SSH Connection has been removed
Contact cloud metadata service from container has been removed
Detect crypto miners using the Stratum protocol has been removed
Unexpected outbound connection destination has been removed
Launch Suspicious Network Tool in Container has been removed
Outbound or Inbound Traffic not to Authorized Server Process and Port has been removed
Outbound Connection to C2 Servers has been removed
Sudo Potential Privilege Escalation has been removed
Modify Shell Configuration File has been removed
Schedule Cron Jobs has been removed
System procs network activity has been removed
User mgmt binaries has been removed
Update Package Repository has been removed
Write below rpm database has been removed
Change thread namespace has been removed
Interpreted procs inbound network activity has been removed
Launch Excessively Capable Container has been removed
Program run with disallowed http proxy env has been removed
Delete Bash History has been removed
Modify Container Entrypoint has been removed
Launch Disallowed Container has been removed
parent_ucf_writing_conf has been removed
allowed_containers has been removed
curl_writing_pki_db has been removed
amazon_linux_running_python_yum has been removed
user_trusted_containers has been removed
always_true has been removed
maven_writing_groovy has been removed
user_known_write_below_root_activities has been removed
ms_oms_writing_conf has been removed
remote_file_copy_procs has been removed
google_accounts_daemon_writing_ssh has been removed
openshift_writing_conf has been removed
xmlcatalog_writing_files has been removed
aws_eks_core_images has been removed
aws_eks_image_sensitive_mount has been removed
falco_privileged_containers has been removed
nodeport_containers has been removed
truncate_shell_history has been removed
update_ca_trust_writing_pki has been removed
httpd_writing_conf_logs has been removed
runc_writing_var_lib_docker has been removed
excessively_capable_container has been removed
inbound has been removed
ssh_port has been removed
veritas_progs has been removed
php_handlers_writing_conf has been removed
user_known_create_files_below_dev_activities has been removed
inbound_outbound has been removed
nginx_writing_conf has been removed
python_running_get_pip has been removed
exe_running_docker_save has been removed
plesk_running_mktemp has been removed
mcafee_writing_cma_d has been removed
user_known_change_thread_namespace_activities has been removed
ufw_writing_conf has been removed
user_sensitive_mount_containers has been removed
rancher_network_manager has been removed
monitored_dir has been removed
sed_writing_temp_file has been removed
user_known_modify_bin_dir_activities has been removed
cron_start_writing_pam_env has been removed
runc_writing_exec_fifo has been removed
minerpool_https has been removed
kubelet_running_loopback has been removed
parent_supervise_running_multilog has been removed
pkg_mgmt_in_kube_proxy has been removed
java_running_sdjagent has been removed
openshift_image has been removed
nrpe_becoming_nagios has been removed
network_tool_procs has been removed
package_mgmt_ancestor_procs has been removed
userhelper_writing_etc_security has been removed
chef_writing_conf has been removed
user_known_write_root_conditions has been removed
ec2_metadata_containers has been removed
container_started has been removed
slapadd_writing_conf has been removed
cockpit_writing_conf has been removed
user_known_user_management_activities has been removed
trusted_images_query_miner_domain_dns has been removed
user_known_mount_in_privileged_containers has been removed
checkpoint_writing_state has been removed
modify_shell_history has been removed
countly_writing_nginx_conf has been removed
user_known_write_below_binary_dir_activities has been removed
automount_using_mtab has been removed
user_known_non_sudo_setuid_conditions has been removed
calico_writing_conf has been removed
http_proxy_procs has been removed
rename has been removed
sosreport_writing_files has been removed
openvpn_writing_conf has been removed
bin_dir has been removed
run_by_centrify has been removed
azure_networkwatcher_writing_conf has been removed
cassandra_writing_state has been removed
keepalived_writing_conf has been removed
veritas_writing_config has been removed
user_known_update_package_registry has been removed
rancher_writing_conf has been removed
jboss_in_container_writing_passwd has been removed
expected_udp_traffic has been removed
nginx_writing_certs has been removed
qualys_writing_conf_files has been removed
java_writing_conf has been removed
known_aks_mount_in_privileged_containers has been removed
httpd_writing_ssl_conf has been removed
user_known_write_rpm_database_activities has been removed
user_known_remote_file_copy_activities has been removed
modify_repositories has been removed
user_known_read_ssh_information_activities has been removed
plesk_install_writing_apache_conf has been removed
run_by_yum has been removed
user_known_k8s_client_container_parens has been removed
networkmanager_writing_resolv_conf has been removed
prometheus_conf_writing_conf has been removed
calico_node has been removed
remove has been removed
iscsi_writing_conf has been removed
liveupdate_writing_conf has been removed
weaveworks_scope has been removed
user_known_run_as_root_container has been removed
python_running_chef has been removed
centrify_writing_krb has been removed
somebody_becoming_themselves has been removed
chage_list has been removed
istio_writing_conf has been removed
zap_writing_state has been removed
known_root_conditions has been removed
mkdir has been removed
update_texmf_writing_conf has been removed
avinetworks_supervisor_writing_ssh has been removed
known_user_in_container has been removed
bin_dir_mkdir has been removed
openldap_writing_conf has been removed
dse_writing_tmp has been removed
user_privileged_containers has been removed
couchdb_writing_conf has been removed
write_etc_common has been removed
user_known_metadata_access has been removed
net_miner_pool has been removed
mount_info has been removed
package_mgmt_procs has been removed
access_repositories has been removed
ingress_remote_file_copy_procs has been removed
root_dir has been removed
pkgmgmt_progs_writing_pki has been removed
haproxy_writing_conf has been removed
ms_scx_writing_conf has been removed
user_known_db_spawned_processes has been removed
minerpool_http has been removed
network_local_subnet has been removed
htpasswd_writing_passwd has been removed
consul_template_writing_conf has been removed
sed_temporary_file has been removed
calico_writing_state has been removed
lvprogs_writing_conf has been removed
symantec_writing_conf has been removed
modify has been removed
ipsec_writing_conf has been removed
airflow_writing_state has been removed
user_expected_system_procs_network_activity_conditions has been removed
user_known_create_hidden_file_activities has been removed
plesk_writing_keys has been removed
multipath_writing_conf has been removed
chmod has been removed
ovsdb_writing_openvswitch has been removed
chef_client_writing_conf has been removed
gugent_writing_guestagent_log has been removed
coreos_write_ssh_dir has been removed
azure_scripts_writing_conf has been removed
datadog_writing_conf has been removed
user_known_k8s_client_container has been removed
curl_download has been removed
outbound has been removed
user_known_set_setuid_or_setgid_bit_conditions has been removed
docker_procs has been removed
python_running_ms_oms has been removed
user_known_mkdir_bin_dir_activities has been removed
ucpagent_writing_conf has been removed
rook_writing_conf has been removed
dpkg_scripting has been removed
user_known_ingress_remote_file_copy_activities has been removed
allowed_ssh_hosts has been removed
rancher_agent has been removed
cloud_init_writing_ssh has been removed
supervise_writing_status has been removed
brandbot_writing_os_release has been removed
rancher_writing_root has been removed
python_running_denyhosts has been removed
user_known_write_monitored_dir_conditions has been removed
add_shell_writing_shells_tmp has been removed
login_doing_dns_lookup has been removed
consider_network_tools_on_host has been removed
run_by_adclient has been removed
galley_writing_state has been removed
sensitive_mount has been removed
allowed_ssh_proxy_env has been removed
rpm_procs has been removed
selinux_writing_conf has been removed
kubectl_writing_state has been removed
etcd_manager_updating_dns has been removed
user_known_write_etc_conditions has been removed
rpm_writing_root_rpmdb has been removed
fluentd_writing_conf_files has been removed
git_writing_nssdb has been removed
duply_writing_exclude_files has been removed
mysql_writing_conf has been removed
user_known_shell_config_modifiers has been removed
mkinitramfs_writing_boot has been removed
open_directory has been removed
mysqlsh_writing_state has been removed
rabbitmq_writing_conf has been removed
user_known_package_manager_in_container has been removed
user_known_cron_jobs has been removed
pki_realm_writing_realms has been removed
allowed_openshift_registry_root has been removed
system_procs has been removed
run_by_sumologic_securefiles has been removed
sssd_writing_krb has been removed
java_running_cassandra has been removed
redhat_image has been removed
var_lib_docker_filepath has been removed
bin_dir_rename has been removed
interpreted_procs has been removed
redis_writing_conf has been removed
allowed_aws_ecr_registry_root_for_eks has been removed
user_known_container_drift_activities has been removed
calico_writing_envvars has been removed
user_known_write_below_etc_activities has been removed
minerpool_other has been removed
known_gke_mount_in_privileged_containers has been removed
run_by_ms_oms has been removed
falco_sensitive_mount_containers has been removed
user_known_network_tool_activities has been removed
java_network_read has been removed
allowed_outbound_destination_networks has been removed
openvpn_udp_ports has been removed
k8s_binaries has been removed
allowed_inbound_source_domains has been removed
known_system_procs_network_activity_binaries has been removed
network_plugin_binaries has been removed
user_known_k8s_ns_kube_system_images has been removed
c2_server_ip_list has been removed
dhcp_binaries has been removed
namespace_scope_network_only_subnet has been removed
csh_config_files has been removed
l2tp_udp_ports has been removed
redhat_io_images_privileged has been removed
ntp_ports has been removed
known_istio_files has been removed
known_binaries_to_read_environment_variables_from_proc_files has been removed
lxd_binaries has been removed
shell_config_filenames has been removed
shell_config_files has been removed
bash_config_filenames has been removed
sysdigcloud_binaries has been removed
bash_config_files has been removed
statsd_ports has been removed
authorized_server_binary has been removed
known_root_files has been removed
user_known_k8s_images has been removed
allowed_image has been removed
c2_server_fqdn_list has been removed
allowed_outbound_destination_ipaddrs has been removed
user_known_change_thread_namespace_binaries has been removed
shell_mgmt_binaries has been removed
coreutils_binaries has been removed
interpreted_binaries has been removed
openscap_rpm_binaries has been removed
known_root_directories has been removed
remote_file_copy_binaries has been removed
allowed_dev_files has been removed
ssh_binaries has been removed
authorized_server_port has been removed
veritas_binaries has been removed
http_proxy_binaries has been removed
zsh_config_filenames has been removed
falco_sensitive_mount_images has been removed
expected_udp_ports has been removed
https_miner_domains has been removed
k8s_client_binaries has been removed
allowed_inbound_source_networks has been removed
repository_files has been removed
repository_directories has been removed
monitored_directories has been removed
allowed_outbound_destination_domains has been removed
allowed_inbound_source_ipaddrs has been removed
exclude_hidden_directories has been removed
plesk_binaries has been removed
run_as_root_image_list has been removed
ingress_remote_file_copy_binaries has been removed
user_known_chmod_applications has been removed
miner_domains has been removed
dev_creation_binaries has been removed
rfc_1918_addresses has been removed
ms_oms_binaries has been removed
test_connect_ports has been removed
ssl_mgmt_binaries has been removed
miner_ports has been removed
user_known_userfaultfd_processes has been removed
known_setuid_binaries has been removed
safe_etc_dirs has been removed
network_tool_binaries has been removed
http_miner_domains has been removed
shell_config_directories has been removed
csh_config_filenames has been removed
Directory traversal monitored file read has less tags than before
Read sensitive file trusted after startup has less tags than before
Read sensitive file untrusted has less tags than before
Remove Bulk Data from Disk has less tags than before
Create Symlink Over Sensitive Files has less tags than before
Create Hardlink Over Sensitive Files has less tags than before
Packet socket created in container has less tags than before
Redirect STDOUT/STDIN to Network Connection in Container has less tags than before
Linux Kernel Module Injection Detected has less tags than before
Debugfs Launched in Privileged Container has less tags than before
Detect release_agent File Container Escapes has less tags than before
PTRACE attached to process has less tags than before
Execution from /dev/shm has less tags than before
Patch changes:
Directory traversal monitored file read changed its output fields
Directory traversal monitored file read has more tags than before
Read sensitive file trusted after startup changed its output fields
Read sensitive file trusted after startup has more tags than before
Read sensitive file untrusted changed its output fields
Read sensitive file untrusted has more tags than before
Run shell untrusted changed its output fields
Run shell untrusted has more tags than before
Run shell untrusted has a more urgent priority than before
System user interactive changed its output fields
System user interactive has more tags than before
Terminal shell in container has more tags than before
Contact K8S API Server From Container changed its output fields
Contact K8S API Server From Container has more tags than before
Netcat Remote Code Execution in Container changed its output fields
Netcat Remote Code Execution in Container has more tags than before
Search Private Keys or Passwords changed its output fields
Search Private Keys or Passwords has more tags than before
Clear Log Activities changed its output fields
Clear Log Activities has more tags than before
Remove Bulk Data from Disk changed its output fields
Remove Bulk Data from Disk has more tags than before
Create Symlink Over Sensitive Files changed its output fields
Create Symlink Over Sensitive Files has more tags than before
Create Hardlink Over Sensitive Files changed its output fields
Create Hardlink Over Sensitive Files has more tags than before
Packet socket created in container changed its output fields
Packet socket created in container has more tags than before
Redirect STDOUT/STDIN to Network Connection in Container changed its output fields
Redirect STDOUT/STDIN to Network Connection in Container has more tags than before
Linux Kernel Module Injection Detected changed its output fields
Linux Kernel Module Injection Detected has more tags than before
Debugfs Launched in Privileged Container changed its output fields
Debugfs Launched in Privileged Container has more tags than before
Detect release_agent File Container Escapes changed its output fields
Detect release_agent File Container Escapes has more tags than before
PTRACE attached to process changed its output fields
PTRACE attached to process has more tags than before
PTRACE anti-debug attempt changed its output fields
PTRACE anti-debug attempt has more tags than before
Find AWS Credentials changed its output fields
Find AWS Credentials has more tags than before
Execution from /dev/shm changed its output fields
Execution from /dev/shm has more tags than before
Drop and execute new binary in container changed its output fields
Drop and execute new binary in container has more tags than before
Comparing 6651dbd69046499600ab8b86366526a466a6cabd
with latest tag falco-rules-1.0.1
Major changes:
Launch Ingress Remote File Copy Tools in Container has been removed
Unexpected inbound connection source has been removed
Interpreted procs outbound network activity has been removed
Delete or rename shell history has been removed
Detect crypto miners using the Stratum protocol has been removed
Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) has been removed
Interpreted procs inbound network activity has been removed
Mount Launched in Privileged Container has been removed
DB program spawned process has been removed
Write below monitored dir has been removed
Schedule Cron Jobs has been removed
Write below binary dir has been removed
Mkdir binary dirs has been removed
The docker client is executed in a container has been removed
Outbound or Inbound Traffic not to Authorized Server Process and Port has been removed
Modify Shell Configuration File has been removed
Launch Sensitive Mount Container has been removed
Non sudo setuid has been removed
Launch Remote File Copy Tools in Container has been removed
Sudo Potential Privilege Escalation has been removed
Java Process Class File Download has been removed
Update Package Repository has been removed
User mgmt binaries has been removed
Delete Bash History has been removed
Container Run as Root User has been removed
Unexpected outbound connection destination has been removed
Launch Privileged Container has been removed
Launch Excessively Capable Container has been removed
Launch Suspicious Network Tool in Container has been removed
Container Drift Detected (chmod) has been removed
Write below rpm database has been removed
Change thread namespace has been removed
Unexpected UDP Traffic has been removed
Read ssh information has been removed
Launch Disallowed Container has been removed
Detect outbound connections to common miner pool ports has been removed
Modify Container Entrypoint has been removed
Modify binary dirs has been removed
Write below root has been removed
Create files below dev has been removed
Unexpected K8s NodePort Connection has been removed
Set Setuid or Setgid bit has been removed
Create Hidden Files or Directories has been removed
Read Shell Configuration File has been removed
Network Connection outside Local Subnet has been removed
Contact cloud metadata service from container has been removed
Launch Package Management Process in Container has been removed
Container Drift Detected (open+create)
has been removedProgram run with disallowed http proxy env
has been removedRead environment variable from /proc files
has been removedWrite below etc
has been removedSystem procs network activity
has been removedContact EC2 Instance Metadata Service From Container
has been removedLaunch Suspicious Network Tool on Host
has been removedOutbound Connection to C2 Servers
has been removedUnprivileged Delegation of Page Faults Handling to a Userspace Process
has been removedDisallowed SSH Connection
has been removedslapadd_writing_conf
has been removedopenldap_writing_conf
has been removedmkinitramfs_writing_boot
has been removedopenvpn_writing_conf
has been removedmysqlsh_writing_state
has been removedparent_supervise_running_multilog
has been removedcouchdb_writing_conf
has been removedrunc_writing_exec_fifo
has been removedaws_eks_image_sensitive_mount
has been removeduser_known_metadata_access
has been removeddocker_procs
has been removednginx_writing_conf
has been removedairflow_writing_state
has been removedavinetworks_supervisor_writing_ssh
has been removednrpe_becoming_nagios
has been removedovsdb_writing_openvswitch
has been removedadd_shell_writing_shells_tmp
has been removedphp_handlers_writing_conf
has been removedknown_user_in_container
has been removednginx_writing_certs
has been removedopenshift_writing_conf
has been removeduser_privileged_containers
has been removedexcessively_capable_container
has been removedsed_temporary_file
has been removedaccess_repositories
has been removedtruncate_shell_history
has been removedallowed_openshift_registry_root
has been removedconsider_network_tools_on_host
has been removeduser_known_create_hidden_file_activities
has been removeduser_known_write_etc_conditions
has been removednetwork_tool_procs
has been removeduser_known_cron_jobs
has been removedknown_root_conditions
has been removedliveupdate_writing_conf
has been removeduser_known_modify_bin_dir_activities
has been removedsomebody_becoming_themselves
has been removeduser_known_non_sudo_setuid_conditions
has been removedpki_realm_writing_realms
has been removeducpagent_writing_conf
has been removedsosreport_writing_files
has been removedcron_start_writing_pam_env
has been removedminerpool_https
has been removedallowed_ssh_hosts
has been removedistio_writing_conf
has been removedsssd_writing_krb
has been removedmultipath_writing_conf
has been removeduserhelper_writing_etc_security
has been removedhtpasswd_writing_passwd
has been removedcentrify_writing_krb
has been removeduser_known_update_package_registry
has been removeduser_known_package_manager_in_container
has been removedplesk_writing_keys
has been removedfalco_sensitive_mount_containers
has been removedexpected_udp_traffic
has been removedtrusted_images_query_miner_domain_dns
has been removedcalico_writing_state
has been removedminerpool_http
has been removeduser_known_k8s_client_container
has been removedaws_eks_core_images
has been removedoutbound
has been removedhttpd_writing_ssl_conf
has been removedmaven_writing_groovy
has been removedfluentd_writing_conf_files
has been removedredhat_image
has been removedexe_running_docker_save
has been removedremote_file_copy_procs
has been removeduser_known_mount_in_privileged_containers
has been removeduser_known_write_rpm_database_activities
has been removedallowed_ssh_proxy_env
has been removedrun_by_adclient
has been removeduser_known_mkdir_bin_dir_activities
has been removedupdate_texmf_writing_conf
has been removedgalley_writing_state
has been removedjava_network_read
has been removedrun_by_centrify
has been removedmodify_repositories
has been removedqualys_writing_conf_files
has been removednetworkmanager_writing_resolv_conf
has been removedpython_running_ms_oms
has been removedkeepalived_writing_conf
has been removedknown_gke_mount_in_privileged_containers
has been removedetcd_manager_updating_dns
has been removedallowed_containers
has been removedknown_aks_mount_in_privileged_containers
has been removedrun_by_yum
has been removedrun_by_ms_oms
has been removedsupervise_writing_status
has been removedbrandbot_writing_os_release
has been removedcalico_writing_conf
has been removedms_scx_writing_conf
has been removedwrite_etc_common
has been removedamazon_linux_running_python_yum
has been removedlogin_doing_dns_lookup
has been removedsystem_procs
has been removedcontainer_started
has been removeduser_known_write_below_binary_dir_activities
has been removedrabbitmq_writing_conf
has been removedfalco_privileged_containers
has been removedopen_directory
has been removeduser_known_shell_config_modifiers
has been removedkubelet_running_loopback
has been removeduser_known_read_ssh_information_activities
has been removeduser_known_user_management_activities
has been removedmount_info
has been removedazure_networkwatcher_writing_conf
has been removedpython_running_get_pip
has been removedrpm_writing_root_rpmdb
has been removeddatadog_writing_conf
has been removedrun_by_sumologic_securefiles
has been removedduply_writing_exclude_files
has been removedrancher_agent
has been removedveritas_progs
has been removeddse_writing_tmp
has been removedrunc_writing_var_lib_docker
has been removedbin_dir
has been removedms_oms_writing_conf
has been removedsensitive_mount
has been removedkubectl_writing_state
has been removedcloud_init_writing_ssh
has been removeduser_known_write_monitored_dir_conditions
has been removedcheckpoint_writing_state
has been removeduser_known_set_setuid_or_setgid_bit_conditions
has been removedupdate_ca_trust_writing_pki
has been removedcassandra_writing_state
has been removeddpkg_scripting
has been removedautomount_using_mtab
has been removedmodify_shell_history
has been removedrpm_procs
has been removedpackage_mgmt_ancestor_procs
has been removedcountly_writing_nginx_conf
has been removeduser_known_write_below_etc_activities
has been removedvar_lib_docker_filepath
has been removedlvprogs_writing_conf
has been removedhaproxy_writing_conf
has been removeduser_known_create_files_below_dev_activities
has been removeduser_known_ingress_remote_file_copy_activities
has been removedinterpreted_procs
has been removedzap_writing_state
has been removedopenshift_image
has been removeduser_known_write_below_root_activities
has been removedchmod
has been removedbin_dir_mkdir
has been removedparent_ucf_writing_conf
has been removedgit_writing_nssdb
has been removedcoreos_write_ssh_dir
has been removedufw_writing_conf
has been removedxmlcatalog_writing_files
has been removedmysql_writing_conf
has been removedrename
has been removediscsi_writing_conf
has been removedselinux_writing_conf
has been removedipsec_writing_conf
has been removedmonitored_dir
has been removeduser_sensitive_mount_containers
has been removedingress_remote_file_copy_procs
has been removeduser_known_run_as_root_container
has been removedconsul_template_writing_conf
has been removeduser_trusted_containers
has been removedchage_list
has been removedec2_metadata_containers
has been removeduser_known_k8s_client_container_parens
has been removedmodify
has been removedazure_scripts_writing_conf
has been removedgoogle_accounts_daemon_writing_ssh
has been removedplesk_running_mktemp
has been removedremove
has been removedchef_client_writing_conf
has been removedjboss_in_container_writing_passwd
has been removedcurl_writing_pki_db
has been removedhttp_proxy_procs
has been removedminerpool_other
has been removedbin_dir_rename
has been removedjava_running_cassandra
has been removedhttpd_writing_conf_logs
has been removednetwork_local_subnet
has been removedredis_writing_conf
has been removedinbound_outbound
has been removedrancher_network_manager
has been removedrancher_writing_root
has been removedjava_writing_conf
has been removeduser_known_db_spawned_processes
has been removedpkg_mgmt_in_kube_proxy
has been removedpkgmgmt_progs_writing_pki
has been removedrancher_writing_conf
has been removedallowed_aws_ecr_registry_root_for_eks
has been removeduser_known_network_tool_activities
has been removeduser_known_container_drift_activities
has been removedcurl_download
has been removedpackage_mgmt_procs
has been removedssh_port
has been removeduser_known_remote_file_copy_activities
has been removedrook_writing_conf
has been removedmcafee_writing_cma_d
has been removeduser_expected_system_procs_network_activity_conditions
has been removedmkdir
has been removedroot_dir
has been removedcockpit_writing_conf
has been removedchef_writing_conf
has been removedcalico_writing_envvars
has been removedsed_writing_temp_file
has been removedplesk_install_writing_apache_conf
has been removeduser_known_change_thread_namespace_activities
has been removedpython_running_chef
has been removedpython_running_denyhosts
has been removedveritas_writing_config
has been removedprometheus_conf_writing_conf
has been removedcalico_node
has been removeduser_known_write_root_conditions
has been removednodeport_containers
has been removednet_miner_pool
has been removedinbound
has been removedjava_running_sdjagent
has been removedsymantec_writing_conf
has been removedgugent_writing_guestagent_log
has been removedweaveworks_scope
has been removedalways_true
has been removednetwork_tool_binaries
has been removedauthorized_server_port
has been removedssl_mgmt_binaries
has been removedbash_config_filenames
has been removedshell_config_directories
has been removedms_oms_binaries
has been removeddhcp_binaries
has been removedrfc_1918_addresses
has been removedallowed_inbound_source_ipaddrs
has been removedshell_config_filenames
has been removedknown_root_directories
has been removedminer_ports
has been removedknown_root_files
has been removedl2tp_udp_ports
has been removedtest_connect_ports
has been removedminer_domains
has been removedk8s_client_binaries
has been removedopenscap_rpm_binaries
has been removedknown_istio_files
has been removedsysdigcloud_binaries
has been removedbash_config_files
has been removedmonitored_directories
has been removedhttps_miner_domains
has been removedshell_mgmt_binaries
has been removedallowed_outbound_destination_networks
has been removedcsh_config_files
has been removedexpected_udp_ports
has been removedexclude_hidden_directories
has been removedrepository_directories
has been removedzsh_config_filenames
has been removedallowed_dev_files
has been removeduser_known_userfaultfd_processes
has been removedsafe_etc_dirs
has been removedfalco_sensitive_mount_images
has been removedstatsd_ports
has been removedk8s_binaries
has been removednetwork_plugin_binaries
has been removedredhat_io_images_privileged
has been removedveritas_binaries
has been removedingress_remote_file_copy_binaries
has been removedallowed_inbound_source_domains
has been removedhttp_proxy_binaries
has been removeduser_known_k8s_images
has been removedknown_binaries_to_read_environment_variables_from_proc_files
has been removedlxd_binaries
has been removedallowed_outbound_destination_ipaddrs
has been removedopenvpn_udp_ports
has been removeduser_known_change_thread_namespace_binaries
has been removedc2_server_ip_list
has been removedshell_config_files
has been removedntp_ports
has been removeduser_known_k8s_ns_kube_system_images
has been removedknown_system_procs_network_activity_binaries
has been removednamespace_scope_network_only_subnet
has been removeduser_known_chmod_applications
has been removedrepository_files
has been removedhttp_miner_domains
has been removedc2_server_fqdn_list
has been removedcoreutils_binaries
has been removedinterpreted_binaries
has been removedcsh_config_filenames
has been removedallowed_image
has been removedplesk_binaries
has been removedauthorized_server_binary
has been removedknown_setuid_binaries
has been removedallowed_outbound_destination_domains
has been removedallowed_inbound_source_networks
has been removedrun_as_root_image_list
has been removedssh_binaries
has been removedremote_file_copy_binaries
has been removeddev_creation_binaries
has been removedDirectory traversal monitored file read
has less tags than beforeRead sensitive file trusted after startup
has less tags than beforeRead sensitive file untrusted
has less tags than beforeRemove Bulk Data from Disk
has less tags than beforeCreate Symlink Over Sensitive Files
has less tags than beforeCreate Hardlink Over Sensitive Files
has less tags than beforePacket socket created in container
has less tags than beforeRedirect STDOUT/STDIN to Network Connection in Container
has less tags than beforeLinux Kernel Module Injection Detected
has less tags than beforeDebugfs Launched in Privileged Container
has less tags than beforeDetect release_agent File Container Escapes
has less tags than beforePTRACE attached to process
has less tags than beforeExecution from /dev/shm
has less tags than beforePatch changes:
Directory traversal monitored file read
changed its output fieldsDirectory traversal monitored file read
has more tags than beforeRead sensitive file trusted after startup
changed its output fieldsRead sensitive file trusted after startup
has more tags than beforeRead sensitive file untrusted
changed its output fieldsRead sensitive file untrusted
has more tags than beforeRun shell untrusted
changed its output fieldsRun shell untrusted
has more tags than beforeRun shell untrusted
has a more urgent priority than beforeSystem user interactive
changed its output fieldsSystem user interactive
has more tags than beforeTerminal shell in container
has more tags than beforeContact K8S API Server From Container
changed its output fieldsContact K8S API Server From Container
has more tags than beforeNetcat Remote Code Execution in Container
changed its output fieldsNetcat Remote Code Execution in Container
has more tags than beforeSearch Private Keys or Passwords
changed its output fieldsSearch Private Keys or Passwords
has more tags than beforeClear Log Activities
changed its output fieldsClear Log Activities
has more tags than beforeRemove Bulk Data from Disk
changed its output fieldsRemove Bulk Data from Disk
has more tags than beforeCreate Symlink Over Sensitive Files
changed its output fieldsCreate Symlink Over Sensitive Files
has more tags than beforeCreate Hardlink Over Sensitive Files
changed its output fieldsCreate Hardlink Over Sensitive Files
has more tags than beforePacket socket created in container
changed its output fieldsPacket socket created in container
has more tags than beforeRedirect STDOUT/STDIN to Network Connection in Container
changed its output fieldsRedirect STDOUT/STDIN to Network Connection in Container
has more tags than beforeLinux Kernel Module Injection Detected
changed its output fieldsLinux Kernel Module Injection Detected
has more tags than beforeDebugfs Launched in Privileged Container
changed its output fieldsDebugfs Launched in Privileged Container
has more tags than beforeDetect release_agent File Container Escapes
changed its output fieldsDetect release_agent File Container Escapes
has more tags than beforePTRACE attached to process
changed its output fieldsPTRACE attached to process
has more tags than beforePTRACE anti-debug attempt
changed its output fieldsPTRACE anti-debug attempt
has more tags than beforeFind AWS Credentials
changed its output fieldsFind AWS Credentials
has more tags than beforeExecution from /dev/shm
changed its output fieldsExecution from /dev/shm
has more tags than beforeDrop and execute new binary in container
changed its output fieldsDrop and execute new binary in container
has more tags than before@incertum
I think this is a great idea for now to duplicate the macros and lists in the respective rules files to ensure that they are self contained. In the future we can think of better ways to reduce duplication.
Before sharing my final thoughts on that, I want to play a bit with the current approach when multiple rules files are loaded simultaneously. I will let you know.
Ok, I did some experiments, and my conclusion is that we should keep duplicate entries for now. In this way, duplicated items are just silently overwritten. The only con is that the loading order affects the end results when the duplicate item is not identical (for example, if it has been modified in one file but not in the other).
The alternative would be to use an idiomatic syntax to make one rules file depend on an item defined in another rules file, for example:
- macro: ansible_running_python
  append: true
  condition: " "
This :point_up: would force the user to load another rules file with the ansible_running_python macro definition.
However, this is ugly and not necessarily the best option. In any case, the duplicated item issue should be separately discussed in another issue/PR (and likely to be postponed to Falco 0.37).
For the record, here's the list of dups:
Duplicated Macros:
Duplicated macro: ansible_running_python
File: ../rules/falco_rules.yaml, Line: 248
File: ../rules/falco-sandbox_rules.yaml, Line: 489
Duplicated macro: calico_node
File: ../rules/falco-incubating_rules.yaml, Line: 383
File: ../rules/falco-sandbox_rules.yaml, Line: 1022
Duplicated macro: open_write
File: ../rules/falco_rules.yaml, Line: 37
File: ../rules/falco-incubating_rules.yaml, Line: 29
File: ../rules/falco-sandbox_rules.yaml, Line: 37
Duplicated macro: container_started
File: ../rules/falco-incubating_rules.yaml, Line: 299
File: ../rules/falco-sandbox_rules.yaml, Line: 467
Duplicated macro: exe_running_docker_save
File: ../rules/falco-incubating_rules.yaml, Line: 351
File: ../rules/falco-sandbox_rules.yaml, Line: 660
Duplicated macro: never_true
File: ../rules/falco_rules.yaml, Line: 58
File: ../rules/falco-deprecated_rules.yaml, Line: 37
File: ../rules/falco-incubating_rules.yaml, Line: 46
File: ../rules/falco-sandbox_rules.yaml, Line: 51
Duplicated macro: open_read
File: ../rules/falco_rules.yaml, Line: 40
File: ../rules/falco-incubating_rules.yaml, Line: 32
File: ../rules/falco-sandbox_rules.yaml, Line: 40
Duplicated macro: modify
File: ../rules/falco-incubating_rules.yaml, Line: 73
File: ../rules/falco-sandbox_rules.yaml, Line: 81
Duplicated macro: allowed_aws_ecr_registry_root_for_eks
File: ../rules/falco-incubating_rules.yaml, Line: 486
File: ../rules/falco-sandbox_rules.yaml, Line: 1362
Duplicated macro: remove
File: ../rules/falco-incubating_rules.yaml, Line: 70
File: ../rules/falco-sandbox_rules.yaml, Line: 78
Duplicated macro: rename
File: ../rules/falco-incubating_rules.yaml, Line: 67
File: ../rules/falco-sandbox_rules.yaml, Line: 72
Duplicated macro: container
File: ../rules/falco_rules.yaml, Line: 224
File: ../rules/falco-deprecated_rules.yaml, Line: 133
File: ../rules/falco-incubating_rules.yaml, Line: 296
File: ../rules/falco-sandbox_rules.yaml, Line: 464
Duplicated macro: inbound_outbound
File: ../rules/falco-deprecated_rules.yaml, Line: 55
File: ../rules/falco-incubating_rules.yaml, Line: 218
File: ../rules/falco-sandbox_rules.yaml, Line: 364
Duplicated macro: user_ssh_directory
File: ../rules/falco_rules.yaml, Line: 309
File: ../rules/falco-incubating_rules.yaml, Line: 358
File: ../rules/falco-sandbox_rules.yaml, Line: 793
Duplicated macro: run_by_qualys
File: ../rules/falco_rules.yaml, Line: 254
File: ../rules/falco-incubating_rules.yaml, Line: 311
Duplicated macro: outbound
File: ../rules/falco-deprecated_rules.yaml, Line: 44
File: ../rules/falco-incubating_rules.yaml, Line: 207
File: ../rules/falco-sandbox_rules.yaml, Line: 353
Duplicated macro: spawned_process
File: ../rules/falco_rules.yaml, Line: 79
File: ../rules/falco-incubating_rules.yaml, Line: 76
File: ../rules/falco-sandbox_rules.yaml, Line: 84
Duplicated macro: veritas_driver_script
File: ../rules/falco_rules.yaml, Line: 306
File: ../rules/falco-sandbox_rules.yaml, Line: 627
Duplicated macro: etc_dir
File: ../rules/falco_rules.yaml, Line: 95
File: ../rules/falco-sandbox_rules.yaml, Line: 120
Duplicated macro: run_by_google_accounts_daemon
File: ../rules/falco_rules.yaml, Line: 261
File: ../rules/falco-incubating_rules.yaml, Line: 333
Duplicated macro: package_mgmt_ancestor_procs
File: ../rules/falco-incubating_rules.yaml, Line: 166
File: ../rules/falco-sandbox_rules.yaml, Line: 298
Duplicated macro: postgres_running_wal_e
File: ../rules/falco_rules.yaml, Line: 433
File: ../rules/falco-incubating_rules.yaml, Line: 386
Duplicated macro: package_mgmt_procs
File: ../rules/falco-incubating_rules.yaml, Line: 163
File: ../rules/falco-sandbox_rules.yaml, Line: 295
Duplicated macro: proc_name_exists
File: ../rules/falco_rules.yaml, Line: 76
File: ../rules/falco-incubating_rules.yaml, Line: 64
File: ../rules/falco-sandbox_rules.yaml, Line: 69
Duplicated macro: chmod
File: ../rules/falco-incubating_rules.yaml, Line: 79
File: ../rules/falco-sandbox_rules.yaml, Line: 87
Duplicated macro: user_trusted_containers
File: ../rules/falco-incubating_rules.yaml, Line: 525
File: ../rules/falco-sandbox_rules.yaml, Line: 1399
Duplicated macro: run_by_chef
File: ../rules/falco_rules.yaml, Line: 268
File: ../rules/falco-sandbox_rules.yaml, Line: 501
Duplicated Lists:
Duplicated list: bash_config_files
File: ../rules/falco-incubating_rules.yaml, Line: 228
File: ../rules/falco-sandbox_rules.yaml, Line: 416
Duplicated list: user_mgmt_binaries
File: ../rules/falco_rules.yaml, Line: 175
File: ../rules/falco-incubating_rules.yaml, Line: 184
Duplicated list: trusted_images
File: ../rules/falco_rules.yaml, Line: 612
File: ../rules/falco-incubating_rules.yaml, Line: 511
File: ../rules/falco-sandbox_rules.yaml, Line: 1385
Duplicated list: shadowutils_binaries
File: ../rules/falco_rules.yaml, Line: 122
File: ../rules/falco-incubating_rules.yaml, Line: 124
File: ../rules/falco-sandbox_rules.yaml, Line: 171
Duplicated list: sysdigcloud_binaries
File: ../rules/falco-incubating_rules.yaml, Line: 131
File: ../rules/falco-sandbox_rules.yaml, Line: 203
Duplicated list: rfc_1918_addresses
File: ../rules/falco-deprecated_rules.yaml, Line: 41
File: ../rules/falco-incubating_rules.yaml, Line: 204
File: ../rules/falco-sandbox_rules.yaml, Line: 350
Duplicated list: mail_binaries
File: ../rules/falco_rules.yaml, Line: 187
File: ../rules/falco-incubating_rules.yaml, Line: 196
Duplicated list: docker_binaries
File: ../rules/falco_rules.yaml, Line: 1081
File: ../rules/falco-incubating_rules.yaml, Line: 1165
File: ../rules/falco-sandbox_rules.yaml, Line: 1999
Duplicated list: passwd_binaries
File: ../rules/falco_rules.yaml, Line: 112
File: ../rules/falco-incubating_rules.yaml, Line: 114
File: ../rules/falco-sandbox_rules.yaml, Line: 134
Duplicated list: dev_creation_binaries
File: ../rules/falco-incubating_rules.yaml, Line: 187
File: ../rules/falco-sandbox_rules.yaml, Line: 313
Duplicated list: shell_config_files
File: ../rules/falco-incubating_rules.yaml, Line: 244
File: ../rules/falco-sandbox_rules.yaml, Line: 432
Duplicated list: nomachine_binaries
File: ../rules/falco_rules.yaml, Line: 184
File: ../rules/falco-incubating_rules.yaml, Line: 190
File: ../rules/falco-sandbox_rules.yaml, Line: 316
Duplicated list: db_server_binaries
File: ../rules/falco_rules.yaml, Line: 132
File: ../rules/falco-incubating_rules.yaml, Line: 140
Duplicated list: sshkit_script_binaries
File: ../rules/falco_rules.yaml, Line: 240
File: ../rules/falco-sandbox_rules.yaml, Line: 474
Duplicated list: sematext_images
File: ../rules/falco_rules.yaml, Line: 615
File: ../rules/falco-incubating_rules.yaml, Line: 528
Duplicated list: userexec_binaries
File: ../rules/falco_rules.yaml, Line: 172
File: ../rules/falco-incubating_rules.yaml, Line: 174
Duplicated list: bash_config_filenames
File: ../rules/falco-incubating_rules.yaml, Line: 225
File: ../rules/falco-sandbox_rules.yaml, Line: 404
Duplicated list: shell_config_directories
File: ../rules/falco-incubating_rules.yaml, Line: 247
File: ../rules/falco-sandbox_rules.yaml, Line: 435
Duplicated list: shell_binaries
File: ../rules/falco_rules.yaml, Line: 98
File: ../rules/falco-incubating_rules.yaml, Line: 82
File: ../rules/falco-sandbox_rules.yaml, Line: 127
Duplicated list: mail_config_binaries
File: ../rules/falco_rules.yaml, Line: 194
File: ../rules/falco-sandbox_rules.yaml, Line: 319
Duplicated list: login_binaries
File: ../rules/falco_rules.yaml, Line: 105
File: ../rules/falco-incubating_rules.yaml, Line: 107
Duplicated list: package_mgmt_binaries
File: ../rules/falco_rules.yaml, Line: 164
File: ../rules/falco-incubating_rules.yaml, Line: 160
File: ../rules/falco-sandbox_rules.yaml, Line: 279
Duplicated list: shell_config_filenames
File: ../rules/falco-incubating_rules.yaml, Line: 241
File: ../rules/falco-sandbox_rules.yaml, Line: 429
Duplicated list: falco_privileged_images
File: ../rules/falco_rules.yaml, Line: 637
File: ../rules/falco-incubating_rules.yaml, Line: 548
Duplicated list: csh_config_filenames
File: ../rules/falco-incubating_rules.yaml, Line: 232
File: ../rules/falco-sandbox_rules.yaml, Line: 420
Duplicated list: rpm_binaries
File: ../rules/falco_rules.yaml, Line: 149
File: ../rules/falco-incubating_rules.yaml, Line: 145
File: ../rules/falco-sandbox_rules.yaml, Line: 216
Duplicated list: python_package_managers
File: ../rules/falco_rules.yaml, Line: 159
File: ../rules/falco-incubating_rules.yaml, Line: 155
File: ../rules/falco-sandbox_rules.yaml, Line: 274
Duplicated list: cron_binaries
File: ../rules/falco_rules.yaml, Line: 232
File: ../rules/falco-incubating_rules.yaml, Line: 305
Duplicated list: csh_config_files
File: ../rules/falco-incubating_rules.yaml, Line: 235
File: ../rules/falco-sandbox_rules.yaml, Line: 423
Duplicated list: deb_binaries
File: ../rules/falco_rules.yaml, Line: 154
File: ../rules/falco-incubating_rules.yaml, Line: 150
File: ../rules/falco-sandbox_rules.yaml, Line: 253
Duplicated list: falco_containers
File: ../rules/falco_rules.yaml, Line: 622
File: ../rules/falco-incubating_rules.yaml, Line: 535
File: ../rules/falco-sandbox_rules.yaml, Line: 1403
Duplicated list: zsh_config_filenames
File: ../rules/falco-incubating_rules.yaml, Line: 238
File: ../rules/falco-sandbox_rules.yaml, Line: 426
/hold cancel
Hey @falcosecurity/rules-maintainers
This PR is ready. PTAL :pray:
Once merged, I will tag each ruleset with version 2.0.0-rc1
so that we can test with the upcoming Falco 0.36 RC1 :pray:
cc @falcosecurity/falco-maintainers
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: incertum, leogr
The full list of commands accepted by this bot can be found here.
The pull request process is described here
re https://github.com/falcosecurity/rules/pull/149#issuecomment-1704807897
- There's no standard item's comment structure
- I would love to define a simple Rule Doc convention (i.e., something similar to Go Doc Comments, but simpler)
- There's no clear way to distinguish sections from item's comment
Agreed, instead of yet another doc, could we check how much of the comments could simply be removed (for example the engine version mentions could be removed) vs what information could be added to the desc since we now adopt an approach of the desc being a small paragraph vs what information could be generically shared on the existing Falco website rules sections? If it's at the end just about 4-5 special comments about unique macros or rules, we can leave them in the rules yaml where adopters are most likely to find them.
re the duplicate macros: Could we add a CI check ensuring macros and lists are the same in all files? And while we do that ensure upstream rules have no duplicative rules aka no overriding and also ensure macros and lists only appear once per rules file and as said ensure they match up across rules files?
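The duplicate listing above and the CI check suggested here can both be served by a small checker that loads every rules file, groups macros, lists and rules by name, and reports each name defined more than once together with whether all its definitions are identical. The script below is an added example, not code from the falcosecurity/rules repository or its CI. It assumes the Falco rules layout that the listing shows (a top-level YAML sequence whose elements start with `- macro:`, `- list:` or `- rule:` at column 0) and scans line by line rather than through a YAML parser; the three sample files are constructed for the example, and `append: true` items are skipped because they extend a definition rather than redefine it. Non-identical duplicates are the ones where load order decides the effective definition, which is exactly the caveat raised in the discussion.

```python
import re
from dataclasses import dataclass

# Each top-level element of a Falco rules file starts at column 0 with
# "- macro: <name>", "- list: <name>" or "- rule: <name>" (rule names may contain spaces).
ITEM_RE = re.compile(r"^- (macro|list|rule): (.+?)\s*$")


@dataclass
class Item:
    kind: str        # "macro", "list" or "rule"
    name: str
    file: str
    line: int        # 1-based line number of the header line
    body: tuple      # normalized body lines: stripped, comments and blanks dropped

    @property
    def is_append(self):
        # "append: true" items extend an existing definition instead of replacing it
        return "append: true" in self.body


def parse_items(file_name, text):
    """Line-oriented scan of one rules file (assumption: no full YAML parser needed)."""
    items = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        header = ITEM_RE.match(raw)
        if header:
            current = Item(header.group(1), header.group(2), file_name, lineno, ())
            items.append(current)
            continue
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank lines and comments do not affect identity
        if not raw.startswith(" ") or current is None:
            current = None                # anything else at column 0 ends the current item
            continue
        current.body = current.body + (stripped,)
    return items


def find_duplicates(files):
    """files maps file name -> rules YAML text, in Falco load order.

    Returns one entry per (kind, name) defined more than once, within one file or
    across files, with every location and whether all definitions are identical.
    Non-identical duplicates are order-dependent: the last definition loaded wins,
    so reordering the files changes the effective rule set.
    """
    by_key = {}
    for file_name, text in files.items():
        for item in parse_items(file_name, text):
            if item.is_append:
                continue                  # an append is a dependency, not a redefinition
            by_key.setdefault((item.kind, item.name), []).append(item)
    report = []
    for (kind, name), defs in sorted(by_key.items()):
        if len(defs) < 2:
            continue
        report.append({
            "kind": kind,
            "name": name,
            "identical": all(d.body == defs[0].body for d in defs[1:]),
            "locations": [(d.file, d.line) for d in defs],
        })
    return report


def format_report(report):
    """Render in the same shape as the duplicate listing posted in the PR."""
    out = []
    for entry in report:
        status = "identical" if entry["identical"] else "DIFFERS: load order decides"
        out.append(f"Duplicated {entry['kind']}: {entry['name']} ({status})")
        out.extend(f"File: {f}, Line: {n}" for f, n in entry["locations"])
    return "\n".join(out)


# Constructed sample files (not the real rules files); names mirror the PR's listing.
SAMPLE_FILES = {
    "falco_rules.yaml": """\
# constructed sample, not the real falco_rules.yaml
- macro: open_write
  condition: (evt.type in (open,openat,openat2) and evt.is_open_write=true)

- macro: never_true
  condition: (evt.num=0)

- list: shell_binaries
  items: [ash, bash, csh, ksh, sh, tcsh, zsh, dash]

- rule: Terminal shell in container
  desc: constructed sample rule
  condition: spawned_process and container and shell_procs
  output: shell spawned (%proc.name)
  priority: NOTICE
""",
    "falco-incubating_rules.yaml": """\
- macro: open_write
  condition: (evt.type in (open,openat,openat2) and evt.is_open_write=true)

- list: shell_binaries
  items: [ash, bash, csh, ksh, sh, tcsh, zsh, dash, fish]

- macro: container_started
  condition: >
    ((evt.type = container or
     (spawned_process and proc.vpid=1)) and
     container.image.repository != incomplete)
""",
    "falco-sandbox_rules.yaml": """\
- macro: container_started
  condition: >
    ((evt.type = container or
     (spawned_process and proc.vpid=1)) and
     container.image.repository != incomplete)

- macro: ansible_running_python
  append: true
  condition: " "

- rule: Terminal shell in container
  desc: constructed sample rule
  condition: spawned_process and container and shell_procs
  output: shell spawned (%proc.name)
  priority: WARNING
""",
}

if __name__ == "__main__":
    print(format_report(find_duplicates(SAMPLE_FILES)))
```

Run against the real `rules/*.yaml` files, a CI job would fail the build on any entry whose `identical` flag is false (and, if the stricter policy from the comment above is adopted, on any duplicate rule at all), while identical duplicated macros and lists could be tolerated or reported as a warning until the dependency question is settled.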
What type of PR is this?
/kind feature /kind cleanup /kind design /kind documentation
Any specific area of the project related to this PR?
/area rules /area registry /area build /area documentation
Proposed rule maturity level
This PR does not propose new rules or change the maturity level of any existing rule.
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
While splitting rules, I faced some issues that I needed to address in this PR