Closed loresuso closed 9 months ago
Comparing 900a915c3f81e4bfd3cd746145449a8d04e5fe97 with latest tag falco-rules-1.0.2

Major changes:
Launch Package Management Process in Container has been removed
Write below rpm database has been removed
Launch Privileged Container has been removed
Java Process Class File Download has been removed
Unexpected UDP Traffic has been removed
Detect crypto miners using the Stratum protocol has been removed
Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) has been removed
Delete or rename shell history has been removed
DB program spawned process has been removed
System procs network activity has been removed
Contact EC2 Instance Metadata Service From Container has been removed
Write below etc has been removed
Modify binary dirs has been removed
Non sudo setuid has been removed
Outbound Connection to C2 Servers has been removed
Mkdir binary dirs has been removed
Change thread namespace has been removed
Network Connection outside Local Subnet has been removed
Interpreted procs inbound network activity has been removed
Launch Suspicious Network Tool in Container has been removed
User mgmt binaries has been removed
Set Setuid or Setgid bit has been removed
Create Hidden Files or Directories has been removed
Modify Shell Configuration File has been removed
Write below binary dir has been removed
Read ssh information has been removed
Container Drift Detected (open+create) has been removed
Read environment variable from /proc files has been removed
Write below root has been removed
Delete Bash History has been removed
Container Drift Detected (chmod) has been removed
Unexpected inbound connection source has been removed
Launch Sensitive Mount Container has been removed
Modify Container Entrypoint has been removed
Update Package Repository has been removed
Outbound or Inbound Traffic not to Authorized Server Process and Port has been removed
Unprivileged Delegation of Page Faults Handling to a Userspace Process has been removed
Unexpected outbound connection destination has been removed
Container Run as Root User has been removed
Launch Excessively Capable Container has been removed
Program run with disallowed http proxy env has been removed
Launch Suspicious Network Tool on Host has been removed
Mount Launched in Privileged Container has been removed
Read Shell Configuration File has been removed
Schedule Cron Jobs has been removed
Write below monitored dir has been removed
Interpreted procs outbound network activity has been removed
Detect outbound connections to common miner pool ports has been removed
Sudo Potential Privilege Escalation has been removed
Create files below dev has been removed
Unexpected K8s NodePort Connection has been removed
Launch Remote File Copy Tools in Container has been removed
Contact cloud metadata service from container has been removed
The docker client is executed in a container has been removed
Launch Ingress Remote File Copy Tools in Container has been removed
Disallowed SSH Connection has been removed
Launch Disallowed Container has been removed
rpm_writing_root_rpmdb has been removed
cassandra_writing_state has been removed
etcd_manager_updating_dns has been removed
user_known_modify_bin_dir_activities has been removed
var_lib_docker_filepath has been removed
chmod has been removed
inbound_outbound has been removed
python_running_denyhosts has been removed
net_miner_pool has been removed
mount_info has been removed
python_running_ms_oms has been removed
veritas_progs has been removed
duply_writing_exclude_files has been removed
keepalived_writing_conf has been removed
rename has been removed
azure_scripts_writing_conf has been removed
openshift_image has been removed
package_mgmt_ancestor_procs has been removed
chef_client_writing_conf has been removed
dse_writing_tmp has been removed
inbound has been removed
multipath_writing_conf has been removed
network_local_subnet has been removed
system_procs has been removed
ec2_metadata_containers has been removed
run_by_adclient has been removed
galley_writing_state has been removed
runc_writing_var_lib_docker has been removed
openshift_writing_conf has been removed
aws_eks_image_sensitive_mount has been removed
user_known_create_hidden_file_activities has been removed
zap_writing_state has been removed
redis_writing_conf has been removed
mysqlsh_writing_state has been removed
java_running_cassandra has been removed
nrpe_becoming_nagios has been removed
user_known_create_files_below_dev_activities has been removed
bin_dir_rename has been removed
rancher_network_manager has been removed
kubelet_running_loopback has been removed
httpd_writing_conf_logs has been removed
mcafee_writing_cma_d has been removed
known_aks_mount_in_privileged_containers has been removed
gugent_writing_guestagent_log has been removed
fluentd_writing_conf_files has been removed
ufw_writing_conf has been removed
userhelper_writing_etc_security has been removed
sed_temporary_file has been removed
user_known_change_thread_namespace_activities has been removed
falco_privileged_containers has been removed
user_known_container_drift_activities has been removed
python_running_chef has been removed
update_ca_trust_writing_pki has been removed
user_known_write_below_etc_activities has been removed
user_known_k8s_client_container has been removed
user_known_cron_jobs has been removed
user_known_read_ssh_information_activities has been removed
openvpn_writing_conf has been removed
network_tool_procs has been removed
maven_writing_groovy has been removed
git_writing_nssdb has been removed
parent_supervise_running_multilog has been removed
user_known_metadata_access has been removed
allowed_ssh_hosts has been removed
haproxy_writing_conf has been removed
user_known_package_manager_in_container has been removed
user_expected_system_procs_network_activity_conditions has been removed
trusted_images_query_miner_domain_dns has been removed
update_texmf_writing_conf has been removed
pkgmgmt_progs_writing_pki has been removed
user_known_update_package_registry has been removed
rpm_procs has been removed
google_accounts_daemon_writing_ssh has been removed
consider_network_tools_on_host has been removed
plesk_running_mktemp has been removed
user_known_shell_config_modifiers has been removed
ms_scx_writing_conf has been removed
calico_writing_state has been removed
mkdir has been removed
modify has been removed
supervise_writing_status has been removed
chef_writing_conf has been removed
excessively_capable_container has been removed
cockpit_writing_conf has been removed
networkmanager_writing_resolv_conf has been removed
nginx_writing_certs has been removed
sensitive_mount has been removed
nodeport_containers has been removed
sosreport_writing_files has been removed
ipsec_writing_conf has been removed
checkpoint_writing_state has been removed
user_known_set_setuid_or_setgid_bit_conditions has been removed
minerpool_http has been removed
consul_template_writing_conf has been removed
brandbot_writing_os_release has been removed
curl_download has been removed
rabbitmq_writing_conf has been removed
php_handlers_writing_conf has been removed
runc_writing_exec_fifo has been removed
expected_udp_traffic has been removed
slapadd_writing_conf has been removed
add_shell_writing_shells_tmp has been removed
root_dir has been removed
allowed_openshift_registry_root has been removed
openldap_writing_conf has been removed
avinetworks_supervisor_writing_ssh has been removed
user_known_write_root_conditions has been removed
plesk_writing_keys has been removed
symantec_writing_conf has been removed
container_started has been removed
run_by_yum has been removed
java_network_read has been removed
htpasswd_writing_passwd has been removed
cloud_init_writing_ssh has been removed
aws_eks_core_images has been removed
login_doing_dns_lookup has been removed
minerpool_https has been removed
run_by_ms_oms has been removed
run_by_centrify has been removed
user_known_run_as_root_container has been removed
calico_node has been removed
pki_realm_writing_realms has been removed
kubectl_writing_state has been removed
calico_writing_envvars has been removed
user_known_write_rpm_database_activities has been removed
known_user_in_container has been removed
lvprogs_writing_conf has been removed
user_known_write_below_root_activities has been removed
nginx_writing_conf has been removed
java_writing_conf has been removed
prometheus_conf_writing_conf has been removed
user_sensitive_mount_containers has been removed
datadog_writing_conf has been removed
sed_writing_temp_file has been removed
rancher_agent has been removed
user_known_write_etc_conditions has been removed
iscsi_writing_conf has been removed
rancher_writing_conf has been removed
interpreted_procs has been removed
http_proxy_procs has been removed
write_etc_common has been removed
user_known_non_sudo_setuid_conditions has been removed
remote_file_copy_procs has been removed
coreos_write_ssh_dir has been removed
sssd_writing_krb has been removed
redhat_image has been removed
user_known_user_management_activities has been removed
docker_procs has been removed
python_running_get_pip has been removed
qualys_writing_conf_files has been removed
known_root_conditions has been removed
weaveworks_scope has been removed
known_gke_mount_in_privileged_containers has been removed
liveupdate_writing_conf has been removed
rancher_writing_root has been removed
monitored_dir has been removed
countly_writing_nginx_conf has been removed
user_known_write_below_binary_dir_activities has been removed
automount_using_mtab has been removed
chage_list has been removed
always_true has been removed
bin_dir_mkdir has been removed
truncate_shell_history has been removed
dpkg_scripting has been removed
amazon_linux_running_python_yum has been removed
jboss_in_container_writing_passwd has been removed
mysql_writing_conf has been removed
ovsdb_writing_openvswitch has been removed
airflow_writing_state has been removed
user_known_ingress_remote_file_copy_activities has been removed
user_known_remote_file_copy_activities has been removed
ucpagent_writing_conf has been removed
modify_repositories has been removed
modify_shell_history has been removed
cron_start_writing_pam_env has been removed
centrify_writing_krb has been removed
user_known_mkdir_bin_dir_activities has been removed
allowed_ssh_proxy_env has been removed
bin_dir has been removed
httpd_writing_ssl_conf has been removed
user_known_k8s_client_container_parens has been removed
ingress_remote_file_copy_procs has been removed
package_mgmt_procs has been removed
selinux_writing_conf has been removed
user_privileged_containers has been removed
curl_writing_pki_db has been removed
somebody_becoming_themselves has been removed
minerpool_other has been removed
user_known_mount_in_privileged_containers has been removed
java_running_sdjagent has been removed
ms_oms_writing_conf has been removed
xmlcatalog_writing_files has been removed
parent_ucf_writing_conf has been removed
couchdb_writing_conf has been removed
istio_writing_conf has been removed
mkinitramfs_writing_boot has been removed
falco_sensitive_mount_containers has been removed
plesk_install_writing_apache_conf has been removed
veritas_writing_config has been removed
access_repositories has been removed
ssh_port has been removed
azure_networkwatcher_writing_conf has been removed
allowed_containers has been removed
pkg_mgmt_in_kube_proxy has been removed
run_by_sumologic_securefiles has been removed
rook_writing_conf has been removed
allowed_aws_ecr_registry_root_for_eks has been removed
user_trusted_containers has been removed
user_known_network_tool_activities has been removed
exe_running_docker_save has been removed
user_known_write_monitored_dir_conditions has been removed
calico_writing_conf has been removed
open_directory has been removed
user_known_db_spawned_processes has been removed
remove has been removed
repository_files has been removed
shell_config_directories has been removed
k8s_client_binaries has been removed
lxd_binaries has been removed
ssl_mgmt_binaries has been removed
shell_config_files has been removed
coreutils_binaries has been removed
allowed_image has been removed
c2_server_fqdn_list has been removed
user_known_userfaultfd_processes has been removed
sysdigcloud_binaries has been removed
bash_config_filenames has been removed
plesk_binaries has been removed
network_plugin_binaries has been removed
https_miner_domains has been removed
http_miner_domains has been removed
csh_config_files has been removed
http_proxy_binaries has been removed
allowed_inbound_source_networks has been removed
known_system_procs_network_activity_binaries has been removed
l2tp_udp_ports has been removed
expected_udp_ports has been removed
shell_mgmt_binaries has been removed
allowed_outbound_destination_ipaddrs has been removed
allowed_inbound_source_domains has been removed
user_known_change_thread_namespace_binaries has been removed
dhcp_binaries has been removed
bash_config_files has been removed
allowed_dev_files has been removed
c2_server_ip_list has been removed
user_known_chmod_applications has been removed
authorized_server_binary has been removed
interpreted_binaries has been removed
shell_config_filenames has been removed
test_connect_ports has been removed
statsd_ports has been removed
allowed_inbound_source_ipaddrs has been removed
veritas_binaries has been removed
dev_creation_binaries has been removed
openscap_rpm_binaries has been removed
repository_directories has been removed
user_known_k8s_ns_kube_system_images has been removed
known_root_directories has been removed
known_istio_files has been removed
miner_ports has been removed
monitored_directories has been removed
falco_sensitive_mount_images has been removed
ms_oms_binaries has been removed
run_as_root_image_list has been removed
csh_config_filenames has been removed
exclude_hidden_directories has been removed
redhat_io_images_privileged has been removed
namespace_scope_network_only_subnet has been removed
ingress_remote_file_copy_binaries has been removed
user_known_k8s_images has been removed
ssh_binaries has been removed
safe_etc_dirs has been removed
known_setuid_binaries has been removed
allowed_outbound_destination_networks has been removed
openvpn_udp_ports has been removed
network_tool_binaries has been removed
remote_file_copy_binaries has been removed
allowed_outbound_destination_domains has been removed
zsh_config_filenames has been removed
known_root_files has been removed
known_binaries_to_read_environment_variables_from_proc_files has been removed
k8s_binaries has been removed
ntp_ports has been removed
miner_domains has been removed
authorized_server_port has been removed
Directory traversal monitored file read has less tags than before
Read sensitive file trusted after startup has less tags than before
Read sensitive file untrusted has less tags than before
Remove Bulk Data from Disk has less tags than before
Create Symlink Over Sensitive Files has less tags than before
Create Hardlink Over Sensitive Files has less tags than before
Packet socket created in container has less tags than before
Redirect STDOUT/STDIN to Network Connection in Container has less tags than before
Linux Kernel Module Injection Detected has less tags than before
Debugfs Launched in Privileged Container has less tags than before
Detect release_agent File Container Escapes has less tags than before
PTRACE attached to process has less tags than before
Execution from /dev/shm has less tags than before

Minor changes:
Disallowed SSH Connection Non Standard Port has been added
Fileless execution via memfd_create has been added
ssh_non_standard_ports_network has been added
known_memfd_execution_processes has been added
known_memfd_execution_binaries has been added
ssh_non_standard_ports has been added

Patch changes:
Directory traversal monitored file read changed its output fields
Directory traversal monitored file read has more tags than before
Read sensitive file trusted after startup changed its output fields
Read sensitive file trusted after startup has more tags than before
Read sensitive file untrusted changed its output fields
Read sensitive file untrusted has more tags than before
Run shell untrusted changed its output fields
Run shell untrusted has more tags than before
Run shell untrusted has a more urgent priority than before
System user interactive changed its output fields
System user interactive has more tags than before
Terminal shell in container has more tags than before
Contact K8S API Server From Container changed its output fields
Contact K8S API Server From Container has more tags than before
Netcat Remote Code Execution in Container changed its output fields
Netcat Remote Code Execution in Container has more tags than before
Search Private Keys or Passwords changed its output fields
Search Private Keys or Passwords has more tags than before
Clear Log Activities changed its output fields
Clear Log Activities has more tags than before
Remove Bulk Data from Disk changed its output fields
Remove Bulk Data from Disk has more tags than before
Create Symlink Over Sensitive Files changed its output fields
Create Symlink Over Sensitive Files has more tags than before
Create Hardlink Over Sensitive Files changed its output fields
Create Hardlink Over Sensitive Files has more tags than before
Packet socket created in container changed its output fields
Packet socket created in container has more tags than before
Redirect STDOUT/STDIN to Network Connection in Container changed its output fields
Redirect STDOUT/STDIN to Network Connection in Container has more tags than before
Linux Kernel Module Injection Detected changed its output fields
Linux Kernel Module Injection Detected has more tags than before
Debugfs Launched in Privileged Container changed its output fields
Debugfs Launched in Privileged Container has more tags than before
Detect release_agent File Container Escapes changed its output fields
Detect release_agent File Container Escapes has more tags than before
PTRACE attached to process changed its output fields
PTRACE attached to process has more tags than before
PTRACE anti-debug attempt changed its output fields
PTRACE anti-debug attempt has more tags than before
Find AWS Credentials changed its output fields
Find AWS Credentials has more tags than before
Execution from /dev/shm changed its output fields
Execution from /dev/shm has more tags than before
Drop and execute new binary in container changed its output fields
Drop and execute new binary in container has more tags than before

Comparing 0008e29e79f616f26c97e9d48e802a123e15a9b3 with latest tag falco-rules-1.0.2

Major changes:
Launch Remote File Copy Tools in Container has been removed
Container Drift Detected (open+create) has been removed
Read environment variable from /proc files has been removed
Write below root has been removed
Change thread namespace has been removed
Launch Suspicious Network Tool on Host has been removed
Read Shell Configuration File has been removed
Interpreted procs inbound network activity has been removed
The docker client is executed in a container has been removed
Sudo Potential Privilege Escalation has been removed
Create Hidden Files or Directories has been removed
Mount Launched in Privileged Container has been removed
Write below monitored dir has been removed
Launch Excessively Capable Container has been removed
Contact EC2 Instance Metadata Service From Container has been removed
Detect crypto miners using the Stratum protocol has been removed
Outbound or Inbound Traffic not to Authorized Server Process and Port has been removed
Modify Shell Configuration File has been removed
Write below binary dir has been removed
System procs network activity has been removed
Unexpected K8s NodePort Connection has been removed
Unexpected inbound connection source has been removed
Non sudo setuid has been removed
Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) has been removed
Schedule Cron Jobs has been removed
Launch Package Management Process in Container has been removed
Delete or rename shell history has been removed
Mkdir binary dirs has been removed
Launch Sensitive Mount Container has been removed
Set Setuid or Setgid bit has been removed
Container Run as Root User has been removed
Modify Container Entrypoint has been removed
Disallowed SSH Connection has been removed
Modify binary dirs has been removed
Launch Privileged Container has been removed
Delete Bash History has been removed
Update Package Repository has been removed
Launch Disallowed Container has been removed
Unexpected UDP Traffic has been removed
Create files below dev has been removed
Program run with disallowed http proxy env has been removed
Detect outbound connections to common miner pool ports has been removed
Write below etc has been removed
Write below rpm database has been removed
Contact cloud metadata service from container has been removed
Launch Suspicious Network Tool in Container has been removed
Network Connection outside Local Subnet has been removed
Unprivileged Delegation of Page Faults Handling to a Userspace Process has been removed
Java Process Class File Download has been removed
Unexpected outbound connection destination has been removed
DB program spawned process has been removed
User mgmt binaries has been removed
Launch Ingress Remote File Copy Tools in Container has been removed
Read ssh information has been removed
Interpreted procs outbound network activity has been removed
Container Drift Detected (chmod) has been removed
Outbound Connection to C2 Servers has been removed
user_known_write_rpm_database_activities has been removed
maven_writing_groovy has been removed
known_gke_mount_in_privileged_containers has been removed
consul_template_writing_conf has been removed
user_known_update_package_registry has been removed
networkmanager_writing_resolv_conf has been removed
network_local_subnet has been removed
package_mgmt_ancestor_procs has been removed
lvprogs_writing_conf has been removed
mkinitramfs_writing_boot has been removed
mysqlsh_writing_state has been removed
allowed_containers has been removed
allowed_ssh_proxy_env has been removed
nrpe_becoming_nagios has been removed
user_known_network_tool_activities has been removed
sed_temporary_file has been removed
user_known_write_monitored_dir_conditions has been removed
user_known_db_spawned_processes has been removed
openshift_image has been removed
chmod has been removed
jboss_in_container_writing_passwd has been removed
rabbitmq_writing_conf has been removed
aws_eks_image_sensitive_mount has been removed
user_known_create_files_below_dev_activities has been removed
calico_writing_conf has been removed
known_user_in_container has been removed
mkdir has been removed
inbound_outbound has been removed
pkgmgmt_progs_writing_pki has been removed
user_known_write_etc_conditions has been removed
user_known_mkdir_bin_dir_activities has been removed
user_known_k8s_client_container has been removed
supervise_writing_status has been removed
user_privileged_containers has been removed
python_running_get_pip has been removed
excessively_capable_container has been removed
slapadd_writing_conf has been removed
chef_writing_conf has been removed
user_known_container_drift_activities has been removed
user_known_mount_in_privileged_containers has been removed
run_by_sumologic_securefiles has been removed
sosreport_writing_files has been removed
google_accounts_daemon_writing_ssh has been removed
user_known_remote_file_copy_activities has been removed
docker_procs has been removed
veritas_progs has been removed
dse_writing_tmp has been removed
dpkg_scripting has been removed
user_known_write_root_conditions has been removed
run_by_adclient has been removed
rancher_writing_conf has been removed
user_known_create_hidden_file_activities has been removed
package_mgmt_procs has been removed
httpd_writing_ssl_conf has been removed
mcafee_writing_cma_d has been removed
user_known_package_manager_in_container has been removed
bin_dir has been removed
selinux_writing_conf has been removed
couchdb_writing_conf has been removed
ms_oms_writing_conf has been removed
falco_sensitive_mount_containers has been removed
expected_udp_traffic has been removed
modify has been removed
user_known_write_below_etc_activities has been removed
user_known_write_below_root_activities has been removed
ec2_metadata_containers has been removed
user_known_run_as_root_container has been removed
container_started has been removed
fluentd_writing_conf_files has been removed
checkpoint_writing_state has been removed
runc_writing_var_lib_docker has been removed
allowed_openshift_registry_root has been removed
redhat_image has been removed
chef_client_writing_conf has been removed
plesk_running_mktemp has been removed
etcd_manager_updating_dns has been removed
known_aks_mount_in_privileged_containers has been removed
known_root_conditions has been removed
user_known_set_setuid_or_setgid_bit_conditions has been removed
user_known_ingress_remote_file_copy_activities has been removed
bin_dir_mkdir has been removed
rpm_writing_root_rpmdb has been removed
httpd_writing_conf_logs has been removed
openshift_writing_conf has been removed
keepalived_writing_conf has been removed
curl_download has been removed
open_directory has been removed
rpm_procs has been removed
rancher_agent has been removed
java_running_cassandra has been removed
galley_writing_state has been removed
remote_file_copy_procs has been removed
htpasswd_writing_passwd has been removed
duply_writing_exclude_files has been removed
ufw_writing_conf has been removed
rancher_network_manager has been removed
runc_writing_exec_fifo has been removed
modify_shell_history has been removed
run_by_centrify has been removed
write_etc_common has been removed
var_lib_docker_filepath has been removed
minerpool_http has been removed
ssh_port has been removed
azure_networkwatcher_writing_conf has been removed
login_doing_dns_lookup has been removed
allowed_ssh_hosts has been removed
centrify_writing_krb has been removed
cassandra_writing_state has been removed
cloud_init_writing_ssh has been removed
consider_network_tools_on_host has been removed
java_network_read has been removed
brandbot_writing_os_release has been removed
gugent_writing_guestagent_log has been removed
zap_writing_state has been removed
ingress_remote_file_copy_procs has been removed
run_by_yum has been removed
ovsdb_writing_openvswitch has been removed
python_running_ms_oms has been removed
allowed_aws_ecr_registry_root_for_eks has been removed
xmlcatalog_writing_files has been removed
mysql_writing_conf has been removed
user_known_non_sudo_setuid_conditions has been removed
nginx_writing_certs has been removed
qualys_writing_conf_files has been removed
rook_writing_conf has been removed
user_trusted_containers has been removed
somebody_becoming_themselves has been removed
net_miner_pool has been removed
inbound has been removed
user_known_modify_bin_dir_activities has been removed
falco_privileged_containers has been removed
network_tool_procs has been removed
remove has been removed
parent_supervise_running_multilog has been removed
countly_writing_nginx_conf has been removed
nginx_writing_conf has been removed
user_known_k8s_client_container_parens has been removed
rename has been removed
interpreted_procs has been removed
exe_running_docker_save has been removed
weaveworks_scope has been removed
update_texmf_writing_conf has been removed
user_known_write_below_binary_dir_activities has been removed
run_by_ms_oms has been removed
istio_writing_conf has been removed
php_handlers_writing_conf has been removed
system_procs has been removed
java_running_sdjagent has been removed
parent_ucf_writing_conf has been removed
update_ca_trust_writing_pki has been removed
calico_writing_state has been removed
java_writing_conf has been removed
always_true has been removed
curl_writing_pki_db has been removed
sensitive_mount has been removed
user_known_shell_config_modifiers has been removed
azure_scripts_writing_conf has been removed
monitored_dir has been removed
amazon_linux_running_python_yum has been removed
sssd_writing_krb has been removed
kubectl_writing_state has been removed
access_repositories has been removed
user_known_read_ssh_information_activities has been removed
plesk_writing_keys has been removed
openvpn_writing_conf has been removed
kubelet_running_loopback has been removed
chage_list has been removed
root_dir has been removed
airflow_writing_state has been removed
ms_scx_writing_conf has been removed
minerpool_https has been removed
userhelper_writing_etc_security has been removed
iscsi_writing_conf has been removed
symantec_writing_conf has been removed
liveupdate_writing_conf has been removed
prometheus_conf_writing_conf has been removed
aws_eks_core_images has been removed
http_proxy_procs has been removed
minerpool_other has been removed
modify_repositories has been removed
add_shell_writing_shells_tmp has been removed
user_sensitive_mount_containers has been removed
user_known_metadata_access has been removed
python_running_denyhosts has been removed
ipsec_writing_conf has been removed
automount_using_mtab has been removed
ucpagent_writing_conf has been removed
cockpit_writing_conf has been removed
python_running_chef has been removed
calico_writing_envvars has been removed
user_known_cron_jobs has been removed
haproxy_writing_conf has been removed
redis_writing_conf has been removed
pkg_mgmt_in_kube_proxy has been removed
openldap_writing_conf has been removed
plesk_install_writing_apache_conf has been removed
rancher_writing_root has been removed
cron_start_writing_pam_env has been removed
user_expected_system_procs_network_activity_conditions has been removed
nodeport_containers has been removed
bin_dir_rename has been removed
sed_writing_temp_file has been removed
user_known_change_thread_namespace_activities has been removed
pki_realm_writing_realms has been removed
datadog_writing_conf has been removed
coreos_write_ssh_dir has been removed
avinetworks_supervisor_writing_ssh has been removed
mount_info has been removed
veritas_writing_config has been removed
git_writing_nssdb has been removed
multipath_writing_conf has been removed
calico_node has been removed
user_known_user_management_activities has been removed
truncate_shell_history has been removed
trusted_images_query_miner_domain_dns has been removed
allowed_inbound_source_ipaddrs has been removed
shell_config_filenames has been removed
known_istio_files has been removed
safe_etc_dirs has been removed
dhcp_binaries has been removed
known_system_procs_network_activity_binaries has been removed
http_miner_domains has been removed
shell_mgmt_binaries has been removed
lxd_binaries has been removed
plesk_binaries has been removed
ms_oms_binaries has been removed
interpreted_binaries has been removed
redhat_io_images_privileged has been removed
miner_domains has been removed
dev_creation_binaries has been removed
coreutils_binaries has been removed
known_setuid_binaries has been removed
repository_files has been removed
known_root_files has been removed
run_as_root_image_list has been removed
repository_directories has been removed
namespace_scope_network_only_subnet has been removed
c2_server_fqdn_list has been removed
known_root_directories has been removed
ntp_ports has been removed
miner_ports has been removed
https_miner_domains has been removed
openscap_rpm_binaries has been removed
falco_sensitive_mount_images has been removed
authorized_server_binary has been removed
veritas_binaries has been removed
network_tool_binaries has been removed
ingress_remote_file_copy_binaries has been removed
test_connect_ports has been removed
user_known_userfaultfd_processes has been removed
ssh_binaries has been removed
sysdigcloud_binaries has been removed
bash_config_files has been removed
user_known_k8s_ns_kube_system_images has been removed
user_known_k8s_images has been removed
k8s_binaries has been removed
user_known_chmod_applications has been removed
k8s_client_binaries has been removed
known_binaries_to_read_environment_variables_from_proc_files has been removed
expected_udp_ports has been removed
c2_server_ip_list has been removed
ssl_mgmt_binaries has been removed
allowed_outbound_destination_networks has been removed
exclude_hidden_directories has been removed
shell_config_files has been removed
shell_config_directories has been removed
allowed_image has been removed
network_plugin_binaries has been removed
allowed_outbound_destination_domains has been removed
allowed_outbound_destination_ipaddrs has been removed
allowed_inbound_source_domains has been removed
csh_config_filenames has been removed
allowed_dev_files has been removed
monitored_directories has been removed
remote_file_copy_binaries has been removed
authorized_server_port has been removed
bash_config_filenames has been removed
statsd_ports has been removed
zsh_config_filenames has been removed
l2tp_udp_ports has been removed
csh_config_files has been removed
user_known_change_thread_namespace_binaries has been removed
http_proxy_binaries has been removed
openvpn_udp_ports has been removed
allowed_inbound_source_networks has been removed
Directory traversal monitored file read has less tags than before
Read sensitive file trusted after startup has less tags than before
Read sensitive file untrusted has less tags than before
Remove Bulk Data from Disk has less tags than before
Create Symlink Over Sensitive Files has less tags than before
Create Hardlink Over Sensitive Files has less tags than before
Packet socket created in container has less tags than before
Redirect STDOUT/STDIN to Network Connection in Container has less tags than before
Linux Kernel Module Injection Detected has less tags than before
Debugfs Launched in Privileged Container has less tags than before
Detect release_agent File Container Escapes has less tags than before
PTRACE attached to process has less tags than before
Execution from /dev/shm has less tags than before

Minor changes:
Fileless execution via memfd_create has been added
Disallowed SSH Connection Non Standard Port has been added
known_memfd_execution_processes has been added
ssh_non_standard_ports_network has been added
known_memfd_execution_binaries has been added
ssh_non_standard_ports has been added

Patch changes:
Directory traversal monitored file read changed its output fields
Directory traversal monitored file read has more tags than before
Read sensitive file trusted after startup changed its output fields
Read sensitive file trusted after startup has more tags than before
Read sensitive file untrusted changed its output fields
Read sensitive file untrusted has more tags than before
Run shell untrusted
changed its output fieldsRun shell untrusted
has more tags than beforeRun shell untrusted
has a more urgent priority than beforeSystem user interactive
changed its output fieldsSystem user interactive
has more tags than beforeTerminal shell in container
has more tags than beforeContact K8S API Server From Container
changed its output fieldsContact K8S API Server From Container
has more tags than beforeNetcat Remote Code Execution in Container
changed its output fieldsNetcat Remote Code Execution in Container
has more tags than beforeSearch Private Keys or Passwords
changed its output fieldsSearch Private Keys or Passwords
has more tags than beforeClear Log Activities
changed its output fieldsClear Log Activities
has more tags than beforeRemove Bulk Data from Disk
changed its output fieldsRemove Bulk Data from Disk
has more tags than beforeCreate Symlink Over Sensitive Files
changed its output fieldsCreate Symlink Over Sensitive Files
has more tags than beforeCreate Hardlink Over Sensitive Files
changed its output fieldsCreate Hardlink Over Sensitive Files
has more tags than beforePacket socket created in container
changed its output fieldsPacket socket created in container
has more tags than beforeRedirect STDOUT/STDIN to Network Connection in Container
changed its output fieldsRedirect STDOUT/STDIN to Network Connection in Container
has more tags than beforeLinux Kernel Module Injection Detected
changed its output fieldsLinux Kernel Module Injection Detected
has more tags than beforeDebugfs Launched in Privileged Container
changed its output fieldsDebugfs Launched in Privileged Container
has more tags than beforeDetect release_agent File Container Escapes
changed its output fieldsDetect release_agent File Container Escapes
has more tags than beforePTRACE attached to process
changed its output fieldsPTRACE attached to process
has more tags than beforePTRACE anti-debug attempt
changed its output fieldsPTRACE anti-debug attempt
has more tags than beforeFind AWS Credentials
changed its output fieldsFind AWS Credentials
has more tags than beforeExecution from /dev/shm
changed its output fieldsExecution from /dev/shm
has more tags than beforeDrop and execute new binary in container
changed its output fieldsDrop and execute new binary in container
has more tags than beforeLGTM label has been added.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: darryk10, incertum, loresuso
The full list of commands accepted by this bot can be found here.
The pull request process is described here
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area rules
Proposed rule maturity level
/area maturity-stable
What this PR does / why we need it: As per PR title, add fileless execution rule to stable state.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
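The rule this PR promotes to stable, "Fileless execution via memfd_create", is named for the technique below. What follows is an added example for readers of this thread, not code from the falcosecurity/rules project or from this PR: an ELF image is written into an anonymous memfd and started with fexecve(2), so the executable the new process runs never has a path on the filesystem. Assumptions: Linux with /bin/true, /bin/false and /bin/sh present (reading the image from disk is only a stand-in for bytes a real loader would receive over the network), and the memfd name "payload" is arbitrary. The raw syscall wrapper and the MFD_CLOEXEC fallback are there only so the file compiles without feature macros.

```c
/* memfd_exec.c - execute an ELF image from an anonymous memfd (Linux only).
 * Build: cc -Wall -o memfd_exec memfd_exec.c
 * Added example for this thread; not part of the falcosecurity/rules project. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <sys/wait.h>

extern char **environ;

#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC 1U /* same value as <sys/mman.h>; defined here so no feature macro is required */
#endif

/* Raw memfd_create(2) so the example builds regardless of libc feature macros. */
static int memfd_create_raw(const char *name, unsigned int flags)
{
    return (int)syscall(SYS_memfd_create, name, flags);
}

/* Copy every byte of src_path into a fresh memfd and return its fd (-1 on error).
 * Reading from disk is only a stand-in: an attacker's loader would receive the
 * bytes over the network and the image would never touch the filesystem. */
static int load_into_memfd(const char *src_path)
{
    int src = open(src_path, O_RDONLY | O_CLOEXEC);
    if (src < 0)
        return -1;
    /* "payload" is arbitrary; it is what /proc/<pid>/exe later shows as "/memfd:payload (deleted)". */
    int mfd = memfd_create_raw("payload", MFD_CLOEXEC);
    if (mfd < 0) {
        close(src);
        return -1;
    }
    char buf[1 << 16];
    ssize_t n;
    while ((n = read(src, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {
            ssize_t w = write(mfd, buf + off, (size_t)(n - off));
            if (w < 0) {
                close(src);
                close(mfd);
                return -1;
            }
            off += w;
        }
    }
    close(src);
    if (n < 0) {
        close(mfd);
        return -1;
    }
    return mfd;
}

/* Execute the image at src_path from memory with fexecve(2). If out is non-NULL the
 * child's stdout is captured into it (NUL-terminated, at most outlen-1 bytes).
 * Returns the child's exit status (0..255) or -1 on error. */
int run_from_memfd(const char *src_path, char *const argv[], char *out, size_t outlen)
{
    if (out && outlen == 0)
        out = NULL;
    int mfd = load_into_memfd(src_path);
    if (mfd < 0)
        return -1;
    int pfd[2] = { -1, -1 };
    if (out && pipe(pfd) < 0) {
        close(mfd);
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0) {
        close(mfd);
        if (out) { close(pfd[0]); close(pfd[1]); }
        return -1;
    }
    if (pid == 0) {
        if (out) {
            dup2(pfd[1], STDOUT_FILENO);
            close(pfd[0]);
            close(pfd[1]);
        }
        /* MFD_CLOEXEC closes mfd on success; the kernel resolves the image itself,
         * so the new process's executable has no path on disk. */
        fexecve(mfd, argv, environ);
        _exit(127);
    }
    close(mfd);
    if (out) {
        close(pfd[1]);
        size_t used = 0;
        ssize_t n;
        while ((n = read(pfd[0], out + used, outlen - 1 - used)) > 0)
            used += (size_t)n;
        out[used] = '\0';
        char drain[256]; /* keep reading so a full buffer never stalls the child */
        while (read(pfd[0], drain, sizeof drain) > 0)
            ;
        close(pfd[0]);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Returns 1 if a shell started from the memfd reports its own executable as a memfd
 * (the observable a detection rule can key on), 0 otherwise. */
int exe_reported_as_memfd(void)
{
    char link[256];
    char *const argv[] = { "sh", "-c", "readlink /proc/$$/exe", NULL };
    if (run_from_memfd("/bin/sh", argv, link, sizeof link) != 0)
        return 0;
    return strncmp(link, "/memfd:", 7) == 0;
}

int main(void)
{
    char *const argv[] = { "true", NULL };
    printf("/bin/true from memfd exited %d\n", run_from_memfd("/bin/true", argv, NULL, 0));
    printf("exe reported as memfd: %s\n", exe_reported_as_memfd() ? "yes" : "no");
    return 0;
}
```

Running it is a quick way to confirm the stable rule fires on a host before relying on it: the spawned process's /proc/<pid>/exe resolves to "/memfd:payload (deleted)" rather than a filesystem path, which is exactly what distinguishes it from an ordinary exec. The two lists the report shows being added alongside the rule, known_memfd_execution_processes and known_memfd_execution_binaries, are by their names the allowlists for legitimate in-memory executors (some JIT runtimes and package managers do this on purpose), so a tuning pass on those is the expected follow-up rather than disabling the rule.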