update(rules): graduate fileless execution rule

[loresuso]

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind feature

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area rules

/area registry

/area build

/area documentation

Proposed rule maturity level

Uncomment one (or more) /area <> lines (only for PRs that add or modify rules):

/area maturity-stable

/area maturity-incubating

/area maturity-sandbox

/area maturity-deprecated

What this PR does / why we need it: As per PR title, add fileless execution rule to stable state.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

[github-actions[bot]]

Rules files suggestions

falco_rules.yaml

Comparing 900a915c3f81e4bfd3cd746145449a8d04e5fe97 with latest tag falco-rules-1.0.2

Major changes:

• Rule Launch Package Management Process in Container has been removed
• Rule Write below rpm database has been removed
• Rule Launch Privileged Container has been removed
• Rule Java Process Class File Download has been removed
• Rule Unexpected UDP Traffic has been removed
• Rule Detect crypto miners using the Stratum protocol has been removed
• Rule Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) has been removed
• Rule Delete or rename shell history has been removed
• Rule DB program spawned process has been removed
• Rule System procs network activity has been removed
• Rule Contact EC2 Instance Metadata Service From Container has been removed
• Rule Write below etc has been removed
• Rule Modify binary dirs has been removed
• Rule Non sudo setuid has been removed
• Rule Outbound Connection to C2 Servers has been removed
• Rule Mkdir binary dirs has been removed
• Rule Change thread namespace has been removed
• Rule Network Connection outside Local Subnet has been removed
• Rule Interpreted procs inbound network activity has been removed
• Rule Launch Suspicious Network Tool in Container has been removed
• Rule User mgmt binaries has been removed
• Rule Set Setuid or Setgid bit has been removed
• Rule Create Hidden Files or Directories has been removed
• Rule Modify Shell Configuration File has been removed
• Rule Write below binary dir has been removed
• Rule Read ssh information has been removed
• Rule Container Drift Detected (open+create) has been removed
• Rule Read environment variable from /proc files has been removed
• Rule Write below root has been removed
• Rule Delete Bash History has been removed
• Rule Container Drift Detected (chmod) has been removed
• Rule Unexpected inbound connection source has been removed
• Rule Launch Sensitive Mount Container has been removed
• Rule Modify Container Entrypoint has been removed
• Rule Update Package Repository has been removed
• Rule Outbound or Inbound Traffic not to Authorized Server Process and Port has been removed
• Rule Unprivileged Delegation of Page Faults Handling to a Userspace Process has been removed
• Rule Unexpected outbound connection destination has been removed
• Rule Container Run as Root User has been removed
• Rule Launch Excessively Capable Container has been removed
• Rule Program run with disallowed http proxy env has been removed
• Rule Launch Suspicious Network Tool on Host has been removed
• Rule Mount Launched in Privileged Container has been removed
• Rule Read Shell Configuration File has been removed
• Rule Schedule Cron Jobs has been removed
• Rule Write below monitored dir has been removed
• Rule Interpreted procs outbound network activity has been removed
• Rule Detect outbound connections to common miner pool ports has been removed
• Rule Sudo Potential Privilege Escalation has been removed
• Rule Create files below dev has been removed
• Rule Unexpected K8s NodePort Connection has been removed
• Rule Launch Remote File Copy Tools in Container has been removed
• Rule Contact cloud metadata service from container has been removed
• Rule The docker client is executed in a container has been removed
• Rule Launch Ingress Remote File Copy Tools in Container has been removed
• Rule Disallowed SSH Connection has been removed
• Rule Launch Disallowed Container has been removed
• Macro rpm_writing_root_rpmdb has been removed
• Macro cassandra_writing_state has been removed
• Macro etcd_manager_updating_dns has been removed
• Macro user_known_modify_bin_dir_activities has been removed
• Macro var_lib_docker_filepath has been removed
• Macro chmod has been removed
• Macro inbound_outbound has been removed
• Macro python_running_denyhosts has been removed
• Macro net_miner_pool has been removed
• Macro mount_info has been removed
• Macro python_running_ms_oms has been removed
• Macro veritas_progs has been removed
• Macro duply_writing_exclude_files has been removed
• Macro keepalived_writing_conf has been removed
• Macro rename has been removed
• Macro azure_scripts_writing_conf has been removed
• Macro openshift_image has been removed
• Macro package_mgmt_ancestor_procs has been removed
• Macro chef_client_writing_conf has been removed
• Macro dse_writing_tmp has been removed
• Macro inbound has been removed
• Macro multipath_writing_conf has been removed
• Macro network_local_subnet has been removed
• Macro system_procs has been removed
• Macro ec2_metadata_containers has been removed
• Macro run_by_adclient has been removed
• Macro galley_writing_state has been removed
• Macro runc_writing_var_lib_docker has been removed
• Macro openshift_writing_conf has been removed
• Macro aws_eks_image_sensitive_mount has been removed
• Macro user_known_create_hidden_file_activities has been removed
• Macro zap_writing_state has been removed
• Macro redis_writing_conf has been removed
• Macro mysqlsh_writing_state has been removed
• Macro java_running_cassandra has been removed
• Macro nrpe_becoming_nagios has been removed
• Macro user_known_create_files_below_dev_activities has been removed
• Macro bin_dir_rename has been removed
• Macro rancher_network_manager has been removed
• Macro kubelet_running_loopback has been removed
• Macro httpd_writing_conf_logs has been removed
• Macro mcafee_writing_cma_d has been removed
• Macro known_aks_mount_in_privileged_containers has been removed
• Macro gugent_writing_guestagent_log has been removed
• Macro fluentd_writing_conf_files has been removed
• Macro ufw_writing_conf has been removed
• Macro userhelper_writing_etc_security has been removed
• Macro sed_temporary_file has been removed
• Macro user_known_change_thread_namespace_activities has been removed
• Macro falco_privileged_containers has been removed
• Macro user_known_container_drift_activities has been removed
• Macro python_running_chef has been removed
• Macro update_ca_trust_writing_pki has been removed
• Macro user_known_write_below_etc_activities has been removed
• Macro user_known_k8s_client_container has been removed
• Macro user_known_cron_jobs has been removed
• Macro user_known_read_ssh_information_activities has been removed
• Macro openvpn_writing_conf has been removed
• Macro network_tool_procs has been removed
• Macro maven_writing_groovy has been removed
• Macro git_writing_nssdb has been removed
• Macro parent_supervise_running_multilog has been removed
• Macro user_known_metadata_access has been removed
• Macro allowed_ssh_hosts has been removed
• Macro haproxy_writing_conf has been removed
• Macro user_known_package_manager_in_container has been removed
• Macro user_expected_system_procs_network_activity_conditions has been removed
• Macro trusted_images_query_miner_domain_dns has been removed
• Macro update_texmf_writing_conf has been removed
• Macro pkgmgmt_progs_writing_pki has been removed
• Macro user_known_update_package_registry has been removed
• Macro rpm_procs has been removed
• Macro google_accounts_daemon_writing_ssh has been removed
• Macro consider_network_tools_on_host has been removed
• Macro plesk_running_mktemp has been removed
• Macro user_known_shell_config_modifiers has been removed
• Macro ms_scx_writing_conf has been removed
• Macro calico_writing_state has been removed
• Macro mkdir has been removed
• Macro modify has been removed
• Macro supervise_writing_status has been removed
• Macro chef_writing_conf has been removed
• Macro excessively_capable_container has been removed
• Macro cockpit_writing_conf has been removed
• Macro networkmanager_writing_resolv_conf has been removed
• Macro nginx_writing_certs has been removed
• Macro sensitive_mount has been removed
• Macro nodeport_containers has been removed
• Macro sosreport_writing_files has been removed
• Macro ipsec_writing_conf has been removed
• Macro checkpoint_writing_state has been removed
• Macro user_known_set_setuid_or_setgid_bit_conditions has been removed
• Macro minerpool_http has been removed
• Macro consul_template_writing_conf has been removed
• Macro brandbot_writing_os_release has been removed
• Macro curl_download has been removed
• Macro rabbitmq_writing_conf has been removed
• Macro php_handlers_writing_conf has been removed
• Macro runc_writing_exec_fifo has been removed
• Macro expected_udp_traffic has been removed
• Macro slapadd_writing_conf has been removed
• Macro add_shell_writing_shells_tmp has been removed
• Macro root_dir has been removed
• Macro allowed_openshift_registry_root has been removed
• Macro openldap_writing_conf has been removed
• Macro avinetworks_supervisor_writing_ssh has been removed
• Macro user_known_write_root_conditions has been removed
• Macro plesk_writing_keys has been removed
• Macro symantec_writing_conf has been removed
• Macro container_started has been removed
• Macro run_by_yum has been removed
• Macro java_network_read has been removed
• Macro htpasswd_writing_passwd has been removed
• Macro cloud_init_writing_ssh has been removed
• Macro aws_eks_core_images has been removed
• Macro login_doing_dns_lookup has been removed
• Macro minerpool_https has been removed
• Macro run_by_ms_oms has been removed
• Macro run_by_centrify has been removed
• Macro user_known_run_as_root_container has been removed
• Macro calico_node has been removed
• Macro pki_realm_writing_realms has been removed
• Macro kubectl_writing_state has been removed
• Macro calico_writing_envvars has been removed
• Macro user_known_write_rpm_database_activities has been removed
• Macro known_user_in_container has been removed
• Macro lvprogs_writing_conf has been removed
• Macro user_known_write_below_root_activities has been removed
• Macro nginx_writing_conf has been removed
• Macro java_writing_conf has been removed
• Macro prometheus_conf_writing_conf has been removed
• Macro user_sensitive_mount_containers has been removed
• Macro datadog_writing_conf has been removed
• Macro sed_writing_temp_file has been removed
• Macro rancher_agent has been removed
• Macro user_known_write_etc_conditions has been removed
• Macro iscsi_writing_conf has been removed
• Macro rancher_writing_conf has been removed
• Macro interpreted_procs has been removed
• Macro http_proxy_procs has been removed
• Macro write_etc_common has been removed
• Macro user_known_non_sudo_setuid_conditions has been removed
• Macro remote_file_copy_procs has been removed
• Macro coreos_write_ssh_dir has been removed
• Macro sssd_writing_krb has been removed
• Macro redhat_image has been removed
• Macro user_known_user_management_activities has been removed
• Macro docker_procs has been removed
• Macro python_running_get_pip has been removed
• Macro qualys_writing_conf_files has been removed
• Macro known_root_conditions has been removed
• Macro weaveworks_scope has been removed
• Macro known_gke_mount_in_privileged_containers has been removed
• Macro liveupdate_writing_conf has been removed
• Macro rancher_writing_root has been removed
• Macro monitored_dir has been removed
• Macro countly_writing_nginx_conf has been removed
• Macro user_known_write_below_binary_dir_activities has been removed
• Macro automount_using_mtab has been removed
• Macro chage_list has been removed
• Macro always_true has been removed
• Macro bin_dir_mkdir has been removed
• Macro truncate_shell_history has been removed
• Macro dpkg_scripting has been removed
• Macro amazon_linux_running_python_yum has been removed
• Macro jboss_in_container_writing_passwd has been removed
• Macro mysql_writing_conf has been removed
• Macro ovsdb_writing_openvswitch has been removed
• Macro airflow_writing_state has been removed
• Macro user_known_ingress_remote_file_copy_activities has been removed
• Macro user_known_remote_file_copy_activities has been removed
• Macro ucpagent_writing_conf has been removed
• Macro modify_repositories has been removed
• Macro modify_shell_history has been removed
• Macro cron_start_writing_pam_env has been removed
• Macro centrify_writing_krb has been removed
• Macro user_known_mkdir_bin_dir_activities has been removed
• Macro allowed_ssh_proxy_env has been removed
• Macro bin_dir has been removed
• Macro httpd_writing_ssl_conf has been removed
• Macro user_known_k8s_client_container_parens has been removed
• Macro ingress_remote_file_copy_procs has been removed
• Macro package_mgmt_procs has been removed
• Macro selinux_writing_conf has been removed
• Macro user_privileged_containers has been removed
• Macro curl_writing_pki_db has been removed
• Macro somebody_becoming_themselves has been removed
• Macro minerpool_other has been removed
• Macro user_known_mount_in_privileged_containers has been removed
• Macro java_running_sdjagent has been removed
• Macro ms_oms_writing_conf has been removed
• Macro xmlcatalog_writing_files has been removed
• Macro parent_ucf_writing_conf has been removed
• Macro couchdb_writing_conf has been removed
• Macro istio_writing_conf has been removed
• Macro mkinitramfs_writing_boot has been removed
• Macro falco_sensitive_mount_containers has been removed
• Macro plesk_install_writing_apache_conf has been removed
• Macro veritas_writing_config has been removed
• Macro access_repositories has been removed
• Macro ssh_port has been removed
• Macro azure_networkwatcher_writing_conf has been removed
• Macro allowed_containers has been removed
• Macro pkg_mgmt_in_kube_proxy has been removed
• Macro run_by_sumologic_securefiles has been removed
• Macro rook_writing_conf has been removed
• Macro allowed_aws_ecr_registry_root_for_eks has been removed
• Macro user_trusted_containers has been removed
• Macro user_known_network_tool_activities has been removed
• Macro exe_running_docker_save has been removed
• Macro user_known_write_monitored_dir_conditions has been removed
• Macro calico_writing_conf has been removed
• Macro open_directory has been removed
• Macro user_known_db_spawned_processes has been removed
• Macro remove has been removed
• List repository_files has been removed
• List shell_config_directories has been removed
• List k8s_client_binaries has been removed
• List lxd_binaries has been removed
• List ssl_mgmt_binaries has been removed
• List shell_config_files has been removed
• List coreutils_binaries has been removed
• List allowed_image has been removed
• List c2_server_fqdn_list has been removed
• List user_known_userfaultfd_processes has been removed
• List sysdigcloud_binaries has been removed
• List bash_config_filenames has been removed
• List plesk_binaries has been removed
• List network_plugin_binaries has been removed
• List https_miner_domains has been removed
• List http_miner_domains has been removed
• List csh_config_files has been removed
• List http_proxy_binaries has been removed
• List allowed_inbound_source_networks has been removed
• List known_system_procs_network_activity_binaries has been removed
• List l2tp_udp_ports has been removed
• List expected_udp_ports has been removed
• List shell_mgmt_binaries has been removed
• List allowed_outbound_destination_ipaddrs has been removed
• List allowed_inbound_source_domains has been removed
• List user_known_change_thread_namespace_binaries has been removed
• List dhcp_binaries has been removed
• List bash_config_files has been removed
• List allowed_dev_files has been removed
• List c2_server_ip_list has been removed
• List user_known_chmod_applications has been removed
• List authorized_server_binary has been removed
• List interpreted_binaries has been removed
• List shell_config_filenames has been removed
• List test_connect_ports has been removed
• List statsd_ports has been removed
• List allowed_inbound_source_ipaddrs has been removed
• List veritas_binaries has been removed
• List dev_creation_binaries has been removed
• List openscap_rpm_binaries has been removed
• List repository_directories has been removed
• List user_known_k8s_ns_kube_system_images has been removed
• List known_root_directories has been removed
• List known_istio_files has been removed
• List miner_ports has been removed
• List monitored_directories has been removed
• List falco_sensitive_mount_images has been removed
• List ms_oms_binaries has been removed
• List run_as_root_image_list has been removed
• List csh_config_filenames has been removed
• List exclude_hidden_directories has been removed
• List redhat_io_images_privileged has been removed
• List namespace_scope_network_only_subnet has been removed
• List ingress_remote_file_copy_binaries has been removed
• List user_known_k8s_images has been removed
• List ssh_binaries has been removed
• List safe_etc_dirs has been removed
• List known_setuid_binaries has been removed
• List allowed_outbound_destination_networks has been removed
• List openvpn_udp_ports has been removed
• List network_tool_binaries has been removed
• List remote_file_copy_binaries has been removed
• List allowed_outbound_destination_domains has been removed
• List zsh_config_filenames has been removed
• List known_root_files has been removed
• List known_binaries_to_read_environment_variables_from_proc_files has been removed
• List k8s_binaries has been removed
• List ntp_ports has been removed
• List miner_domains has been removed
• List authorized_server_port has been removed
• Rule Directory traversal monitored file read has less tags than before
• Rule Read sensitive file trusted after startup has less tags than before
• Rule Read sensitive file untrusted has less tags than before
• Rule Remove Bulk Data from Disk has less tags than before
• Rule Create Symlink Over Sensitive Files has less tags than before
• Rule Create Hardlink Over Sensitive Files has less tags than before
• Rule Packet socket created in container has less tags than before
• Rule Redirect STDOUT/STDIN to Network Connection in Container has less tags than before
• Rule Linux Kernel Module Injection Detected has less tags than before
• Rule Debugfs Launched in Privileged Container has less tags than before
• Rule Detect release_agent File Container Escapes has less tags than before
• Rule PTRACE attached to process has less tags than before
• Rule Execution from /dev/shm has less tags than before

Minor changes:

• Rule Disallowed SSH Connection Non Standard Port has been added
• Rule Fileless execution via memfd_create has been added
• Macro ssh_non_standard_ports_network has been added
• Macro known_memfd_execution_processes has been added
• List known_memfd_execution_binaries has been added
• List ssh_non_standard_ports has been added

Patch changes:

• Rule Directory traversal monitored file read changed its output fields
• Rule Directory traversal monitored file read has more tags than before
• Rule Read sensitive file trusted after startup changed its output fields
• Rule Read sensitive file trusted after startup has more tags than before
• Rule Read sensitive file untrusted changed its output fields
• Rule Read sensitive file untrusted has more tags than before
• Rule Run shell untrusted changed its output fields
• Rule Run shell untrusted has more tags than before
• Rule Run shell untrusted has a more urgent priority than before
• Rule System user interactive changed its output fields
• Rule System user interactive has more tags than before
• Rule Terminal shell in container has more tags than before
• Rule Contact K8S API Server From Container changed its output fields
• Rule Contact K8S API Server From Container has more tags than before
• Rule Netcat Remote Code Execution in Container changed its output fields
• Rule Netcat Remote Code Execution in Container has more tags than before
• Rule Search Private Keys or Passwords changed its output fields
• Rule Search Private Keys or Passwords has more tags than before
• Rule Clear Log Activities changed its output fields
• Rule Clear Log Activities has more tags than before
• Rule Remove Bulk Data from Disk changed its output fields
• Rule Remove Bulk Data from Disk has more tags than before
• Rule Create Symlink Over Sensitive Files changed its output fields
• Rule Create Symlink Over Sensitive Files has more tags than before
• Rule Create Hardlink Over Sensitive Files changed its output fields
• Rule Create Hardlink Over Sensitive Files has more tags than before
• Rule Packet socket created in container changed its output fields
• Rule Packet socket created in container has more tags than before
• Rule Redirect STDOUT/STDIN to Network Connection in Container changed its output fields
• Rule Redirect STDOUT/STDIN to Network Connection in Container has more tags than before
• Rule Linux Kernel Module Injection Detected changed its output fields
• Rule Linux Kernel Module Injection Detected has more tags than before
• Rule Debugfs Launched in Privileged Container changed its output fields
• Rule Debugfs Launched in Privileged Container has more tags than before
• Rule Detect release_agent File Container Escapes changed its output fields
• Rule Detect release_agent File Container Escapes has more tags than before
• Rule PTRACE attached to process changed its output fields
• Rule PTRACE attached to process has more tags than before
• Rule PTRACE anti-debug attempt changed its output fields
• Rule PTRACE anti-debug attempt has more tags than before
• Rule Find AWS Credentials changed its output fields
• Rule Find AWS Credentials has more tags than before
• Rule Execution from /dev/shm changed its output fields
• Rule Execution from /dev/shm has more tags than before
• Rule Drop and execute new binary in container changed its output fields
• Rule Drop and execute new binary in container has more tags than before

[github-actions[bot]]

Rules files suggestions

falco_rules.yaml

Comparing 0008e29e79f616f26c97e9d48e802a123e15a9b3 with latest tag falco-rules-1.0.2

Major changes:

• Rule Launch Remote File Copy Tools in Container has been removed
• Rule Container Drift Detected (open+create) has been removed
• Rule Read environment variable from /proc files has been removed
• Rule Write below root has been removed
• Rule Change thread namespace has been removed
• Rule Launch Suspicious Network Tool on Host has been removed
• Rule Read Shell Configuration File has been removed
• Rule Interpreted procs inbound network activity has been removed
• Rule The docker client is executed in a container has been removed
• Rule Sudo Potential Privilege Escalation has been removed
• Rule Create Hidden Files or Directories has been removed
• Rule Mount Launched in Privileged Container has been removed
• Rule Write below monitored dir has been removed
• Rule Launch Excessively Capable Container has been removed
• Rule Contact EC2 Instance Metadata Service From Container has been removed
• Rule Detect crypto miners using the Stratum protocol has been removed
• Rule Outbound or Inbound Traffic not to Authorized Server Process and Port has been removed
• Rule Modify Shell Configuration File has been removed
• Rule Write below binary dir has been removed
• Rule System procs network activity has been removed
• Rule Unexpected K8s NodePort Connection has been removed
• Rule Unexpected inbound connection source has been removed
• Rule Non sudo setuid has been removed
• Rule Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) has been removed
• Rule Schedule Cron Jobs has been removed
• Rule Launch Package Management Process in Container has been removed
• Rule Delete or rename shell history has been removed
• Rule Mkdir binary dirs has been removed
• Rule Launch Sensitive Mount Container has been removed
• Rule Set Setuid or Setgid bit has been removed
• Rule Container Run as Root User has been removed
• Rule Modify Container Entrypoint has been removed
• Rule Disallowed SSH Connection has been removed
• Rule Modify binary dirs has been removed
• Rule Launch Privileged Container has been removed
• Rule Delete Bash History has been removed
• Rule Update Package Repository has been removed
• Rule Launch Disallowed Container has been removed
• Rule Unexpected UDP Traffic has been removed
• Rule Create files below dev has been removed
• Rule Program run with disallowed http proxy env has been removed
• Rule Detect outbound connections to common miner pool ports has been removed
• Rule Write below etc has been removed
• Rule Write below rpm database has been removed
• Rule Contact cloud metadata service from container has been removed
• Rule Launch Suspicious Network Tool in Container has been removed
• Rule Network Connection outside Local Subnet has been removed
• Rule Unprivileged Delegation of Page Faults Handling to a Userspace Process has been removed
• Rule Java Process Class File Download has been removed
• Rule Unexpected outbound connection destination has been removed
• Rule DB program spawned process has been removed
• Rule User mgmt binaries has been removed
• Rule Launch Ingress Remote File Copy Tools in Container has been removed
• Rule Read ssh information has been removed
• Rule Interpreted procs outbound network activity has been removed
• Rule Container Drift Detected (chmod) has been removed
• Rule Outbound Connection to C2 Servers has been removed
• Macro user_known_write_rpm_database_activities has been removed
• Macro maven_writing_groovy has been removed
• Macro known_gke_mount_in_privileged_containers has been removed
• Macro consul_template_writing_conf has been removed
• Macro user_known_update_package_registry has been removed
• Macro networkmanager_writing_resolv_conf has been removed
• Macro network_local_subnet has been removed
• Macro package_mgmt_ancestor_procs has been removed
• Macro lvprogs_writing_conf has been removed
• Macro mkinitramfs_writing_boot has been removed
• Macro mysqlsh_writing_state has been removed
• Macro allowed_containers has been removed
• Macro allowed_ssh_proxy_env has been removed
• Macro nrpe_becoming_nagios has been removed
• Macro user_known_network_tool_activities has been removed
• Macro sed_temporary_file has been removed
• Macro user_known_write_monitored_dir_conditions has been removed
• Macro user_known_db_spawned_processes has been removed
• Macro openshift_image has been removed
• Macro chmod has been removed
• Macro jboss_in_container_writing_passwd has been removed
• Macro rabbitmq_writing_conf has been removed
• Macro aws_eks_image_sensitive_mount has been removed
• Macro user_known_create_files_below_dev_activities has been removed
• Macro calico_writing_conf has been removed
• Macro known_user_in_container has been removed
• Macro mkdir has been removed
• Macro inbound_outbound has been removed
• Macro pkgmgmt_progs_writing_pki has been removed
• Macro user_known_write_etc_conditions has been removed
• Macro user_known_mkdir_bin_dir_activities has been removed
• Macro user_known_k8s_client_container has been removed
• Macro supervise_writing_status has been removed
• Macro user_privileged_containers has been removed
• Macro python_running_get_pip has been removed
• Macro excessively_capable_container has been removed
• Macro slapadd_writing_conf has been removed
• Macro chef_writing_conf has been removed
• Macro user_known_container_drift_activities has been removed
• Macro user_known_mount_in_privileged_containers has been removed
• Macro run_by_sumologic_securefiles has been removed
• Macro sosreport_writing_files has been removed
• Macro google_accounts_daemon_writing_ssh has been removed
• Macro user_known_remote_file_copy_activities has been removed
• Macro docker_procs has been removed
• Macro veritas_progs has been removed
• Macro dse_writing_tmp has been removed
• Macro dpkg_scripting has been removed
• Macro user_known_write_root_conditions has been removed
• Macro run_by_adclient has been removed
• Macro rancher_writing_conf has been removed
• Macro user_known_create_hidden_file_activities has been removed
• Macro package_mgmt_procs has been removed
• Macro httpd_writing_ssl_conf has been removed
• Macro mcafee_writing_cma_d has been removed
• Macro user_known_package_manager_in_container has been removed
• Macro bin_dir has been removed
• Macro selinux_writing_conf has been removed
• Macro couchdb_writing_conf has been removed
• Macro ms_oms_writing_conf has been removed
• Macro falco_sensitive_mount_containers has been removed
• Macro expected_udp_traffic has been removed
• Macro modify has been removed
• Macro user_known_write_below_etc_activities has been removed
• Macro user_known_write_below_root_activities has been removed
• Macro ec2_metadata_containers has been removed
• Macro user_known_run_as_root_container has been removed
• Macro container_started has been removed
• Macro fluentd_writing_conf_files has been removed
• Macro checkpoint_writing_state has been removed
• Macro runc_writing_var_lib_docker has been removed
• Macro allowed_openshift_registry_root has been removed
• Macro redhat_image has been removed
• Macro chef_client_writing_conf has been removed
• Macro plesk_running_mktemp has been removed
• Macro etcd_manager_updating_dns has been removed
• Macro known_aks_mount_in_privileged_containers has been removed
• Macro known_root_conditions has been removed
• Macro user_known_set_setuid_or_setgid_bit_conditions has been removed
• Macro user_known_ingress_remote_file_copy_activities has been removed
• Macro bin_dir_mkdir has been removed
• Macro rpm_writing_root_rpmdb has been removed
• Macro httpd_writing_conf_logs has been removed
• Macro openshift_writing_conf has been removed
• Macro keepalived_writing_conf has been removed
• Macro curl_download has been removed
• Macro open_directory has been removed
• Macro rpm_procs has been removed
• Macro rancher_agent has been removed
• Macro java_running_cassandra has been removed
• Macro galley_writing_state has been removed
• Macro remote_file_copy_procs has been removed
• Macro htpasswd_writing_passwd has been removed
• Macro duply_writing_exclude_files has been removed
• Macro ufw_writing_conf has been removed
• Macro rancher_network_manager has been removed
• Macro runc_writing_exec_fifo has been removed
• Macro modify_shell_history has been removed
• Macro run_by_centrify has been removed
• Macro write_etc_common has been removed
• Macro var_lib_docker_filepath has been removed
• Macro minerpool_http has been removed
• Macro ssh_port has been removed
• Macro azure_networkwatcher_writing_conf has been removed
• Macro login_doing_dns_lookup has been removed
• Macro allowed_ssh_hosts has been removed
• Macro centrify_writing_krb has been removed
• Macro cassandra_writing_state has been removed
• Macro cloud_init_writing_ssh has been removed
• Macro consider_network_tools_on_host has been removed
• Macro java_network_read has been removed
• Macro brandbot_writing_os_release has been removed
• Macro gugent_writing_guestagent_log has been removed
• Macro zap_writing_state has been removed
• Macro ingress_remote_file_copy_procs has been removed
• Macro run_by_yum has been removed
• Macro ovsdb_writing_openvswitch has been removed
• Macro python_running_ms_oms has been removed
• Macro allowed_aws_ecr_registry_root_for_eks has been removed
• Macro xmlcatalog_writing_files has been removed
• Macro mysql_writing_conf has been removed
• Macro user_known_non_sudo_setuid_conditions has been removed
• Macro nginx_writing_certs has been removed
• Macro qualys_writing_conf_files has been removed
• Macro rook_writing_conf has been removed
• Macro user_trusted_containers has been removed
• Macro somebody_becoming_themselves has been removed
• Macro net_miner_pool has been removed
• Macro inbound has been removed
• Macro user_known_modify_bin_dir_activities has been removed
• Macro falco_privileged_containers has been removed
• Macro network_tool_procs has been removed
• Macro remove has been removed
• Macro parent_supervise_running_multilog has been removed
• Macro countly_writing_nginx_conf has been removed
• Macro nginx_writing_conf has been removed
• Macro user_known_k8s_client_container_parens has been removed
• Macro rename has been removed
• Macro interpreted_procs has been removed
• Macro exe_running_docker_save has been removed
• Macro weaveworks_scope has been removed
• Macro update_texmf_writing_conf has been removed
• Macro user_known_write_below_binary_dir_activities has been removed
• Macro run_by_ms_oms has been removed
• Macro istio_writing_conf has been removed
• Macro php_handlers_writing_conf has been removed
• Macro system_procs has been removed
• Macro java_running_sdjagent has been removed
• Macro parent_ucf_writing_conf has been removed
• Macro update_ca_trust_writing_pki has been removed
• Macro calico_writing_state has been removed
• Macro java_writing_conf has been removed
• Macro always_true has been removed
• Macro curl_writing_pki_db has been removed
• Macro sensitive_mount has been removed
• Macro user_known_shell_config_modifiers has been removed
• Macro azure_scripts_writing_conf has been removed
• Macro monitored_dir has been removed
• Macro amazon_linux_running_python_yum has been removed
• Macro sssd_writing_krb has been removed
• Macro kubectl_writing_state has been removed
• Macro access_repositories has been removed
• Macro user_known_read_ssh_information_activities has been removed
• Macro plesk_writing_keys has been removed
• Macro openvpn_writing_conf has been removed
• Macro kubelet_running_loopback has been removed
• Macro chage_list has been removed
• Macro root_dir has been removed
• Macro airflow_writing_state has been removed
• Macro ms_scx_writing_conf has been removed
• Macro minerpool_https has been removed
• Macro userhelper_writing_etc_security has been removed
• Macro iscsi_writing_conf has been removed
• Macro symantec_writing_conf has been removed
• Macro liveupdate_writing_conf has been removed
• Macro prometheus_conf_writing_conf has been removed
• Macro aws_eks_core_images has been removed
• Macro http_proxy_procs has been removed
• Macro minerpool_other has been removed
• Macro modify_repositories has been removed
• Macro add_shell_writing_shells_tmp has been removed
• Macro user_sensitive_mount_containers has been removed
• Macro user_known_metadata_access has been removed
• Macro python_running_denyhosts has been removed
• Macro ipsec_writing_conf has been removed
• Macro automount_using_mtab has been removed
• Macro ucpagent_writing_conf has been removed
• Macro cockpit_writing_conf has been removed
• Macro python_running_chef has been removed
• Macro calico_writing_envvars has been removed
• Macro user_known_cron_jobs has been removed
• Macro haproxy_writing_conf has been removed
• Macro redis_writing_conf has been removed
• Macro pkg_mgmt_in_kube_proxy has been removed
• Macro openldap_writing_conf has been removed
• Macro plesk_install_writing_apache_conf has been removed
• Macro rancher_writing_root has been removed
• Macro cron_start_writing_pam_env has been removed
• Macro user_expected_system_procs_network_activity_conditions has been removed
• Macro nodeport_containers has been removed
• Macro bin_dir_rename has been removed
• Macro sed_writing_temp_file has been removed
• Macro user_known_change_thread_namespace_activities has been removed
• Macro pki_realm_writing_realms has been removed
• Macro datadog_writing_conf has been removed
• Macro coreos_write_ssh_dir has been removed
• Macro avinetworks_supervisor_writing_ssh has been removed
• Macro mount_info has been removed
• Macro veritas_writing_config has been removed
• Macro git_writing_nssdb has been removed
• Macro multipath_writing_conf has been removed
• Macro calico_node has been removed
• Macro user_known_user_management_activities has been removed
• Macro truncate_shell_history has been removed
• Macro trusted_images_query_miner_domain_dns has been removed
• List allowed_inbound_source_ipaddrs has been removed
• List shell_config_filenames has been removed
• List known_istio_files has been removed
• List safe_etc_dirs has been removed
• List dhcp_binaries has been removed
• List known_system_procs_network_activity_binaries has been removed
• List http_miner_domains has been removed
• List shell_mgmt_binaries has been removed
• List lxd_binaries has been removed
• List plesk_binaries has been removed
• List ms_oms_binaries has been removed
• List interpreted_binaries has been removed
• List redhat_io_images_privileged has been removed
• List miner_domains has been removed
• List dev_creation_binaries has been removed
• List coreutils_binaries has been removed
• List known_setuid_binaries has been removed
• List repository_files has been removed
• List known_root_files has been removed
• List run_as_root_image_list has been removed
• List repository_directories has been removed
• List namespace_scope_network_only_subnet has been removed
• List c2_server_fqdn_list has been removed
• List known_root_directories has been removed
• List ntp_ports has been removed
• List miner_ports has been removed
• List https_miner_domains has been removed
• List openscap_rpm_binaries has been removed
• List falco_sensitive_mount_images has been removed
• List authorized_server_binary has been removed
• List veritas_binaries has been removed
• List network_tool_binaries has been removed
• List ingress_remote_file_copy_binaries has been removed
• List test_connect_ports has been removed
• List user_known_userfaultfd_processes has been removed
• List ssh_binaries has been removed
• List sysdigcloud_binaries has been removed
• List bash_config_files has been removed
• List user_known_k8s_ns_kube_system_images has been removed
• List user_known_k8s_images has been removed
• List k8s_binaries has been removed
• List user_known_chmod_applications has been removed
• List k8s_client_binaries has been removed
• List known_binaries_to_read_environment_variables_from_proc_files has been removed
• List expected_udp_ports has been removed
• List c2_server_ip_list has been removed
• List ssl_mgmt_binaries has been removed
• List allowed_outbound_destination_networks has been removed
• List exclude_hidden_directories has been removed
• List shell_config_files has been removed
• List shell_config_directories has been removed
• List allowed_image has been removed
• List network_plugin_binaries has been removed
• List allowed_outbound_destination_domains has been removed
• List allowed_outbound_destination_ipaddrs has been removed
• List allowed_inbound_source_domains has been removed
• List csh_config_filenames has been removed
• List allowed_dev_files has been removed
• List monitored_directories has been removed
• List remote_file_copy_binaries has been removed
• List authorized_server_port has been removed
• List bash_config_filenames has been removed
• List statsd_ports has been removed
• List zsh_config_filenames has been removed
• List l2tp_udp_ports has been removed
• List csh_config_files has been removed
• List user_known_change_thread_namespace_binaries has been removed
• List http_proxy_binaries has been removed
• List openvpn_udp_ports has been removed
• List allowed_inbound_source_networks has been removed
• Rule Directory traversal monitored file read has less tags than before
• Rule Read sensitive file trusted after startup has less tags than before
• Rule Read sensitive file untrusted has less tags than before
• Rule Remove Bulk Data from Disk has less tags than before
• Rule Create Symlink Over Sensitive Files has less tags than before
• Rule Create Hardlink Over Sensitive Files has less tags than before
• Rule Packet socket created in container has less tags than before
• Rule Redirect STDOUT/STDIN to Network Connection in Container has less tags than before
• Rule Linux Kernel Module Injection Detected has less tags than before
• Rule Debugfs Launched in Privileged Container has less tags than before
• Rule Detect release_agent File Container Escapes has less tags than before
• Rule PTRACE attached to process has less tags than before
• Rule Execution from /dev/shm has less tags than before

Minor changes:

• Required engine version was incremented from 17 to 26
• Rule Fileless execution via memfd_create has been added
• Rule Disallowed SSH Connection Non Standard Port has been added
• Macro known_memfd_execution_processes has been added
• Macro ssh_non_standard_ports_network has been added
• List known_memfd_execution_binaries has been added
• List ssh_non_standard_ports has been added

Patch changes:

• Rule Directory traversal monitored file read changed its output fields
• Rule Directory traversal monitored file read has more tags than before
• Rule Read sensitive file trusted after startup changed its output fields
• Rule Read sensitive file trusted after startup has more tags than before
• Rule Read sensitive file untrusted changed its output fields
• Rule Read sensitive file untrusted has more tags than before
• Rule Run shell untrusted changed its output fields
• Rule Run shell untrusted has more tags than before
• Rule Run shell untrusted has a more urgent priority than before
• Rule System user interactive changed its output fields
• Rule System user interactive has more tags than before
• Rule Terminal shell in container has more tags than before
• Rule Contact K8S API Server From Container changed its output fields
• Rule Contact K8S API Server From Container has more tags than before
• Rule Netcat Remote Code Execution in Container changed its output fields
• Rule Netcat Remote Code Execution in Container has more tags than before
• Rule Search Private Keys or Passwords changed its output fields
• Rule Search Private Keys or Passwords has more tags than before
• Rule Clear Log Activities changed its output fields
• Rule Clear Log Activities has more tags than before
• Rule Remove Bulk Data from Disk changed its output fields
• Rule Remove Bulk Data from Disk has more tags than before
• Rule Create Symlink Over Sensitive Files changed its output fields
• Rule Create Symlink Over Sensitive Files has more tags than before
• Rule Create Hardlink Over Sensitive Files changed its output fields
• Rule Create Hardlink Over Sensitive Files has more tags than before
• Rule Packet socket created in container changed its output fields
• Rule Packet socket created in container has more tags than before
• Rule Redirect STDOUT/STDIN to Network Connection in Container changed its output fields
• Rule Redirect STDOUT/STDIN to Network Connection in Container has more tags than before
• Rule Linux Kernel Module Injection Detected changed its output fields
• Rule Linux Kernel Module Injection Detected has more tags than before
• Rule Debugfs Launched in Privileged Container changed its output fields
• Rule Debugfs Launched in Privileged Container has more tags than before
• Rule Detect release_agent File Container Escapes changed its output fields
• Rule Detect release_agent File Container Escapes has more tags than before
• Rule PTRACE attached to process changed its output fields
• Rule PTRACE attached to process has more tags than before
• Rule PTRACE anti-debug attempt changed its output fields
• Rule PTRACE anti-debug attempt has more tags than before
• Rule Find AWS Credentials changed its output fields
• Rule Find AWS Credentials has more tags than before
• Rule Execution from /dev/shm changed its output fields
• Rule Execution from /dev/shm has more tags than before
• Rule Drop and execute new binary in container changed its output fields
• Rule Drop and execute new binary in container has more tags than before

[poiana]

LGTM label has been added.

Git tree hash: 90275f476d43d4cfb30af173a0a815b6f973c161

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: darryk10, incertum, loresuso

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/falcosecurity/rules/blob/main/OWNERS)~~ [incertum] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment