Closed (incertum closed this pull request 5 months ago)
Comparing 24ed7b81e8394313552d2ce14ca84f4dc73aea8d with latest tag falco-incubating-rules-2.0.0

Minor changes (added):
- Potential Local Privilege Escalation via Environment Variables Misuse
- Adding ssh keys to authorized_keys
- glibc_tunables_env

Patch changes (changed their output fields):
- Change thread namespace
- Launch Privileged Container
- Launch Excessively Capable Container
- System procs network activity
- Unexpected UDP Traffic
- Non sudo setuid
- Contact EC2 Instance Metadata Service From Container
- Contact cloud metadata service from container
- Delete or rename shell history
- Set Setuid or Setgid bit
- Network Connection outside Local Subnet

Comparing 24ed7b81e8394313552d2ce14ca84f4dc73aea8d with latest tag falco-rules-2.0.0

Minor changes (added):
- containerd_activities

Patch changes (changed their output fields):
- Contact K8S API Server From Container
- Create Symlink Over Sensitive Files
- Create Hardlink Over Sensitive Files
- Packet socket created in container
- Redirect STDOUT/STDIN to Network Connection in Container
- Linux Kernel Module Injection Detected
- PTRACE attached to process
- PTRACE anti-debug attempt
- Disallowed SSH Connection Non Standard Port

Comparing 24ed7b81e8394313552d2ce14ca84f4dc73aea8d with latest tag falco-sandbox-rules-2.0.0

Patch changes (changed their output fields):
- Unexpected inbound connection source
- Modify binary dirs
- Mkdir binary dirs
- Launch Sensitive Mount Container
- Launch Disallowed Container
- Interpreted procs inbound network activity
- Interpreted procs outbound network activity
- Unexpected K8s NodePort Connection
- Create Hidden Files or Directories
- Detect outbound connections to common miner pool ports
- Container Drift Detected (chmod)
- Unprivileged Delegation of Page Faults Handling to a Userspace Process
- Java Process Class File Download
- BPF Program Not Profiled

I would prefer to keep the
exe_flags=%evt.arg.flags in all rules with spawned_process and remove all the other usages instead of renaming them. exe_flags has a lot of value because it reports the exe_writable/exe_upper_layer flag; in all other cases I don't see so much value. WDYT?
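As an added illustration of the two cases the comment above distinguishes (this is example configuration written here, not a rule from the falcosecurity/rules repository): a hypothetical rule built on the upstream `spawned_process` macro keeps `exe_flags=%evt.arg.flags` in its output, because on execve exit events that argument is where the EXE_WRITABLE / EXE_UPPER_LAYER flags appear; a hypothetical open-based rule simply omits the field, since `%evt.arg.flags` on an open event would carry open(2) flags and an `exe_flags=` label would be misleading. The rule names, conditions and tags are constructed for this example; `spawned_process`, `container`, `evt.is_open_write` and the `%evt.arg.flags` / `%proc.cmdline` / `%fd.name` / `%container.id` fields are the standard Falco macro and field names.

```yaml
# Added example: hypothetical rules, not part of the falcosecurity/rules repo.
# Assumes the upstream macros "spawned_process" (execve/execveat, exit direction)
# and "container" (container.id != host) are loaded before this file.
- rule: Example Interactive Shell Spawned In Container
  desc: >
    Hypothetical execve rule. On execve exit events %evt.arg.flags carries
    EXE_WRITABLE / EXE_UPPER_LAYER, which is why exe_flags= is worth keeping
    in the output of every spawned_process rule.
  condition: spawned_process and container and proc.name in (bash, sh)
  output: >
    Shell spawned in container (proc.cmdline=%proc.cmdline
    exe_flags=%evt.arg.flags container_id=%container.id)
  priority: NOTICE
  tags: [example, spawned_process]

- rule: Example Write Below Etc
  desc: >
    Hypothetical open rule. Here %evt.arg.flags would be open(2) flags
    (O_WRONLY, O_CREAT, ...), not executable flags, so the field is dropped
    from the output rather than renamed.
  condition: >
    evt.type in (open, openat) and evt.dir=< and evt.is_open_write=true
    and fd.name startswith /etc
  output: >
    File written below /etc (file=%fd.name proc.cmdline=%proc.cmdline
    container_id=%container.id)
  priority: WARNING
  tags: [example, filesystem]
```

Loading this file alongside the upstream rules (for example with `-r`) is enough to see the difference in the emitted alerts: only the first rule's alert line contains an `exe_flags=` key, which is what the proposal above would standardise across the three rule sets.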
Indifferent at the end of the day. Let's wait to hear from more folks and go with what everyone prefers. Only asking for a final decision so that we update the style guide one more time now and hopefully afterwards things can stabilize.
I agree with:
> I would prefer to keep the exe_flags=%evt.arg.flags in all rules with spawned_process and remove all the other usages instead of renaming them
+1 from me
Roger that, please help me double-check that it is all correct. Thanks!
Comparing 8f52e05fb16d5c735d0f04d9361d3f7b2319bc88 with latest tag falco-incubating-rules-2.0.0

Minor changes (added):
- Potential Local Privilege Escalation via Environment Variables Misuse
- Adding ssh keys to authorized_keys
- glibc_tunables_env

Patch changes (changed their output fields):
- Modify Shell Configuration File
- Schedule Cron Jobs
- Read ssh information
- Change thread namespace
- Change namespace privileges via unshare
- Launch Privileged Container
- Launch Excessively Capable Container
- System procs network activity
- Unexpected UDP Traffic
- Non sudo setuid
- Create files below dev
- Contact EC2 Instance Metadata Service From Container
- Contact cloud metadata service from container
- Delete or rename shell history
- Set Setuid or Setgid bit
- Network Connection outside Local Subnet
- Read environment variable from /proc files
- Exfiltrating Artifacts via Kubernetes Control Plane

Comparing 8f52e05fb16d5c735d0f04d9361d3f7b2319bc88 with latest tag falco-rules-2.0.0

Minor changes (added):
- containerd_activities

Patch changes (changed their output fields):
- Directory traversal monitored file read
- Read sensitive file trusted after startup
- Read sensitive file untrusted
- Contact K8S API Server From Container
- Clear Log Activities
- Create Symlink Over Sensitive Files
- Create Hardlink Over Sensitive Files
- Packet socket created in container
- Redirect STDOUT/STDIN to Network Connection in Container
- Linux Kernel Module Injection Detected
- Detect release_agent File Container Escapes
- PTRACE attached to process
- PTRACE anti-debug attempt
- Disallowed SSH Connection Non Standard Port

Comparing 8f52e05fb16d5c735d0f04d9361d3f7b2319bc88 with latest tag falco-sandbox-rules-2.0.0

Patch changes (changed their output fields):
- Unexpected inbound connection source
- Read Shell Configuration File
- Update Package Repository
- Write below binary dir
- Write below monitored dir
- Write below etc
- Write below root
- Write below rpm database
- Modify binary dirs
- Mkdir binary dirs
- Launch Sensitive Mount Container
- Launch Disallowed Container
- Interpreted procs inbound network activity
- Interpreted procs outbound network activity
- Unexpected K8s NodePort Connection
- Create Hidden Files or Directories
- Detect outbound connections to common miner pool ports
- Container Drift Detected (chmod)
- Container Drift Detected (open+create)
- Unprivileged Delegation of Page Faults Handling to a Userspace Process
- Java Process Class File Download
- Modify Container Entrypoint
- BPF Program Not Profiled

[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: Andreagit97, incertum
The full list of commands accepted by this bot can be found here.
The pull request process is described here
LGTM label has been added.
What type of PR is this?
Any specific area of the project related to this PR?
/area rules
Proposed rule maturity level
/area maturity-stable
/area maturity-incubating
/area maturity-sandbox
What this PR does / why we need it:
chore: rename exe_flags= to flags= in output fields
Which issue(s) this PR fixes:
https://github.com/falcosecurity/rules/issues/176#issuecomment-1741234872
Fixes #
Special notes for your reviewer: