Closed Andreagit97 closed 2 months ago
Comparing 1a26fd14483677785ec686e6b4ebfd876fc28b92 with latest tag falco-incubating-rules-3.0.1
Minor changes:
Backdoored library loaded into SSHD (CVE-2024-3094) has been added
Patch changes:
falco_privileged_images has some item added or removed

Comparing 1a26fd14483677785ec686e6b4ebfd876fc28b92 with latest tag falco-sandbox-rules-3.0.1
Minor changes:
etckeeper has been added
etckeeper_activities has been added
Patch changes:
user_known_k8s_ns_kube_system_images has some item added or removed
bpf_profiled_binaries has some item added or removed

LGTM label has been added.
/hold
I will check if we need to keep both N/A and <NA> or <NA> is enough
Comparing 90e927bf5b6bf99b5a9e263d1ed12e122126210c with latest tag falco-incubating-rules-3.0.1
Minor changes:
Backdoored library loaded into SSHD (CVE-2024-3094) has been added
Patch changes:
falco_privileged_images has some item added or removed

Comparing 90e927bf5b6bf99b5a9e263d1ed12e122126210c with latest tag falco-sandbox-rules-3.0.1
Minor changes:
etckeeper_activities has been added
etckeeper has been added
Patch changes:
user_known_k8s_ns_kube_system_images has some item added or removed
bpf_profiled_binaries has some item added or removed

Uhm Yamllint Github Actions / Yamllint suggests that the line length is too long, but this is true for almost all the lines of the files... so probably we should fix it in one shot and not here
Comparing ed98e45732964a1936e009327ad2232c7c6e8eb4 with latest tag falco-incubating-rules-3.0.1
Minor changes:
Backdoored library loaded into SSHD (CVE-2024-3094) has been added
Patch changes:
falco_privileged_images has some item added or removed

Comparing ed98e45732964a1936e009327ad2232c7c6e8eb4 with latest tag falco-rules-3.0.1
Minor changes:
known_drop_and_execute_activities has been added
Patch changes:
falco_privileged_images has some item added or removed

Comparing ed98e45732964a1936e009327ad2232c7c6e8eb4 with latest tag falco-sandbox-rules-3.0.1
Minor changes:
etckeeper has been added
etckeeper_activities has been added
Patch changes:
user_known_k8s_ns_kube_system_images has some item added or removed
bpf_profiled_binaries has some item added or removed

LGTM label has been added.
/hold
Uhm Yamllint Github Actions / Yamllint suggests that the line length is too long, but this is true for almost all the lines of the files... so probably we should fix it in one shot and not here
you can ignore this for now, since here's an ongoing discussion https://github.com/falcosecurity/rules/pull/238
LGTM label has been added.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: Andreagit97, darryk10, incertum, leogr
Comparing 73b4814c9d35a6fe05180f787d4ba240b1d67a6e with latest tag falco-incubating-rules-3.0.1
Minor changes:
Backdoored library loaded into SSHD (CVE-2024-3094) has been added
Patch changes:
falco_privileged_images has some item added or removed

Comparing 73b4814c9d35a6fe05180f787d4ba240b1d67a6e with latest tag falco-rules-3.0.1
Minor changes:
known_drop_and_execute_activities has been added
Patch changes:
falco_privileged_images has some item added or removed

Comparing 73b4814c9d35a6fe05180f787d4ba240b1d67a6e with latest tag falco-sandbox-rules-3.0.1
Minor changes:
etckeeper has been added
etckeeper_activities has been added
Patch changes:
user_known_k8s_ns_kube_system_images has some item added or removed
bpf_profiled_binaries has some item added or removed

/unhold
What type of PR is this?
/kind bug
Any specific area of the project related to this PR?
/area rules
Proposed rule maturity level
/area maturity-incubating
/area maturity-sandbox
What this PR does / why we need it:
Debugging some issues in Falco CI https://github.com/falcosecurity/falco/actions/runs/8845222090?pr=3177 I faced this inconsistency. The rule Non sudo setuid was triggered with user.name=<NA> because the macro known_user_in_container checks for N/A. This PR fixes the usages of N/A
Which issue(s) this PR fixes:
Special notes for your reviewer: