Fixed use of "tag" instead of "tags" in default rules

Signed-off-by: Vicente Herrera <vicenteherrera@vicenteherrera.com>
This commit is contained in:
Vicente Herrera
2020-01-27 15:47:19 +01:00
committed by poiana
parent 788d3294bd
commit 085009ad93


@@ -450,7 +450,7 @@
a shell configuration file has been modified (user=%user.name command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository) a shell configuration file has been modified (user=%user.name command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository)
priority: priority:
WARNING WARNING
tag: [file, mitre_persistence] tags: [file, mitre_persistence]
# This rule is not enabled by default, as there are many legitimate # This rule is not enabled by default, as there are many legitimate
# readers of shell config files. If you want to enable it, modify the # readers of shell config files. If you want to enable it, modify the
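Review bot: `tag` is not a recognized rule key, so the `[file, mitre_persistence]` list under it was effectively ignored until this rename to `tags:`; the fix is correct, but to keep this class of typo from coming back, consider a CI lint or schema check over the rules file that rejects unknown keys on a `rule` entry.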
@@ -472,7 +472,7 @@
a shell configuration file was read by a non-shell program (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository) a shell configuration file was read by a non-shell program (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
priority: priority:
WARNING WARNING
tag: [file, mitre_discovery] tags: [file, mitre_discovery]
- macro: consider_all_cron_jobs - macro: consider_all_cron_jobs
condition: (never_true) condition: (never_true)
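Review bot: same rename for the rule tagged `[file, mitre_discovery]`; per the comment closing the previous hunk this rule is not enabled by default, so a silently dropped tag list here would have gone unnoticed longer than on an enabled rule, which is a reason to keep the fix even though the rule is off.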
@@ -488,7 +488,7 @@
file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority: priority:
NOTICE NOTICE
tag: [file, mitre_persistence] tags: [file, mitre_persistence]
# Use this to test whether the event occurred within a container. # Use this to test whether the event occurred within a container.
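Review bot: with seven occurrences corrected in one commit, the PR description should state that a search for the singular key (for example `grep -nE '^\s*tag:'` over the rules file, anchored so that `image.tag)` output fields do not match) returns no further hits, including in any other rules files shipped alongside the default one.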
@@ -2480,7 +2480,7 @@
Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info) Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
priority: priority:
WARNING WARNING
tag: [process, mitre_defense_evation] tags: [process, mitre_defense_evation]
# This rule is deprecated and will/should never be triggered. Keep it here for backport compatibility. # This rule is deprecated and will/should never be triggered. Keep it here for backport compatibility.
# Rule Delete or rename shell history is the preferred rule to use now. # Rule Delete or rename shell history is the preferred rule to use now.
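Review bot: the value `mitre_defense_evation` in this hunk looks like a misspelling of `mitre_defense_evasion`; since tags are what filters and dashboards use to select rules by MITRE tactic, a misspelled tag will not match anything written for the correct name, so it is worth correcting in the same pass even though the trailing comment marks this rule as deprecated.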
@@ -2493,7 +2493,7 @@
Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info) Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
priority: priority:
WARNING WARNING
tag: [process, mitre_defense_evation] tags: [process, mitre_defense_evation]
- macro: consider_all_chmods - macro: consider_all_chmods
condition: (always_true) condition: (always_true)
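Review bot: per the preceding comment this is the non-deprecated "Delete or rename shell history" rule, and it carries the same misspelled tag `mitre_defense_evation`; fixing the spelling here matters more than in the deprecated copy, so suggest `tags: [process, mitre_defense_evasion]`.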
@@ -2515,7 +2515,7 @@
command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority: priority:
NOTICE NOTICE
tag: [process, mitre_persistence] tags: [process, mitre_persistence]
- list: exclude_hidden_directories - list: exclude_hidden_directories
items: [/root/.cassandra] items: [/root/.cassandra]
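Review bot: the rename itself is fine; one thing to double-check in the raw file is that the new `tags:` line keeps the same indentation as the neighbouring `priority:` key, since the rendered view collapses leading whitespace and a mis-indented `tags:` would be parsed as a key of the wrong YAML mapping rather than as a rule field.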
@@ -2537,7 +2537,7 @@
file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority: priority:
NOTICE NOTICE
tag: [file, mitre_persistence] tags: [file, mitre_persistence]
- list: remote_file_copy_binaries - list: remote_file_copy_binaries
items: [rsync, scp, sftp, dcp] items: [rsync, scp, sftp, dcp]
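Review bot: this bug survived because nothing asserts on rule metadata; suggest a small test that loads the default rules file and fails when any `rule` entry has no non-empty `tags` list, which would have caught all seven of these at once and would also flag future unknown-key typos.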