refactor: remove rules_inventory as being moved to another repo

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Jason Dellaluce 2023-01-16 13:44:45 +00:00 committed by poiana
parent 45f5589b69
commit 32dcb9ffd0
4 changed files with 1 additions and 338 deletions


@ -80,7 +80,7 @@ For example, Falco can easily detect incidents including but not limited to:
- A standard system binary, such as `ls`, is making an outbound network connection.
- A privileged pod is started in a Kubernetes cluster.
The Falco rules inventory [document](rules_inventory/rules_overview.md) provides additional details around the default rules Falco ships with.
The Falco rules inventory [document](https://github.com/falcosecurity/rules/blob/main/rules_inventory/rules_overview.md) provides additional details around the default rules Falco ships with.
## Installing Falco
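Review bot: The new link in the replacement line points at the `main` branch of `falcosecurity/rules`, so the README now tracks a moving target rather than a document versioned alongside this repository; consider either pinning the link to a tag or stating in the README sentence that the inventory now lives in the rules repository, so readers understand why it is external. It would also help to name the destination repository in the commit message itself, since "moved to another repo" is only discoverable by following this link.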


@ -1,245 +0,0 @@
# Falco Rules - Summary Stats
This document is auto-generated. Last Updated: 2022-11-17.
The Falco project ships with 75 [default rules](https://github.com/falcosecurity/falco/blob/master/rules/falco_rules.yaml) contributed by the community. The intended outcome of this document is to provide a comprehensive overview of the default rules, provide additional resources and help drive future improvements.
Falco default rules per workload type:
| workload | rule_count | percentage |
|:----------------|-------------:|:-------------|
| container | 27 | 36.0% |
| container, host | 47 | 62.67% |
| host | 1 | 1.33% |
Falco default rules per [Falco tag](https://falco.org/docs/rules/#tags):
| extra_tag | rule_count | percentage |
|:--------------|-------------:|:-------------|
| aws | 1 | 1.0% |
| cis | 5 | 5.0% |
| database | 1 | 1.0% |
| filesystem | 30 | 30.0% |
| k8s | 2 | 2.0% |
| network | 22 | 22.0% |
| process | 26 | 26.0% |
| shell | 2 | 2.0% |
| software_mgmt | 3 | 3.0% |
| users | 8 | 8.0% |
Falco default rules per [Mitre Attack](https://attack.mitre.org/) phase:
| mitre_phase | rules | percentage |
|:---------------------------|:-----------------------------------------------------------------------|:-------------|
| mitre_command_and_control | Disallowed SSH Connection | 8.0% |
| | Launch Ingress Remote File Copy Tools in Container | |
| | Outbound Connection to C2 Servers | |
| | Program run with disallowed http proxy env | |
| | Unexpected inbound connection source | |
| | Unexpected outbound connection destination | |
| mitre_credential_access | Create Hardlink Over Sensitive Files | 9.33% |
| | Create Symlink Over Sensitive Files | |
| | Directory traversal monitored file read | |
| | Read environment variable from /proc files | |
| | Read sensitive file trusted after startup | |
| | Read sensitive file untrusted | |
| | Search Private Keys or Passwords | |
| mitre_defense_evasion | Clear Log Activities | 5.33% |
| | Delete Bash History | |
| | Delete or rename shell history | |
| | Unprivileged Delegation of Page Faults Handling to a Userspace Process | |
| mitre_discovery | Contact EC2 Instance Metadata Service From Container | 18.67% |
| | Contact K8S API Server From Container | |
| | Contact cloud metadata service from container | |
| | Directory traversal monitored file read | |
| | Launch Suspicious Network Tool in Container | |
| | Launch Suspicious Network Tool on Host | |
| | Network Connection outside Local Subnet | |
| | Outbound or Inbound Traffic not to Authorized Server Process and Port | |
| | Packet socket created in container | |
| | Read Shell Configuration File | |
| | Read environment variable from /proc files | |
| | Read sensitive file untrusted | |
| | Read ssh information | |
| | Redirect STDOUT/STDIN to Network Connection in Container | |
| mitre_execution | Container Drift Detected (chmod) | 18.67% |
| | Container Drift Detected (open+create) | |
| | Container Run as Root User | |
| | DB program spawned process | |
| | Debugfs Launched in Privileged Container | |
| | Detect crypto miners using the Stratum protocol | |
| | Detect outbound connections to common miner pool ports | |
| | Linux Kernel Module Injection Detected | |
| | Netcat Remote Code Execution in Container | |
| | Redirect STDOUT/STDIN to Network Connection in Container | |
| | Run shell untrusted | |
| | System user interactive | |
| | Terminal shell in container | |
| | The docker client is executed in a container | |
| mitre_exfiltration | Create Hardlink Over Sensitive Files | 13.33% |
| | Create Symlink Over Sensitive Files | |
| | Directory traversal monitored file read | |
| | Interpreted procs inbound network activity | |
| | Interpreted procs outbound network activity | |
| | Launch Remote File Copy Tools in Container | |
| | Launch Suspicious Network Tool in Container | |
| | Launch Suspicious Network Tool on Host | |
| | System procs network activity | |
| | Unexpected UDP Traffic | |
| mitre_initial_access | Java Process Class File Download | 2.67% |
| | Modify Container Entrypoint | |
| mitre_lateral_movement | Change thread namespace | 13.33% |
| | Debugfs Launched in Privileged Container | |
| | Detect release_agent File Container Escapes | |
| | Disallowed SSH Connection | |
| | Launch Disallowed Container | |
| | Launch Excessively Capable Container | |
| | Launch Privileged Container | |
| | Launch Remote File Copy Tools in Container | |
| | Launch Sensitive Mount Container | |
| | Mount Launched in Privileged Container | |
| mitre_persistence | Create Hidden Files or Directories | 24.0% |
| | Create files below dev | |
| | Launch Package Management Process in Container | |
| | Linux Kernel Module Injection Detected | |
| | Mkdir binary dirs | |
| | Modify Shell Configuration File | |
| | Modify binary dirs | |
| | Remove Bulk Data from Disk | |
| | Schedule Cron Jobs | |
| | Set Setuid or Setgid bit | |
| | Unexpected K8s NodePort Connection | |
| | Update Package Repository | |
| | User mgmt binaries | |
| | Write below binary dir | |
| | Write below etc | |
| | Write below monitored dir | |
| | Write below root | |
| | Write below rpm database | |
| mitre_privilege_escalation | Change thread namespace | 9.33% |
| | Detect release_agent File Container Escapes | |
| | Launch Excessively Capable Container | |
| | Launch Privileged Container | |
| | Non sudo setuid | |
| | Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) | |
| | Sudo Potential Privilege Escalation | |
# Falco Rules - Detailed Overview
54 Falco rules (72.00% of rules) are enabled by default:
| rule | desc | workload | mitre_phase | mitre_ttp | extra_tags |
|:-----------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------|:-------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------------------------|
| Contact EC2 Instance Metadata Service From Container | Detect attempts to contact the EC2 Instance Metadata Service from a container | container | mitre_discovery | [T1565](https://attack.mitre.org/techniques/T1565) | network, aws |
| Contact K8S API Server From Container | Detect attempts to contact the K8S API Server from a container | container | mitre_discovery | [T1565](https://attack.mitre.org/techniques/T1565) | network, k8s |
| Debugfs Launched in Privileged Container | Detect file system debugger debugfs launched inside a privileged container which might lead to container escape. | container | mitre_execution, mitre_lateral_movement | [T1611](https://attack.mitre.org/techniques/T1611) | cis, process |
| Detect release_agent File Container Escapes | This rule detect an attempt to exploit a container escape using release_agent file. By running a container with certains capabilities, a privileged user can modify release_agent file and escape from the container | container | mitre_lateral_movement, mitre_privilege_escalation | [T1611](https://attack.mitre.org/techniques/T1611) | process |
| Launch Disallowed Container | Detect the initial process started by a container that is not in a list of allowed containers. | container | mitre_lateral_movement | [T1610](https://attack.mitre.org/techniques/T1610) | |
| Launch Excessively Capable Container | Detect container started with a powerful set of capabilities. Exceptions are made for known trusted images. | container | mitre_lateral_movement, mitre_privilege_escalation | [T1610](https://attack.mitre.org/techniques/T1610) | cis |
| Launch Ingress Remote File Copy Tools in Container | Detect ingress remote file copy tools launched in container | container | mitre_command_and_control | [TA0011](https://attack.mitre.org/tactics/TA0011) | network, process |
| Launch Package Management Process in Container | Package management process ran inside container | container | mitre_persistence | [T1505](https://attack.mitre.org/techniques/T1505) | process, software_mgmt |
| Launch Privileged Container | Detect the initial process started in a privileged container. Exceptions are made for known trusted images. | container | mitre_lateral_movement, mitre_privilege_escalation | [T1610](https://attack.mitre.org/techniques/T1610) | cis |
| Launch Remote File Copy Tools in Container | Detect remote file copy tools launched in container | container | mitre_exfiltration, mitre_lateral_movement | [T1020](https://attack.mitre.org/techniques/T1020), [T1210](https://attack.mitre.org/techniques/T1210) | network, process |
| Launch Sensitive Mount Container | Detect the initial process started by a container that has a mount from a sensitive host directory (i.e. /proc). Exceptions are made for known trusted images. | container | mitre_lateral_movement | [T1610](https://attack.mitre.org/techniques/T1610) | cis |
| Launch Suspicious Network Tool in Container | Detect network tools launched inside container | container | mitre_discovery, mitre_exfiltration | [T1046](https://attack.mitre.org/techniques/T1046), [T1595](https://attack.mitre.org/techniques/T1595) | network, process |
| Mount Launched in Privileged Container | Detect file system mount happened inside a privileged container which might lead to container escape. | container | mitre_lateral_movement | [T1611](https://attack.mitre.org/techniques/T1611) | cis, filesystem |
| Netcat Remote Code Execution in Container | Netcat Program runs inside container that allows remote code execution | container | mitre_execution | [T1059](https://attack.mitre.org/techniques/T1059) | network, process |
| Packet socket created in container | Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used for ARP Spoofing and privilege escalation(CVE-2020-14386) by attacker. | container | mitre_discovery | [T1046](https://attack.mitre.org/techniques/T1046) | network |
| Read environment variable from /proc files | An attempt to read process environment variables from /proc files | container | mitre_credential_access, mitre_discovery | [T1083](https://attack.mitre.org/techniques/T1083) | filesystem, process |
| Redirect STDOUT/STDIN to Network Connection in Container | Detect redirecting stdout/stdin to network connection in container (potential reverse shell). | container | mitre_discovery, mitre_execution | [T1059](https://attack.mitre.org/techniques/T1059) | network, process |
| Terminal shell in container | A shell was used as the entrypoint/exec point into a container with an attached terminal. | container | mitre_execution | [T1059](https://attack.mitre.org/techniques/T1059) | shell |
| The docker client is executed in a container | Detect a k8s client tool executed inside a container | container | mitre_execution | [T1610](https://attack.mitre.org/techniques/T1610) | |
| Unexpected K8s NodePort Connection | Detect attempts to use K8s NodePorts from a container | container | mitre_persistence | [T1205.001](https://attack.mitre.org/techniques/T1205/001) | network, k8s |
| Clear Log Activities | Detect clearing of critical log files | container, host | mitre_defense_evasion | [T1070](https://attack.mitre.org/techniques/T1070) | filesystem |
| Create Hardlink Over Sensitive Files | Detect hardlink created over sensitive files | container, host | mitre_credential_access, mitre_exfiltration | [T1020](https://attack.mitre.org/techniques/T1020), [T1083](https://attack.mitre.org/techniques/T1083), [T1212](https://attack.mitre.org/techniques/T1212), [T1552](https://attack.mitre.org/techniques/T1552), [T1555](https://attack.mitre.org/techniques/T1555) | filesystem |
| Create Symlink Over Sensitive Files | Detect symlink created over sensitive files | container, host | mitre_credential_access, mitre_exfiltration | [T1020](https://attack.mitre.org/techniques/T1020), [T1083](https://attack.mitre.org/techniques/T1083), [T1212](https://attack.mitre.org/techniques/T1212), [T1552](https://attack.mitre.org/techniques/T1552), [T1555](https://attack.mitre.org/techniques/T1555) | filesystem |
| Create files below dev | creating any files below /dev other than known programs that manage devices. Some rootkits hide files in /dev. | container, host | mitre_persistence | [T1083](https://attack.mitre.org/techniques/T1083), [T1543](https://attack.mitre.org/techniques/T1543) | filesystem |
| DB program spawned process | a database-server related program spawned a new process other than itself. This shouldn\'t occur and is a follow on from some SQL injection attacks. | container, host | mitre_execution | [T1190](https://attack.mitre.org/techniques/T1190) | process, database |
| Delete Bash History | Detect bash history deletion | container, host | mitre_defense_evasion | [T1070](https://attack.mitre.org/techniques/T1070) | process, filesystem |
| Delete or rename shell history | Detect shell history deletion | container, host | mitre_defense_evasion | [T1070](https://attack.mitre.org/techniques/T1070) | process, filesystem |
| Detect crypto miners using the Stratum protocol | Miners typically specify the mining pool to connect to with a URI that begins with 'stratum+tcp' | container, host | mitre_execution | [T1496](https://attack.mitre.org/techniques/T1496) | process |
| Directory traversal monitored file read | Web applications can be vulnerable to directory traversal attacks that allow accessing files outside of the web app's root directory (e.g. Arbitrary File Read bugs). System directories like /etc are typically accessed via absolute paths. Access patterns outside of this (here path traversal) can be regarded as suspicious. This rule includes failed file open attempts. | container, host | mitre_credential_access, mitre_discovery, mitre_exfiltration | [T1020](https://attack.mitre.org/techniques/T1020), [T1083](https://attack.mitre.org/techniques/T1083), [T1212](https://attack.mitre.org/techniques/T1212), [T1552](https://attack.mitre.org/techniques/T1552), [T1555](https://attack.mitre.org/techniques/T1555) | filesystem |
| Java Process Class File Download | Detected Java process downloading a class file which could indicate a successful exploit of the log4shell Log4j vulnerability (CVE-2021-44228) | container, host | mitre_initial_access | [T1190](https://attack.mitre.org/techniques/T1190) | process |
| Linux Kernel Module Injection Detected | Detect kernel module was injected (from container). | container, host | mitre_execution, mitre_persistence | [TA0002](https://attack.mitre.org/tactics/TA0002) | process |
| Mkdir binary dirs | an attempt to create a directory below a set of binary directories. | container, host | mitre_persistence | [T1222.002](https://attack.mitre.org/techniques/T1222/002) | filesystem |
| Modify Shell Configuration File | Detect attempt to modify shell configuration files | container, host | mitre_persistence | [T1546.004](https://attack.mitre.org/techniques/T1546/004) | filesystem |
| Modify binary dirs | an attempt to modify any file below a set of binary directories. | container, host | mitre_persistence | [T1222.002](https://attack.mitre.org/techniques/T1222/002) | filesystem |
| Non sudo setuid | an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody" suing to itself are also excluded, as setuid calls typically involve dropping privileges. | container, host | mitre_privilege_escalation | [T1548.001](https://attack.mitre.org/techniques/T1548/001) | users |
| Outbound Connection to C2 Servers | Detect outbound connection to command & control servers | container, host | mitre_command_and_control | [TA0011](https://attack.mitre.org/tactics/TA0011) | network |
| Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) | This rule detects an attempt to exploit a privilege escalation vulnerability in Polkit's pkexec. By running specially crafted code, a local user can leverage this flaw to gain root privileges on a compromised system | container, host | mitre_privilege_escalation | [TA0004](https://attack.mitre.org/tactics/TA0004) | process, users |
| Read sensitive file trusted after startup | an attempt to read any sensitive file (e.g. files containing user/password/authentication information) by a trusted program after startup. Trusted programs might read these files at startup to load initial state, but not afterwards. | container, host | mitre_credential_access | [T1020](https://attack.mitre.org/techniques/T1020), [T1083](https://attack.mitre.org/techniques/T1083), [T1212](https://attack.mitre.org/techniques/T1212), [T1552](https://attack.mitre.org/techniques/T1552), [T1555](https://attack.mitre.org/techniques/T1555) | filesystem |
| Read sensitive file untrusted | an attempt to read any sensitive file (e.g. files containing user/password/authentication information). Exceptions are made for known trusted programs. | container, host | mitre_credential_access, mitre_discovery | [T1020](https://attack.mitre.org/techniques/T1020), [T1083](https://attack.mitre.org/techniques/T1083), [T1212](https://attack.mitre.org/techniques/T1212), [T1552](https://attack.mitre.org/techniques/T1552), [T1555](https://attack.mitre.org/techniques/T1555) | filesystem |
| Remove Bulk Data from Disk | Detect process running to clear bulk data from disk | container, host | mitre_persistence | [T1485](https://attack.mitre.org/techniques/T1485) | process, filesystem |
| Run shell untrusted | an attempt to spawn a shell below a non-shell application. Specific applications are monitored. | container, host | mitre_execution | [T1059.004](https://attack.mitre.org/techniques/T1059/004) | process, shell |
| Search Private Keys or Passwords | Detect grep private keys or passwords activity. | container, host | mitre_credential_access | [T1552.001](https://attack.mitre.org/techniques/T1552/001) | process, filesystem |
| Sudo Potential Privilege Escalation | Privilege escalation vulnerability affecting sudo (<= 1.9.5p2). Executing sudo using sudoedit -s or sudoedit -i command with command-line argument that ends with a single backslash character from an unprivileged user it's possible to elevate the user privileges to root. | container, host | mitre_privilege_escalation | [T1548.003](https://attack.mitre.org/techniques/T1548/003) | filesystem, users |
| System procs network activity | any network activity performed by system binaries that are not expected to send or receive any network traffic | container, host | mitre_exfiltration | [T1059](https://attack.mitre.org/techniques/T1059), [TA0011](https://attack.mitre.org/tactics/TA0011) | network |
| System user interactive | an attempt to run interactive commands by a system (i.e. non-login) user | container, host | mitre_execution | [T1059](https://attack.mitre.org/techniques/T1059) | users |
| Unprivileged Delegation of Page Faults Handling to a Userspace Process | Detect a successful unprivileged userfaultfd syscall which might act as an attack primitive to exploit other bugs | container, host | mitre_defense_evasion | [TA0005](https://attack.mitre.org/tactics/TA0005) | process |
| Update Package Repository | Detect package repositories get updated | container, host | mitre_persistence | [T1072](https://attack.mitre.org/techniques/T1072) | filesystem |
| User mgmt binaries | activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded. Activity in containers is also excluded--some containers create custom users on top of a base linux distribution at startup. Some innocuous command lines that don't actually change anything are excluded. | container, host | mitre_persistence | [T1098](https://attack.mitre.org/techniques/T1098), [T1543](https://attack.mitre.org/techniques/T1543) | users, software_mgmt |
| Write below binary dir | an attempt to write to any file below a set of binary directories | container, host | mitre_persistence | [T1543](https://attack.mitre.org/techniques/T1543) | filesystem |
| Write below etc | an attempt to write to any file below /etc | container, host | mitre_persistence | [T1098](https://attack.mitre.org/techniques/T1098) | filesystem |
| Write below monitored dir | an attempt to write to any file below a set of monitored directories | container, host | mitre_persistence | [T1543](https://attack.mitre.org/techniques/T1543) | filesystem |
| Write below root | an attempt to write to any file directly below / or /root | container, host | mitre_persistence | [TA0003](https://attack.mitre.org/tactics/TA0003) | filesystem |
| Write below rpm database | an attempt to write to the rpm database by any non-rpm related program | container, host | mitre_persistence | [T1072](https://attack.mitre.org/techniques/T1072) | filesystem, software_mgmt |
| Launch Suspicious Network Tool on Host | Detect network tools launched on the host | host | mitre_discovery, mitre_exfiltration | [T1046](https://attack.mitre.org/techniques/T1046), [T1595](https://attack.mitre.org/techniques/T1595) | network, process |
21 Falco rules (28.00% of rules) are *not* enabled by default:
| rule | desc | workload | mitre_phase | mitre_ttp | extra_tags |
|:----------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------|:---------------------------------------------------|:-------------------------------------------------------------------------------------------------------|:--------------------|
| Contact cloud metadata service from container | Detect attempts to contact the Cloud Instance Metadata Service from a container | container | mitre_discovery | [T1565](https://attack.mitre.org/techniques/T1565) | network |
| Container Drift Detected (chmod) | New executable created in a container due to chmod | container | mitre_execution | [T1059](https://attack.mitre.org/techniques/T1059) | process, filesystem |
| Container Drift Detected (open+create) | New executable created in a container due to open+create | container | mitre_execution | [T1059](https://attack.mitre.org/techniques/T1059) | process, filesystem |
| Container Run as Root User | Detected container running as root user | container | mitre_execution | [T1610](https://attack.mitre.org/techniques/T1610) | process, users |
| Modify Container Entrypoint | This rule detect an attempt to write on container entrypoint symlink (/proc/self/exe). Possible CVE-2019-5736 Container Breakout exploitation attempt. | container | mitre_initial_access | [T1611](https://attack.mitre.org/techniques/T1611) | filesystem |
| Network Connection outside Local Subnet | Detect traffic to image outside local subnet. | container | mitre_discovery | [T1046](https://attack.mitre.org/techniques/T1046) | network |
| Outbound or Inbound Traffic not to Authorized Server Process and Port | Detect traffic that is not to authorized server process and port. | container | mitre_discovery | [TA0011](https://attack.mitre.org/tactics/TA0011) | network |
| Change thread namespace | an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns. | container, host | mitre_lateral_movement, mitre_privilege_escalation | [T1611](https://attack.mitre.org/techniques/T1611) | process |
| Create Hidden Files or Directories | Detect hidden files or directories created | container, host | mitre_persistence | [T1564.001](https://attack.mitre.org/techniques/T1564/001) | filesystem |
| Detect outbound connections to common miner pool ports | Miners typically connect to miner pools on common ports. | container, host | mitre_execution | [T1496](https://attack.mitre.org/techniques/T1496) | network |
| Disallowed SSH Connection | Detect any new ssh connection to a host other than those in an allowed group of hosts | container, host | mitre_command_and_control, mitre_lateral_movement | [T1021.004](https://attack.mitre.org/techniques/T1021/004) | network |
| Interpreted procs inbound network activity | Any inbound network activity performed by any interpreted program (perl, python, ruby, etc.) | container, host | mitre_exfiltration | [TA0011](https://attack.mitre.org/tactics/TA0011) | network |
| Interpreted procs outbound network activity | Any outbound network activity performed by any interpreted program (perl, python, ruby, etc.) | container, host | mitre_exfiltration | [TA0011](https://attack.mitre.org/tactics/TA0011) | network |
| Program run with disallowed http proxy env | An attempt to run a program with a disallowed HTTP_PROXY environment variable | container, host | mitre_command_and_control | [T1090](https://attack.mitre.org/techniques/T1090), [T1204](https://attack.mitre.org/techniques/T1204) | users |
| Read Shell Configuration File | Detect attempts to read shell configuration files by non-shell programs | container, host | mitre_discovery | [T1546.004](https://attack.mitre.org/techniques/T1546/004) | filesystem |
| Read ssh information | Any attempt to read files below ssh directories by non-ssh programs | container, host | mitre_discovery | [T1005](https://attack.mitre.org/techniques/T1005) | filesystem |
| Schedule Cron Jobs | Detect cron jobs scheduled | container, host | mitre_persistence | [T1053.003](https://attack.mitre.org/techniques/T1053/003) | filesystem |
| Set Setuid or Setgid bit | When the setuid or setgid bits are set for an application, this means that the application will run with the privileges of the owning user or group respectively. Detect setuid or setgid bits set via chmod | container, host | mitre_persistence | [T1548.001](https://attack.mitre.org/techniques/T1548/001) | process, users |
| Unexpected UDP Traffic | UDP traffic not on port 53 (DNS) or other commonly used ports | container, host | mitre_exfiltration | [TA0011](https://attack.mitre.org/tactics/TA0011) | network |
| Unexpected inbound connection source | Detect any inbound connection from a source outside of an allowed set of ips, networks, or domain names | container, host | mitre_command_and_control | [TA0011](https://attack.mitre.org/tactics/TA0011) | network |
| Unexpected outbound connection destination | Detect any outbound connection to a destination outside of an allowed set of ips, networks, or domain names | container, host | mitre_command_and_control | [TA0011](https://attack.mitre.org/tactics/TA0011) | network |
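Review bot: This deletes a generated artifact whose header says "Last Updated: 2022-11-17" and whose rule links point at `rules/falco_rules.yaml` in this repository, so removing it is consistent only if every other reference to `rules_inventory/rules_overview.md` is updated in the same change; the README hunk above covers one such reference, but please grep docs and website content for the old relative path so no dangling links remain.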


@ -1,3 +0,0 @@
pandas
pyyaml
tabulate
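Review bot: Removing this requirements file will break any CI job or developer instruction that runs `pip install -r` against it to regenerate the overview; confirm that no workflow in this repository still installs `pandas`, `pyyaml` and `tabulate` from this path before merging.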


@ -1,89 +0,0 @@
import pandas as pd
import yaml
import argparse
import datetime
"""
Usage:
python rules_inventory/scripts/rules_overview_generator.py --rules_file=rules/falco_rules.yaml
"""
BASE_MITRE_URL_TECHNIQUE="https://attack.mitre.org/techniques/"
BASE_MITRE_URL_TACTIC="https://attack.mitre.org/tactics/"
COLUMNS=['rule', 'desc', 'workload', 'mitre_phase', 'mitre_ttp', 'extra_tags', 'extra_tags_list', 'mitre_phase_list', 'enabled']
def arg_parser():
parser = argparse.ArgumentParser()
parser.add_argument('--rules_file', help='Path to falco rules yaml file')
return parser.parse_args()
def rules_to_df(rules_file):
l = []
with open(rules_file, 'r') as f:
items = yaml.safe_load(f)
for item in items:
if 'rule' in item and 'tags' in item:
if len(item['tags']) > 0:
item['workload'], item['mitre_phase'], item['mitre_ttp'], item['extra_tags'] = [], [], [], []
for i in item['tags']:
if i in ['host', 'container']:
item['workload'].append(i)
elif i.startswith('mitre'):
item['mitre_phase'].append(i)
elif i.startswith('T'):
if i.startswith('TA'):
item['mitre_ttp'].append('[{}]({}{})'.format(i, BASE_MITRE_URL_TACTIC, i.replace('.', '/')))
else:
item['mitre_ttp'].append('[{}]({}{})'.format(i, BASE_MITRE_URL_TECHNIQUE, i.replace('.', '/')))
else:
item['extra_tags'].append(i)
item['workload'].sort()
item['mitre_phase'].sort()
item['mitre_ttp'].sort()
item['mitre_phase_list'] = item['mitre_phase']
item['extra_tags_list'] = item['extra_tags']
item['enabled'] = (item['enabled'] if 'enabled' in item else True)
l.append([', '.join(item[x]) if x in ['workload', 'mitre_ttp', 'extra_tags', 'mitre_phase'] else item[x] for x in COLUMNS])
df = pd.DataFrame.from_records(l, columns=COLUMNS)
return df.sort_values(by=['workload','rule'], inplace=False)
def print_markdown(df):
n_rules=len(df)
print('\n\n\n# Falco Rules - Summary Stats\n\n\n')
print('\n\n\nThis document is auto-generated. Last Updated: {}.\n\n'.format(datetime.date.today()))
print('The Falco project ships with {} [default rules](https://github.com/falcosecurity/falco/blob/master/rules/falco_rules.yaml) contributed by the community. The intended outcome of this document is to provide a comprehensive overview of the default rules, provide additional resources and help drive future improvements.\n\n\n'.format(n_rules))
print('\n\n\nFalco default rules per workload type:\n\n\n')
df_stats1 = df.groupby('workload').agg(rule_count=('workload', 'count'))
df_stats1['percentage'] = round(100.0 * df_stats1['rule_count'] / df_stats1['rule_count'].sum(), 2).astype(str) + '%'
print(df_stats1.to_markdown(index=True))
print('\n\n\nFalco default rules per [Falco tag](https://falco.org/docs/rules/#tags):\n\n\n')
df_stats2 = df[['rule', 'extra_tags_list']].explode('extra_tags_list')
df_stats2.rename(columns={'extra_tags_list':'extra_tag'}, inplace=True)
df_stats2 = df_stats2.groupby('extra_tag').agg(rule_count=('extra_tag', 'count'))
df_stats2['percentage'] = round(100.0 * df_stats2['rule_count'] / df_stats2['rule_count'].sum(), 2).astype(str) + '%'
print(df_stats2.to_markdown(index=True))
print('\n\n\nFalco default rules per [Mitre Attack](https://attack.mitre.org/) phase:\n\n\n')
df_stats3 = df[['rule', 'mitre_phase_list']].explode('mitre_phase_list')
df_stats3.rename(columns={'mitre_phase_list':'mitre_phase'}, inplace=True)
df_stats3.sort_values(by=['mitre_phase','rule'], inplace=True)
df_stats3 = df_stats3.groupby("mitre_phase").agg({"rule": lambda x: ['\n'.join(list(x)), len(list(x))]})
df_stats3['rules'] = df_stats3['rule'].apply(lambda x: x[0])
df_stats3['percentage'] = df_stats3['rule'].apply(lambda x: round((100.0 * x[1] / n_rules), 2)).astype(str) + '%'
print(df_stats3.drop('rule', axis=1).to_markdown(index=True))
print('\n\n\n# Falco Rules - Detailed Overview\n\n\n')
df_stats4 = df.drop(['extra_tags_list', 'mitre_phase_list'], axis=1)
df_enabled = df_stats4[(df_stats4['enabled'] == True)].drop(['enabled'], axis=1)
df_disabled = df_stats4[(df_stats4['enabled'] == False)].drop(['enabled'], axis=1)
print('\n\n{} Falco rules ({:.2f}% of rules) are enabled by default:\n\n'.format(len(df_enabled), (100.0 * len(df_enabled) / n_rules)))
print(df_enabled.to_markdown(index=False))
print('\n\n{} Falco rules ({:.2f}% of rules) are *not* enabled by default:\n\n'.format(len(df_disabled), (100.0 * len(df_disabled) / n_rules)))
print(df_disabled.to_markdown(index=False))
if __name__ == "__main__":
args_parsed = arg_parser()
print_markdown(rules_to_df(args_parsed.rules_file))
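Review bot: The removed script's usage docstring documents the command `python rules_inventory/scripts/rules_overview_generator.py --rules_file=rules/falco_rules.yaml`; if that invocation is referenced anywhere in contributor documentation, release tooling or a Makefile target, it needs to be retargeted to the new repository in this change, otherwise the generator path silently disappears while the instructions still mention it.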