github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-16 07:47:00 +00:00
Code Issues Projects Releases Wiki Activity

update(rules): introducing the macro consider_userfaultfd_activities to act as a gate

Browse Source 
Co-authored-by: Kaizhe Huang <derek0405@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
This commit is contained in:
Leonardo Di Donato 2021-06-17 12:02:29 +00:00 committed by poiana
parent 84257912e0
commit 7f761ade4b
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
rules/falco_rules.yaml
View File

@ -3056,10 +3056,13 @@
priority: WARNING
tags: [container, cis, mitre_lateral_movement]
- macro: consider_userfaultfd_activities
condition: (always_true)
- rule: Unprivileged Delegation of Page Faults Handling to a Userspace Process
desc: Detect a successful unprivileged userfaultfd syscall which might act as an attack primitive to exploit other bugs
condition: >
evt.type = userfaultfd and
consider_userfaultfd_activities and evt.type = userfaultfd and
user.uid != 0 and
(evt.rawres >= 0 or evt.res != -1)
output: An userfaultfd syscall was successfully executed by an unprivileged user (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)