mirror of
https://github.com/falcosecurity/falco.git
synced 2025-07-18 16:51:30 +00:00
update(rules): introducing the macro consider_userfaultfd_activities to act as a gate
Co-authored-by: Kaizhe Huang <derek0405@gmail.com> Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
This commit is contained in:
Leonardo Di Donato
poiana
parent
84257912e0
commit
7f761ade4b
@ -3056,10 +3056,13 @@
|
|||||||
priority: WARNING
|
priority: WARNING
|
||||||
tags: [container, cis, mitre_lateral_movement]
|
tags: [container, cis, mitre_lateral_movement]
|
||||||
|
|
||||||
|
- macro: consider_userfaultfd_activities
|
||||||
|
condition: (always_true)
|
||||||
|
|
||||||
- rule: Unprivileged Delegation of Page Faults Handling to a Userspace Process
|
- rule: Unprivileged Delegation of Page Faults Handling to a Userspace Process
|
||||||
desc: Detect a successful unprivileged userfaultfd syscall which might act as an attack primitive to exploit other bugs
|
desc: Detect a successful unprivileged userfaultfd syscall which might act as an attack primitive to exploit other bugs
|
||||||
condition: >
|
condition: >
|
||||||
evt.type = userfaultfd and
|
consider_userfaultfd_activities and evt.type = userfaultfd and
|
||||||
user.uid != 0 and
|
user.uid != 0 and
|
||||||
(evt.rawres >= 0 or evt.res != -1)
|
(evt.rawres >= 0 or evt.res != -1)
|
||||||
output: An userfaultfd syscall was successfully executed by an unprivileged user (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
|
output: An userfaultfd syscall was successfully executed by an unprivileged user (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user