mirror of
https://github.com/falcosecurity/falco.git
synced 2025-07-04 02:16:46 +00:00
new(rules): init rules_inventory/
* add ad-hoc python script to generate Falco default rules overview markdown document
* init rules_inventory/rules_overview.md doc

Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
This commit is contained in:
parent
6afe9d9200
commit
f04ff10bd7
@ -8,7 +8,7 @@
This document is auto-generated. Last Updated: 2022-11-16.
This document is auto-generated. Last Updated: 2022-11-17.
The Falco project ships with 75 [default rules](https://github.com/falcosecurity/falco/blob/master/rules/falco_rules.yaml) contributed by the community. The intended outcome of this document is to provide a comprehensive overview of the default rules, provide additional resources and help drive future improvements.
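Review bot: the only change in this hunk is the `Last Updated` date (2022-11-16 to 2022-11-17) in a document the context line describes as auto-generated, so every regeneration will produce a diff even when no rule changed. Consider emitting the date only when the rendered content differs, or deriving it from the rules file's last change rather than from generation time, so the date line remains a meaningful signal; the "75 default rules" figure in the context line is the natural value to cross-check against the tag table below on each regeneration.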
@ -36,16 +36,16 @@ Falco default rules per [Falco tag](https://falco.org/docs/rules/#tags):
| extra_tag | rule_count | percentage |
|:--------------|-------------:|:-------------|
| aws | 1 | 1.01% |
| cis | 5 | 5.05% |
| database | 1 | 1.01% |
| filesystem | 30 | 30.3% |
| k8s | 2 | 2.02% |
| network | 22 | 22.22% |
| process | 26 | 26.26% |
| shell | 2 | 2.02% |
| software_mgmt | 2 | 2.02% |
| users | 8 | 8.08% |
| aws | 1 | 1.0% |
| cis | 5 | 5.0% |
| database | 1 | 1.0% |
| filesystem | 30 | 30.0% |
| k8s | 2 | 2.0% |
| network | 22 | 22.0% |
| process | 26 | 26.0% |
| shell | 2 | 2.0% |
| software_mgmt | 3 | 3.0% |
| users | 8 | 8.0% |
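Review bot: the `percentage` column is computed against the total number of tag assignments (the `rule_count` values sum to 99 before this change and 100 after it, which is why `1.01%` becomes `1.0%`), not against the 75 rules the document's introduction cites, so a rule carrying several tags is counted once per tag and the column reads as a share of rules when it is not. Either name the denominator in the table caption (for example "percentage of tag assignments") or compute the share of rules that carry each tag. The `software_mgmt` count moving from 2 to 3 also implies a tag change in `falco_rules.yaml`; the overview should be generated from the same revision of the rules file that ships, or the two will drift.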
@ -160,7 +160,7 @@ Falco default rules per [Mitre Attack](https://attack.mitre.org/) phase:
| rule | desc | workload | mitre_phase | mitre_ttp | extra_tags |
|:-----------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------|:-------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------|
|:-----------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------|:-------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------------------------|
| Contact EC2 Instance Metadata Service From Container | Detect attempts to contact the EC2 Instance Metadata Service from a container | container | mitre_discovery | [T1565](https://attack.mitre.org/techniques/T1565) | network, aws |
| Contact K8S API Server From Container | Detect attempts to contact the K8S API Server from a container | container | mitre_discovery | [T1565](https://attack.mitre.org/techniques/T1565) | network, k8s |
| Debugfs Launched in Privileged Container | Detect file system debugger debugfs launched inside a privileged container which might lead to container escape. | container | mitre_execution, mitre_lateral_movement | [T1611](https://attack.mitre.org/techniques/T1611) | cis, process |
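Review bot: the only changed line in this hunk is the table separator row, whose last column widened from `:-----------------------|` to `:--------------------------|` because the longest `extra_tags` cell grew. Markdown renders a separator of any width identically, so the generator could emit a fixed minimal separator such as `|:---|` per column; that keeps future regenerations from producing whitespace-only diffs across every table whenever a single cell changes length.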
@ -213,7 +213,7 @@ Falco default rules per [Mitre Attack](https://attack.mitre.org/) phase:
| Write below etc | an attempt to write to any file below /etc | container, host | mitre_persistence | [T1098](https://attack.mitre.org/techniques/T1098) | filesystem |
| Write below monitored dir | an attempt to write to any file below a set of monitored directories | container, host | mitre_persistence | [T1543](https://attack.mitre.org/techniques/T1543) | filesystem |
| Write below root | an attempt to write to any file directly below / or /root | container, host | mitre_persistence | [TA0003](https://attack.mitre.org/tactics/TA0003) | filesystem |
| Write below rpm database | an attempt to write to the rpm database by any non-rpm related program | container, host | mitre_persistence | [T1072](https://attack.mitre.org/techniques/T1072) | filesystem |
| Write below rpm database | an attempt to write to the rpm database by any non-rpm related program | container, host | mitre_persistence | [T1072](https://attack.mitre.org/techniques/T1072) | filesystem, software_mgmt |
| Launch Suspicious Network Tool on Host | Detect network tools launched on the host | host | mitre_discovery, mitre_exfiltration | [T1046](https://attack.mitre.org/techniques/T1046), [T1595](https://attack.mitre.org/techniques/T1595) | network, process |
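Review bot: the `Write below rpm database` row gains `software_mgmt` in `extra_tags`, which reflects a change to that rule's tags in `falco_rules.yaml` rather than to the generator, yet the commit message only mentions adding the script and initialising the document; the rule change should travel in the same commit, or the document header should record the rules file revision it was generated from, so the overview and the shipped rules cannot diverge silently. Also visible in the context lines: the `mitre_ttp` column mixes technique IDs (`T1098`, `T1543`, `T1072`) with a tactic ID (`TA0003` for `Write below root`, linked under `/tactics/`), so the column header or a note above the table should say that either kind may appear.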
@ -5,7 +5,7 @@ import datetime
"""
Usage:
python rules-inventory/scripts/rules_mitre_overview_generator.py --rules_file=rules/falco_rules.yaml
python rules_inventory/scripts/rules_overview_generator.py --rules_file=rules/falco_rules.yaml
"""
BASE_MITRE_URL_TECHNIQUE="https://attack.mitre.org/techniques/"
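Review bot: the usage line now names `rules_inventory/scripts/rules_overview_generator.py`, matching the `rules_inventory/` directory in the commit message, but both that path and `--rules_file=rules/falco_rules.yaml` are relative to the repository root, so the docstring should state that the command is run from the repository root (or the script should resolve the default rules path relative to its own location with `os.path.dirname(__file__)`). Separately, the generated document links tactics (`https://attack.mitre.org/tactics/TA0003`) as well as techniques, while only `BASE_MITRE_URL_TECHNIQUE` is visible in the context here; if no matching tactics base URL constant exists elsewhere in the file, add one rather than building tactic links inline.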