github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-03-20 03:32:09 +00:00
Code Issues Projects Releases Wiki Activity
2,711 Commits 124 Branches 184 Tags
add-app-actions
Commit Graph

614 Commits

Author SHA1 Message Date
Matt Moyer
36acd6dfbf Add user_known_mount_in_privileged_containers 
This adds a new macro `user_known_mount_in_privileged_containers` which
allows the easier user-defined exclusions for the "Mount Launched in
Privileged Container" rule.

This would be cleaner with the exclusions feature, but this feature
is not used in the default ruleset yet, if I understand correctly.

Signed-off-by: Matt Moyer <mmoyer@figma.com>
 2022-03-17 10:50:56 +01:00
Claudio Vellage
4705a92c49 Allow to whitelist config modifiers 
Signed-off-by: Claudio Vellage <claudio.vellage@pm.me>
 2022-03-15 22:32:59 +01:00
Josh Soref
e8aac31890 spelling: themselves 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
9a314d9443 spelling: privileged 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
53c77ea6b5 spelling: https://cryptoioc.ch 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
1306fd6ac1 spelling: hierarchy 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
19ab9e5f35 spelling: expand 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
3646fb6e03 spelling: discretion 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
fa7fab525f spelling: command lines 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
eabd3ad24b spelling: altogether 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
a84adbd231 spelling: allowed 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
pablopez
87c410e49e upgrade macro(keepalived_writing_conf) 
Signed-off-by: pablopez <pablo.lopezzaldivar@sysdig.com>
 2022-02-11 11:36:47 +01:00
schie
b9925577ef Update rules/falco_rules.yaml 
Signed-off-by: darryk10 stefano.chierici@sysdig.com

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2022-02-11 11:28:46 +01:00
Stefano
ae5342c54b Fixed rule condition 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
 2022-02-11 11:28:46 +01:00
Stefano
1324522721 Added new Rule Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) 
Co-authored-by: javery-sysdig <jason.avery@sysdig.com>

Signed-off-by: Stefano <stefano.chierici@sysdig.com>
 2022-02-11 11:28:46 +01:00
rileydakota
7999e33aea Rule Update - Adds npm support 
Adds `npm` to `package_mgmt_binaries` for detection of "living off the land" style attacks that utilize NPM pull down additional tooling

Signed-off-by: rileydakota <dakotariley2@gmail.com>
 2022-02-11 11:27:46 +01:00
m4wh6k
f49a95f334 rule(macro modify_shell_history): Fix missing s on endswith 
Signed-off-by: m4wh6k m4wh6k@users.noreply.github.com
 2022-02-11 11:26:46 +01:00
m4wh6k
9e8687401d fix(macro truncate_shell_history): avoid false positives from .zsh_history.new and .LOCK files 
Signed-off-by: m4wh6k m4wh6k@users.noreply.github.com
 2022-02-11 11:26:46 +01:00
m4wh6k
6ead925f51 fix(macro modify_shell_history): avoid false positives from .zsh_history.new and .LOCK files 
Signed-off-by: m4wh6k <m4wh6k@users.noreply.github.com>
 2022-02-11 11:26:46 +01:00
Mac Chaffee
8a3a4c4d57 rule(maco write_etc_common): Fix false-positive of sssd updating /etc/krb5.keytab 
Signed-off-by: Mac Chaffee <me@macchaffee.com>
 2022-02-11 11:25:47 +01:00
pablopez
5da10a3b89 rule_output(Delete Bucket Public Access Block) typo 
Signed-off-by: pablopez <pablo.lopezzaldivar@sysdig.com>
 2022-02-03 18:23:08 +01:00
Leonardo Grasso
24e7e84153 update(rules): updated aws cloudtrail rule bumping plugins version 
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-01-28 15:33:22 +01:00
Andrea Terzolo
7750b6f209 rule: update Copyright in falco rules 
Signed-off-by: Andrea Terzolo <s276109@studenti.polito.it>
 2022-01-25 18:58:05 +01:00
Andrea Terzolo
8c705448cc rule: add execveat as evt.type for spawned_process macro in falco rules 
Signed-off-by: Andrea Terzolo <s276109@studenti.polito.it>
 2022-01-25 18:58:05 +01:00
Shay Berkovich
6b9fafb75f rule update(Sudo Potential Privilege Escalation): trigger the most common CVE-2021-3156 exploit 
Signed-off-by: Shay Berkovich <sberkovich@blackberry.com>
Co-authored-by: Meera Balsara <mbalsara@blackberry.com>
 2022-01-25 17:54:06 +01:00
Shay Berkovich
fdcd7bffd0 rule update(Detect crypto miners using the Stratum protocol): update protocols 
Signed-off-by: Shay Berkovich <Sberkovich@blackberry.com>
Co-authored-by: Meera Balsara <mbalsara@blackberry.com>
 2022-01-25 17:54:06 +01:00
Shay Berkovich
d989e9c2d5 new(rules): Create Hardlink Over Sensitive Files 
New rule to prevent hardlink bypass and symlink rule set to WARNING for consistency
Signed-off-by: Shay Berkovich <sberkovich@blackberry.com>
Co-authored-by: Meera Balsara <mbalsara@blackberry.com>
 2022-01-25 17:54:06 +01:00
Federico Di Pierro
996ccf555c rule: updated aws_cloudtrail_rules with correct copyright year and required plugin versions. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-25 17:50:06 +01:00
Leonardo Di Donato
c705623f9e update(rules): move falco_hostnetwork_images list to k8s audit rules 
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2022-01-24 15:03:12 +01:00
Leo Di Donato
3640871725 update(rules): remove falco_hostnetwork_images list (unused) 
The `falco_hostnetwork_images` list is unused.

This PR removes it to avoid the warning.

```console
When reading rules content: 1 warnings:
list falco_hostnetwork_images not refered to by any rule/macro/list
```

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2022-01-24 15:03:12 +01:00
Andrea Terzolo
18c7b6500d refactor: remove apt-config from debian_packages monitoring 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Co-authored-by: karthikc911 <ckinnovative@gmail.com>
 2022-01-20 11:07:47 +01:00
Lorenzo Susini
6319be8146 update(rules): Add containerd socket to sensitive_mount macro 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2021-12-21 16:53:57 +01:00
Angelo Puglisi
f035829ca2 fix(rules): typo in Create Symlink Over Sensitive Files rule output 
Signed-off-by: Angelo Puglisi <angelopuglisi86@gmail.com>
 2021-12-13 20:05:33 +01:00
Calvin Bui
cd471a78db re-add double empty newline 
Signed-off-by: Calvin Bui <3604363+calvinbui@users.noreply.github.com>
 2021-12-10 10:27:33 +01:00
Calvin Bui
65969c30f9 Add ECR repository to rules 
Signed-off-by: Calvin Bui <3604363+calvinbui@users.noreply.github.com>
 2021-12-10 10:27:33 +01:00
Jason Dellaluce
2a00a4d853 rules: adding support to openat2 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2021-12-06 19:12:14 +01:00
Erick Cheng
205a8fd23b Move wget and curl to own rule 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
bdba37a790 Fix remove scp and add curl 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
19fb3458ef Add wget and curl to remote_file_copy_binaries 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
b0565794f5 Move user_known_ingress_remote_file_copy_activities to outside condition 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
66df790b9d Fix syntax error 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
749d4b4512 Add more curl download checks 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
851033c5f4 Add curl macro 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
af6f3bfeab Move wget and curl to own rule 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
c4d25b1d24 Fix remove scp and add curl 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
d434853d5f Add wget and curl to remote_file_copy_binaries 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Jason Dellaluce
85db078dc4 chore: renaming comment references 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2021-11-18 16:26:18 +01:00
Mark Stemm
69e32f7ed1 Add initial set of Cloudtrail rules 
These rules can be used when combined with the cloudtrail plugin.

They're installed to /etc/falco like the other rules files.

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Co-authored-by: Loris Degioanni <loris@sysdig.com>
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-11-12 18:27:59 +01:00
Sverre Boschman
762500a361 add known k8s service accounts 
Signed-off-by: Sverre Boschman <1142569+sboschman@users.noreply.github.com>
 2021-10-29 10:41:54 +02:00
Sverre Boschman
8563af8a79 reformat known_sa_list 
Signed-off-by: Sverre Boschman <1142569+sboschman@users.noreply.github.com>
 2021-10-29 10:41:54 +02:00