Lorenzo Susini
6319be8146
update(rules): Add containerd socket to sensitive_mount macro
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
2021-12-21 16:53:57 +01:00
Angelo Puglisi
f035829ca2
fix(rules): typo in Create Symlink Over Sensitive Files rule output
Signed-off-by: Angelo Puglisi <angelopuglisi86@gmail.com>
2021-12-13 20:05:33 +01:00
Calvin Bui
cd471a78db
re-add double empty newline
Signed-off-by: Calvin Bui <3604363+calvinbui@users.noreply.github.com>
2021-12-10 10:27:33 +01:00
Calvin Bui
65969c30f9
Add ECR repository to rules
Signed-off-by: Calvin Bui <3604363+calvinbui@users.noreply.github.com>
2021-12-10 10:27:33 +01:00
Jason Dellaluce
2a00a4d853
rules: adding support to openat2
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2021-12-06 19:12:14 +01:00
Erick Cheng
205a8fd23b
Move wget and curl to own rule
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
2021-11-29 17:42:40 +01:00
Erick Cheng
bdba37a790
Fix remove scp and add curl
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
2021-11-29 17:42:40 +01:00
Erick Cheng
19fb3458ef
Add wget and curl to remote_file_copy_binaries
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
2021-11-29 17:42:40 +01:00
Erick Cheng
b0565794f5
Move user_known_ingress_remote_file_copy_activities to outside condition
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
2021-11-29 17:42:40 +01:00
Erick Cheng
66df790b9d
Fix syntax error
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
2021-11-29 17:42:40 +01:00
Erick Cheng
749d4b4512
Add more curl download checks
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
2021-11-29 17:42:40 +01:00
Erick Cheng
851033c5f4
Add curl macro
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
2021-11-29 17:42:40 +01:00
Erick Cheng
af6f3bfeab
Move wget and curl to own rule
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
2021-11-29 17:42:40 +01:00
Erick Cheng
c4d25b1d24
Fix remove scp and add curl
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
2021-11-29 17:42:40 +01:00
Erick Cheng
d434853d5f
Add wget and curl to remote_file_copy_binaries
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
2021-11-29 17:42:40 +01:00
Jason Dellaluce
85db078dc4
chore: renaming comment references
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
2021-11-18 16:26:18 +01:00
Mark Stemm
69e32f7ed1
Add initial set of Cloudtrail rules
These rules can be used when combined with the cloudtrail plugin.
They're installed to /etc/falco like the other rules files.
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Co-authored-by: Loris Degioanni <loris@sysdig.com>
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2021-11-12 18:27:59 +01:00
Sverre Boschman
762500a361
add known k8s service accounts
Signed-off-by: Sverre Boschman <1142569+sboschman@users.noreply.github.com>
2021-10-29 10:41:54 +02:00
Sverre Boschman
8563af8a79
reformat known_sa_list
Signed-off-by: Sverre Boschman <1142569+sboschman@users.noreply.github.com>
2021-10-29 10:41:54 +02:00
Mark Stemm
3b390793b9
Fix bug in macro that was masked by old evttype checking
It turns out that the macro inbound_outbound had a logical bug where
joining the beginning and end of the macro with "or" led to the macro
matching all event types by accident.
Most of the time this isn't harmful but it turns out some trace files
will do operations on inet connection fds like "dup", and those get
mistakenly picked up by this macro, as the fd for the event does
happen to be a network connection fd.
This fixes the macro to only match those event types *and* when the fd
is an inet connection fd.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2021-10-12 17:59:38 +02:00
Tom Keyte
e0f8b81692
Remove duplicate allowed ecr registry rule
Signed-off-by: Tom Keyte <tom.keyte@onsecurity.co.uk>
2021-09-17 11:12:54 +02:00
Alberto Pellitteri
874809351f
rules(list https_miner_domains): fix typo in the list
Co-authored-by: darryk10 <stefano.chierici@sysdig.com>
Signed-off-by: Alberto Pellitteri <albertopellitteri96@gmail.com>
2021-09-17 09:16:54 +02:00
Alberto Pellitteri
4527228ef8
rules(list https_miner_domains): add new miner domains
Signed-off-by: Alberto Pellitteri <albertopellitteri96@gmail.com>
Co-authored-by: darryk10 <stefano.chierici@sysdig.com>
2021-09-17 09:16:54 +02:00
Alberto Pellitteri
e684c95e23
rules(list miner_domains): add new miner domains
Signed-off-by: Alberto Pellitteri <albertopellitteri96@gmail.com>
Co-authored-by: darryk10 <stefano.chierici@sysdig.com>
2021-09-17 09:16:54 +02:00
Leonardo Di Donato
d6690313a0
update(rules): bump the required engine version to version 9
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-06-23 10:44:03 +02:00
Leonardo Di Donato
98ce88f7ef
chore(rules): improve name of the list for userfaultfd exceptions
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-06-23 10:44:03 +02:00
Leonardo Di Donato
9ff8099501
update(userspace/engine): bump falco engine version
Co-authored-by: Kaizhe Huang <derek0405@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-06-23 10:44:03 +02:00
Leonardo Di Donato
7db4778f55
update(rules): introducing list user_known_userfaultfd_activities to exclude processes known to use userfaultfd syscall
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-06-23 10:44:03 +02:00
Leonardo Di Donato
7f761ade4b
update(rules): introducing the macro consider_userfaultfd_activities to act as a gate
Co-authored-by: Kaizhe Huang <derek0405@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-06-23 10:44:03 +02:00
Leonardo Di Donato
84257912e0
update(rules): tag rule as syscall
Co-authored-by: Kaizhe Huang <derek0405@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-06-23 10:44:03 +02:00
Leonardo Di Donato
9bc942c654
new(rules): detect unprivileged (successful) userfaultfd syscalls
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-06-23 10:44:03 +02:00
Leonardo Di Donato
8216b435cb
update(rules): adding container info to the output of the rule detecting kernel module injections from containers
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-06-23 10:44:03 +02:00
Lorenzo Fontana
0f24448d18
rules(list miner_domains): add rx.unmineable.com for anti-miner detection
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2021-06-17 09:59:25 +02:00
Kaizhe Huang
b268d4d6c3
rule update(Non sudo setuid): check user id as well in case user name info is not available
Signed-off-by: Kaizhe Huang <khuang@aurora.tech>
2021-06-10 13:44:05 +02:00
Kaizhe Huang
ad82f66be3
rules update(Change thread namespace and Set Setuid or Setgid bit): disable by default
Signed-off-by: Kaizhe Huang <derek0405@gmail.com>
2021-06-07 12:17:21 +02:00
Sverre Boschman
35dc315390
add known k8s service accounts
Signed-off-by: Sverre Boschman
2021-06-04 10:46:09 +02:00
Kaizhe Huang
09e1604fe0
rule update(Debugfs Launched in Privileged Container): fix typo in description
Signed-off-by: Kaizhe Huang <khuang@aurora.tech>
2021-05-27 11:21:30 +02:00
ismail yenigul
2226a1508c
exception to privileged container for EKS images
Signed-off-by: ismail yenigul <ismailyenigul@gmail.com>
2021-05-06 02:36:48 +02:00
maxgio92
fd6a1d0d05
clean(rules/falco_rules.yaml): remove deprecated oci image repositories
Signed-off-by: maxgio92 <massimiliano.giovagnoli.1992@gmail.com>
2021-04-29 11:51:35 +02:00
Leonardo Grasso
e95ab26f33
update(rules): stricter detection of man-db postinst exception
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2021-04-19 17:01:10 +02:00
Leonardo Grasso
23a611b343
chore(rules): remove too weak macro python_running_sdchecks
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2021-04-19 17:01:10 +02:00
Leonardo Di Donato
2e97d0e27c
chore(rules): cleanup old macros
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-04-09 18:17:11 +02:00
Leonardo Di Donato
06086df21e
chore(rules): re-enable negation of package_mgmt_procs for Write below binary dir rule
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-04-09 18:17:11 +02:00
Lorenzo Fontana
194cdf7873
update(rules): revert exceptions in default ruleset for k8s audit
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2021-04-09 18:17:11 +02:00
Lorenzo Fontana
35fe14e691
rules(list user_known_sa_list): revert as an empty list for user overwrite
rules(list known_sa_list): list of known sa moved here from user_known_sa_list
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2021-04-09 18:17:11 +02:00
Lorenzo Fontana
abc79fb548
update(rules): revert exceptions in default ruleset
Exceptions have been introduced in commit 64a231b962
The feature itself is very useful for more complex environments where
the simple conditions are difficult to handle.
However, many users reported that they find them difficult to understand so
we are doing a rollback of them in the default ruleset in favor of the
syntax without exceptions.
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2021-04-09 18:17:11 +02:00
stevenshuang
167c5bc691
fix: update rule description
Signed-off-by: stevenshuang <stevenshuang521@gmail.com>
2021-03-24 18:47:55 +01:00
Kaizhe Huang
7ea80e39b1
rule(Set Setuid or Setgid bit) update: add k3s-agent in the whitelist
Signed-off-by: Kaizhe Huang <derek0405@gmail.com>
2021-03-22 11:36:59 +01:00
Kaizhe Huang
b58f76b268
rule (Debugfs Launched in Privileged Container and Mount Launched in Privileged Container): create
Signed-off-by: Kaizhe Huang <derek0405@gmail.com>
2021-03-22 11:36:59 +01:00
Shane Lawrence
2f0e09b549
rule (Write below monitored dir): Clean up and use glob matching.
Signed-off-by: Shane Lawrence <shane@lawrence.dev>
2021-03-12 10:37:16 +01:00