Commit Graph

515 Commits

Author SHA1 Message Date
Lorenzo Susini
6319be8146 update(rules): Add containerd socket to sensitive_mount macro
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
2021-12-21 16:53:57 +01:00
Angelo Puglisi
f035829ca2 fix(rules): typo in Create Symlink Over Sensitive Files rule output
Signed-off-by: Angelo Puglisi <angelopuglisi86@gmail.com>
2021-12-13 20:05:33 +01:00
Calvin Bui
cd471a78db re-add double empty newline
Signed-off-by: Calvin Bui <3604363+calvinbui@users.noreply.github.com>
2021-12-10 10:27:33 +01:00
Calvin Bui
65969c30f9 Add ECR repository to rules
Signed-off-by: Calvin Bui <3604363+calvinbui@users.noreply.github.com>
2021-12-10 10:27:33 +01:00
Jason Dellaluce
2a00a4d853 rules: adding support for openat2
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2021-12-06 19:12:14 +01:00
Erick Cheng
205a8fd23b Move wget and curl to own rule
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
2021-11-29 17:42:40 +01:00
Erick Cheng
bdba37a790 Fix remove scp and add curl
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
2021-11-29 17:42:40 +01:00
Erick Cheng
19fb3458ef Add wget and curl to remote_file_copy_binaries
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
2021-11-29 17:42:40 +01:00
Erick Cheng
b0565794f5 Move user_known_ingress_remote_file_copy_activities to outside condition
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
2021-11-29 17:42:40 +01:00
Erick Cheng
66df790b9d Fix syntax error
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
2021-11-29 17:42:40 +01:00
Erick Cheng
749d4b4512 Add more curl download checks
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
2021-11-29 17:42:40 +01:00
Erick Cheng
851033c5f4 Add curl macro
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
2021-11-29 17:42:40 +01:00
Erick Cheng
af6f3bfeab Move wget and curl to own rule
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
2021-11-29 17:42:40 +01:00
Erick Cheng
c4d25b1d24 Fix remove scp and add curl
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
2021-11-29 17:42:40 +01:00
Erick Cheng
d434853d5f Add wget and curl to remote_file_copy_binaries
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
2021-11-29 17:42:40 +01:00
Jason Dellaluce
85db078dc4 chore: renaming comment references
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
2021-11-18 16:26:18 +01:00
Mark Stemm
3b390793b9 Fix bug in macro that was masked by old evttype checking
It turns out that the macro inbound_outbound had a logical bug where
joining the beginning and end of the macro with "or" led to the macro
matching all event types by accident.

Most of the time this isn't harmful but it turns out some trace files
will do operations on inet connection fds like "dup", and those get
mistakenly picked up by this macro, as the fd for the event does
happen to be a network connection fd.

This fixes the macro to only match those event types *and* when the fd
is an inet connection fd.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2021-10-12 17:59:38 +02:00
Tom Keyte
e0f8b81692 Remove duplicate allowed ecr registry rule
Signed-off-by: Tom Keyte <tom.keyte@onsecurity.co.uk>
2021-09-17 11:12:54 +02:00
Alberto Pellitteri
874809351f rules(list https_miner_domains): fix typo in the list
Co-authored-by: darryk10 <stefano.chierici@sysdig.com>
Signed-off-by: Alberto Pellitteri <albertopellitteri96@gmail.com>
2021-09-17 09:16:54 +02:00
Alberto Pellitteri
4527228ef8 rules(list https_miner_domains): add new miner domains
Signed-off-by: Alberto Pellitteri <albertopellitteri96@gmail.com>
Co-authored-by: darryk10 <stefano.chierici@sysdig.com>
2021-09-17 09:16:54 +02:00
Alberto Pellitteri
e684c95e23 rules(list miner_domains): add new miner domains
Signed-off-by: Alberto Pellitteri <albertopellitteri96@gmail.com>
Co-authored-by: darryk10 <stefano.chierici@sysdig.com>
2021-09-17 09:16:54 +02:00
Leonardo Di Donato
d6690313a0 update(rules): bump the required engine version to version 9
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-06-23 10:44:03 +02:00
Leonardo Di Donato
98ce88f7ef chore(rules): improve name of the list for userfaultfd exceptions
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-06-23 10:44:03 +02:00
Leonardo Di Donato
9ff8099501 update(userspace/engine): bump falco engine version
Co-authored-by: Kaizhe Huang <derek0405@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-06-23 10:44:03 +02:00
Leonardo Di Donato
7db4778f55 update(rules): introducing list user_known_userfaultfd_activities to exclude processes known to use userfaultfd syscall
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-06-23 10:44:03 +02:00
Leonardo Di Donato
7f761ade4b update(rules): introducing the macro consider_userfaultfd_activities to act as a gate
Co-authored-by: Kaizhe Huang <derek0405@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-06-23 10:44:03 +02:00
Leonardo Di Donato
84257912e0 update(rules): tag rule as syscall
Co-authored-by: Kaizhe Huang <derek0405@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-06-23 10:44:03 +02:00
Leonardo Di Donato
9bc942c654 new(rules): detect unprivileged (successful) userfaultfd syscalls
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-06-23 10:44:03 +02:00
Leonardo Di Donato
8216b435cb update(rules): adding container info to the output of the rule detecting kernel module injections from containers
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-06-23 10:44:03 +02:00
Lorenzo Fontana
0f24448d18 rules(list miner_domains): add rx.unmineable.com for anti-miner detection
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2021-06-17 09:59:25 +02:00
Kaizhe Huang
b268d4d6c3 rule update(Non sudo setuid): check user id as well in case user name info is not available
Signed-off-by: Kaizhe Huang <khuang@aurora.tech>
2021-06-10 13:44:05 +02:00
Kaizhe Huang
ad82f66be3 rules update(Change thread namespace and Set Setuid or Setgid bit): disable by default
Signed-off-by: Kaizhe Huang <derek0405@gmail.com>
2021-06-07 12:17:21 +02:00
Kaizhe Huang
09e1604fe0 rule update(Debugfs Launched in Privileged Container): fix typo in description
Signed-off-by: Kaizhe Huang <khuang@aurora.tech>
2021-05-27 11:21:30 +02:00
ismail yenigul
2226a1508c exception to privileged container for EKS images
Signed-off-by: ismail yenigul <ismailyenigul@gmail.com>
2021-05-06 02:36:48 +02:00
maxgio92
fd6a1d0d05 clean(rules/falco_rules.yaml): remove deprecated oci image repositories
Signed-off-by: maxgio92 <massimiliano.giovagnoli.1992@gmail.com>
2021-04-29 11:51:35 +02:00
Leonardo Grasso
e95ab26f33 update(rules): stricter detection of man-db postinst exception
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2021-04-19 17:01:10 +02:00
Leonardo Grasso
23a611b343 chore(rules): remove too weak macro python_running_sdchecks
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2021-04-19 17:01:10 +02:00
Leonardo Di Donato
2e97d0e27c chore(rules): cleanup old macros
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-04-09 18:17:11 +02:00
Leonardo Di Donato
06086df21e chore(rules): re-enable negation of package_mgmt_procs for Write below binary dir rule
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2021-04-09 18:17:11 +02:00
Lorenzo Fontana
abc79fb548 update(rules): revert exceptions in default ruleset
Exceptions have been introduced in commit 64a231b962
The feature itself is very useful for more complex environments where
the simple conditions are difficult to handle.
However, many users reported that they find them difficult to understand so
we are doing a rollback of them in the default ruleset in favor of the
syntax without exceptions.

Signed-off-by: Lorenzo Fontana <lo@linux.com>
2021-04-09 18:17:11 +02:00
stevenshuang
167c5bc691 fix: update rule description
Signed-off-by: stevenshuang <stevenshuang521@gmail.com>
2021-03-24 18:47:55 +01:00
Kaizhe Huang
7ea80e39b1 rule(Set Setuid or Setgid bit) update: add k3s-agent in the whitelist
Signed-off-by: Kaizhe Huang <derek0405@gmail.com>
2021-03-22 11:36:59 +01:00
Kaizhe Huang
b58f76b268 rule (Debugfs Launched in Privileged Container and Mount Launched in Privileged Container): create
Signed-off-by: Kaizhe Huang <derek0405@gmail.com>
2021-03-22 11:36:59 +01:00
Shane Lawrence
2f0e09b549 rule (Write below monitored dir): Clean up and use glob matching.
Signed-off-by: Shane Lawrence <shane@lawrence.dev>
2021-03-12 10:37:16 +01:00
Spencer Krum
b3693a0b75 chore(rules): Add ibmcloud operator lifecycle manager
Signed-off-by: Spencer Krum <nibz@spencerkrum.com>
2021-02-19 12:35:30 +01:00
Spencer Krum
a54f946135 chore(rules): Rule exceptions for ibm cloud
Whitelist ibm images for connecting to k8s api server

IBM Observability by Sysdig has a vendored sysdig/agent image.

IBM's Kubernetes Service ships with an operator manager. Example:

19:12:45.090908160: Notice Unexpected connection to K8s API Server from
container (command=catalog -namespace ibm-system
-configmapServerImage=registry.ng.bluemix.net/armada-master/configmap-operator-registry:v1.6.1
k8s.ns=ibm-system k8s.pod=catalog-operator-6495d76869-ncl2z
container=4ad7a04fa1e0
image=registry.ng.bluemix.net/armada-master/olm:0.14.1-IKS-1
connection=172.30.108.219:48200->172.21.0.1:443) k8s.ns=ibm-system
k8s.pod=catalog-operator-6495d76869-ncl2z container=4ad7a04fa1e0

IBM's Kubernetes service also ships with a metrics collecting agent

Signed-off-by: Spencer Krum <nibz@spencerkrum.com>
2021-02-19 12:35:30 +01:00
Leonardo Grasso
85db1aa997 fix(rules): correct indentation
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2021-02-19 09:24:55 +01:00
ismail yenigul
37a6caae12 remove commercial images to unblock PR
add endpoint-controller to user_known_sa_list
related event:
    {
        "output": "05:19:25.557989888: Warning Service account created
in kube namespace (user=system:kube-controller-manager
serviceaccount=endpoint-controller ns=kube-system)",
        "priority": "Warning",
        "rule": "Service Account Created in Kube Namespace",
        "time": "2021-02-16T05:19:25.557989888Z",
        "output_fields": {
            "jevt.time": "05:19:25.557989888",
            "ka.target.name": "endpoint-controller",
            "ka.target.namespace": "kube-system",
            "ka.user.name": "system:kube-controller-manager"
        }
    }

Signed-off-by: ismail yenigul <ismailyenigul@gmail.com>
2021-02-19 09:24:55 +01:00
ismail yenigul
2d962dfcb0 rebase to master
update user_known_sa_list with k8s internal sa in kube-system

    {
        "output": "10:27:56.539783936: Warning Service account created
in kube namespace (user=system:kube-controller-manager
serviceaccount=replicaset-controller ns=kube-system)",
        "priority": "Warning",
        "rule": "Service Account Created in Kube Namespace",
        "time": "2021-02-15T10:27:56.539783936Z",
        "output_fields": {
            "jevt.time": "10:27:56.539783936",
            "ka.target.name": "replicaset-controller",
            "ka.target.namespace": "kube-system",
            "ka.user.name": "system:kube-controller-manager"
        }
    }

    {
        "output": "17:06:18.267429888: Warning Service account created
in kube namespace (user=system:kube-controller-manager
serviceaccount=deployment-controller ns=kube-system)",
        "priority": "Warning",
        "rule": "Service Account Created in Kube Namespace",
        "time": "2021-02-15T17:06:18.267429888Z",
        "output_fields": {
            "jevt.time": "17:06:18.267429888",
            "ka.target.name": "deployment-controller",
            "ka.target.namespace": "kube-system",
            "ka.user.name": "system:kube-controller-manager"
        }
    }

and more...

Signed-off-by: ismail yenigul <ismailyenigul@gmail.com>
2021-02-19 09:24:55 +01:00
Petr Michalec
541845156f rhsm cert updates
Signed-off-by: Petr Michalec <epcim@apealive.net>
Signed-off-by: Petr Michalec <pmichalec@ves.io>
2021-02-18 15:42:06 +01:00