github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-09 10:39:28 +00:00
Code Issues Projects Releases Wiki Activity
4,161 Commits 119 Branches 173 Tags
fix/use_plugin_name
Commit Graph

698 Commits

Author SHA1 Message Date
Kaizhe Huang
8a1f43f284 remove kaizhe from falco rule owner 
Signed-off-by: Kaizhe Huang <khuang@aurora.tech>
 2022-06-22 22:16:21 -05:00
joon
625201f9f6 Add Java compatibility note 
Signed-off-by: joon <pirxthepilot@users.noreply.github.com>
 2022-06-14 17:01:12 +02:00
joon
583ac4192c rule(Java Process Class Download): detect potential successful log4shell exploitation 
Signed-off-by: joon <pirxthepilot@users.noreply.github.com>
 2022-06-14 17:01:12 +02:00
stephanmiehe
c782655a53 Fix rule linting 
Signed-off-by: Stephan Miehe <stephanmiehe@github.com>
 2022-06-10 13:58:42 +02:00
Matan Monitz
9f163f3fe0 Update rules/falco_rules.yaml 
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Matan Monitz <mmonitz@gmail.com>
 2022-05-28 10:13:30 +02:00
Matan Monitz
4c95c717d2 known_shell_spawn_cmdlines - lighttpd 
Signed-off-by: Matan Monitz <mmonitz@gmail.com>
 2022-05-28 10:13:30 +02:00
beryxz
54a2f7bdaa rule(macro net_miner_pool): additional syscall for detection 
Signed-off-by: beryxz <coppi.lore@gmail.com>
 2022-05-28 09:29:30 +02:00
Brad Clark
9d41b0a151 use endswith ash_history to catch both bash and ash 
Signed-off-by: Brad Clark <bdashrad@gmail.com>
 2022-05-14 07:55:29 +02:00
Brad Clark
b9bcf79035 rule(macro truncate_shell_history): include .ash_history 
Signed-off-by: Brad Clark <bdashrad@gmail.com>
 2022-05-14 07:55:29 +02:00
Brad Clark
3cca4c23cc rule(macro modify_shell_history): include .ash_history 
Signed-off-by: Brad Clark <bdashrad@gmail.com>
 2022-05-14 07:55:29 +02:00
Leonardo Grasso
d4f76f1f93 update!: moving out plugins ruleset files 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-05-12 18:28:34 +02:00
Leonardo Grasso
65de03aa29 update(rules): remove plugins ruleset files 
Plugins' rules files now lives in their repositories. See https://github.com/falcosecurity/plugins/pull/98

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-05-12 18:28:34 +02:00
Stefano
3e603188d4 Changed field in thread.cap_effective 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-05-12 14:42:34 +02:00
Stefano
c3bcf604a5 Changed Rule focus to be broader then just a specific CVE 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-05-12 14:42:34 +02:00
Stefano
2e2b13236b Fixed CVE number 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-05-12 14:42:34 +02:00
Stefano
24bd1abc43 Added new rule for CVE-2022-4092 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-05-12 14:42:34 +02:00
Sebastien Le Digabel
2bc4fec33c rule(Anonymous Request Allowed): exclude {/livez, /readyz} 
Fixes #1794.

/livez and /readyz don't require authentication and can generate a lot
of noise if the cluster is checked by an anonymous external
system.

Some k8s systems have those endpoints required to be anonymous, as per this
[link to an OpenShift
setup](http://static.open-scap.org/ssg-guides/ssg-ocp4-guide-cis.html#xccdf_org.ssgproject.content_rule_api_server_anonymous_auth).

Signed-off-by: Sebastien Le Digabel <sledigabel@gmail.com>
 2022-05-04 13:04:29 +02:00
Jason Dellaluce
67d2fe45a5 refactor: add k8saudit plugin and adapt config, tests, and rulesets 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-29 20:47:19 +02:00
Lorenzo Susini
9fb9215dbf new(rule): excessively capable containers 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Co-authored-by: Kaizhe Huang <khuang@aurora.tech>
 2022-04-29 07:35:50 +02:00
Furkan
990a8fd6d5 update(rules): k8s: secret get detection 
Signed-off-by: Furkan <furkan.turkal@trendyol.com>
 2022-04-28 11:33:00 +02:00
Leonardo Grasso
b4d9261ce2 build: define "falco" component 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-04-22 09:41:56 +02:00
Mateusz Gozdek
1fdfbd3a3d Fix more typos 
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
 2022-04-20 12:21:27 +02:00
Clemence Saussez
af96a930eb rules(allowed_kube_namespace_image_list): add container threat detection image 
Signed-off-by: Clemence Saussez <clemence@zen.ly>
 2022-04-15 10:52:58 +02:00
Clemence Saussez
5d65671d3a rules(falco_privileged_images): add container threat detection image 
Signed-off-by: Clemence Saussez <clemence@zen.ly>
 2022-04-15 10:52:58 +02:00
Stefano
d3383b4b23 Fixed ouput Rules K8s Serviceaccount Created/Deleted 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: AlbertoPellitteri <alberto.pellitteri@sysdig.com>
 2022-04-15 10:49:58 +02:00
Stefano
65435d4418 Removed use cases not triggering 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Brucedh <alessandro.brucato@sysdig.com>
Co-authored-by: AlbertoPellitteri <alberto.pellitteri@sysdig.com>
 2022-04-13 10:03:25 +02:00
Lorenzo Susini
4343fe8a8b new(rules/k8s_audit): add rules to detect pods sharing host pid and IPC namespaces 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-04-11 18:29:19 +02:00
Stefano
36bd07d82d Fix spaces 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
 2022-04-01 19:38:40 +02:00
Stefano
bcff88922a Added eks_allowed_k8s_users list to whitelist EKS users 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Alberto Pellitteri <alberto.pellitteri@sysdig.com>
 2022-04-01 19:38:40 +02:00
Stefano
1988f3b0be Disabled by default noisy rules 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
 2022-03-29 17:39:25 +02:00
schie
64f0cefab0 Update rules/okta_rules.yaml 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Thomas Labarussias <issif+github@gadz.org>
 2022-03-29 17:39:25 +02:00
schie
48041a517b Update rules/okta_rules.yaml 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Thomas Labarussias <issif+github@gadz.org>
 2022-03-29 17:39:25 +02:00
Stefano
6a1492a828 Added okta_rules.yaml 
Signed-off-by: darryk10<stefano.chierici@sysdig.com>
 2022-03-29 17:39:25 +02:00
Leonardo Grasso
5023851000 chore(rules): remove leftover 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-03-25 13:02:28 +01:00
Matt Moyer
36acd6dfbf Add user_known_mount_in_privileged_containers 
This adds a new macro `user_known_mount_in_privileged_containers` which
allows the easier user-defined exclusions for the "Mount Launched in
Privileged Container" rule.

This would be cleaner with the exclusions feature, but this feature
is not used in the default ruleset yet, if I understand correctly.

Signed-off-by: Matt Moyer <mmoyer@figma.com>
 2022-03-17 10:50:56 +01:00
Claudio Vellage
4705a92c49 Allow to whitelist config modifiers 
Signed-off-by: Claudio Vellage <claudio.vellage@pm.me>
 2022-03-15 22:32:59 +01:00
Josh Soref
e8aac31890 spelling: themselves 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
9a314d9443 spelling: privileged 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
53c77ea6b5 spelling: https://cryptoioc.ch 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
1306fd6ac1 spelling: hierarchy 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
19ab9e5f35 spelling: expand 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
3646fb6e03 spelling: discretion 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
fa7fab525f spelling: command lines 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
eabd3ad24b spelling: altogether 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
a84adbd231 spelling: allowed 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
pablopez
87c410e49e upgrade macro(keepalived_writing_conf) 
Signed-off-by: pablopez <pablo.lopezzaldivar@sysdig.com>
 2022-02-11 11:36:47 +01:00
schie
b9925577ef Update rules/falco_rules.yaml 
Signed-off-by: darryk10 stefano.chierici@sysdig.com

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2022-02-11 11:28:46 +01:00
Stefano
ae5342c54b Fixed rule condition 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
 2022-02-11 11:28:46 +01:00
Stefano
1324522721 Added new Rule Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) 
Co-authored-by: javery-sysdig <jason.avery@sysdig.com>

Signed-off-by: Stefano <stefano.chierici@sysdig.com>
 2022-02-11 11:28:46 +01:00
rileydakota
7999e33aea Rule Update - Adds npm support 
Adds `npm` to `package_mgmt_binaries` for detection of "living off the land" style attacks that utilize NPM pull down additional tooling

Signed-off-by: rileydakota <dakotariley2@gmail.com>
 2022-02-11 11:27:46 +01:00