github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-09 02:29:36 +00:00
Code Issues Projects Releases Wiki Activity
4,280 Commits 119 Branches 173 Tags
fix_CI_5
Commit Graph

698 Commits

Author SHA1 Message Date
m4wh6k
f49a95f334 rule(macro modify_shell_history): Fix missing s on endswith 
Signed-off-by: m4wh6k m4wh6k@users.noreply.github.com
 2022-02-11 11:26:46 +01:00
m4wh6k
9e8687401d fix(macro truncate_shell_history): avoid false positives from .zsh_history.new and .LOCK files 
Signed-off-by: m4wh6k m4wh6k@users.noreply.github.com
 2022-02-11 11:26:46 +01:00
m4wh6k
6ead925f51 fix(macro modify_shell_history): avoid false positives from .zsh_history.new and .LOCK files 
Signed-off-by: m4wh6k <m4wh6k@users.noreply.github.com>
 2022-02-11 11:26:46 +01:00
Mac Chaffee
8a3a4c4d57 rule(maco write_etc_common): Fix false-positive of sssd updating /etc/krb5.keytab 
Signed-off-by: Mac Chaffee <me@macchaffee.com>
 2022-02-11 11:25:47 +01:00
pablopez
5da10a3b89 rule_output(Delete Bucket Public Access Block) typo 
Signed-off-by: pablopez <pablo.lopezzaldivar@sysdig.com>
 2022-02-03 18:23:08 +01:00
Leonardo Grasso
24e7e84153 update(rules): updated aws cloudtrail rule bumping plugins version 
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-01-28 15:33:22 +01:00
Andrea Terzolo
7750b6f209 rule: update Copyright in falco rules 
Signed-off-by: Andrea Terzolo <s276109@studenti.polito.it>
 2022-01-25 18:58:05 +01:00
Andrea Terzolo
8c705448cc rule: add execveat as evt.type for spawned_process macro in falco rules 
Signed-off-by: Andrea Terzolo <s276109@studenti.polito.it>
 2022-01-25 18:58:05 +01:00
Shay Berkovich
6b9fafb75f rule update(Sudo Potential Privilege Escalation): trigger the most common CVE-2021-3156 exploit 
Signed-off-by: Shay Berkovich <sberkovich@blackberry.com>
Co-authored-by: Meera Balsara <mbalsara@blackberry.com>
 2022-01-25 17:54:06 +01:00
Shay Berkovich
fdcd7bffd0 rule update(Detect crypto miners using the Stratum protocol): update protocols 
Signed-off-by: Shay Berkovich <Sberkovich@blackberry.com>
Co-authored-by: Meera Balsara <mbalsara@blackberry.com>
 2022-01-25 17:54:06 +01:00
Shay Berkovich
d989e9c2d5 new(rules): Create Hardlink Over Sensitive Files 
New rule to prevent hardlink bypass and symlink rule set to WARNING for consistency
Signed-off-by: Shay Berkovich <sberkovich@blackberry.com>
Co-authored-by: Meera Balsara <mbalsara@blackberry.com>
 2022-01-25 17:54:06 +01:00
Federico Di Pierro
996ccf555c rule: updated aws_cloudtrail_rules with correct copyright year and required plugin versions. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-25 17:50:06 +01:00
Leonardo Di Donato
c705623f9e update(rules): move falco_hostnetwork_images list to k8s audit rules 
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2022-01-24 15:03:12 +01:00
Leo Di Donato
3640871725 update(rules): remove falco_hostnetwork_images list (unused) 
The `falco_hostnetwork_images` list is unused.

This PR removes it to avoid the warning.

```console
When reading rules content: 1 warnings:
list falco_hostnetwork_images not refered to by any rule/macro/list
```

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2022-01-24 15:03:12 +01:00
Andrea Terzolo
18c7b6500d refactor: remove apt-config from debian_packages monitoring 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Co-authored-by: karthikc911 <ckinnovative@gmail.com>
 2022-01-20 11:07:47 +01:00
Lorenzo Susini
6319be8146 update(rules): Add containerd socket to sensitive_mount macro 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2021-12-21 16:53:57 +01:00
Angelo Puglisi
f035829ca2 fix(rules): typo in Create Symlink Over Sensitive Files rule output 
Signed-off-by: Angelo Puglisi <angelopuglisi86@gmail.com>
 2021-12-13 20:05:33 +01:00
Calvin Bui
cd471a78db re-add double empty newline 
Signed-off-by: Calvin Bui <3604363+calvinbui@users.noreply.github.com>
 2021-12-10 10:27:33 +01:00
Calvin Bui
65969c30f9 Add ECR repository to rules 
Signed-off-by: Calvin Bui <3604363+calvinbui@users.noreply.github.com>
 2021-12-10 10:27:33 +01:00
Jason Dellaluce
2a00a4d853 rules: adding support to openat2 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2021-12-06 19:12:14 +01:00
Erick Cheng
205a8fd23b Move wget and curl to own rule 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
bdba37a790 Fix remove scp and add curl 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
19fb3458ef Add wget and curl to remote_file_copy_binaries 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
b0565794f5 Move user_known_ingress_remote_file_copy_activities to outside condition 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
66df790b9d Fix syntax error 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
749d4b4512 Add more curl download checks 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
851033c5f4 Add curl macro 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
af6f3bfeab Move wget and curl to own rule 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
c4d25b1d24 Fix remove scp and add curl 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
d434853d5f Add wget and curl to remote_file_copy_binaries 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Jason Dellaluce
85db078dc4 chore: renaming comment references 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2021-11-18 16:26:18 +01:00
Mark Stemm
69e32f7ed1 Add initial set of Cloudtrail rules 
These rules can be used when combined with the cloudtrail plugin.

They're installed to /etc/falco like the other rules files.

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Co-authored-by: Loris Degioanni <loris@sysdig.com>
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-11-12 18:27:59 +01:00
Sverre Boschman
762500a361 add known k8s service accounts 
Signed-off-by: Sverre Boschman <1142569+sboschman@users.noreply.github.com>
 2021-10-29 10:41:54 +02:00
Sverre Boschman
8563af8a79 reformat known_sa_list 
Signed-off-by: Sverre Boschman <1142569+sboschman@users.noreply.github.com>
 2021-10-29 10:41:54 +02:00
Mark Stemm
3b390793b9 Fix bug in macro that was masked by old evttype checking 
It turns out that the macro inbound_outbound had a logical bug where
joining the beginning and end of the macro with "or" led to the macro
matching all event types by accident.

Most of the time this isn't harmful but it turns out some trace files
will do operations on inet connection fds like "dup", and those get
mistakenly picked up by this macro, as the fd for the event does
happen to be a network connection fd.

This fixes the macro to only match those event types *and* when the fd
is a inet connection fd.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-10-12 17:59:38 +02:00
Tom Keyte
e0f8b81692 Remove duplicate allowed ecr registry rule 
Signed-off-by: Tom Keyte <tom.keyte@onsecurity.co.uk>
 2021-09-17 11:12:54 +02:00
Alberto Pellitteri
874809351f rules(list https_miner_domains): fix typo in the list 
Co-authored-by: darryk10 <stefano.chierici@sysdig.com>
Signed-off-by: Alberto Pellitteri <albertopellitteri96@gmail.com>
 2021-09-17 09:16:54 +02:00
Alberto Pellitteri
4527228ef8 rules(list https_miner_domains): add new miner domains 
Signed-off-by: Alberto Pellitteri <albertopellitteri96@gmail.com>
Co-authored-by: darryk10 <stefano.chierici@sysdig.com>
 2021-09-17 09:16:54 +02:00
Alberto Pellitteri
e684c95e23 rules(list miner_domains): add new miner domains 
Signed-off-by: Alberto Pellitteri <albertopellitteri96@gmail.com>
Co-authored-by: darryk10 <stefano.chierici@sysdig.com>
 2021-09-17 09:16:54 +02:00
Leonardo Di Donato
d6690313a0 update(rules): bump the required engine version to version 9 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
98ce88f7ef chore(rules): imporve name of the list for userfaultfd exceptions 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
9ff8099501 update(userspace/engine): bump falco engine version 
Co-authored-by: Kaizhe Huang <derek0405@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
7db4778f55 update(rules): introducing list user_known_userfaultfd_activities to exclude processes known to use userfaultfd syscall 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
7f761ade4b update(rules): introducing the macro consider_userfaultfd_activities to act as a gate 
Co-authored-by: Kaizhe Huang <derek0405@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
84257912e0 update(rules): tag rule as syscall 
Co-authored-by: Kaizhe Huang <derek0405@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
9bc942c654 new(rules): detect unprivileged (successful) userfaultfd syscalls 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
8216b435cb update(rules): adding container info to the output of the Lryke detecting kernel module injections from containers 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Lorenzo Fontana
0f24448d18 rules(list miner_domains): add rx.unmineable.com for anti-miner detection 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-06-17 09:59:25 +02:00
Kaizhe Huang
b268d4d6c3 rule update(Non sudo setuid): check user id as well in case user name info is not available 
Signed-off-by: Kaizhe Huang <khuang@aurora.tech>
 2021-06-10 13:44:05 +02:00
Kaizhe Huang
ad82f66be3 rules update(Change thread namespace and Set Setuid or Setgid bit): disable by default 
Signed-off-by: Kaizhe Huang <derek0405@gmail.com>
 2021-06-07 12:17:21 +02:00