github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-10 05:03:37 +00:00
Code Issues Projects Releases Wiki Activity
4,919 Commits 118 Branches 173 Tags 104 MiB
master
Commit Graph

698 Commits

Author SHA1 Message Date
Jason Dellaluce
0ca7fe29fa new: add falcosecurity/rules submodule 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-21 17:58:08 +01:00
Jason Dellaluce
aafbbdb31f refactor: remove rules directory as moved to another repo 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-21 17:58:08 +01:00
Oscar Utbult
b17d513251 rules: use list of Falco containers instead of repeating them 
Signed-off-by: Oscar Utbult <oscar.utbult@gmail.com>
 2022-12-16 12:56:23 +01:00
Alberto Pellitteri
d9a9fdf577 Rule: detecting executions from /dev/shm 
Signed-off-by: Alberto Pellitteri <albertopellitteri96@gmail.com>
 2022-12-16 11:33:23 +01:00
Alberto Pellitteri
68b87a6f13 Rule: detecting executions looking for AWS credentials 
Signed-off-by: Alberto Pellitteri <albertopellitteri96@gmail.com>
Co-authored-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
 2022-12-16 10:42:23 +01:00
Melissa Kilby
6afe9d9200 update(rules): ehanced rules tagging for inventory / threat modeling 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-12-15 16:46:20 +01:00
Oscar Utbult
f43e6c445a rules: add OpenSSH private key to macro private_key_or_password 
Signed-off-by: Oscar Utbult <oscar.utbult@gmail.com>
 2022-12-15 13:36:18 +01:00
Nicolas-Peiffer
1f15af1e4f feat: Support for detecting outbound connection to c2 servers with FQDN domains and IP addresses. 
Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

feat: Support for detecting outbound connection to c2 servers with FQDN domains and IP addresses.

doc: add comment

Fixing DCO append amend

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

Revert to original C2 rule name

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

modify comments on C2 rule

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

comment

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

clean comments

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

clean comments

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

modify stdout

Signed-off-by: thedetective <nicolas@lrasc.fr>
 2022-12-15 13:27:18 +01:00
Lorenzo Susini
ecc1853d60 update(rule): improve insmod detection within container using CAP_SYS_MODULE 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-12-01 11:17:50 +01:00
vin01
234026e14b rule(macro rpm_procs): let salt-call write to rpm database 
Signed-off-by: vin01 <vinc.i@protonmail.ch>
 2022-11-30 19:20:47 +01:00
vin01
d03826379b rule(Read sensitive file untrusted): let salt-call read sensitive files 
Signed-off-by: vin01 <vinc.i@protonmail.ch>
 2022-11-30 19:20:47 +01:00
Alessandro Brucato
3697d1fae2 Fixed typo 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
 2022-11-30 19:12:47 +01:00
Alessandro Brucato
e76c31b493 Added PTRACE_SEIZE, PTRACE_POKETEXT, PTRACE_POKEDATA, PTRACE_SETREGS and whitelist macro 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
 2022-11-30 19:12:47 +01:00
Alessandro Brucato
d95e36b526 Rule: PTRACE attached to process 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
 2022-11-30 19:12:47 +01:00
Jason Dellaluce
32ec3240b4 fix(rules): add falco no-driver images to k8s_containers macro 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-06 15:44:10 +02:00
spyder-kyle
38c823533c Add PIDs to falco_rules.yaml rules 
Signed-off-by: Kyle Smith Hanna <kyle.smithhanna@spyderbat.com>
 2022-09-27 10:51:00 +02:00
Hi120ki
30b56d2960 revert and create new known macro 
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:24:40 +02:00
Hi120ki
d6b5789b7a add user_known_mount_in_privileged_containers 
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:24:40 +02:00
Hi120ki
af4524491d put open_read in the beginning of the rule 
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:22:39 +02:00
Hi120ki
36a08aee13 Update rules/falco_rules.yaml to delete enabled field 
Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:22:39 +02:00
Hi120ki
39de011751 Update rules/falco_rules.yaml to add argoexec into allowlist 
Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:22:39 +02:00
Hi120ki
a83d38c6d7 add allowlist 
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:22:39 +02:00
Hi120ki
86c3a9cd69 revert to container 
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:22:39 +02:00
Hi120ki
8473706526 add systemd-sysctl to allowlist 
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:22:39 +02:00
Hi120ki
4e622fc033 add host to target 
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:22:39 +02:00
Hi120ki
16dca8f905 add rule Read environment variable from /proc files 
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:22:39 +02:00
Stefano
366bcfd7a3 Added disable by default option to reduce noise 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
 2022-09-16 12:44:38 +02:00
Stefano
c844eb9ef3 Added rule to detect CVE-2019-5736 
Co-authored-by: wcc526 <wcc526@gmail.com>
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
 2022-09-16 12:44:38 +02:00
Melissa Kilby
5dcc329339 chore(rules): change FALCO_ENGINE_VERSION to 13 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-09-01 14:45:23 +02:00
Melissa Kilby
721aa30e80 cleanup(rules): cleanup redundant use of always_true macros - 2 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-09-01 14:45:23 +02:00
Melissa Kilby
565ddd70d3 cleanup(rules): cleanup rules disabled by default - 4 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-09-01 14:45:23 +02:00
Jason Dellaluce
98b8e390a1 chore(rules): fix old url redirection 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-29 15:42:33 +02:00
Melissa Kilby
6c12cc655e cleanup(rules): cleanup redundant use of always_true macros 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-08-26 11:40:18 +02:00
Melissa Kilby
7387fffcef cleanup(rules): cleanup rules disabled by default - 3 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-08-26 11:40:18 +02:00
Melissa Kilby
a6137e9475 update(rules): Directory traversal monitored file read - include failed open attempts w/ new macro open_file_failed 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-08-25 21:44:15 +02:00
Melissa Kilby
dd49038b0d cleanup(rules): Directory traversal monitored file read 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-08-25 21:44:15 +02:00
Melissa Kilby
6efc5b42f7 new(rules): Directory traversal monitored file read 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-08-25 21:44:15 +02:00
Melissa Kilby
0828296abc cleanup(rules): cleanup rules disabled by default - 2 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-08-17 10:55:14 +02:00
Melissa Kilby
e9ba5d751f cleanup(rules): cleanup rules disabled by default 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-08-05 14:50:28 +02:00
Stefano
b378c3a77d Add darryk10 as rules OWNERS as reviewer 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
 2022-07-21 17:42:07 +02:00
Jason Dellaluce
0cab9ba6ed chore(OWNERS): remove duplicates in reviewers 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-07-20 10:39:56 +02:00
Alessandro Brucato
c40d1a5141 Update rules/falco_rules.yaml 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
 2022-07-13 11:54:23 +02:00
Alessandro Brucato
409ca4382e Update rules/falco_rules.yaml 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>

Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
 2022-07-13 11:54:23 +02:00
Alessandro Brucato
a71a635b7e Update rules/falco_rules.yaml 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>

Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
 2022-07-13 11:54:23 +02:00
Alessandro Brucato
07024a2e0f Update rules/falco_rules.yaml 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>

Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
 2022-07-13 11:54:23 +02:00
Brucedh
6feeaee0cd Added exception to Launch Privileged Container 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
 2022-07-13 11:54:23 +02:00
Ravi Ranjan
c078f7c21d Falco Rules/Conditions Updates 
Signed-off-by: Ravi Ranjan <ravi.ranjan@elastisys.com>
 2022-07-12 12:08:38 +02:00
Leonardo Grasso
b6245d77c7 update(rules): lower priority to noisy rule (after the dup improvement) 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-06-23 18:12:24 +02:00
Aldo Lacuku
d90421387f update(rules): add macro for dup syscalls 
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-06-23 10:06:13 +02:00
Aldo Lacuku
07b4d5a47a fix(rules): use exit event in reverse shell detection rule 
In some cases the rule is not triggered when a reverse shell is spawned.
That's because in the rule we are checking that the file descriptor passed
as argument to the dup functions is of type socket and its fd number is "0, 1, or 2"
and the event direction is "enter".
The following event does not trigger the rule: dup2(socket_fd, STDIN_FILENO);
But using the exit event the rule is triggered.

Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-06-23 10:06:13 +02:00