Jason Dellaluce
0ca7fe29fa
new: add falcosecurity/rules submodule
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2023-01-21 17:58:08 +01:00
Jason Dellaluce
aafbbdb31f
refactor: remove rules directory as moved to another repo
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2023-01-21 17:58:08 +01:00
Oscar Utbult
b17d513251
rules: use list of Falco containers instead of repeating them
...
Signed-off-by: Oscar Utbult <oscar.utbult@gmail.com>
2022-12-16 12:56:23 +01:00
Alberto Pellitteri
d9a9fdf577
Rule: detecting executions from /dev/shm
...
Signed-off-by: Alberto Pellitteri <albertopellitteri96@gmail.com>
2022-12-16 11:33:23 +01:00
Alberto Pellitteri
68b87a6f13
Rule: detecting executions looking for AWS credentials
...
Signed-off-by: Alberto Pellitteri <albertopellitteri96@gmail.com>
Co-authored-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
2022-12-16 10:42:23 +01:00
Melissa Kilby
6afe9d9200
update(rules): enhanced rules tagging for inventory / threat modeling
...
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2022-12-15 16:46:20 +01:00
Oscar Utbult
f43e6c445a
rules: add OpenSSH private key to macro private_key_or_password
...
Signed-off-by: Oscar Utbult <oscar.utbult@gmail.com>
2022-12-15 13:36:18 +01:00
Nicolas-Peiffer
1f15af1e4f
feat: Support for detecting outbound connection to c2 servers with FQDN domains and IP addresses.
...
Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>
feat: Support for detecting outbound connection to c2 servers with FQDN domains and IP addresses.
doc: add comment
Fixing DCO append amend
Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>
Revert to original C2 rule name
Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>
modify comments on C2 rule
Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>
comment
Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>
clean comments
Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>
clean comments
Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>
modify stdout
Signed-off-by: thedetective <nicolas@lrasc.fr>
2022-12-15 13:27:18 +01:00
Lorenzo Susini
ecc1853d60
update(rule): improve insmod detection within container using CAP_SYS_MODULE
...
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
2022-12-01 11:17:50 +01:00
vin01
234026e14b
rule(macro rpm_procs): let salt-call write to rpm database
...
Signed-off-by: vin01 <vinc.i@protonmail.ch>
2022-11-30 19:20:47 +01:00
vin01
d03826379b
rule(Read sensitive file untrusted): let salt-call read sensitive files
...
Signed-off-by: vin01 <vinc.i@protonmail.ch>
2022-11-30 19:20:47 +01:00
Alessandro Brucato
3697d1fae2
Fixed typo
...
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
2022-11-30 19:12:47 +01:00
Alessandro Brucato
e76c31b493
Added PTRACE_SEIZE, PTRACE_POKETEXT, PTRACE_POKEDATA, PTRACE_SETREGS and whitelist macro
...
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
2022-11-30 19:12:47 +01:00
Alessandro Brucato
d95e36b526
Rule: PTRACE attached to process
...
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
2022-11-30 19:12:47 +01:00
Jason Dellaluce
32ec3240b4
fix(rules): add falco no-driver images to k8s_containers macro
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-06 15:44:10 +02:00
spyder-kyle
38c823533c
Add PIDs to falco_rules.yaml rules
...
Signed-off-by: Kyle Smith Hanna <kyle.smithhanna@spyderbat.com>
2022-09-27 10:51:00 +02:00
Hi120ki
30b56d2960
revert and create new known macro
...
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
2022-09-16 14:24:40 +02:00
Hi120ki
d6b5789b7a
add user_known_mount_in_privileged_containers
...
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
2022-09-16 14:24:40 +02:00
Hi120ki
af4524491d
put open_read in the beginning of the rule
...
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
2022-09-16 14:22:39 +02:00
Hi120ki
36a08aee13
Update rules/falco_rules.yaml to delete enabled field
...
Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
2022-09-16 14:22:39 +02:00
Hi120ki
39de011751
Update rules/falco_rules.yaml to add argoexec into allowlist
...
Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
2022-09-16 14:22:39 +02:00
Hi120ki
a83d38c6d7
add allowlist
...
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
2022-09-16 14:22:39 +02:00
Hi120ki
86c3a9cd69
revert to container
...
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
2022-09-16 14:22:39 +02:00
Hi120ki
8473706526
add systemd-sysctl to allowlist
...
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
2022-09-16 14:22:39 +02:00
Hi120ki
4e622fc033
add host to target
...
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
2022-09-16 14:22:39 +02:00
Hi120ki
16dca8f905
add rule Read environment variable from /proc files
...
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
2022-09-16 14:22:39 +02:00
Stefano
366bcfd7a3
Added disable by default option to reduce noise
...
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
2022-09-16 12:44:38 +02:00
Stefano
c844eb9ef3
Added rule to detect CVE-2019-5736
...
Co-authored-by: wcc526 <wcc526@gmail.com>
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
2022-09-16 12:44:38 +02:00
Melissa Kilby
5dcc329339
chore(rules): change FALCO_ENGINE_VERSION to 13
...
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2022-09-01 14:45:23 +02:00
Melissa Kilby
721aa30e80
cleanup(rules): cleanup redundant use of always_true macros - 2
...
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2022-09-01 14:45:23 +02:00
Melissa Kilby
565ddd70d3
cleanup(rules): cleanup rules disabled by default - 4
...
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2022-09-01 14:45:23 +02:00
Jason Dellaluce
98b8e390a1
chore(rules): fix old url redirection
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-08-29 15:42:33 +02:00
Melissa Kilby
6c12cc655e
cleanup(rules): cleanup redundant use of always_true macros
...
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2022-08-26 11:40:18 +02:00
Melissa Kilby
7387fffcef
cleanup(rules): cleanup rules disabled by default - 3
...
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2022-08-26 11:40:18 +02:00
Melissa Kilby
a6137e9475
update(rules): Directory traversal monitored file read - include failed open attempts w/ new macro open_file_failed
...
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2022-08-25 21:44:15 +02:00
Melissa Kilby
dd49038b0d
cleanup(rules): Directory traversal monitored file read
...
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2022-08-25 21:44:15 +02:00
Melissa Kilby
6efc5b42f7
new(rules): Directory traversal monitored file read
...
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2022-08-25 21:44:15 +02:00
Melissa Kilby
0828296abc
cleanup(rules): cleanup rules disabled by default - 2
...
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2022-08-17 10:55:14 +02:00
Melissa Kilby
e9ba5d751f
cleanup(rules): cleanup rules disabled by default
...
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2022-08-05 14:50:28 +02:00
Stefano
b378c3a77d
Add darryk10 as rules OWNERS as reviewer
...
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
2022-07-21 17:42:07 +02:00
Jason Dellaluce
0cab9ba6ed
chore(OWNERS): remove duplicates in reviewers
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-07-20 10:39:56 +02:00
Alessandro Brucato
c40d1a5141
Update rules/falco_rules.yaml
...
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
2022-07-13 11:54:23 +02:00
Alessandro Brucato
409ca4382e
Update rules/falco_rules.yaml
...
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
2022-07-13 11:54:23 +02:00
Alessandro Brucato
a71a635b7e
Update rules/falco_rules.yaml
...
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
2022-07-13 11:54:23 +02:00
Alessandro Brucato
07024a2e0f
Update rules/falco_rules.yaml
...
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
2022-07-13 11:54:23 +02:00
Brucedh
6feeaee0cd
Added exception to Launch Privileged Container
...
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
2022-07-13 11:54:23 +02:00
Ravi Ranjan
c078f7c21d
Falco Rules/Conditions Updates
...
Signed-off-by: Ravi Ranjan <ravi.ranjan@elastisys.com>
2022-07-12 12:08:38 +02:00
Leonardo Grasso
b6245d77c7
update(rules): lower priority to noisy rule (after the dup improvement)
...
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2022-06-23 18:12:24 +02:00
Aldo Lacuku
d90421387f
update(rules): add macro for dup syscalls
...
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
2022-06-23 10:06:13 +02:00
Aldo Lacuku
07b4d5a47a
fix(rules): use exit event in reverse shell detection rule
...
In some cases the rule is not triggered when a reverse shell is spawned.
That's because in the rule we are checking that the file descriptor passed
as argument to the dup functions is of type socket and its fd number is "0, 1, or 2"
and the event direction is "enter".
The following event does not trigger the rule: dup2(socket_fd, STDIN_FILENO);
But using the exit event the rule is triggered.
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
2022-06-23 10:06:13 +02:00