Commit Graph

698 Commits

Author SHA1 Message Date
Jason Dellaluce
0ca7fe29fa new: add falcosecurity/rules submodule
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2023-01-21 17:58:08 +01:00
Jason Dellaluce
aafbbdb31f refactor: remove rules directory as moved to another repo
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2023-01-21 17:58:08 +01:00
Oscar Utbult
b17d513251 rules: use list of Falco containers instead of repeating them
Signed-off-by: Oscar Utbult <oscar.utbult@gmail.com>
2022-12-16 12:56:23 +01:00
Alberto Pellitteri
d9a9fdf577 Rule: detecting executions from /dev/shm
Signed-off-by: Alberto Pellitteri <albertopellitteri96@gmail.com>
2022-12-16 11:33:23 +01:00
Alberto Pellitteri
68b87a6f13 Rule: detecting executions looking for AWS credentials
Signed-off-by: Alberto Pellitteri <albertopellitteri96@gmail.com>
Co-authored-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
2022-12-16 10:42:23 +01:00
Melissa Kilby
6afe9d9200 update(rules): ehanced rules tagging for inventory / threat modeling
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2022-12-15 16:46:20 +01:00
Oscar Utbult
f43e6c445a rules: add OpenSSH private key to macro private_key_or_password
Signed-off-by: Oscar Utbult <oscar.utbult@gmail.com>
2022-12-15 13:36:18 +01:00
Nicolas-Peiffer
1f15af1e4f feat: Support for detecting outbound connection to c2 servers with FQDN domains and IP addresses.
Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

feat: Support for detecting outbound connection to c2 servers with FQDN domains and IP addresses.

doc: add comment

Fixing DCO append amend

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

Revert to original C2 rule name

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

modify comments on C2 rule

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

comment

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

clean comments

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

clean comments

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>

modify stdout

Signed-off-by: thedetective <nicolas@lrasc.fr>
2022-12-15 13:27:18 +01:00
Lorenzo Susini
ecc1853d60 update(rule): improve insmod detection within container using CAP_SYS_MODULE
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
2022-12-01 11:17:50 +01:00
vin01
234026e14b rule(macro rpm_procs): let salt-call write to rpm database
Signed-off-by: vin01 <vinc.i@protonmail.ch>
2022-11-30 19:20:47 +01:00
vin01
d03826379b rule(Read sensitive file untrusted): let salt-call read sensitive files
Signed-off-by: vin01 <vinc.i@protonmail.ch>
2022-11-30 19:20:47 +01:00
Alessandro Brucato
3697d1fae2 Fixed typo
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
2022-11-30 19:12:47 +01:00
Alessandro Brucato
e76c31b493 Added PTRACE_SEIZE, PTRACE_POKETEXT, PTRACE_POKEDATA, PTRACE_SETREGS and whitelist macro
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
2022-11-30 19:12:47 +01:00
Alessandro Brucato
d95e36b526 Rule: PTRACE attached to process
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
2022-11-30 19:12:47 +01:00
Jason Dellaluce
32ec3240b4 fix(rules): add falco no-driver images to k8s_containers macro
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-06 15:44:10 +02:00
spyder-kyle
38c823533c Add PIDs to falco_rules.yaml rules
Signed-off-by: Kyle Smith Hanna <kyle.smithhanna@spyderbat.com>
2022-09-27 10:51:00 +02:00
Hi120ki
30b56d2960 revert and create new known macro
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
2022-09-16 14:24:40 +02:00
Hi120ki
d6b5789b7a add user_known_mount_in_privileged_containers
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
2022-09-16 14:24:40 +02:00
Hi120ki
af4524491d put open_read in the beginning of the rule
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
2022-09-16 14:22:39 +02:00
Hi120ki
36a08aee13 Update rules/falco_rules.yaml to delete enabled field
Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
2022-09-16 14:22:39 +02:00
Hi120ki
39de011751 Update rules/falco_rules.yaml to add argoexec into allowlist
Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
2022-09-16 14:22:39 +02:00
Hi120ki
a83d38c6d7 add allowlist
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
2022-09-16 14:22:39 +02:00
Hi120ki
86c3a9cd69 revert to container
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
2022-09-16 14:22:39 +02:00
Hi120ki
8473706526 add systemd-sysctl to allowlist
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
2022-09-16 14:22:39 +02:00
Hi120ki
4e622fc033 add host to target
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
2022-09-16 14:22:39 +02:00
Hi120ki
16dca8f905 add rule Read environment variable from /proc files
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
2022-09-16 14:22:39 +02:00
Stefano
366bcfd7a3 Added disable by default option to reduce noise
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
2022-09-16 12:44:38 +02:00
Stefano
c844eb9ef3 Added rule to detect CVE-2019-5736
Co-authored-by: wcc526 <wcc526@gmail.com>
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
2022-09-16 12:44:38 +02:00
Melissa Kilby
5dcc329339 chore(rules): change FALCO_ENGINE_VERSION to 13
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2022-09-01 14:45:23 +02:00
Melissa Kilby
721aa30e80 cleanup(rules): cleanup redundant use of always_true macros - 2
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2022-09-01 14:45:23 +02:00
Melissa Kilby
565ddd70d3 cleanup(rules): cleanup rules disabled by default - 4
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2022-09-01 14:45:23 +02:00
Jason Dellaluce
98b8e390a1 chore(rules): fix old url redirection
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-08-29 15:42:33 +02:00
Melissa Kilby
6c12cc655e cleanup(rules): cleanup redundant use of always_true macros
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2022-08-26 11:40:18 +02:00
Melissa Kilby
7387fffcef cleanup(rules): cleanup rules disabled by default - 3
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2022-08-26 11:40:18 +02:00
Melissa Kilby
a6137e9475 update(rules): Directory traversal monitored file read - include failed open attempts w/ new macro open_file_failed
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2022-08-25 21:44:15 +02:00
Melissa Kilby
dd49038b0d cleanup(rules): Directory traversal monitored file read
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2022-08-25 21:44:15 +02:00
Melissa Kilby
6efc5b42f7 new(rules): Directory traversal monitored file read
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2022-08-25 21:44:15 +02:00
Melissa Kilby
0828296abc cleanup(rules): cleanup rules disabled by default - 2
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2022-08-17 10:55:14 +02:00
Melissa Kilby
e9ba5d751f cleanup(rules): cleanup rules disabled by default
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2022-08-05 14:50:28 +02:00
Stefano
b378c3a77d Add darryk10 as rules OWNERS as reviewer
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
2022-07-21 17:42:07 +02:00
Jason Dellaluce
0cab9ba6ed chore(OWNERS): remove duplicates in reviewers
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-07-20 10:39:56 +02:00
Alessandro Brucato
c40d1a5141 Update rules/falco_rules.yaml
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
2022-07-13 11:54:23 +02:00
Alessandro Brucato
409ca4382e Update rules/falco_rules.yaml
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>

Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
2022-07-13 11:54:23 +02:00
Alessandro Brucato
a71a635b7e Update rules/falco_rules.yaml
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>

Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
2022-07-13 11:54:23 +02:00
Alessandro Brucato
07024a2e0f Update rules/falco_rules.yaml
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>

Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
2022-07-13 11:54:23 +02:00
Brucedh
6feeaee0cd Added exception to Launch Privileged Container
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
2022-07-13 11:54:23 +02:00
Ravi Ranjan
c078f7c21d Falco Rules/Conditions Updates
Signed-off-by: Ravi Ranjan <ravi.ranjan@elastisys.com>
2022-07-12 12:08:38 +02:00
Leonardo Grasso
b6245d77c7 update(rules): lower priority to noisy rule (after the dup improvement)
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2022-06-23 18:12:24 +02:00
Aldo Lacuku
d90421387f update(rules): add macro for dup syscalls
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
2022-06-23 10:06:13 +02:00
Aldo Lacuku
07b4d5a47a fix(rules): use exit event in reverse shell detection rule
In some cases the rule is not triggered when a reverse shell is spawned.
That's because in the rule we are checking that the file descriptor passed
as argument to the dup functions is of type socket and its fd number is "0, 1, or 2"
and the event direction is "enter".
The following event does not trigger the rule: dup2(socket_fd, STDIN_FILENO);
But using the exit event the rule is triggered.

Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
2022-06-23 10:06:13 +02:00