github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-19 17:16:53 +00:00
Code Issues Projects Releases Wiki Activity
4,906 Commits 119 Branches 173 Tags 104 MiB
new/add_mimalloc
Commit Graph

698 Commits

Author SHA1 Message Date
Kaizhe Huang
8a1f43f284 remove kaizhe from falco rule owner 
Signed-off-by: Kaizhe Huang <khuang@aurora.tech>
 2022-06-22 22:16:21 -05:00
joon
625201f9f6 Add Java compatibility note 
Signed-off-by: joon <pirxthepilot@users.noreply.github.com>
 2022-06-14 17:01:12 +02:00
joon
583ac4192c rule(Java Process Class Download): detect potential successful log4shell exploitation 
Signed-off-by: joon <pirxthepilot@users.noreply.github.com>
 2022-06-14 17:01:12 +02:00
stephanmiehe
c782655a53 Fix rule linting 
Signed-off-by: Stephan Miehe <stephanmiehe@github.com>
 2022-06-10 13:58:42 +02:00
Matan Monitz
9f163f3fe0 Update rules/falco_rules.yaml 
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Matan Monitz <mmonitz@gmail.com>
 2022-05-28 10:13:30 +02:00
Matan Monitz
4c95c717d2 known_shell_spawn_cmdlines - lighttpd 
Signed-off-by: Matan Monitz <mmonitz@gmail.com>
 2022-05-28 10:13:30 +02:00
beryxz
54a2f7bdaa rule(macro net_miner_pool): additional syscall for detection 
Signed-off-by: beryxz <coppi.lore@gmail.com>
 2022-05-28 09:29:30 +02:00
Brad Clark
9d41b0a151 use endswith ash_history to catch both bash and ash 
Signed-off-by: Brad Clark <bdashrad@gmail.com>
 2022-05-14 07:55:29 +02:00
Brad Clark
b9bcf79035 rule(macro truncate_shell_history): include .ash_history 
Signed-off-by: Brad Clark <bdashrad@gmail.com>
 2022-05-14 07:55:29 +02:00
Brad Clark
3cca4c23cc rule(macro modify_shell_history): include .ash_history 
Signed-off-by: Brad Clark <bdashrad@gmail.com>
 2022-05-14 07:55:29 +02:00
Leonardo Grasso
d4f76f1f93 update!: moving out plugins ruleset files 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-05-12 18:28:34 +02:00
Leonardo Grasso
65de03aa29 update(rules): remove plugins ruleset files 
Plugins' rules files now lives in their repositories. See https://github.com/falcosecurity/plugins/pull/98

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-05-12 18:28:34 +02:00
Stefano
3e603188d4 Changed field in thread.cap_effective 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-05-12 14:42:34 +02:00
Stefano
c3bcf604a5 Changed Rule focus to be broader then just a specific CVE 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-05-12 14:42:34 +02:00
Stefano
2e2b13236b Fixed CVE number 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-05-12 14:42:34 +02:00
Stefano
24bd1abc43 Added new rule for CVE-2022-4092 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-05-12 14:42:34 +02:00
Sebastien Le Digabel
2bc4fec33c rule(Anonymous Request Allowed): exclude {/livez, /readyz} 
Fixes #1794.

/livez and /readyz don't require authentication and can generate a lot
of noise if the cluster is checked by an anonymous external
system.

Some k8s systems have those endpoints required to be anonymous, as per this
[link to an OpenShift
setup](http://static.open-scap.org/ssg-guides/ssg-ocp4-guide-cis.html#xccdf_org.ssgproject.content_rule_api_server_anonymous_auth).

Signed-off-by: Sebastien Le Digabel <sledigabel@gmail.com>
 2022-05-04 13:04:29 +02:00
Jason Dellaluce
67d2fe45a5 refactor: add k8saudit plugin and adapt config, tests, and rulesets 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-29 20:47:19 +02:00
Lorenzo Susini
9fb9215dbf new(rule): excessively capable containers 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Co-authored-by: Kaizhe Huang <khuang@aurora.tech>
 2022-04-29 07:35:50 +02:00
Furkan
990a8fd6d5 update(rules): k8s: secret get detection 
Signed-off-by: Furkan <furkan.turkal@trendyol.com>
 2022-04-28 11:33:00 +02:00
Leonardo Grasso
b4d9261ce2 build: define "falco" component 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-04-22 09:41:56 +02:00
Mateusz Gozdek
1fdfbd3a3d Fix more typos 
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
 2022-04-20 12:21:27 +02:00
Clemence Saussez
af96a930eb rules(allowed_kube_namespace_image_list): add container threat detection image 
Signed-off-by: Clemence Saussez <clemence@zen.ly>
 2022-04-15 10:52:58 +02:00
Clemence Saussez
5d65671d3a rules(falco_privileged_images): add container threat detection image 
Signed-off-by: Clemence Saussez <clemence@zen.ly>
 2022-04-15 10:52:58 +02:00
Stefano
d3383b4b23 Fixed ouput Rules K8s Serviceaccount Created/Deleted 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: AlbertoPellitteri <alberto.pellitteri@sysdig.com>
 2022-04-15 10:49:58 +02:00
Stefano
65435d4418 Removed use cases not triggering 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Brucedh <alessandro.brucato@sysdig.com>
Co-authored-by: AlbertoPellitteri <alberto.pellitteri@sysdig.com>
 2022-04-13 10:03:25 +02:00
Lorenzo Susini
4343fe8a8b new(rules/k8s_audit): add rules to detect pods sharing host pid and IPC namespaces 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-04-11 18:29:19 +02:00
Stefano
36bd07d82d Fix spaces 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
 2022-04-01 19:38:40 +02:00
Stefano
bcff88922a Added eks_allowed_k8s_users list to whitelist EKS users 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Alberto Pellitteri <alberto.pellitteri@sysdig.com>
 2022-04-01 19:38:40 +02:00
Stefano
1988f3b0be Disabled by default noisy rules 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
 2022-03-29 17:39:25 +02:00
schie
64f0cefab0 Update rules/okta_rules.yaml 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Thomas Labarussias <issif+github@gadz.org>
 2022-03-29 17:39:25 +02:00
schie
48041a517b Update rules/okta_rules.yaml 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Thomas Labarussias <issif+github@gadz.org>
 2022-03-29 17:39:25 +02:00
Stefano
6a1492a828 Added okta_rules.yaml 
Signed-off-by: darryk10<stefano.chierici@sysdig.com>
 2022-03-29 17:39:25 +02:00
Leonardo Grasso
5023851000 chore(rules): remove leftover 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-03-25 13:02:28 +01:00
Matt Moyer
36acd6dfbf Add user_known_mount_in_privileged_containers 
This adds a new macro `user_known_mount_in_privileged_containers` which
allows the easier user-defined exclusions for the "Mount Launched in
Privileged Container" rule.

This would be cleaner with the exclusions feature, but this feature
is not used in the default ruleset yet, if I understand correctly.

Signed-off-by: Matt Moyer <mmoyer@figma.com>
 2022-03-17 10:50:56 +01:00
Claudio Vellage
4705a92c49 Allow to whitelist config modifiers 
Signed-off-by: Claudio Vellage <claudio.vellage@pm.me>
 2022-03-15 22:32:59 +01:00
Josh Soref
e8aac31890 spelling: themselves 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
9a314d9443 spelling: privileged 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
53c77ea6b5 spelling: https://cryptoioc.ch 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
1306fd6ac1 spelling: hierarchy 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
19ab9e5f35 spelling: expand 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
3646fb6e03 spelling: discretion 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
fa7fab525f spelling: command lines 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
eabd3ad24b spelling: altogether 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
a84adbd231 spelling: allowed 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
pablopez
87c410e49e upgrade macro(keepalived_writing_conf) 
Signed-off-by: pablopez <pablo.lopezzaldivar@sysdig.com>
 2022-02-11 11:36:47 +01:00
schie
b9925577ef Update rules/falco_rules.yaml 
Signed-off-by: darryk10 stefano.chierici@sysdig.com

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2022-02-11 11:28:46 +01:00
Stefano
ae5342c54b Fixed rule condition 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
 2022-02-11 11:28:46 +01:00
Stefano
1324522721 Added new Rule Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) 
Co-authored-by: javery-sysdig <jason.avery@sysdig.com>

Signed-off-by: Stefano <stefano.chierici@sysdig.com>
 2022-02-11 11:28:46 +01:00
rileydakota
7999e33aea Rule Update - Adds npm support 
Adds `npm` to `package_mgmt_binaries` for detection of "living off the land" style attacks that utilize NPM pull down additional tooling

Signed-off-by: rileydakota <dakotariley2@gmail.com>
 2022-02-11 11:27:46 +01:00
m4wh6k
f49a95f334 rule(macro modify_shell_history): Fix missing s on endswith 
Signed-off-by: m4wh6k m4wh6k@users.noreply.github.com
 2022-02-11 11:26:46 +01:00
m4wh6k
9e8687401d fix(macro truncate_shell_history): avoid false positives from .zsh_history.new and .LOCK files 
Signed-off-by: m4wh6k m4wh6k@users.noreply.github.com
 2022-02-11 11:26:46 +01:00
m4wh6k
6ead925f51 fix(macro modify_shell_history): avoid false positives from .zsh_history.new and .LOCK files 
Signed-off-by: m4wh6k <m4wh6k@users.noreply.github.com>
 2022-02-11 11:26:46 +01:00
Mac Chaffee
8a3a4c4d57 rule(maco write_etc_common): Fix false-positive of sssd updating /etc/krb5.keytab 
Signed-off-by: Mac Chaffee <me@macchaffee.com>
 2022-02-11 11:25:47 +01:00
pablopez
5da10a3b89 rule_output(Delete Bucket Public Access Block) typo 
Signed-off-by: pablopez <pablo.lopezzaldivar@sysdig.com>
 2022-02-03 18:23:08 +01:00
Leonardo Grasso
24e7e84153 update(rules): updated aws cloudtrail rule bumping plugins version 
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-01-28 15:33:22 +01:00
Andrea Terzolo
7750b6f209 rule: update Copyright in falco rules 
Signed-off-by: Andrea Terzolo <s276109@studenti.polito.it>
 2022-01-25 18:58:05 +01:00
Andrea Terzolo
8c705448cc rule: add execveat as evt.type for spawned_process macro in falco rules 
Signed-off-by: Andrea Terzolo <s276109@studenti.polito.it>
 2022-01-25 18:58:05 +01:00
Shay Berkovich
6b9fafb75f rule update(Sudo Potential Privilege Escalation): trigger the most common CVE-2021-3156 exploit 
Signed-off-by: Shay Berkovich <sberkovich@blackberry.com>
Co-authored-by: Meera Balsara <mbalsara@blackberry.com>
 2022-01-25 17:54:06 +01:00
Shay Berkovich
fdcd7bffd0 rule update(Detect crypto miners using the Stratum protocol): update protocols 
Signed-off-by: Shay Berkovich <Sberkovich@blackberry.com>
Co-authored-by: Meera Balsara <mbalsara@blackberry.com>
 2022-01-25 17:54:06 +01:00
Shay Berkovich
d989e9c2d5 new(rules): Create Hardlink Over Sensitive Files 
New rule to prevent hardlink bypass and symlink rule set to WARNING for consistency
Signed-off-by: Shay Berkovich <sberkovich@blackberry.com>
Co-authored-by: Meera Balsara <mbalsara@blackberry.com>
 2022-01-25 17:54:06 +01:00
Federico Di Pierro
996ccf555c rule: updated aws_cloudtrail_rules with correct copyright year and required plugin versions. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-01-25 17:50:06 +01:00
Leonardo Di Donato
c705623f9e update(rules): move falco_hostnetwork_images list to k8s audit rules 
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2022-01-24 15:03:12 +01:00
Leo Di Donato
3640871725 update(rules): remove falco_hostnetwork_images list (unused) 
The `falco_hostnetwork_images` list is unused.

This PR removes it to avoid the warning.

```console
When reading rules content: 1 warnings:
list falco_hostnetwork_images not refered to by any rule/macro/list
```

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2022-01-24 15:03:12 +01:00
Andrea Terzolo
18c7b6500d refactor: remove apt-config from debian_packages monitoring 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Co-authored-by: karthikc911 <ckinnovative@gmail.com>
 2022-01-20 11:07:47 +01:00
Lorenzo Susini
6319be8146 update(rules): Add containerd socket to sensitive_mount macro 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2021-12-21 16:53:57 +01:00
Angelo Puglisi
f035829ca2 fix(rules): typo in Create Symlink Over Sensitive Files rule output 
Signed-off-by: Angelo Puglisi <angelopuglisi86@gmail.com>
 2021-12-13 20:05:33 +01:00
Calvin Bui
cd471a78db re-add double empty newline 
Signed-off-by: Calvin Bui <3604363+calvinbui@users.noreply.github.com>
 2021-12-10 10:27:33 +01:00
Calvin Bui
65969c30f9 Add ECR repository to rules 
Signed-off-by: Calvin Bui <3604363+calvinbui@users.noreply.github.com>
 2021-12-10 10:27:33 +01:00
Jason Dellaluce
2a00a4d853 rules: adding support to openat2 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2021-12-06 19:12:14 +01:00
Erick Cheng
205a8fd23b Move wget and curl to own rule 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
bdba37a790 Fix remove scp and add curl 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
19fb3458ef Add wget and curl to remote_file_copy_binaries 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
b0565794f5 Move user_known_ingress_remote_file_copy_activities to outside condition 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
66df790b9d Fix syntax error 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
749d4b4512 Add more curl download checks 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
851033c5f4 Add curl macro 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
af6f3bfeab Move wget and curl to own rule 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
c4d25b1d24 Fix remove scp and add curl 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Erick Cheng
d434853d5f Add wget and curl to remote_file_copy_binaries 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00
Jason Dellaluce
85db078dc4 chore: renaming comment references 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2021-11-18 16:26:18 +01:00
Mark Stemm
69e32f7ed1 Add initial set of Cloudtrail rules 
These rules can be used when combined with the cloudtrail plugin.

They're installed to /etc/falco like the other rules files.

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Co-authored-by: Loris Degioanni <loris@sysdig.com>
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-11-12 18:27:59 +01:00
Sverre Boschman
762500a361 add known k8s service accounts 
Signed-off-by: Sverre Boschman <1142569+sboschman@users.noreply.github.com>
 2021-10-29 10:41:54 +02:00
Sverre Boschman
8563af8a79 reformat known_sa_list 
Signed-off-by: Sverre Boschman <1142569+sboschman@users.noreply.github.com>
 2021-10-29 10:41:54 +02:00
Mark Stemm
3b390793b9 Fix bug in macro that was masked by old evttype checking 
It turns out that the macro inbound_outbound had a logical bug where
joining the beginning and end of the macro with "or" led to the macro
matching all event types by accident.

Most of the time this isn't harmful but it turns out some trace files
will do operations on inet connection fds like "dup", and those get
mistakenly picked up by this macro, as the fd for the event does
happen to be a network connection fd.

This fixes the macro to only match those event types *and* when the fd
is a inet connection fd.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2021-10-12 17:59:38 +02:00
Tom Keyte
e0f8b81692 Remove duplicate allowed ecr registry rule 
Signed-off-by: Tom Keyte <tom.keyte@onsecurity.co.uk>
 2021-09-17 11:12:54 +02:00
Alberto Pellitteri
874809351f rules(list https_miner_domains): fix typo in the list 
Co-authored-by: darryk10 <stefano.chierici@sysdig.com>
Signed-off-by: Alberto Pellitteri <albertopellitteri96@gmail.com>
 2021-09-17 09:16:54 +02:00
Alberto Pellitteri
4527228ef8 rules(list https_miner_domains): add new miner domains 
Signed-off-by: Alberto Pellitteri <albertopellitteri96@gmail.com>
Co-authored-by: darryk10 <stefano.chierici@sysdig.com>
 2021-09-17 09:16:54 +02:00
Alberto Pellitteri
e684c95e23 rules(list miner_domains): add new miner domains 
Signed-off-by: Alberto Pellitteri <albertopellitteri96@gmail.com>
Co-authored-by: darryk10 <stefano.chierici@sysdig.com>
 2021-09-17 09:16:54 +02:00
Leonardo Di Donato
d6690313a0 update(rules): bump the required engine version to version 9 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
98ce88f7ef chore(rules): imporve name of the list for userfaultfd exceptions 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
9ff8099501 update(userspace/engine): bump falco engine version 
Co-authored-by: Kaizhe Huang <derek0405@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
7db4778f55 update(rules): introducing list user_known_userfaultfd_activities to exclude processes known to use userfaultfd syscall 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
7f761ade4b update(rules): introducing the macro consider_userfaultfd_activities to act as a gate 
Co-authored-by: Kaizhe Huang <derek0405@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
84257912e0 update(rules): tag rule as syscall 
Co-authored-by: Kaizhe Huang <derek0405@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
9bc942c654 new(rules): detect unprivileged (successful) userfaultfd syscalls 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Leonardo Di Donato
8216b435cb update(rules): adding container info to the output of the Lryke detecting kernel module injections from containers 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2021-06-23 10:44:03 +02:00
Lorenzo Fontana
0f24448d18 rules(list miner_domains): add rx.unmineable.com for anti-miner detection 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2021-06-17 09:59:25 +02:00
Kaizhe Huang
b268d4d6c3 rule update(Non sudo setuid): check user id as well in case user name info is not available 
Signed-off-by: Kaizhe Huang <khuang@aurora.tech>
 2021-06-10 13:44:05 +02:00
Kaizhe Huang
ad82f66be3 rules update(Change thread namespace and Set Setuid or Setgid bit): disable by default 
Signed-off-by: Kaizhe Huang <derek0405@gmail.com>
 2021-06-07 12:17:21 +02:00