github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-03-18 18:58:41 +00:00
Code Issues Projects Releases Wiki Activity
3,256 Commits 122 Branches 184 Tags
test_falco_bump
Commit Graph

684 Commits

Author SHA1 Message Date
Jason Dellaluce
32ec3240b4 fix(rules): add falco no-driver images to k8s_containers macro 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-06 15:44:10 +02:00
spyder-kyle
38c823533c Add PIDs to falco_rules.yaml rules 
Signed-off-by: Kyle Smith Hanna <kyle.smithhanna@spyderbat.com>
 2022-09-27 10:51:00 +02:00
Hi120ki
30b56d2960 revert and create new known macro 
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:24:40 +02:00
Hi120ki
d6b5789b7a add user_known_mount_in_privileged_containers 
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:24:40 +02:00
Hi120ki
af4524491d put open_read in the beginning of the rule 
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:22:39 +02:00
Hi120ki
36a08aee13 Update rules/falco_rules.yaml to delete enabled field 
Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:22:39 +02:00
Hi120ki
39de011751 Update rules/falco_rules.yaml to add argoexec into allowlist 
Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:22:39 +02:00
Hi120ki
a83d38c6d7 add allowlist 
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:22:39 +02:00
Hi120ki
86c3a9cd69 revert to container 
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:22:39 +02:00
Hi120ki
8473706526 add systemd-sysctl to allowlist 
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:22:39 +02:00
Hi120ki
4e622fc033 add host to target 
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:22:39 +02:00
Hi120ki
16dca8f905 add rule Read environment variable from /proc files 
Signed-off-by: Hi120ki <12624257+hi120ki@users.noreply.github.com>
 2022-09-16 14:22:39 +02:00
Stefano
366bcfd7a3 Added disable by default option to reduce noise 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
 2022-09-16 12:44:38 +02:00
Stefano
c844eb9ef3 Added rule to detect CVE-2019-5736 
Co-authored-by: wcc526 <wcc526@gmail.com>
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
 2022-09-16 12:44:38 +02:00
Melissa Kilby
5dcc329339 chore(rules): change FALCO_ENGINE_VERSION to 13 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-09-01 14:45:23 +02:00
Melissa Kilby
721aa30e80 cleanup(rules): cleanup redundant use of always_true macros - 2 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-09-01 14:45:23 +02:00
Melissa Kilby
565ddd70d3 cleanup(rules): cleanup rules disabled by default - 4 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-09-01 14:45:23 +02:00
Jason Dellaluce
98b8e390a1 chore(rules): fix old url redirection 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-08-29 15:42:33 +02:00
Melissa Kilby
6c12cc655e cleanup(rules): cleanup redundant use of always_true macros 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-08-26 11:40:18 +02:00
Melissa Kilby
7387fffcef cleanup(rules): cleanup rules disabled by default - 3 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-08-26 11:40:18 +02:00
Melissa Kilby
a6137e9475 update(rules): Directory traversal monitored file read - include failed open attempts w/ new macro open_file_failed 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-08-25 21:44:15 +02:00
Melissa Kilby
dd49038b0d cleanup(rules): Directory traversal monitored file read 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-08-25 21:44:15 +02:00
Melissa Kilby
6efc5b42f7 new(rules): Directory traversal monitored file read 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-08-25 21:44:15 +02:00
Melissa Kilby
0828296abc cleanup(rules): cleanup rules disabled by default - 2 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-08-17 10:55:14 +02:00
Melissa Kilby
e9ba5d751f cleanup(rules): cleanup rules disabled by default 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-08-05 14:50:28 +02:00
Stefano
b378c3a77d Add darryk10 as rules OWNERS as reviewer 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
 2022-07-21 17:42:07 +02:00
Jason Dellaluce
0cab9ba6ed chore(OWNERS): remove duplicates in reviewers 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-07-20 10:39:56 +02:00
Alessandro Brucato
c40d1a5141 Update rules/falco_rules.yaml 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
 2022-07-13 11:54:23 +02:00
Alessandro Brucato
409ca4382e Update rules/falco_rules.yaml 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>

Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
 2022-07-13 11:54:23 +02:00
Alessandro Brucato
a71a635b7e Update rules/falco_rules.yaml 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>

Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
 2022-07-13 11:54:23 +02:00
Alessandro Brucato
07024a2e0f Update rules/falco_rules.yaml 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>

Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
 2022-07-13 11:54:23 +02:00
Brucedh
6feeaee0cd Added exception to Launch Privileged Container 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
 2022-07-13 11:54:23 +02:00
Ravi Ranjan
c078f7c21d Falco Rules/Conditions Updates 
Signed-off-by: Ravi Ranjan <ravi.ranjan@elastisys.com>
 2022-07-12 12:08:38 +02:00
Leonardo Grasso
b6245d77c7 update(rules): lower priority to noisy rule (after the dup improvement) 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-06-23 18:12:24 +02:00
Aldo Lacuku
d90421387f update(rules): add macro for dup syscalls 
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-06-23 10:06:13 +02:00
Aldo Lacuku
07b4d5a47a fix(rules): use exit event in reverse shell detection rule 
In some cases the rule is not triggered when a reverse shell is spawned.
That's because in the rule we are checking that the file descriptor passed
as argument to the dup functions is of type socket and its fd number is "0, 1, or 2"
and the event direction is "enter".
The following event does not trigger the rule: dup2(socket_fd, STDIN_FILENO);
But using the exit event the rule is triggered.

Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-06-23 10:06:13 +02:00
Kaizhe Huang
8a1f43f284 remove kaizhe from falco rule owner 
Signed-off-by: Kaizhe Huang <khuang@aurora.tech>
 2022-06-22 22:16:21 -05:00
joon
625201f9f6 Add Java compatibility note 
Signed-off-by: joon <pirxthepilot@users.noreply.github.com>
 2022-06-14 17:01:12 +02:00
joon
583ac4192c rule(Java Process Class Download): detect potential successful log4shell exploitation 
Signed-off-by: joon <pirxthepilot@users.noreply.github.com>
 2022-06-14 17:01:12 +02:00
stephanmiehe
c782655a53 Fix rule linting 
Signed-off-by: Stephan Miehe <stephanmiehe@github.com>
 2022-06-10 13:58:42 +02:00
Matan Monitz
9f163f3fe0 Update rules/falco_rules.yaml 
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Matan Monitz <mmonitz@gmail.com>
 2022-05-28 10:13:30 +02:00
Matan Monitz
4c95c717d2 known_shell_spawn_cmdlines - lighttpd 
Signed-off-by: Matan Monitz <mmonitz@gmail.com>
 2022-05-28 10:13:30 +02:00
beryxz
54a2f7bdaa rule(macro net_miner_pool): additional syscall for detection 
Signed-off-by: beryxz <coppi.lore@gmail.com>
 2022-05-28 09:29:30 +02:00
Brad Clark
9d41b0a151 use endswith ash_history to catch both bash and ash 
Signed-off-by: Brad Clark <bdashrad@gmail.com>
 2022-05-14 07:55:29 +02:00
Brad Clark
b9bcf79035 rule(macro truncate_shell_history): include .ash_history 
Signed-off-by: Brad Clark <bdashrad@gmail.com>
 2022-05-14 07:55:29 +02:00
Brad Clark
3cca4c23cc rule(macro modify_shell_history): include .ash_history 
Signed-off-by: Brad Clark <bdashrad@gmail.com>
 2022-05-14 07:55:29 +02:00
Leonardo Grasso
d4f76f1f93 update!: moving out plugins ruleset files 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-05-12 18:28:34 +02:00
Leonardo Grasso
65de03aa29 update(rules): remove plugins ruleset files 
Plugins' rules files now lives in their repositories. See https://github.com/falcosecurity/plugins/pull/98

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-05-12 18:28:34 +02:00
Stefano
3e603188d4 Changed field in thread.cap_effective 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-05-12 14:42:34 +02:00
Stefano
c3bcf604a5 Changed Rule focus to be broader then just a specific CVE 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-05-12 14:42:34 +02:00