github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-04-09 21:43:12 +00:00
Code Issues Projects Releases Wiki Activity
2,964 Commits 129 Branches 185 Tags
1f2e6d46292bd2e5c433c303ee04bd26673edf21
Commit Graph

559 Commits

Author SHA1 Message Date
Aldo Lacuku
d90421387f update(rules): add macro for dup syscalls 
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-06-23 10:06:13 +02:00
Aldo Lacuku
07b4d5a47a fix(rules): use exit event in reverse shell detection rule 
In some cases the rule is not triggered when a reverse shell is spawned.
That's because in the rule we are checking that the file descriptor passed
as argument to the dup functions is of type socket and its fd number is "0, 1, or 2"
and the event direction is "enter".
The following event does not trigger the rule: dup2(socket_fd, STDIN_FILENO);
But using the exit event the rule is triggered.

Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-06-23 10:06:13 +02:00
joon
625201f9f6 Add Java compatibility note 
Signed-off-by: joon <pirxthepilot@users.noreply.github.com>
 2022-06-14 17:01:12 +02:00
joon
583ac4192c rule(Java Process Class Download): detect potential successful log4shell exploitation 
Signed-off-by: joon <pirxthepilot@users.noreply.github.com>
 2022-06-14 17:01:12 +02:00
stephanmiehe
c782655a53 Fix rule linting 
Signed-off-by: Stephan Miehe <stephanmiehe@github.com>
 2022-06-10 13:58:42 +02:00
Matan Monitz
9f163f3fe0 Update rules/falco_rules.yaml 
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Matan Monitz <mmonitz@gmail.com>
 2022-05-28 10:13:30 +02:00
Matan Monitz
4c95c717d2 known_shell_spawn_cmdlines - lighttpd 
Signed-off-by: Matan Monitz <mmonitz@gmail.com>
 2022-05-28 10:13:30 +02:00
beryxz
54a2f7bdaa rule(macro net_miner_pool): additional syscall for detection 
Signed-off-by: beryxz <coppi.lore@gmail.com>
 2022-05-28 09:29:30 +02:00
Brad Clark
9d41b0a151 use endswith ash_history to catch both bash and ash 
Signed-off-by: Brad Clark <bdashrad@gmail.com>
 2022-05-14 07:55:29 +02:00
Brad Clark
b9bcf79035 rule(macro truncate_shell_history): include .ash_history 
Signed-off-by: Brad Clark <bdashrad@gmail.com>
 2022-05-14 07:55:29 +02:00
Brad Clark
3cca4c23cc rule(macro modify_shell_history): include .ash_history 
Signed-off-by: Brad Clark <bdashrad@gmail.com>
 2022-05-14 07:55:29 +02:00
Stefano
3e603188d4 Changed field in thread.cap_effective 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-05-12 14:42:34 +02:00
Stefano
c3bcf604a5 Changed Rule focus to be broader then just a specific CVE 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-05-12 14:42:34 +02:00
Stefano
2e2b13236b Fixed CVE number 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-05-12 14:42:34 +02:00
Stefano
24bd1abc43 Added new rule for CVE-2022-4092 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-05-12 14:42:34 +02:00
Lorenzo Susini
9fb9215dbf new(rule): excessively capable containers 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Co-authored-by: Kaizhe Huang <khuang@aurora.tech>
 2022-04-29 07:35:50 +02:00
Clemence Saussez
5d65671d3a rules(falco_privileged_images): add container threat detection image 
Signed-off-by: Clemence Saussez <clemence@zen.ly>
 2022-04-15 10:52:58 +02:00
Stefano
65435d4418 Removed use cases not triggering 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Brucedh <alessandro.brucato@sysdig.com>
Co-authored-by: AlbertoPellitteri <alberto.pellitteri@sysdig.com>
 2022-04-13 10:03:25 +02:00
Leonardo Grasso
5023851000 chore(rules): remove leftover 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-03-25 13:02:28 +01:00
Matt Moyer
36acd6dfbf Add user_known_mount_in_privileged_containers 
This adds a new macro `user_known_mount_in_privileged_containers` which
allows the easier user-defined exclusions for the "Mount Launched in
Privileged Container" rule.

This would be cleaner with the exclusions feature, but this feature
is not used in the default ruleset yet, if I understand correctly.

Signed-off-by: Matt Moyer <mmoyer@figma.com>
 2022-03-17 10:50:56 +01:00
Claudio Vellage
4705a92c49 Allow to whitelist config modifiers 
Signed-off-by: Claudio Vellage <claudio.vellage@pm.me>
 2022-03-15 22:32:59 +01:00
Josh Soref
e8aac31890 spelling: themselves 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
9a314d9443 spelling: privileged 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
53c77ea6b5 spelling: https://cryptoioc.ch 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
1306fd6ac1 spelling: hierarchy 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
fa7fab525f spelling: command lines 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
eabd3ad24b spelling: altogether 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
a84adbd231 spelling: allowed 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
pablopez
87c410e49e upgrade macro(keepalived_writing_conf) 
Signed-off-by: pablopez <pablo.lopezzaldivar@sysdig.com>
 2022-02-11 11:36:47 +01:00
schie
b9925577ef Update rules/falco_rules.yaml 
Signed-off-by: darryk10 stefano.chierici@sysdig.com

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2022-02-11 11:28:46 +01:00
Stefano
ae5342c54b Fixed rule condition 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
 2022-02-11 11:28:46 +01:00
Stefano
1324522721 Added new Rule Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) 
Co-authored-by: javery-sysdig <jason.avery@sysdig.com>

Signed-off-by: Stefano <stefano.chierici@sysdig.com>
 2022-02-11 11:28:46 +01:00
rileydakota
7999e33aea Rule Update - Adds npm support 
Adds `npm` to `package_mgmt_binaries` for detection of "living off the land" style attacks that utilize NPM pull down additional tooling

Signed-off-by: rileydakota <dakotariley2@gmail.com>
 2022-02-11 11:27:46 +01:00
m4wh6k
f49a95f334 rule(macro modify_shell_history): Fix missing s on endswith 
Signed-off-by: m4wh6k m4wh6k@users.noreply.github.com
 2022-02-11 11:26:46 +01:00
m4wh6k
9e8687401d fix(macro truncate_shell_history): avoid false positives from .zsh_history.new and .LOCK files 
Signed-off-by: m4wh6k m4wh6k@users.noreply.github.com
 2022-02-11 11:26:46 +01:00
m4wh6k
6ead925f51 fix(macro modify_shell_history): avoid false positives from .zsh_history.new and .LOCK files 
Signed-off-by: m4wh6k <m4wh6k@users.noreply.github.com>
 2022-02-11 11:26:46 +01:00
Mac Chaffee
8a3a4c4d57 rule(maco write_etc_common): Fix false-positive of sssd updating /etc/krb5.keytab 
Signed-off-by: Mac Chaffee <me@macchaffee.com>
 2022-02-11 11:25:47 +01:00
Andrea Terzolo
7750b6f209 rule: update Copyright in falco rules 
Signed-off-by: Andrea Terzolo <s276109@studenti.polito.it>
 2022-01-25 18:58:05 +01:00
Andrea Terzolo
8c705448cc rule: add execveat as evt.type for spawned_process macro in falco rules 
Signed-off-by: Andrea Terzolo <s276109@studenti.polito.it>
 2022-01-25 18:58:05 +01:00
Shay Berkovich
6b9fafb75f rule update(Sudo Potential Privilege Escalation): trigger the most common CVE-2021-3156 exploit 
Signed-off-by: Shay Berkovich <sberkovich@blackberry.com>
Co-authored-by: Meera Balsara <mbalsara@blackberry.com>
 2022-01-25 17:54:06 +01:00
Shay Berkovich
fdcd7bffd0 rule update(Detect crypto miners using the Stratum protocol): update protocols 
Signed-off-by: Shay Berkovich <Sberkovich@blackberry.com>
Co-authored-by: Meera Balsara <mbalsara@blackberry.com>
 2022-01-25 17:54:06 +01:00
Shay Berkovich
d989e9c2d5 new(rules): Create Hardlink Over Sensitive Files 
New rule to prevent hardlink bypass and symlink rule set to WARNING for consistency
Signed-off-by: Shay Berkovich <sberkovich@blackberry.com>
Co-authored-by: Meera Balsara <mbalsara@blackberry.com>
 2022-01-25 17:54:06 +01:00
Leo Di Donato
3640871725 update(rules): remove falco_hostnetwork_images list (unused) 
The `falco_hostnetwork_images` list is unused.

This PR removes it to avoid the warning.

```console
When reading rules content: 1 warnings:
list falco_hostnetwork_images not refered to by any rule/macro/list
```

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2022-01-24 15:03:12 +01:00
Andrea Terzolo
18c7b6500d refactor: remove apt-config from debian_packages monitoring 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Co-authored-by: karthikc911 <ckinnovative@gmail.com>
 2022-01-20 11:07:47 +01:00
Lorenzo Susini
6319be8146 update(rules): Add containerd socket to sensitive_mount macro 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2021-12-21 16:53:57 +01:00
Angelo Puglisi
f035829ca2 fix(rules): typo in Create Symlink Over Sensitive Files rule output 
Signed-off-by: Angelo Puglisi <angelopuglisi86@gmail.com>
 2021-12-13 20:05:33 +01:00
Calvin Bui
cd471a78db re-add double empty newline 
Signed-off-by: Calvin Bui <3604363+calvinbui@users.noreply.github.com>
 2021-12-10 10:27:33 +01:00
Calvin Bui
65969c30f9 Add ECR repository to rules 
Signed-off-by: Calvin Bui <3604363+calvinbui@users.noreply.github.com>
 2021-12-10 10:27:33 +01:00
Jason Dellaluce
2a00a4d853 rules: adding support to openat2 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2021-12-06 19:12:14 +01:00
Erick Cheng
205a8fd23b Move wget and curl to own rule 
Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
 2021-11-29 17:42:40 +01:00