github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-02-21 06:02:30 +00:00
Code Issues Projects Releases Wiki Activity
3,020 Commits 123 Branches 184 Tags
b759e77fda697d9782aa9004d53680e5a8b798ce
Commit Graph

659 Commits

Author SHA1 Message Date
Stefano
b378c3a77d Add darryk10 as rules OWNERS as reviewer 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
 2022-07-21 17:42:07 +02:00
Jason Dellaluce
0cab9ba6ed chore(OWNERS): remove duplicates in reviewers 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-07-20 10:39:56 +02:00
Alessandro Brucato
c40d1a5141 Update rules/falco_rules.yaml 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
 2022-07-13 11:54:23 +02:00
Alessandro Brucato
409ca4382e Update rules/falco_rules.yaml 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>

Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
 2022-07-13 11:54:23 +02:00
Alessandro Brucato
a71a635b7e Update rules/falco_rules.yaml 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>

Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
 2022-07-13 11:54:23 +02:00
Alessandro Brucato
07024a2e0f Update rules/falco_rules.yaml 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>

Co-authored-by: schie <77834235+darryk10@users.noreply.github.com>
 2022-07-13 11:54:23 +02:00
Brucedh
6feeaee0cd Added exception to Launch Privileged Container 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
 2022-07-13 11:54:23 +02:00
Ravi Ranjan
c078f7c21d Falco Rules/Conditions Updates 
Signed-off-by: Ravi Ranjan <ravi.ranjan@elastisys.com>
 2022-07-12 12:08:38 +02:00
Leonardo Grasso
b6245d77c7 update(rules): lower priority to noisy rule (after the dup improvement) 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-06-23 18:12:24 +02:00
Aldo Lacuku
d90421387f update(rules): add macro for dup syscalls 
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-06-23 10:06:13 +02:00
Aldo Lacuku
07b4d5a47a fix(rules): use exit event in reverse shell detection rule 
In some cases the rule is not triggered when a reverse shell is spawned.
That's because in the rule we are checking that the file descriptor passed
as argument to the dup functions is of type socket and its fd number is "0, 1, or 2"
and the event direction is "enter".
The following event does not trigger the rule: dup2(socket_fd, STDIN_FILENO);
But using the exit event the rule is triggered.

Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-06-23 10:06:13 +02:00
Kaizhe Huang
8a1f43f284 remove kaizhe from falco rule owner 
Signed-off-by: Kaizhe Huang <khuang@aurora.tech>
 2022-06-22 22:16:21 -05:00
joon
625201f9f6 Add Java compatibility note 
Signed-off-by: joon <pirxthepilot@users.noreply.github.com>
 2022-06-14 17:01:12 +02:00
joon
583ac4192c rule(Java Process Class Download): detect potential successful log4shell exploitation 
Signed-off-by: joon <pirxthepilot@users.noreply.github.com>
 2022-06-14 17:01:12 +02:00
stephanmiehe
c782655a53 Fix rule linting 
Signed-off-by: Stephan Miehe <stephanmiehe@github.com>
 2022-06-10 13:58:42 +02:00
Matan Monitz
9f163f3fe0 Update rules/falco_rules.yaml 
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Matan Monitz <mmonitz@gmail.com>
 2022-05-28 10:13:30 +02:00
Matan Monitz
4c95c717d2 known_shell_spawn_cmdlines - lighttpd 
Signed-off-by: Matan Monitz <mmonitz@gmail.com>
 2022-05-28 10:13:30 +02:00
beryxz
54a2f7bdaa rule(macro net_miner_pool): additional syscall for detection 
Signed-off-by: beryxz <coppi.lore@gmail.com>
 2022-05-28 09:29:30 +02:00
Brad Clark
9d41b0a151 use endswith ash_history to catch both bash and ash 
Signed-off-by: Brad Clark <bdashrad@gmail.com>
 2022-05-14 07:55:29 +02:00
Brad Clark
b9bcf79035 rule(macro truncate_shell_history): include .ash_history 
Signed-off-by: Brad Clark <bdashrad@gmail.com>
 2022-05-14 07:55:29 +02:00
Brad Clark
3cca4c23cc rule(macro modify_shell_history): include .ash_history 
Signed-off-by: Brad Clark <bdashrad@gmail.com>
 2022-05-14 07:55:29 +02:00
Leonardo Grasso
d4f76f1f93 update!: moving out plugins ruleset files 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-05-12 18:28:34 +02:00
Leonardo Grasso
65de03aa29 update(rules): remove plugins ruleset files 
Plugins' rules files now lives in their repositories. See https://github.com/falcosecurity/plugins/pull/98

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-05-12 18:28:34 +02:00
Stefano
3e603188d4 Changed field in thread.cap_effective 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-05-12 14:42:34 +02:00
Stefano
c3bcf604a5 Changed Rule focus to be broader then just a specific CVE 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-05-12 14:42:34 +02:00
Stefano
2e2b13236b Fixed CVE number 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-05-12 14:42:34 +02:00
Stefano
24bd1abc43 Added new rule for CVE-2022-4092 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-05-12 14:42:34 +02:00
Sebastien Le Digabel
2bc4fec33c rule(Anonymous Request Allowed): exclude {/livez, /readyz} 
Fixes #1794.

/livez and /readyz don't require authentication and can generate a lot
of noise if the cluster is checked by an anonymous external
system.

Some k8s systems have those endpoints required to be anonymous, as per this
[link to an OpenShift
setup](http://static.open-scap.org/ssg-guides/ssg-ocp4-guide-cis.html#xccdf_org.ssgproject.content_rule_api_server_anonymous_auth).

Signed-off-by: Sebastien Le Digabel <sledigabel@gmail.com>
 2022-05-04 13:04:29 +02:00
Jason Dellaluce
67d2fe45a5 refactor: add k8saudit plugin and adapt config, tests, and rulesets 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-04-29 20:47:19 +02:00
Lorenzo Susini
9fb9215dbf new(rule): excessively capable containers 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Co-authored-by: Kaizhe Huang <khuang@aurora.tech>
 2022-04-29 07:35:50 +02:00
Furkan
990a8fd6d5 update(rules): k8s: secret get detection 
Signed-off-by: Furkan <furkan.turkal@trendyol.com>
 2022-04-28 11:33:00 +02:00
Leonardo Grasso
b4d9261ce2 build: define "falco" component 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-04-22 09:41:56 +02:00
Mateusz Gozdek
1fdfbd3a3d Fix more typos 
Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
 2022-04-20 12:21:27 +02:00
Clemence Saussez
af96a930eb rules(allowed_kube_namespace_image_list): add container threat detection image 
Signed-off-by: Clemence Saussez <clemence@zen.ly>
 2022-04-15 10:52:58 +02:00
Clemence Saussez
5d65671d3a rules(falco_privileged_images): add container threat detection image 
Signed-off-by: Clemence Saussez <clemence@zen.ly>
 2022-04-15 10:52:58 +02:00
Stefano
d3383b4b23 Fixed ouput Rules K8s Serviceaccount Created/Deleted 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: AlbertoPellitteri <alberto.pellitteri@sysdig.com>
 2022-04-15 10:49:58 +02:00
Stefano
65435d4418 Removed use cases not triggering 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Brucedh <alessandro.brucato@sysdig.com>
Co-authored-by: AlbertoPellitteri <alberto.pellitteri@sysdig.com>
 2022-04-13 10:03:25 +02:00
Lorenzo Susini
4343fe8a8b new(rules/k8s_audit): add rules to detect pods sharing host pid and IPC namespaces 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-04-11 18:29:19 +02:00
Stefano
36bd07d82d Fix spaces 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
 2022-04-01 19:38:40 +02:00
Stefano
bcff88922a Added eks_allowed_k8s_users list to whitelist EKS users 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Alberto Pellitteri <alberto.pellitteri@sysdig.com>
 2022-04-01 19:38:40 +02:00
Stefano
1988f3b0be Disabled by default noisy rules 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
 2022-03-29 17:39:25 +02:00
schie
64f0cefab0 Update rules/okta_rules.yaml 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Thomas Labarussias <issif+github@gadz.org>
 2022-03-29 17:39:25 +02:00
schie
48041a517b Update rules/okta_rules.yaml 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Thomas Labarussias <issif+github@gadz.org>
 2022-03-29 17:39:25 +02:00
Stefano
6a1492a828 Added okta_rules.yaml 
Signed-off-by: darryk10<stefano.chierici@sysdig.com>
 2022-03-29 17:39:25 +02:00
Leonardo Grasso
5023851000 chore(rules): remove leftover 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-03-25 13:02:28 +01:00
Matt Moyer
36acd6dfbf Add user_known_mount_in_privileged_containers 
This adds a new macro `user_known_mount_in_privileged_containers` which
allows the easier user-defined exclusions for the "Mount Launched in
Privileged Container" rule.

This would be cleaner with the exclusions feature, but this feature
is not used in the default ruleset yet, if I understand correctly.

Signed-off-by: Matt Moyer <mmoyer@figma.com>
 2022-03-17 10:50:56 +01:00
Claudio Vellage
4705a92c49 Allow to whitelist config modifiers 
Signed-off-by: Claudio Vellage <claudio.vellage@pm.me>
 2022-03-15 22:32:59 +01:00
Josh Soref
e8aac31890 spelling: themselves 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
9a314d9443 spelling: privileged 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00
Josh Soref
53c77ea6b5 spelling: https://cryptoioc.ch 
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
 2022-03-01 16:30:24 +01:00