docs: CHANGELOG for Falco 0.29.1 changeset

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>

CHANGELOG.md

@@ -1,5 +1,28 @@
 # Change Log
 
+## v0.29.1
+
+Released on 2021-06-29
+
+### Major Changes
+
+
+### Minor Changes
+
+* update: bump the Falco engine version to version 9 [[#1675](https://github.com/falcosecurity/falco/pull/1675)] - [@leodido](https://github.com/leodido)
+
+### Rule Changes
+
+* rule(list user_known_userfaultfd_processes): list to exclude processes known to use userfaultfd syscall [[#1675](https://github.com/falcosecurity/falco/pull/1675)] - [@leodido](https://github.com/leodido)
+* rule(macro consider_userfaultfd_activities): macro to gate the "Unprivileged Delegation of Page Faults Handling to a Userspace Process" rule [[#1675](https://github.com/falcosecurity/falco/pull/1675)] - [@leodido](https://github.com/leodido)
+* rule(Unprivileged Delegation of Page Faults Handling to a Userspace Process): new rule to detect successful unprivileged userfaultfd syscalls [[#1675](https://github.com/falcosecurity/falco/pull/1675)] - [@leodido](https://github.com/leodido)
+* rule(Linux Kernel Module Injection Detected): adding container info to the output of the rule [[#1675](https://github.com/falcosecurity/falco/pull/1675)] - [@leodido](https://github.com/leodido)
+
+### Non user-facing changes
+
+* docs(release.md): update steps [[#1684](https://github.com/falcosecurity/falco/pull/1684)] - [@maxgio92](https://github.com/maxgio92
+
+
 ## v0.29.0
 
 Released on 2021-06-21

RELEASE.md

@@ -77,6 +77,10 @@ Now assume `x.y.z` is the new version.
     | `docker pull docker.io/falcosecurity/falco-driver-loader:x.y.z`             |
     | `docker pull docker.io/falcosecurity/falco-no-driver:x.y.z`                 |
 
+    <changelog>
+
+    <!-- Substitute <changelog> with the one generated by [rn2md](https://github.com/leodido/rn2md) -->
+
     ### Statistics
 
     | Merged PRs      | Number |
@@ -111,3 +115,4 @@ Announce the new release to the world!
 - Publish a blog on [Falco website](https://github.com/falcosecurity/falco-website) ([example](https://github.com/falcosecurity/falco-website/blob/master/content/en/blog/falco-0-28-1.md))
 - Send an announcement to cncf-falco-dev@lists.cncf.io (plain text, please)
 - Let folks in the slack #falco channel know about a new release came out
+- IFF the on going release introduces a **new minor version**, [archive a snapshot of the Falco website](https://github.com/falcosecurity/falco-website/blob/master/release.md#documentation-versioning)

rules/falco_rules.yaml

@@ -15,10 +15,10 @@
 # limitations under the License.
 #
 
-# The latest Falco Engine version is 8 if you want to
-# use exceptions. However the default rules file does not
-# use them so we stick with 7 for compatibility.
-- required_engine_version: 7
+# The latest Falco Engine version is 9.
+# Starting with version 8, the Falco engine supports exceptions.
+# However the Falco rules file does not use them by default.
+- required_engine_version: 9
 
 # Currently disabled as read/write are ignored syscalls. The nearly
 # similar open_write/open_read check for files being opened for
@@ -1753,13 +1753,13 @@
 - macro: allowed_aws_ecr_registry_root_for_eks
   condition: >
     (container.image.repository startswith "602401143452.dkr.ecr" or
-     container.image.repository startswith "877085696533.dkr.ecr" or 
-     container.image.repository startswith "800184023465.dkr.ecr" or 
-     container.image.repository startswith "602401143452.dkr.ecr" or 
+     container.image.repository startswith "877085696533.dkr.ecr" or
+     container.image.repository startswith "800184023465.dkr.ecr" or
+     container.image.repository startswith "602401143452.dkr.ecr" or
      container.image.repository startswith "918309763551.dkr.ecr" or
-     container.image.repository startswith "961992271922.dkr.ecr" or 
+     container.image.repository startswith "961992271922.dkr.ecr" or
      container.image.repository startswith "590381155156.dkr.ecr" or
-     container.image.repository startswith "558608220178.dkr.ecr" or 
+     container.image.repository startswith "558608220178.dkr.ecr" or
      container.image.repository startswith "151742754352.dkr.ecr" or
      container.image.repository startswith "013241004608.dkr.ecr")
 
@@ -3003,7 +3003,7 @@
 - rule: Linux Kernel Module Injection Detected
   desc: Detect kernel module was injected (from container).
   condition: spawned_process and container and proc.name=insmod and not proc.args in (white_listed_modules)
-  output: Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args)
+  output: Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args %container.info image=%container.image.repository:%container.image.tag)
   priority: WARNING
   tags: [process]
 
@@ -3027,7 +3027,7 @@
 # A privilege escalation to root through heap-based buffer overflow
 - rule: Sudo Potential Privilege Escalation
   desc: Privilege escalation vulnerability affecting sudo (<= 1.9.5p2). Executing sudo using sudoedit -s or sudoedit -i command with command-line argument that ends with a single backslash character from an unprivileged user it's possible to elevate the user privileges to root.
-  condition: spawned_process and user.uid!= 0 and proc.name=sudoedit and (proc.args contains -s or proc.args contains -i) and (proc.args contains "\ " or proc.args endswith \)
+  condition: spawned_process and user.uid != 0 and proc.name=sudoedit and (proc.args contains -s or proc.args contains -i) and (proc.args contains "\ " or proc.args endswith \)
   output: "Detect Sudo Privilege Escalation Exploit (CVE-2021-3156) (user=%user.name parent=%proc.pname cmdline=%proc.cmdline %container.info)"
   priority: CRITICAL
   tags: [filesystem, mitre_privilege_escalation]
@@ -3056,6 +3056,24 @@
   priority: WARNING
   tags: [container, cis, mitre_lateral_movement]
 
+- macro: consider_userfaultfd_activities
+  condition: (always_true)
+
+- list: user_known_userfaultfd_processes
+  items: []
+
+- rule: Unprivileged Delegation of Page Faults Handling to a Userspace Process
+  desc: Detect a successful unprivileged userfaultfd syscall which might act as an attack primitive to exploit other bugs
+  condition: >
+    consider_userfaultfd_activities and
+    evt.type = userfaultfd and
+    user.uid != 0 and
+    (evt.rawres >= 0 or evt.res != -1) and
+    not proc.name in (user_known_userfaultfd_processes)
+  output: An userfaultfd syscall was successfully executed by an unprivileged user (user=%user.name user_loginuid=%user.loginuid process=%proc.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
+  priority: CRITICAL
+  tags: [syscall, mitre_defense_evasion]
+
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.

userspace/engine/falco_engine_version.h

@@ -16,7 +16,7 @@ limitations under the License.
 
 // The version of rules/filter fields/etc supported by this falco
 // engine.
-#define FALCO_ENGINE_VERSION (8)
+#define FALCO_ENGINE_VERSION (9)
 
 // This is the result of running "falco --list -N | sha256sum" and
 // represents the fields supported by this version of falco. It's used