mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-21 19:44:57 +00:00
f7893fbd14
The trace file traces-positive/run-shell-untrusted.scap has an old execve event number (PPME_SYSCALL_EXECVE_18), which was replaced by PPME_SYSCALL_EXECVE_19 in 2018. Given the changes in https://github.com/falcosecurity/libs/pull/94, these events are now skipped. So change the test to note that *no* events will be detected. As a bit of context, event numbers won't be changing any longer--a change around the same time 298fbde8029020ce3fbddd07e2910b59cc402b8b allowed for extending existing events to add new parameters instead of having to define a new event number just to add a new parameter. So the notion of "old events" should not exist for any event created after mid-to-late 2018. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
167 lines
4.7 KiB
YAML
167 lines
4.7 KiB
YAML
#
|
|
# Copyright (C) 2020 The Falco Authors.
|
|
#
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
#
|
|
has_json_output: !mux
|
|
yes:
|
|
json_output: True
|
|
no:
|
|
json_output: False
|
|
|
|
traces: !mux
|
|
change-thread-namespace:
|
|
trace_file: traces-positive/change-thread-namespace.scap
|
|
detect: False
|
|
detect_level: NOTICE
|
|
detect_counts:
|
|
- "Change thread namespace": 0
|
|
|
|
container-privileged:
|
|
trace_file: traces-positive/container-privileged.scap
|
|
detect: True
|
|
detect_level: INFO
|
|
detect_counts:
|
|
- "Launch Privileged Container": 3
|
|
|
|
container-sensitive-mount:
|
|
trace_file: traces-positive/container-sensitive-mount.scap
|
|
detect: True
|
|
detect_level: INFO
|
|
detect_counts:
|
|
- "Launch Sensitive Mount Container": 3
|
|
|
|
create-files-below-dev:
|
|
trace_file: traces-positive/create-files-below-dev.scap
|
|
detect: True
|
|
detect_level: ERROR
|
|
detect_counts:
|
|
- "Create files below dev": 1
|
|
|
|
db-program-spawned-process:
|
|
trace_file: traces-positive/db-program-spawned-process.scap
|
|
detect: True
|
|
detect_level: NOTICE
|
|
detect_counts:
|
|
- "DB program spawned process": 1
|
|
|
|
falco-event-generator:
|
|
trace_file: traces-positive/falco-event-generator.scap
|
|
detect: True
|
|
detect_level: [ERROR, WARNING, INFO, NOTICE, DEBUG]
|
|
detect_counts:
|
|
- "Write below binary dir": 1
|
|
- "Read sensitive file untrusted": 3
|
|
- "Run shell untrusted": 1
|
|
- "Write below rpm database": 1
|
|
- "Write below etc": 1
|
|
- "System procs network activity": 1
|
|
- "Mkdir binary dirs": 1
|
|
- "System user interactive": 1
|
|
- "DB program spawned process": 1
|
|
- "Non sudo setuid": 1
|
|
- "Create files below dev": 1
|
|
- "Modify binary dirs": 2
|
|
- "Change thread namespace": 0
|
|
|
|
mkdir-binary-dirs:
|
|
trace_file: traces-positive/mkdir-binary-dirs.scap
|
|
detect: True
|
|
detect_level: ERROR
|
|
detect_counts:
|
|
- "Mkdir binary dirs": 1
|
|
|
|
modify-binary-dirs:
|
|
trace_file: traces-positive/modify-binary-dirs.scap
|
|
detect: True
|
|
detect_level: ERROR
|
|
detect_counts:
|
|
- "Modify binary dirs": 1
|
|
|
|
non-sudo-setuid:
|
|
trace_file: traces-positive/non-sudo-setuid.scap
|
|
detect: True
|
|
detect_level: NOTICE
|
|
detect_counts:
|
|
- "Non sudo setuid": 1
|
|
|
|
read-sensitive-file-after-startup:
|
|
trace_file: traces-positive/read-sensitive-file-after-startup.scap
|
|
detect: True
|
|
detect_level: WARNING
|
|
detect_counts:
|
|
- "Read sensitive file untrusted": 1
|
|
- "Read sensitive file trusted after startup": 1
|
|
|
|
read-sensitive-file-untrusted:
|
|
trace_file: traces-positive/read-sensitive-file-untrusted.scap
|
|
detect: True
|
|
detect_level: WARNING
|
|
detect_counts:
|
|
- "Read sensitive file untrusted": 1
|
|
|
|
# This should *not* generate any falco alerts as of the changes in
|
|
# https://github.com/falcosecurity/libs/pull/94--the execve event in
|
|
# this trace file is PPME_SYSCALL_EXECVE_18, which was deprecated by
|
|
# PPME_SYSCALL_EXECVE_19 in 2018.
|
|
#
|
|
# This activity in this trace file overlaps with the activity in
|
|
# falco-event-generator.scap so the rule is still being tested.
|
|
run-shell-untrusted:
|
|
trace_file: traces-positive/run-shell-untrusted.scap
|
|
detect: False
|
|
detect_level: DEBUG
|
|
|
|
system-binaries-network-activity:
|
|
trace_file: traces-positive/system-binaries-network-activity.scap
|
|
detect: True
|
|
detect_level: NOTICE
|
|
detect_counts:
|
|
- "System procs network activity": 1
|
|
|
|
system-user-interactive:
|
|
trace_file: traces-positive/system-user-interactive.scap
|
|
detect: True
|
|
detect_level: INFO
|
|
detect_counts:
|
|
- "System user interactive": 1
|
|
|
|
user-mgmt-binaries:
|
|
trace_file: traces-positive/user-mgmt-binaries.scap
|
|
detect: True
|
|
detect_level: NOTICE
|
|
detect_counts:
|
|
- "User mgmt binaries": 1
|
|
|
|
write-binary-dir:
|
|
trace_file: traces-positive/write-binary-dir.scap
|
|
detect: True
|
|
detect_level: ERROR
|
|
detect_counts:
|
|
- "Write below binary dir": 4
|
|
|
|
write-etc:
|
|
trace_file: traces-positive/write-etc.scap
|
|
detect: True
|
|
detect_level: ERROR
|
|
detect_counts:
|
|
- "Write below etc": 1
|
|
|
|
write-rpm-database:
|
|
trace_file: traces-positive/write-rpm-database.scap
|
|
detect: True
|
|
detect_level: ERROR
|
|
detect_counts:
|
|
- "Write below rpm database": 1
|