cleanup(rules): initially tag all rules disabled by default w/ maturi…

…ty_sandbox level Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
falcosecurity · Jul 14, 2023 · 49ade64 · 49ade64
1 parent 144820c
commit 49ade64
Showing 1 changed file with 31 additions and 30 deletions.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -15,6 +15,13 @@
 # limitations under the License.
 #
 
+# Information about rules tags and fields can be found here: https://falco.org/docs/rules/#tags-for-current-falco-ruleset
+# The initial item in the `tags` fields reflects the maturity level of the rules introduced upon the proposal https://github.com/falcosecurity/rules/blob/main/proposals/20230605-rules-adoption-management-maturity-framework.md
+# `tags` fields also include information about the type of workload inspection (host and/or container), and Mitre Attack killchain phases and Mitre TTP code(s)
+# Mitre Attack References:
+# [1] https://attack.mitre.org/tactics/enterprise/
+# [2] https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json
+
 # Starting with version 8, the Falco engine supports exceptions.
 # However the Falco rules file does not use them by default.
 - required_engine_version: 17
@@ -27,12 +34,6 @@
 # - macro: read
 #   condition: (syscall.type=read and evt.dir=> and fd.type in (file, directory))
 
-# Information about rules tags and fields can be found here: https://falco.org/docs/rules/#tags-for-current-falco-ruleset
-# `tags` fields also include information about the type of workload inspection, Mitre Attack killchain phases and Mitre TTP code(s)
-# Mitre Attack References:
-# [1] https://attack.mitre.org/tactics/enterprise/
-# [2] https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json
-
 - macro: open_write
   condition: (evt.type in (open,openat,openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0)
 
@@ -382,7 +383,7 @@
   enabled: false
   output: Disallowed SSH Connection (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
   priority: NOTICE
-  tags: [host, container, network, mitre_command_and_control, mitre_lateral_movement, T1021.004]
+  tags: [maturity_sandbox, host, container, network, mitre_command_and_control, mitre_lateral_movement, T1021.004]
 
 # These rules and supporting macros are more of an example for how to
 # use the fd.*ip and fd.*ip.name fields to match connection
@@ -412,7 +413,7 @@
   enabled: false
   output: Disallowed outbound connection destination (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
   priority: NOTICE
-  tags: [host, container, network, mitre_command_and_control, TA0011]
+  tags: [maturity_sandbox, host, container, network, mitre_command_and_control, TA0011]
 
 - list: allowed_inbound_source_ipaddrs
   items: ['"127.0.0.1"']
@@ -433,7 +434,7 @@
   enabled: false
   output: Disallowed inbound connection source (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
   priority: NOTICE
-  tags: [host, container, network, mitre_command_and_control, TA0011]
+  tags: [maturity_sandbox, host, container, network, mitre_command_and_control, TA0011]
 
 - list: bash_config_filenames
   items: [.bashrc, .bash_profile, .bash_history, .bash_login, .bash_logout, .inputrc, .profile]
@@ -494,7 +495,7 @@
     a shell configuration file was read by a non-shell program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid file=%fd.name container_id=%container.id image=%container.image.repository)
   priority:
     WARNING
-  tags: [host, container, filesystem, mitre_discovery, T1546.004]
+  tags: [maturity_sandbox, host, container, filesystem, mitre_discovery, T1546.004]
 
 - macro: user_known_cron_jobs
   condition: (never_true)
@@ -511,7 +512,7 @@
     file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority:
     NOTICE
-  tags: [host, container, filesystem, mitre_persistence, T1053.003]
+  tags: [maturity_sandbox, host, container, filesystem, mitre_persistence, T1053.003]
 
 # Use this to test whether the event occurred within a container.
 
@@ -1002,7 +1003,7 @@
     ssh-related file/directory read by non-ssh program (user=%user.name user_loginuid=%user.loginuid
     command=%proc.cmdline pid=%proc.pid file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline container_id=%container.id image=%container.image.repository)
   priority: ERROR
-  tags: [host, container, filesystem, mitre_discovery, T1005]
+  tags: [maturity_sandbox, host, container, filesystem, mitre_discovery, T1005]
 
 - list: safe_etc_dirs
   items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment, /etc/hrmconfig, /etc/fluent/configs.d. /etc/alertmanager]
@@ -1606,7 +1607,7 @@
     Namespace change (setns) by unexpected program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid
     parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository:%container.image.tag)
   priority: NOTICE
-  tags: [host, container, process, mitre_privilege_escalation, mitre_lateral_movement, T1611]
+  tags: [maturity_sandbox, host, container, process, mitre_privilege_escalation, mitre_lateral_movement, T1611]
 
 # The binaries in this list and their descendents are *not* allowed
 # spawn shells. This includes the binaries spawning shells directly as
@@ -2191,7 +2192,7 @@
     Program run with disallowed HTTP_PROXY environment variable
     (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid env=%proc.env parent=%proc.pname container_id=%container.id image=%container.image.repository exe_flags=%evt.arg.flags)
   priority: NOTICE
-  tags: [host, container, users, mitre_command_and_control, T1090, T1204]
+  tags: [maturity_sandbox, host, container, users, mitre_command_and_control, T1090, T1204]
 
 # In some environments, any attempt by a interpreted program (perl,
 # python, ruby, etc) to listen for incoming connections or perform
@@ -2207,7 +2208,7 @@
     Interpreted program received/listened for network traffic
     (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid connection=%fd.name container_id=%container.id image=%container.image.repository)
   priority: NOTICE
-  tags: [host, container, network, mitre_exfiltration, TA0011]
+  tags: [maturity_sandbox, host, container, network, mitre_exfiltration, TA0011]
 
 - rule: Interpreted procs outbound network activity
   desc: Any outbound network activity performed by any interpreted program (perl, python, ruby, etc.)
@@ -2218,7 +2219,7 @@
     Interpreted program performed outgoing network connection
     (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid connection=%fd.name container_id=%container.id image=%container.image.repository)
   priority: NOTICE
-  tags: [host, container, network, mitre_exfiltration, TA0011]
+  tags: [maturity_sandbox, host, container, network, mitre_exfiltration, TA0011]
 
 - list: openvpn_udp_ports
   items: [1194, 1197, 1198, 8080, 9201]
@@ -2257,7 +2258,7 @@
     Unexpected UDP Traffic Seen
     (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args container_id=%container.id image=%container.image.repository)
   priority: NOTICE
-  tags: [host, container, network, mitre_exfiltration, TA0011]
+  tags: [maturity_sandbox, host, container, network, mitre_exfiltration, TA0011]
 
 # With the current restriction on system calls handled by falco
 # (e.g. excluding read/write/sendto/recvfrom/etc, this rule won't
@@ -2396,7 +2397,7 @@
   output: Outbound connection to EC2 instance metadata service (command=%proc.cmdline pid=%proc.pid connection=%fd.name %container.info image=%container.image.repository:%container.image.tag)
   priority: NOTICE
   enabled: false
-  tags: [network, aws, container, mitre_discovery, T1565]
+  tags: [maturity_sandbox, network, aws, container, mitre_discovery, T1565]
 
 
 # This rule is not enabled by default, since this rule is for cloud environment(GCP, AWS and Azure) only.
@@ -2413,7 +2414,7 @@
   enabled: false
   output: Outbound connection to cloud instance metadata service (command=%proc.cmdline pid=%proc.pid connection=%fd.name %container.info image=%container.image.repository:%container.image.tag)
   priority: NOTICE
-  tags: [network, container, mitre_discovery, T1565]
+  tags: [maturity_sandbox, network, container, mitre_discovery, T1565]
 
 # Containers from IBM Cloud
 - list: ibm_cloud_containers
@@ -2740,7 +2741,7 @@
     command=%proc.cmdline pid=%proc.pid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority:
     NOTICE
-  tags: [host, container, process, users, mitre_persistence, T1548.001]
+  tags: [maturity_sandbox, host, container, process, users, mitre_persistence, T1548.001]
 
 - list: exclude_hidden_directories
   items: [/root/.cassandra]
@@ -2763,7 +2764,7 @@
     file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority:
     NOTICE
-  tags: [host, container, filesystem, mitre_persistence, T1564.001]
+  tags: [maturity_sandbox, host, container, filesystem, mitre_persistence, T1564.001]
 
 - list: remote_file_copy_binaries
   items: [rsync, scp, sftp, dcp]
@@ -2912,7 +2913,7 @@
   enabled: false
   output: Outbound connection to IP/Port flagged by https://cryptoioc.ch (command=%proc.cmdline pid=%proc.pid port=%fd.rport ip=%fd.rip container=%container.info image=%container.image.repository)
   priority: CRITICAL
-  tags: [host, container, network, mitre_execution, T1496]
+  tags: [maturity_sandbox, host, container, network, mitre_execution, T1496]
 
 - rule: Detect crypto miners using the Stratum protocol
   desc: Miners typically specify the mining pool to connect to with a URI that begins with 'stratum+tcp'
@@ -2996,7 +2997,7 @@
      image=%container.image.repository namespace=%k8s.ns.name
      fd.rip.name=%fd.rip.name fd.lip.name=%fd.lip.name fd.cip.name=%fd.cip.name fd.sip.name=%fd.sip.name)
   priority: WARNING
-  tags: [container, network, mitre_discovery, T1046]
+  tags: [maturity_sandbox, container, network, mitre_discovery, T1046]
 
 - list: allowed_image
   items: [] # add image to monitor, i.e.: bitnami/nginx
@@ -3032,7 +3033,7 @@
     (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id
     image=%container.image.repository)
   priority: WARNING
-  tags: [container, network, mitre_discovery, TA0011]
+  tags: [maturity_sandbox, container, network, mitre_discovery, TA0011]
 
 - macro: user_known_stand_streams_redirect_activities
   condition: (never_true)
@@ -3076,7 +3077,7 @@
   enabled: false
   output: Drift detected (chmod), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
   priority: ERROR
-  tags: [container, process, filesystem, mitre_execution, T1059]
+  tags: [maturity_sandbox, container, process, filesystem, mitre_execution, T1059]
 
 # ****************************************************************************
 # * "Container Drift Detected (open+create)" requires FALCO_ENGINE_VERSION 6 *
@@ -3094,7 +3095,7 @@
   enabled: false
   output: Drift detected (open+create), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
   priority: ERROR
-  tags: [container, process, filesystem, mitre_execution, T1059]
+  tags: [maturity_sandbox, container, process, filesystem, mitre_execution, T1059]
 
 - list: c2_server_ip_list
   items: []
@@ -3134,7 +3135,7 @@
   output: Outbound connection to C2 server (c2_domain=%fd.sip.name c2_addr=%fd.sip command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
   priority: WARNING
   enabled: false
-  tags: [host, container, network, mitre_command_and_control, TA0011]
+  tags: [maturity_sandbox, host, container, network, mitre_command_and_control, TA0011]
 
 - list: allowed_container_images_loading_kernel_module
   items: []
@@ -3166,7 +3167,7 @@
   enabled: false
   output: Container launched with root user privilege (uid=%user.uid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag exe_flags=%evt.arg.flags)
   priority: INFO
-  tags: [container, process, users, mitre_execution, T1610]
+  tags: [maturity_sandbox, container, process, users, mitre_execution, T1610]
 
 # This rule helps detect CVE-2021-3156:
 # A privilege escalation to root through heap-based buffer overflow
@@ -3295,7 +3296,7 @@
   output: Java process class file download (user=%user.name user_loginname=%user.loginname user_loginuid=%user.loginuid event=%evt.type connection=%fd.name server_ip=%fd.sip server_port=%fd.sport proto=%fd.l4proto process=%proc.name command=%proc.cmdline pid=%proc.pid parent=%proc.pname buffer=%evt.buffer container_id=%container.id image=%container.image.repository)
   priority: CRITICAL
   enabled: false
-  tags: [host, container, process, mitre_initial_access, T1190]
+  tags: [maturity_sandbox, host, container, process, mitre_initial_access, T1190]
 
 - list: docker_binaries
   items: [docker, dockerd, containerd-shim, "runc:[1:CHILD]", pause, exe, docker-compose, docker-entrypoi, docker-runc-cur, docker-current, dockerd-current]
@@ -3311,7 +3312,7 @@
   output: >
     Detect Potential Container Breakout Exploit (CVE-2019-5736) (user=%user.name process=%proc.name file=%fd.name cmdline=%proc.cmdline pid=%proc.pid %container.info)
   priority: WARNING
-  tags: [container, filesystem, mitre_initial_access, T1611]
+  tags: [maturity_sandbox, container, filesystem, mitre_initial_access, T1611]
 
 - list: known_binaries_to_read_environment_variables_from_proc_files
   items: [scsi_id, argoexec]