From 694adf59e0e4dd1fc4b00e72bf3588e1f9755e4a Mon Sep 17 00:00:00 2001
From: incertum
Date: Fri, 31 Mar 2023 14:06:22 -0700
Subject: [PATCH] fix(rules)!: require explicit accept4 reference, overlapping syscall names deprecated
A major refactor of Falco now exposes each syscall Falco's libs supports to the end user :) At the same time we deprecate overlapping syscall names, see https://github.com/falcosecurity/falco/issues/2443#issuecomment-1471289452 Official support starts with Falco 0.35.0
Co-authored-by: Jason Dellaluce
Co-authored-by: Andrea Terzolo
Co-authored-by: Federico Di Pierro
Signed-off-by: incertum
---
 rules/falco_rules.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 1a0c2a3dd..15501fc25 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -321,7 +321,7 @@
 # Network
 - macro: inbound
 condition: >
- (((evt.type in (accept,listen) and evt.dir=<) or
+ (((evt.type in (accept,accept4,listen) and evt.dir=<) or
 (evt.type in (recvfrom,recvmsg) and evt.dir=< and fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
 (fd.typechar = 4 or fd.typechar = 6) and
@@ -345,7 +345,7 @@
 # for efficiency.
 - macro: inbound_outbound
 condition: >
- ((((evt.type in (accept,listen,connect) and evt.dir=<)) and
+ ((((evt.type in (accept,accept4,listen,connect) and evt.dir=<)) and
 (fd.typechar = 4 or fd.typechar = 6)) and
 (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
 (evt.rawres >= 0 or evt.res = EINPROGRESS))
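Review bot: The `inbound` macro at -321 now lists `accept` and `accept4` side by side with no comment explaining why the pair is required, so a later cleanup could fold it back to `accept` and silently reopen the gap this commit closes — on an engine that no longer aliases accept4 under accept, inbound connections accepted via accept4 would not match `inbound` at all, and every rule built on it would lose coverage. Suggest a comment above the macro, e.g. `# accept4 must be listed explicitly: overlapping syscall names are deprecated from Falco 0.35.0 (see issue 2443)`. The `inbound_outbound` hunk at -345 has the same duplicated list and would benefit from a one-line pointer to that comment rather than a second copy. If this rules file declares a `required_engine_version`, it presumably needs bumping to the engine release these macros now assume; that line is not in the patch.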