cleanup(rules): initial tagging of stable rules round3 #109

Merged: 1 commit, Jul 25, 2023

Conversation

incertum (Contributor)

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area rules

/area registry

/area build

/area documentation

What this PR does / why we need it:

Third round of initially tagging rules w/ maturity_stable.

  • enhanced desc
  • more complete output fields
  • cleanup of tags if applicable
  • add new maturity_stable tag

@LucaGuerra @loresuso @jasondellaluce

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Includes:
  • enhanced desc
  • more complete output fields
  • cleanup of tags if applicable
  • add new maturity_stable tag

Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
@github-actions
Rules files suggestions

falco_rules.yaml

Comparing 5268907ba451d41390a9734c1688bd354c13851c with latest tag falco-rules-1.0.1

Major changes:

  • Rule Directory traversal monitored file read has less tags than before
  • Rule Read sensitive file trusted after startup has less tags than before
  • Rule Read sensitive file untrusted has less tags than before
  • Rule Create Symlink Over Sensitive Files has less tags than before
  • Rule Create Hardlink Over Sensitive Files has less tags than before
  • Rule Redirect STDOUT/STDIN to Network Connection in Container has less tags than before
  • Rule Linux Kernel Module Injection Detected has less tags than before

Patch changes:

  • Rule Disallowed SSH Connection has more tags than before
  • Rule Unexpected outbound connection destination has more tags than before
  • Rule Unexpected inbound connection source has more tags than before
  • Rule Read Shell Configuration File has more tags than before
  • Rule Schedule Cron Jobs has more tags than before
  • Rule Directory traversal monitored file read changed its output fields
  • Rule Directory traversal monitored file read has more tags than before
  • Rule Read ssh information has more tags than before
  • Rule Read sensitive file trusted after startup changed its output fields
  • Rule Read sensitive file trusted after startup has more tags than before
  • Rule Read sensitive file untrusted changed its output fields
  • Rule Read sensitive file untrusted has more tags than before
  • Rule Change thread namespace has more tags than before
  • Rule Terminal shell in container changed its output fields
  • Rule Terminal shell in container has more tags than before
  • Rule Program run with disallowed http proxy env has more tags than before
  • Rule Interpreted procs inbound network activity has more tags than before
  • Rule Interpreted procs outbound network activity has more tags than before
  • Rule Unexpected UDP Traffic has more tags than before
  • Rule Contact EC2 Instance Metadata Service From Container has more tags than before
  • Rule Contact cloud metadata service from container has more tags than before
  • Rule Netcat Remote Code Execution in Container changed its output fields
  • Rule Netcat Remote Code Execution in Container has more tags than before
  • Rule Set Setuid or Setgid bit has more tags than before
  • Rule Create Hidden Files or Directories has more tags than before
  • Rule Create Symlink Over Sensitive Files changed its output fields
  • Rule Create Symlink Over Sensitive Files has more tags than before
  • Rule Create Hardlink Over Sensitive Files changed its output fields
  • Rule Create Hardlink Over Sensitive Files has more tags than before
  • Rule Detect outbound connections to common miner pool ports has more tags than before
  • Rule Network Connection outside Local Subnet has more tags than before
  • Rule Outbound or Inbound Traffic not to Authorized Server Process and Port has more tags than before
  • Rule Redirect STDOUT/STDIN to Network Connection in Container changed its output fields
  • Rule Redirect STDOUT/STDIN to Network Connection in Container has more tags than before
  • Rule Container Drift Detected (chmod) has more tags than before
  • Rule Container Drift Detected (open+create) has more tags than before
  • Rule Outbound Connection to C2 Servers has more tags than before
  • Rule Linux Kernel Module Injection Detected changed its output fields
  • Rule Linux Kernel Module Injection Detected has more tags than before
  • Rule Container Run as Root User has more tags than before
  • Rule Java Process Class File Download has more tags than before
  • Rule Modify Container Entrypoint has more tags than before
  • Rule Drop and execute new binary in container changed its output fields
  • Rule Drop and execute new binary in container has more tags than before

Comment on lines +1476 to +1478
Sensitive file opened for reading by non-trusted program (user=%user.name uid=%user.uid user_loginuid=%user.loginuid
process=%proc.name proc_exepath=%proc.exepath command=%proc.cmdline pid=%proc.pid parent=%proc.pname
file=%fd.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] terminal=%proc.tty container_id=%container.id
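Review bot: the quoted output for this rule stops at container_id=%container.id with no closing parenthesis, while the sibling rule "Read sensitive file trusted after startup" commented further down closes with image=%container.image.repository namespace=%k8s.ns.name pod_name=%k8s.pod.name). If the commented range merely cuts the line short, nothing to do; otherwise give both rules the same container and Kubernetes fields, since the PR's stated goal is "more complete output fields" and these two alerts are normally correlated in the same pipeline.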
LucaGuerra (Contributor), Jul 25, 2023


This one sounds a bit noisy. Do you think the default exception list is comprehensive enough to be considered stable?

incertum (Contributor, Author)

Answering here for both. I would say it's ok for now. At the same time added a note to the tracking ticket and we can tune them in a follow-up PR? These rules have been around for a very long time and they are commonly referred to in tutorials.

On the flip side some template macros for custom sensitive files would make sense as well to address FNs?

Contributor

Agree! Thanks for this!

Comment on lines +1405 to +1408
Sensitive file opened for reading by trusted program after startup (user=%user.name uid=%user.uid user_loginuid=%user.loginuid
process=%proc.name proc_exepath=%proc.exepath command=%proc.cmdline pid=%proc.pid parent=%proc.pname
file=%fd.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] terminal=%proc.tty
container_id=%container.id image=%container.image.repository namespace=%k8s.ns.name pod_name=%k8s.pod.name)
Contributor

This one did sound a little bit noisy but I see that the list of programs that are involved is limited (server, db, ...). Makes sense to me.

poiana commented Jul 25, 2023

LGTM label has been added.

Git tree hash: a7fa7d45f51a29cc73c38ca955f6afecbe1ee185

poiana commented Jul 25, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: incertum, LucaGuerra

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [LucaGuerra,incertum]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana merged commit 5cea56e into falcosecurity:main Jul 25, 2023
6 checks passed