Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cleanup(rules): initial tagging of stable rules round4 #110

Merged
merged 2 commits into from
Jul 26, 2023

Conversation

incertum
Copy link
Contributor

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area rules

/area registry

/area build

/area documentation

What this PR does / why we need it:

Fourth round of initially tagging rules w/ maturity_stable.

  • enhanced desc
  • more complete output fields
  • cleanup of tags if applicable
  • add new maturity_stable tag

@LucaGuerra @loresuso @jasondellaluce

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Includes:
* enhanced desc
* more complete output fields
* cleanup of tags if applicable
* add new maturity_stable tag

Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
Java applications very often have a custom process name, therefore
proc.name or proc.pname are not well suited for rules conditions to
determine java applications, use 'proc.exe endswith java' instead,
same for proc.pexe etc.

Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
@github-actions
Copy link

Rules files suggestions

falco_rules.yaml

Comparing bdc6f37353d718022f5eed32629ef1e09d8ac45f with latest tag falco-rules-1.0.1

Major changes:

  • Rule Directory traversal monitored file read has less tags than before
  • Rule Read sensitive file trusted after startup has less tags than before
  • Rule Read sensitive file untrusted has less tags than before
  • Rule Remove Bulk Data from Disk has less tags than before
  • Rule Create Symlink Over Sensitive Files has less tags than before
  • Rule Create Hardlink Over Sensitive Files has less tags than before
  • Rule Packet socket created in container has less tags than before
  • Rule Redirect STDOUT/STDIN to Network Connection in Container has less tags than before
  • Rule Linux Kernel Module Injection Detected has less tags than before
  • Rule Debugfs Launched in Privileged Container has less tags than before
  • Rule Detect release_agent File Container Escapes has less tags than before
  • Rule PTRACE attached to process has less tags than before

Patch changes:

  • Rule Disallowed SSH Connection has more tags than before
  • Rule Unexpected outbound connection destination has more tags than before
  • Rule Unexpected inbound connection source has more tags than before
  • Rule Read Shell Configuration File has more tags than before
  • Rule Schedule Cron Jobs has more tags than before
  • Rule Directory traversal monitored file read changed its output fields
  • Rule Directory traversal monitored file read has more tags than before
  • Rule Read ssh information has more tags than before
  • Rule Read sensitive file trusted after startup changed its output fields
  • Rule Read sensitive file trusted after startup has more tags than before
  • Rule Read sensitive file untrusted changed its output fields
  • Rule Read sensitive file untrusted has more tags than before
  • Rule Change thread namespace has more tags than before
  • Rule Run shell untrusted changed its output fields
  • Rule Run shell untrusted has more tags than before
  • Rule System user interactive changed its output fields
  • Rule System user interactive has more tags than before
  • Rule Terminal shell in container changed its output fields
  • Rule Terminal shell in container has more tags than before
  • Rule Program run with disallowed http proxy env has more tags than before
  • Rule Interpreted procs inbound network activity has more tags than before
  • Rule Interpreted procs outbound network activity has more tags than before
  • Rule Unexpected UDP Traffic has more tags than before
  • Rule Contact EC2 Instance Metadata Service From Container has more tags than before
  • Rule Contact cloud metadata service from container has more tags than before
  • Rule Contact K8S API Server From Container changed its output fields
  • Rule Contact K8S API Server From Container has more tags than before
  • Rule Netcat Remote Code Execution in Container changed its output fields
  • Rule Netcat Remote Code Execution in Container has more tags than before
  • Rule Clear Log Activities changed its output fields
  • Rule Clear Log Activities has more tags than before
  • Rule Remove Bulk Data from Disk changed its output fields
  • Rule Remove Bulk Data from Disk has more tags than before
  • Rule Set Setuid or Setgid bit has more tags than before
  • Rule Create Hidden Files or Directories has more tags than before
  • Rule Create Symlink Over Sensitive Files changed its output fields
  • Rule Create Symlink Over Sensitive Files has more tags than before
  • Rule Create Hardlink Over Sensitive Files changed its output fields
  • Rule Create Hardlink Over Sensitive Files has more tags than before
  • Rule Detect outbound connections to common miner pool ports has more tags than before
  • Rule Packet socket created in container changed its output fields
  • Rule Packet socket created in container has more tags than before
  • Rule Network Connection outside Local Subnet has more tags than before
  • Rule Outbound or Inbound Traffic not to Authorized Server Process and Port has more tags than before
  • Rule Redirect STDOUT/STDIN to Network Connection in Container changed its output fields
  • Rule Redirect STDOUT/STDIN to Network Connection in Container has more tags than before
  • Rule Container Drift Detected (chmod) has more tags than before
  • Rule Container Drift Detected (open+create) has more tags than before
  • Rule Outbound Connection to C2 Servers has more tags than before
  • Rule Linux Kernel Module Injection Detected changed its output fields
  • Rule Linux Kernel Module Injection Detected has more tags than before
  • Rule Container Run as Root User has more tags than before
  • Rule Debugfs Launched in Privileged Container changed its output fields
  • Rule Debugfs Launched in Privileged Container has more tags than before
  • Rule Detect release_agent File Container Escapes changed its output fields
  • Rule Detect release_agent File Container Escapes has more tags than before
  • Rule Java Process Class File Download has more tags than before
  • Rule Modify Container Entrypoint has more tags than before
  • Rule PTRACE attached to process changed its output fields
  • Rule PTRACE attached to process has more tags than before
  • Rule PTRACE anti-debug attempt changed its output fields
  • Rule PTRACE anti-debug attempt has more tags than before
  • Rule Drop and execute new binary in container changed its output fields
  • Rule Drop and execute new binary in container has more tags than before

@@ -1522,7 +1522,7 @@
condition: (proc.aname[2]=rabbitmqctl and proc.cmdline startswith "sh -c ")

- macro: run_by_appdynamics
condition: (proc.pname=java and proc.pcmdline startswith "java -jar -Dappdynamics")
condition: (proc.pexe endswith java and proc.pcmdline contains " -jar -Dappdynamics")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks odd at first but at least we're guarded from processes that change their name and it doesn't introduce a false positive (I mean, unless we have something called stuff-java and has the same CLI options as these tools, which is very unlikely.

Copy link
Contributor

@LucaGuerra LucaGuerra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@poiana
Copy link

poiana commented Jul 26, 2023

LGTM label has been added.

Git tree hash: 7a5f79dcf64c1732770030e1f63973d9a0dcdeb5

@poiana
Copy link

poiana commented Jul 26, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: incertum, LucaGuerra

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [LucaGuerra,incertum]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana merged commit 8ea38c8 into falcosecurity:main Jul 26, 2023
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants