cleanup(rules): initial tagging of stable rules round4

rules/falco_rules.yaml

@@ -1522,7 +1522,7 @@
   condition: (proc.aname[2]=rabbitmqctl and proc.cmdline startswith "sh -c ")
 
 - macro: run_by_appdynamics
-  condition: (proc.pname=java and proc.pcmdline startswith "java -jar -Dappdynamics")
+  condition: (proc.pexe endswith java and proc.pcmdline contains " -jar -Dappdynamics")
 
 - macro: user_known_db_spawned_processes
   condition: (never_true)
@@ -1627,31 +1627,31 @@
     ]
 
 - macro: parent_java_running_zookeeper
-  condition: (proc.pname=java and proc.pcmdline contains org.apache.zookeeper.server)
+  condition: (proc.pexe endswith java and proc.pcmdline contains org.apache.zookeeper.server)
 
 - macro: parent_java_running_kafka
-  condition: (proc.pname=java and proc.pcmdline contains kafka.Kafka)
+  condition: (proc.pexe endswith java and proc.pcmdline contains kafka.Kafka)
 
 - macro: parent_java_running_elasticsearch
-  condition: (proc.pname=java and proc.pcmdline contains org.elasticsearch.bootstrap.Elasticsearch)
+  condition: (proc.pexe endswith java and proc.pcmdline contains org.elasticsearch.bootstrap.Elasticsearch)
 
 - macro: parent_java_running_activemq
-  condition: (proc.pname=java and proc.pcmdline contains activemq.jar)
+  condition: (proc.pexe endswith java and proc.pcmdline contains activemq.jar)
 
 - macro: parent_java_running_cassandra
-  condition: (proc.pname=java and (proc.pcmdline contains "-Dcassandra.config.loader" or proc.pcmdline contains org.apache.cassandra.service.CassandraDaemon))
+  condition: (proc.pexe endswith java and (proc.pcmdline contains "-Dcassandra.config.loader" or proc.pcmdline contains org.apache.cassandra.service.CassandraDaemon))
 
 - macro: parent_java_running_jboss_wildfly
-  condition: (proc.pname=java and proc.pcmdline contains org.jboss)
+  condition: (proc.pexe endswith java and proc.pcmdline contains org.jboss)
 
 - macro: parent_java_running_glassfish
-  condition: (proc.pname=java and proc.pcmdline contains com.sun.enterprise.glassfish)
+  condition: (proc.pexe endswith java and proc.pcmdline contains com.sun.enterprise.glassfish)
 
 - macro: parent_java_running_hadoop
-  condition: (proc.pname=java and proc.pcmdline contains org.apache.hadoop)
+  condition: (proc.pexe endswith java and proc.pcmdline contains org.apache.hadoop)
 
 - macro: parent_java_running_datastax
-  condition: (proc.pname=java and proc.pcmdline contains com.datastax)
+  condition: (proc.pexe endswith java and proc.pcmdline contains com.datastax)
 
 - macro: nginx_starting_nginx
   condition: (proc.pname=nginx and proc.cmdline contains "/usr/sbin/nginx -c /etc/nginx/nginx.conf")
@@ -1698,7 +1698,7 @@
 #
 # Like for node, we make this case opt-in.
 - macro: possibly_parent_java_running_tomcat
-  condition: (never_true and proc.pname=java and proc.pcmdline contains org.apache.catalina.startup.Bootstrap)
+  condition: (never_true and proc.pexe endswith java and proc.pcmdline contains org.apache.catalina.startup.Bootstrap)
 
 - macro: protected_shell_spawner
   condition: >
@@ -1723,7 +1723,13 @@
 # (the ./run and ./finish scripts), but the processes runsv can not
 # spawn shells.
 - rule: Run shell untrusted
-  desc: an attempt to spawn a shell below a non-shell application. Specific applications are monitored.
+  desc: > 
+    An attempt to spawn a shell below a non-shell application. The non-shell applications that are monitored are defined in the 'protected_shell_spawner' macro, 
+    with 'protected_shell_spawning_binaries' being the list you can easily customize. For Java parent processes, please note that Java often has a custom process name. 
+    Therefore, rely more on 'proc.exe' to define Java applications. This rule can be noisier, as you can see in the exhaustive existing tuning. However, given it is 
+    very behavior-driven and broad, it is universally relevant to catch general Remote Code Execution (RCE). Allocate time to tune this rule for your use cases and 
+    reduce noise. Tuning suggestions include looking at the duration of the parent process ('proc.ppid.duration') to define your long-running app processes. Checking 
+    for newer fields such as 'proc.vpgid.name' and 'proc.vpgid.exe' instead of the direct parent process being a non-shell application could make the rule more robust.
   condition: >
     spawned_process
     and shell_procs
@@ -1755,11 +1761,12 @@
     and not run_by_appdynamics
     and not user_shell_container_exclusions
   output: >
-    Shell spawned by untrusted binary (user=%user.name user_loginuid=%user.loginuid shell=%proc.name parent=%proc.pname
-    cmdline=%proc.cmdline pid=%proc.pid pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3]
-    aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7] container_id=%container.id image=%container.image.repository exe_flags=%evt.arg.flags)
+    Shell spawned by untrusted binary (user=%user.name uid=%user.uid user_loginuid=%user.loginuid shell=%proc.name parent=%proc.pname  
+    parent_exe=%proc.pexe parent_exepath=%proc.pexepath cmdline=%proc.cmdline pid=%proc.pid pcmdline=%proc.pcmdline gparent=%proc.aname[2] 
+    ggparent=%proc.aname[3] aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7] terminal=%proc.tty  
+    exe_flags=%evt.arg.flags container_id=%container.id image=%container.image.repository namespace=%k8s.ns.name pod_name=%k8s.pod.name)
   priority: DEBUG
-  tags: [host, container, process, shell, mitre_execution, T1059.004]
+  tags: [maturity_stable, host, container, process, shell, mitre_execution, T1059.004]
 
 - macro: allowed_openshift_registry_root
   condition: >
@@ -2060,11 +2067,22 @@
 #  priority: WARNING
 
 - rule: System user interactive
-  desc: an attempt to run interactive commands by a system (i.e. non-login) user
+  desc: > 
+    System (e.g. non-login) users spawning new processes. Can add custom service users (e.g. 'apache' or 'mysqld').
+    'Interactive' is defined as new processes as descendants of an ssh session or login process. Consider further tuning 
+    by only looking at processes in a terminal / tty (proc.tty != 0). A newer field 'proc.is_vpgid_leader' could be of help 
+    to distinguish if the process was 'directly' executed, for instance, in a tty, or executed as a descendant process in the 
+    same process group, which, for example, is the case when subprocesses are spawned from a script. Consider this rule 
+    as a great template rule to monitor interactive accesses to your systems more broadly. However, such a custom rule would be 
+    unique to your environment. The rule 'Terminal shell in container' that fires when using 'kubectl exec' is more Kubernetes 
+    relevant, whereas this one could be more interesting for the underlying host.
   condition: spawned_process and system_users and interactive and not user_known_system_user_login
-  output: "System user ran an interactive command (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid container_id=%container.id image=%container.image.repository exe_flags=%evt.arg.flags)"
+  output: > 
+    System user ran an interactive command (user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid proc_exepath=%proc.exepath 
+    parent=%proc.pname command=%proc.cmdline exe_flags=%evt.arg.flags pid=%proc.pid terminal=%proc.tty container_id=%container.id 
+    image=%container.image.repository namespace=%k8s.ns.name pod_name=%k8s.pod.name)
   priority: INFO
-  tags: [host, container, users, mitre_execution, T1059]
+  tags: [maturity_stable, host, container, users, mitre_execution, T1059]
 
 # In some cases, a shell is expected to be run in a container. For example, configuration
 # management software may do this, which is expected.
@@ -2655,18 +2673,23 @@
               container.image.repository endswith "containernetworking/azure-npm")
 
 - rule: Clear Log Activities
-  desc: Detect clearing of critical log files
+  desc: > 
+    Detect clearing of critical access log files, typically done to erase evidence that could be attributed to an adversary's 
+    actions. To effectively customize and operationalize this detection, check for potentially missing log file destinations 
+    relevant to your environment, and adjust the profiled containers you wish not to be alerted on.
   condition: >
     open_write and
     access_log_files and
     evt.arg.flags contains "O_TRUNC" and
     not trusted_logging_images and
     not allowed_clear_log_files
   output: >
-    Log files were tampered (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid file=%fd.name container_id=%container.id image=%container.image.repository)
+    Log files were tampered (user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid proc_exepath=%proc.exepath 
+    parent=%proc.pname command=%proc.cmdline pid=%proc.pid file=%fd.name exe_flags=%evt.arg.flags container_id=%container.id 
+    image=%container.image.repository namespace=%k8s.ns.name pod_name=%k8s.pod.name)
   priority:
     WARNING
-  tags: [host, container, filesystem, mitre_defense_evasion, T1070]
+  tags: [maturity_stable, host, container, filesystem, mitre_defense_evasion, T1070]
 
 - list: data_remove_commands
   items: [shred, mkfs, mke2fs]
@@ -2678,13 +2701,17 @@
   condition: (never_true)
 
 - rule: Remove Bulk Data from Disk
-  desc: Detect process running to clear bulk data from disk
+  desc: > 
+    Detect a process running to clear bulk data from disk with the intention to destroy data, possibly interrupting availability 
+    to systems. Profile your environment and use user_known_remove_data_activities to tune this rule.
   condition: spawned_process and clear_data_procs and not user_known_remove_data_activities
   output: >
-    Bulk data has been removed from disk (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid file=%fd.name container_id=%container.id image=%container.image.repository exe_flags=%evt.arg.flags)
+    Bulk data has been removed from disk (user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid proc_exepath=%proc.exepath 
+    parent=%proc.pname command=%proc.cmdline pid=%proc.pid file=%fd.name exe_flags=%evt.arg.flags container_id=%container.id 
+    image=%container.image.repository namespace=%k8s.ns.name pod_name=%k8s.pod.name)
   priority:
     WARNING
-  tags: [host, container, process, filesystem, mitre_persistence, T1485]
+  tags: [maturity_stable, host, container, process, filesystem, mitre_impact, T1485]
 
 # here `ash_history` will match both `bash_history` and `ash_history`
 - macro: modify_shell_history
@@ -2994,11 +3021,17 @@
   items: []
 
 - rule: Packet socket created in container
-  desc: Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used for ARP Spoofing and privilege escalation(CVE-2020-14386) by attacker.
+  desc: > 
+    Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used for ARP Spoofing 
+    and privilege escalation (CVE-2020-14386) by an attacker. Noise can be reduced by using the user_known_packet_socket_binaries
+    template list.
   condition: evt.type=socket and evt.arg[0] contains AF_PACKET and container and not proc.name in (user_known_packet_socket_binaries)
-  output: Packet socket was created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid socket_info=%evt.args container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
+  output: > 
+    Packet socket was created in a container (user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid proc_exepath=%proc.exepath 
+    parent=%proc.pname command=%proc.cmdline pid=%proc.pid socket_info=%evt.args container_id=%container.id 
+    image=%container.image.repository namespace=%k8s.ns.name pod_name=%k8s.pod.name)
   priority: NOTICE
-  tags: [container, network, mitre_discovery, T1046]
+  tags: [maturity_stable, container, network, mitre_credential_access, T1557.002]
 
 # Namespaces where the rule is enforce
 - list: namespace_scope_network_only_subnet