Skip to content

Commit

Permalink
cleanup(rules); transition rule 'BPF Program Not Profiled' to maturit…
Browse files Browse the repository at this point in the history
…y incubating

Signed-off-by: Melissa Kilby <[email protected]>
  • Loading branch information
incertum committed May 19, 2024
1 parent 29c41c4 commit 3157249
Show file tree
Hide file tree
Showing 2 changed files with 21 additions and 21 deletions.
21 changes: 21 additions & 0 deletions rules/falco-incubating_rules.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1284,3 +1284,24 @@
output: SSHD loaded a backdoored version of liblzma library %fd.name with parent %proc.pname and cmdline %proc.cmdline (process=%proc.name parent=%proc.pname file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid proc_exepath=%proc.exepath command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
priority: WARNING
tags: [maturity_incubating, host, container]

- list: bpf_profiled_binaries
items: [falco, bpftool, systemd]

- macro: bpf_profiled_procs
condition: (proc.name in (bpf_profiled_binaries))

- rule: BPF Program Not Profiled
desc: >
BPF is a kernel technology that can be misused for malicious purposes, like "Linux Kernel Module Injection". This
rule should be considered an auditing rule to notify you of any unprofiled BPF tools running in your environment.
However, it requires customization after profiling your environment. BPF-powered agents make bpf syscalls all the
time, so this rule only sends logs for BPF_PROG_LOAD calls (bpf cmd=BPF_PROG_LOAD) in the enter event. If you also want to log
whether the syscall failed or succeeded, remove the direction filter and add the evt.arg.res_or_fd output field.
condition: >
evt.type=bpf and evt.dir=>
and evt.arg.cmd=BPF_PROG_LOAD
and not bpf_profiled_procs
output: BPF Program Not Profiled (bpf_cmd=%evt.arg.cmd evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
priority: NOTICE
tags: [maturity_sandbox, host, container, mitre_persistence, TA0003]
21 changes: 0 additions & 21 deletions rules/falco-sandbox_rules.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1706,27 +1706,6 @@
priority: WARNING
tags: [maturity_sandbox, container, filesystem, mitre_initial_access, T1611]

- list: bpf_profiled_binaries
items: [falco, bpftool, systemd]

- macro: bpf_profiled_procs
condition: (proc.name in (bpf_profiled_binaries))

- rule: BPF Program Not Profiled
desc: >
BPF is a kernel technology that can be misused for malicious purposes, like "Linux Kernel Module Injection". This
rule should be considered an auditing rule to notify you of any unprofiled BPF tools running in your environment.
However, it requires customization after profiling your environment. BPF-powered agents make bpf syscalls all the
time, so this rule only sends logs for BPF_PROG_LOAD calls (bpf cmd=5) in the enter event. If you also want to log
whether the syscall failed or succeeded, remove the direction filter and add the evt.arg.res_or_fd output field.
condition: >
evt.type=bpf and evt.dir=>
and evt.arg.cmd=BPF_PROG_LOAD
and not bpf_profiled_procs
output: BPF Program Not Profiled (bpf_cmd=%evt.arg.cmd evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
priority: NOTICE
tags: [maturity_sandbox, host, container, mitre_persistence, TA0003]

- list: known_decode_payload_containers
items: []

Expand Down

0 comments on commit 3157249

Please sign in to comment.