Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cleanup(rules): initial tagging of stable rules round1 #106

Merged
merged 2 commits into from
Jul 24, 2023
Merged

cleanup(rules): initial tagging of stable rules round1 #106

merged 2 commits into from
Jul 24, 2023

Conversation

incertum
Copy link
Contributor

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area rules

/area registry

/area build

/area documentation

What this PR does / why we need it:

First round of initially tagging rules w/ maturity_stable.

  • enhanced desc
  • more complete output fields
  • cleanup of tags if applicable
  • add new maturity_stable tag

@LucaGuerra @loresuso @jasondellaluce

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

@poiana poiana added kind/cleanup dco-signoff: yes kind/documentation Improvements or additions to documentation labels Jul 20, 2023
@poiana poiana requested review from Kaizhe and leodido July 20, 2023 23:51
incertum
incertum commented Jul 21, 2023
View reviewed changes
rules/falco_rules.yaml
condition: >
spawned_process and container and
((proc.name = "nc" and (proc.args contains "-e" or proc.args contains "-c")) or
((proc.name = "nc" and (proc.cmdline contains " -e" or proc.cmdline contains " -c")) or
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixing noise, see #33

@leogr leogr mentioned this pull request Jul 21, 2023
Closed
@incertum
cleanup(rules): initial tagging of stable rules round1
8a664e4 
Includes:
* enhanced desc
* more complete output fields
* cleanup of tags if applicable
* add new maturity_stable tag

Signed-off-by: Melissa Kilby <[email protected]>
@incertum
cleanup(rules): reduce string mismatching in 'Netcat Remote Code Exec…
3ccb05c 
…ution in Container'

Signed-off-by: Melissa Kilby <[email protected]>
@github-actions
Copy link

Rules files suggestions

falco_rules.yaml

Comparing 70914a9b5973142e3a30aa9c9db3a115568a0a20 with latest tag falco-rules-1.0.1

Major changes:

  • Rule Redirect STDOUT/STDIN to Network Connection in Container has less tags than before
  • Rule Linux Kernel Module Injection Detected has less tags than before

Patch changes:

  • Rule Disallowed SSH Connection has more tags than before
  • Rule Unexpected outbound connection destination has more tags than before
  • Rule Unexpected inbound connection source has more tags than before
  • Rule Read Shell Configuration File has more tags than before
  • Rule Schedule Cron Jobs has more tags than before
  • Rule Read ssh information has more tags than before
  • Rule Change thread namespace has more tags than before
  • Rule Terminal shell in container changed its output fields
  • Rule Terminal shell in container has more tags than before
  • Rule Program run with disallowed http proxy env has more tags than before
  • Rule Interpreted procs inbound network activity has more tags than before
  • Rule Interpreted procs outbound network activity has more tags than before
  • Rule Unexpected UDP Traffic has more tags than before
  • Rule Contact EC2 Instance Metadata Service From Container has more tags than before
  • Rule Contact cloud metadata service from container has more tags than before
  • Rule Netcat Remote Code Execution in Container changed its output fields
  • Rule Netcat Remote Code Execution in Container has more tags than before
  • Rule Set Setuid or Setgid bit has more tags than before
  • Rule Create Hidden Files or Directories has more tags than before
  • Rule Detect outbound connections to common miner pool ports has more tags than before
  • Rule Network Connection outside Local Subnet has more tags than before
  • Rule Outbound or Inbound Traffic not to Authorized Server Process and Port has more tags than before
  • Rule Redirect STDOUT/STDIN to Network Connection in Container changed its output fields
  • Rule Redirect STDOUT/STDIN to Network Connection in Container has more tags than before
  • Rule Container Drift Detected (chmod) has more tags than before
  • Rule Container Drift Detected (open+create) has more tags than before
  • Rule Outbound Connection to C2 Servers has more tags than before
  • Rule Linux Kernel Module Injection Detected changed its output fields
  • Rule Linux Kernel Module Injection Detected has more tags than before
  • Rule Container Run as Root User has more tags than before
  • Rule Java Process Class File Download has more tags than before
  • Rule Modify Container Entrypoint has more tags than before
  • Rule Drop and execute new binary in container changed its output fields
  • Rule Drop and execute new binary in container has more tags than before

LucaGuerra
LucaGuerra reviewed Jul 24, 2023
View reviewed changes
rules/falco_rules.yaml
proc.cwd=%proc.cwd terminal=%proc.tty container.start_ts=%container.start_ts proc.sid=%proc.sid proc.vpgid=%proc.vpgid
proc.vpid=%proc.vpid evt.res=%evt.res)
priority: CRITICAL
tags: [maturity_stable, container, process, mitre_persistence, TA0003]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

<3

LucaGuerra
LucaGuerra approved these changes Jul 24, 2023
View reviewed changes
Copy link
Contributor

@LucaGuerra LucaGuerra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for this 🙏 I agree with this subset as they are either less prone to FPs or interesting pieces of information to have properly marked with priority NOTICE

@poiana poiana added the lgtm label Jul 24, 2023
@poiana
Copy link

poiana commented Jul 24, 2023

LGTM label has been added.

Git tree hash: d1775651ee0f57a7c19d212af52c6bef31dab609

@poiana
Copy link

poiana commented Jul 24, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: incertum, LucaGuerra

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [LucaGuerra,incertum]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana merged commit 0d0e333 into falcosecurity:main Jul 24, 2023
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@LucaGuerra LucaGuerra LucaGuerra approved these changes

@Kaizhe Kaizhe Awaiting requested review from Kaizhe

@leodido leodido Awaiting requested review from leodido

Assignees

@LucaGuerra LucaGuerra

Labels
approved area/rules dco-signoff: yes kind/cleanup kind/documentation Improvements or additions to documentation lgtm size/M
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@incertum @poiana @LucaGuerra