cleanup(rules): transition rule BPF Program Not Profiled to maturity incubating #246
Conversation
BPF is a kernel technology that can be misused for malicious purposes, like "Linux Kernel Module Injection". This | ||
rule should be considered an auditing rule to notify you of any unprofiled BPF tools running in your environment. | ||
However, it requires customization after profiling your environment. BPF-powered agents make bpf syscalls all the | ||
time, so this rule only sends logs for BPF_PROG_LOAD calls (bpf cmd=BPF_PROG_LOAD) in the enter event. If you also want to log |
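Review bot: the description states that the rule "only sends logs for BPF_PROG_LOAD calls (bpf cmd=BPF_PROG_LOAD) in the enter event"; since the docs now spell the command symbolically rather than as the numeric value 5, the rule condition should compare against the same symbolic name so the two cannot drift apart again. The description also says the rule "requires customization after profiling your environment" without naming what to customize; pointing at the specific list or macro that holds the profiled BPF tools would make the auditing intent actionable for operators. The sentence beginning "If you also want to log" is cut off in this view and could not be checked.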
also fixed docs as it's now cmd=BPF_PROG_LOAD and not 5 anymore.
This requires an engine version bump if I'm not mistaken, meaning also a major version bump for the incubating file
Right, forgot about it, great callout Luca!
Rules files suggestions (comparing rules files):
falco-incubating_rules.yaml: Minor changes: Patch changes:
falco-sandbox_rules.yaml: Major changes: Minor changes: Patch changes:
…y incubating Signed-off-by: Melissa Kilby <[email protected]>
3157249 to 865a450
…VE-2024-3094)' Signed-off-by: Melissa Kilby <[email protected]>
@@ -1283,4 +1283,25 @@ | |||
(fd.name contains "liblzma.so.5.6.0" or fd.name contains "liblzma.so.5.6.1") | |||
output: SSHD loaded a backdoored version of liblzma library %fd.name with parent %proc.pname and cmdline %proc.cmdline (process=%proc.name parent=%proc.pname file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid proc_exepath=%proc.exepath command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) | |||
priority: WARNING | |||
tags: [maturity_incubating, host, container] | |||
tags: [maturity_incubating, host, container, mitre_initial_access, T1556] |
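Review bot: the one visible `+` line, `tags: [maturity_incubating, host, container, mitre_initial_access, T1556]`, pairs an initial-access tactic tag with T1556, which in ATT&CK is Modify Authentication Process and is listed under credential access, defense evasion and persistence rather than initial access; confirm that the tactic tag and technique id agree before merging, or pick the pair that best describes sshd loading a backdoored liblzma. The hunk header `@@ -1283,4 +1283,25 @@` announces 21 added lines but only this one survives in this view, so the rest of the addition could not be reviewed here.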
Signed-off-by: Melissa Kilby <[email protected]>
Hi @incertum, totally agree with this change!
LGTM
LGTM label has been added. Git tree hash: 896a7bc3dc0ed60a86e437b7c0f083b97bcf8571
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: darryk10, incertum, LucaGuerra The full list of commands accepted by this bot can be found here. The pull request process is described here
…y incubating
What type of PR is this?
/kind cleanup
Any specific area of the project related to this PR?
/area rules
Proposed rule maturity level
/area maturity-incubating
What this PR does / why we need it:
cleanup(rules): transition rule BPF Program Not Profiled to maturity incubating as it is considered a critical baseline detection.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer: