
new(rules): Exfiltrating Artifacts via Kubernetes Control Plane #139

Merged
merged 1 commit into from
Sep 14, 2023

Conversation

incertum
Contributor

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind feature

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area rules

/area registry

/area build

/area documentation

Proposed rule maturity level

Uncomment one (or more) /area <> lines (only for PRs that add or modify rules):

/area maturity-stable

/area maturity-incubating

/area maturity-sandbox

/area maturity-deprecated

What this PR does / why we need it:

Many of the existing rules focus on sensitive files in the traditional Linux sense, which might not align well with containerized applications.

Moreover, exfiltrating artifacts from, for example, Kubernetes goes beyond just the usual ways of malware, interactive access or RCE. It also involves the control plane, which attackers can target if they've gained unauthorized access, such as through stolen credentials. For instance, they might use commands like kubectl cp. However, this kind of activity isn't expected to be the norm in production settings. This presents an opportunity to create a broad rule that can catch such behavior without having to individually profile application-specific secrets or artifacts that attackers might try to lift from the container's file system, if applicable.

See #138.

This new rule could not only benefit from feedback, but also expanded testing.

@darryk10 @loresuso @LucaGuerra

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:
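How kubectl cp looks from the node, as an added illustration (Python over constructed Falco-style JSON events; this is not the rule merged in this PR): kubectl cp execs tar inside the target container without allocating a TTY, so the node-side artifact is a non-interactive tar spawn that archives to stdout (copy out) or extracts from stdin (copy in). The namespace allowlist plays the role a monitored-namespaces macro would play in a Falco rule; every event value below is made up.

```python
"""Illustrative detector for the node-side footprint of `kubectl cp`.

`kubectl cp` has no API verb of its own: it execs `tar` inside the target
container (`tar cf - <path>` to copy out, `tar -xmf - [-C <dir>]` to copy in)
without allocating a TTY, and streams the archive through the API server.
The events below imitate Falco's JSON output (`output_fields`); the field
names are Falco's, every value is constructed for this example.
"""
import json
import re
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample events (shape of Falco JSON output, made-up values).
SAMPLE_EVENTS = [
    # kubectl cp api-6d8f9c:/app/config/secrets.yaml ./secrets.yaml -> tar cf -
    '{"output_fields":{"evt.type":"execve","proc.name":"tar",'
    '"proc.cmdline":"tar cf - /app/config/secrets.yaml","proc.tty":0,'
    '"container.id":"3f2a9c1e0b77","k8s.ns.name":"payments",'
    '"k8s.pod.name":"api-6d8f9c"}}',
    # kubectl cp ./tool api-6d8f9c:/tmp/tool -> tar -xmf - -C /tmp
    '{"output_fields":{"evt.type":"execve","proc.name":"tar",'
    '"proc.cmdline":"tar -xmf - -C /tmp","proc.tty":0,'
    '"container.id":"3f2a9c1e0b77","k8s.ns.name":"payments",'
    '"k8s.pod.name":"api-6d8f9c"}}',
    # Operator in an interactive shell (kubectl exec -it): a TTY is attached.
    '{"output_fields":{"evt.type":"execve","proc.name":"tar",'
    '"proc.cmdline":"tar cf - /var/log","proc.tty":34816,'
    '"container.id":"3f2a9c1e0b77","k8s.ns.name":"payments",'
    '"k8s.pod.name":"api-6d8f9c"}}',
    # Host process, outside any container.
    '{"output_fields":{"evt.type":"execve","proc.name":"tar",'
    '"proc.cmdline":"tar cf - /etc","proc.tty":0,"container.id":"host",'
    '"k8s.ns.name":"","k8s.pod.name":""}}',
    # Backup job archiving to a file rather than to stdout.
    '{"output_fields":{"evt.type":"execve","proc.name":"tar",'
    '"proc.cmdline":"tar cf /backup/db.tar /data","proc.tty":0,'
    '"container.id":"9b1d2e3f4a55","k8s.ns.name":"backups",'
    '"k8s.pod.name":"dump-0"}}',
]

# Copy-out: kubectl runs `tar cf - <path>` (archive written to stdout).
EXFIL = re.compile(r"^tar\s+-?cf\s+-\s+\S")
# Copy-in: kubectl runs `tar -xmf -` (extract from stdin), optionally `-C <dir>`.
INGRESS = re.compile(r"^tar\s+-xmf\s+-(\s|$)")


def classify(event: Dict, monitored_namespaces: Optional[Set[str]] = None) -> Optional[str]:
    """Return "exfiltration" or "ingress" for a kubectl-cp-shaped tar spawn, else None.

    monitored_namespaces narrows alerting to namespaces where kubectl cp is not
    expected (the allowlist idea behind a monitored-namespaces macro); None
    means every namespace is in scope.
    """
    f = event.get("output_fields", {})
    if f.get("evt.type") not in ("execve", "execveat") or f.get("proc.name") != "tar":
        return None
    if f.get("container.id", "host") == "host":
        return None  # host-side tar is not reachable through pods/exec
    if f.get("proc.tty", 0) != 0:
        return None  # kubectl cp never allocates a terminal; a TTY means a human shell
    if monitored_namespaces is not None and f.get("k8s.ns.name") not in monitored_namespaces:
        return None
    cmdline = f.get("proc.cmdline", "")
    if EXFIL.match(cmdline):
        return "exfiltration"
    if INGRESS.match(cmdline):
        return "ingress"
    return None


def scan(lines: Iterable[str], monitored_namespaces: Optional[Set[str]] = None) -> List[Dict]:
    """Parse Falco JSON lines and collect kubectl-cp findings (malformed lines are skipped)."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        direction = classify(event, monitored_namespaces)
        if direction:
            f = event["output_fields"]
            findings.append({
                "direction": direction,
                "namespace": f.get("k8s.ns.name"),
                "pod": f.get("k8s.pod.name"),
                "cmdline": f.get("proc.cmdline"),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The TTY check is what separates kubectl cp from a person running tar in an interactive exec session; the cmdline shape separates it from backup jobs that archive to a file.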

@poiana

poiana commented Aug 23, 2023

@incertum: The label(s) area/maturity-incubating cannot be applied, because the repository doesn't have them.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@github-actions

Rules files suggestions

falco_rules.yaml

Comparing 60ca6012d9daefdc6be7913ec425a5806561ed7e with latest tag falco-rules-1.0.1

Major changes:

  • Rule Disallowed SSH Connection has less tags than before
  • Rule Schedule Cron Jobs has less tags than before
  • Rule Update Package Repository has less tags than before
  • Rule Directory traversal monitored file read has less tags than before
  • Rule Read ssh information has less tags than before
  • Rule Read sensitive file trusted after startup has less tags than before
  • Rule Read sensitive file untrusted has less tags than before
  • Rule Modify binary dirs has less tags than before
  • Rule Change thread namespace has less tags than before
  • Rule Launch Privileged Container has less tags than before
  • Rule Launch Excessively Capable Container has less tags than before
  • Rule Launch Sensitive Mount Container has less tags than before
  • Rule System procs network activity has less tags than before
  • Rule Program run with disallowed http proxy env has less tags than before
  • Rule User mgmt binaries has less tags than before
  • Rule Create files below dev has less tags than before
  • Rule Contact EC2 Instance Metadata Service From Container has less tags than before
  • Rule Unexpected K8s NodePort Connection has been disabled at default
  • Rule Launch Suspicious Network Tool in Container has less tags than before
  • Rule Launch Suspicious Network Tool on Host has less tags than before
  • Rule Remove Bulk Data from Disk has less tags than before
  • Rule Set Setuid or Setgid bit has less tags than before
  • Rule Create Hidden Files or Directories has less tags than before
  • Rule Launch Remote File Copy Tools in Container has less tags than before
  • Rule Create Symlink Over Sensitive Files has less tags than before
  • Rule Create Hardlink Over Sensitive Files has less tags than before
  • Rule Detect outbound connections to common miner pool ports has less tags than before
  • Rule Detect crypto miners using the Stratum protocol has less tags than before
  • Rule Packet socket created in container has less tags than before
  • Rule Redirect STDOUT/STDIN to Network Connection in Container has less tags than before
  • Rule Linux Kernel Module Injection Detected has less tags than before
  • Rule Debugfs Launched in Privileged Container has less tags than before
  • Rule Mount Launched in Privileged Container has less tags than before
  • Rule Detect release_agent File Container Escapes has less tags than before
  • Rule Read environment variable from /proc files has less tags than before
  • Rule PTRACE attached to process has less tags than before
  • Rule Execution from /dev/shm has less tags than before

Minor changes:

  • Rule Exfiltrating Artifacts via Kubernetes Control Plane (kubectl cp) has been added
  • Macro monitored_containers_namespaces_kubectl_cp has been added
  • Macro system_level_side_effect_artifacts_kubectl_cp has been added

Patch changes:

  • Rule Disallowed SSH Connection changed its output fields
  • Rule Disallowed SSH Connection has more tags than before
  • Rule Unexpected outbound connection destination changed its output fields
  • Rule Unexpected outbound connection destination has more tags than before
  • Rule Unexpected inbound connection source changed its output fields
  • Rule Unexpected inbound connection source has more tags than before
  • Rule Modify Shell Configuration File changed its output fields
  • Rule Modify Shell Configuration File has more tags than before
  • Rule Read Shell Configuration File changed its output fields
  • Rule Read Shell Configuration File has more tags than before
  • Rule Schedule Cron Jobs changed its output fields
  • Rule Schedule Cron Jobs has more tags than before
  • Rule Update Package Repository changed its output fields
  • Rule Update Package Repository has more tags than before
  • Rule Write below binary dir changed its output fields
  • Rule Write below binary dir has more tags than before
  • Rule Write below monitored dir changed its output fields
  • Rule Write below monitored dir has more tags than before
  • Rule Directory traversal monitored file read changed its output fields
  • Rule Directory traversal monitored file read has more tags than before
  • Rule Read ssh information changed its output fields
  • Rule Read ssh information has more tags than before
  • Rule Write below etc changed its output fields
  • Rule Write below etc has more tags than before
  • Rule Write below root changed its output fields
  • Rule Write below root has more tags than before
  • Rule Read sensitive file trusted after startup changed its output fields
  • Rule Read sensitive file trusted after startup has more tags than before
  • Rule Read sensitive file untrusted changed its output fields
  • Rule Read sensitive file untrusted has more tags than before
  • Rule Write below rpm database changed its output fields
  • Rule Write below rpm database has more tags than before
  • Rule DB program spawned process changed its output fields
  • Rule DB program spawned process has more tags than before
  • Rule Modify binary dirs changed its output fields
  • Rule Modify binary dirs has more tags than before
  • Rule Mkdir binary dirs changed its output fields
  • Rule Mkdir binary dirs has more tags than before
  • Rule Change thread namespace changed its output fields
  • Rule Change thread namespace has more tags than before
  • Rule Run shell untrusted changed its output fields
  • Rule Run shell untrusted has more tags than before
  • Rule Run shell untrusted has a more urgent priority than before
  • Rule Launch Privileged Container changed its output fields
  • Rule Launch Privileged Container has more tags than before
  • Rule Launch Excessively Capable Container changed its output fields
  • Rule Launch Excessively Capable Container has more tags than before
  • Rule Launch Sensitive Mount Container changed its output fields
  • Rule Launch Sensitive Mount Container has more tags than before
  • Rule Launch Disallowed Container changed its output fields
  • Rule Launch Disallowed Container has more tags than before
  • Rule System user interactive changed its output fields
  • Rule System user interactive has more tags than before
  • Rule Terminal shell in container has more tags than before
  • Rule System procs network activity changed its output fields
  • Rule System procs network activity has more tags than before
  • Rule Program run with disallowed http proxy env changed its output fields
  • Rule Program run with disallowed http proxy env has more tags than before
  • Rule Interpreted procs inbound network activity changed its output fields
  • Rule Interpreted procs inbound network activity has more tags than before
  • Rule Interpreted procs outbound network activity changed its output fields
  • Rule Interpreted procs outbound network activity has more tags than before
  • Rule Unexpected UDP Traffic changed its output fields
  • Rule Unexpected UDP Traffic has more tags than before
  • Rule Non sudo setuid changed its output fields
  • Rule Non sudo setuid has more tags than before
  • Rule User mgmt binaries changed its output fields
  • Rule User mgmt binaries has more tags than before
  • Rule Create files below dev changed its output fields
  • Rule Create files below dev has more tags than before
  • Rule Contact EC2 Instance Metadata Service From Container changed its output fields
  • Rule Contact EC2 Instance Metadata Service From Container has more tags than before
  • Rule Contact cloud metadata service from container changed its output fields
  • Rule Contact cloud metadata service from container has more tags than before
  • Rule Contact K8S API Server From Container changed its output fields
  • Rule Contact K8S API Server From Container has more tags than before
  • Rule Unexpected K8s NodePort Connection changed its output fields
  • Rule Unexpected K8s NodePort Connection has more tags than before
  • Rule Launch Package Management Process in Container changed its output fields
  • Rule Launch Package Management Process in Container has more tags than before
  • Rule Netcat Remote Code Execution in Container changed its output fields
  • Rule Netcat Remote Code Execution in Container has more tags than before
  • Rule Launch Suspicious Network Tool in Container changed its output fields
  • Rule Launch Suspicious Network Tool in Container has more tags than before
  • Rule Launch Suspicious Network Tool on Host changed its output fields
  • Rule Launch Suspicious Network Tool on Host has more tags than before
  • Rule Search Private Keys or Passwords changed its output fields
  • Rule Search Private Keys or Passwords has more tags than before
  • Rule Clear Log Activities changed its output fields
  • Rule Clear Log Activities has more tags than before
  • Rule Remove Bulk Data from Disk changed its output fields
  • Rule Remove Bulk Data from Disk has more tags than before
  • Rule Delete or rename shell history changed its output fields
  • Rule Delete or rename shell history has more tags than before
  • Rule Delete Bash History changed its output fields
  • Rule Delete Bash History has more tags than before
  • Rule Set Setuid or Setgid bit changed its output fields
  • Rule Set Setuid or Setgid bit has more tags than before
  • Rule Create Hidden Files or Directories changed its output fields
  • Rule Create Hidden Files or Directories has more tags than before
  • Rule Launch Remote File Copy Tools in Container changed its output fields
  • Rule Launch Remote File Copy Tools in Container has more tags than before
  • Rule Create Symlink Over Sensitive Files changed its output fields
  • Rule Create Symlink Over Sensitive Files has more tags than before
  • Rule Create Hardlink Over Sensitive Files changed its output fields
  • Rule Create Hardlink Over Sensitive Files has more tags than before
  • Rule Detect outbound connections to common miner pool ports changed its output fields
  • Rule Detect outbound connections to common miner pool ports has more tags than before
  • Rule Detect crypto miners using the Stratum protocol changed its output fields
  • Rule Detect crypto miners using the Stratum protocol has more tags than before
  • Rule The docker client is executed in a container changed its output fields
  • Rule The docker client is executed in a container has more tags than before
  • Rule Packet socket created in container changed its output fields
  • Rule Packet socket created in container has more tags than before
  • Rule Network Connection outside Local Subnet changed its output fields
  • Rule Network Connection outside Local Subnet has more tags than before
  • Rule Outbound or Inbound Traffic not to Authorized Server Process and Port changed its output fields
  • Rule Outbound or Inbound Traffic not to Authorized Server Process and Port has more tags than before
  • Rule Redirect STDOUT/STDIN to Network Connection in Container changed its output fields
  • Rule Redirect STDOUT/STDIN to Network Connection in Container has more tags than before
  • Rule Container Drift Detected (chmod) changed its output fields
  • Rule Container Drift Detected (chmod) has more tags than before
  • Rule Container Drift Detected (open+create) changed its output fields
  • Rule Container Drift Detected (open+create) has more tags than before
  • Rule Outbound Connection to C2 Servers changed its output fields
  • Rule Outbound Connection to C2 Servers has more tags than before
  • Rule Linux Kernel Module Injection Detected changed its output fields
  • Rule Linux Kernel Module Injection Detected has more tags than before
  • Rule Container Run as Root User changed its output fields
  • Rule Container Run as Root User has more tags than before
  • Rule Sudo Potential Privilege Escalation changed its output fields
  • Rule Sudo Potential Privilege Escalation has more tags than before
  • Rule Debugfs Launched in Privileged Container changed its output fields
  • Rule Debugfs Launched in Privileged Container has more tags than before
  • Rule Mount Launched in Privileged Container changed its output fields
  • Rule Mount Launched in Privileged Container has more tags than before
  • Rule Unprivileged Delegation of Page Faults Handling to a Userspace Process changed its output fields
  • Rule Unprivileged Delegation of Page Faults Handling to a Userspace Process has more tags than before
  • Rule Launch Ingress Remote File Copy Tools in Container changed its output fields
  • Rule Launch Ingress Remote File Copy Tools in Container has more tags than before
  • Rule Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) changed its output fields
  • Rule Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) has more tags than before
  • Rule Detect release_agent File Container Escapes changed its output fields
  • Rule Detect release_agent File Container Escapes has more tags than before
  • Rule Java Process Class File Download changed its output fields
  • Rule Java Process Class File Download has more tags than before
  • Rule Modify Container Entrypoint changed its output fields
  • Rule Modify Container Entrypoint has more tags than before
  • Rule Read environment variable from /proc files changed its output fields
  • Rule Read environment variable from /proc files has more tags than before
  • Rule PTRACE attached to process changed its output fields
  • Rule PTRACE attached to process has more tags than before
  • Rule PTRACE anti-debug attempt changed its output fields
  • Rule PTRACE anti-debug attempt has more tags than before
  • Rule Find AWS Credentials changed its output fields
  • Rule Find AWS Credentials has more tags than before
  • Rule Execution from /dev/shm changed its output fields
  • Rule Execution from /dev/shm has more tags than before
  • Rule Drop and execute new binary in container changed its output fields
  • Rule Drop and execute new binary in container has more tags than before

@leogr
Member

leogr commented Aug 23, 2023

Just added the missing labels

/area maturity-incubating

poiana added the area/maturity-incubating label (see the Rules Maturity Framework) on Aug 23, 2023
incertum changed the title from "wip: new(rules): Exfiltrating Artifacts via Kubernetes Control Plane (kubectl cp)" to "new(rules): Exfiltrating Artifacts via Kubernetes Control Plane" on Aug 30, 2023
@github-actions

Rules files suggestions

falco_rules.yaml

Comparing f097b8683e7e0bf05000679a139da175bf3fd737 with latest tag falco-rules-1.0.1

Major changes:

  • Rule Delete Bash History has been removed
  • Macro consider_network_tools_on_host has been removed
  • Macro always_true has been removed
  • Rule Disallowed SSH Connection has less tags than before
  • Rule Schedule Cron Jobs has less tags than before
  • Rule Update Package Repository has less tags than before
  • Rule Directory traversal monitored file read has less tags than before
  • Rule Read ssh information has less tags than before
  • Rule Read sensitive file trusted after startup has less tags than before
  • Rule Read sensitive file untrusted has less tags than before
  • Rule Modify binary dirs has less tags than before
  • Rule Change thread namespace has less tags than before
  • Rule Launch Privileged Container has less tags than before
  • Rule Launch Excessively Capable Container has less tags than before
  • Rule Launch Sensitive Mount Container has less tags than before
  • Rule System procs network activity has less tags than before
  • Rule Program run with disallowed http proxy env has less tags than before
  • Rule User mgmt binaries has less tags than before
  • Rule Create files below dev has less tags than before
  • Rule Contact EC2 Instance Metadata Service From Container has less tags than before
  • Rule Unexpected K8s NodePort Connection has been disabled at default
  • Rule Launch Suspicious Network Tool in Container has less tags than before
  • Rule Launch Suspicious Network Tool on Host has been disabled at default
  • Rule Launch Suspicious Network Tool on Host has less tags than before
  • Rule Remove Bulk Data from Disk has less tags than before
  • Rule Set Setuid or Setgid bit has less tags than before
  • Rule Create Hidden Files or Directories has less tags than before
  • Rule Launch Remote File Copy Tools in Container has less tags than before
  • Rule Create Symlink Over Sensitive Files has less tags than before
  • Rule Create Hardlink Over Sensitive Files has less tags than before
  • Rule Detect outbound connections to common miner pool ports has less tags than before
  • Rule Detect crypto miners using the Stratum protocol has less tags than before
  • Rule Packet socket created in container has less tags than before
  • Rule Redirect STDOUT/STDIN to Network Connection in Container has less tags than before
  • Rule Linux Kernel Module Injection Detected has less tags than before
  • Rule Debugfs Launched in Privileged Container has less tags than before
  • Rule Mount Launched in Privileged Container has less tags than before
  • Rule Detect release_agent File Container Escapes has less tags than before
  • Rule Read environment variable from /proc files has less tags than before
  • Rule PTRACE attached to process has less tags than before
  • Rule Execution from /dev/shm has less tags than before

Minor changes:

  • Rule Exfiltrating Artifacts via Kubernetes Control Plane has been added
  • Macro system_level_side_effect_artifacts_kubectl_cp has been added

Patch changes:

  • Rule Disallowed SSH Connection changed its output fields
  • Rule Disallowed SSH Connection has more tags than before
  • Rule Unexpected outbound connection destination changed its output fields
  • Rule Unexpected outbound connection destination has more tags than before
  • Rule Unexpected inbound connection source changed its output fields
  • Rule Unexpected inbound connection source has more tags than before
  • Rule Modify Shell Configuration File changed its output fields
  • Rule Modify Shell Configuration File has more tags than before
  • Rule Read Shell Configuration File changed its output fields
  • Rule Read Shell Configuration File has more tags than before
  • Rule Schedule Cron Jobs changed its output fields
  • Rule Schedule Cron Jobs has more tags than before
  • Rule Update Package Repository changed its output fields
  • Rule Update Package Repository has more tags than before
  • Rule Write below binary dir changed its output fields
  • Rule Write below binary dir has more tags than before
  • Rule Write below monitored dir changed its output fields
  • Rule Write below monitored dir has more tags than before
  • Rule Directory traversal monitored file read changed its output fields
  • Rule Directory traversal monitored file read has more tags than before
  • Rule Read ssh information changed its output fields
  • Rule Read ssh information has more tags than before
  • Rule Write below etc changed its output fields
  • Rule Write below etc has more tags than before
  • Rule Write below root changed its output fields
  • Rule Write below root has more tags than before
  • Rule Read sensitive file trusted after startup changed its output fields
  • Rule Read sensitive file trusted after startup has more tags than before
  • Rule Read sensitive file untrusted changed its output fields
  • Rule Read sensitive file untrusted has more tags than before
  • Rule Write below rpm database changed its output fields
  • Rule Write below rpm database has more tags than before
  • Rule DB program spawned process changed its output fields
  • Rule DB program spawned process has more tags than before
  • Rule Modify binary dirs changed its output fields
  • Rule Modify binary dirs has more tags than before
  • Rule Mkdir binary dirs changed its output fields
  • Rule Mkdir binary dirs has more tags than before
  • Rule Change thread namespace changed its output fields
  • Rule Change thread namespace has more tags than before
  • Rule Run shell untrusted changed its output fields
  • Rule Run shell untrusted has more tags than before
  • Rule Run shell untrusted has a more urgent priority than before
  • Rule Launch Privileged Container changed its output fields
  • Rule Launch Privileged Container has more tags than before
  • Rule Launch Excessively Capable Container changed its output fields
  • Rule Launch Excessively Capable Container has more tags than before
  • Rule Launch Sensitive Mount Container changed its output fields
  • Rule Launch Sensitive Mount Container has more tags than before
  • Rule Launch Disallowed Container changed its output fields
  • Rule Launch Disallowed Container has more tags than before
  • Rule System user interactive changed its output fields
  • Rule System user interactive has more tags than before
  • Rule Terminal shell in container has more tags than before
  • Rule System procs network activity changed its output fields
  • Rule System procs network activity has more tags than before
  • Rule Program run with disallowed http proxy env changed its output fields
  • Rule Program run with disallowed http proxy env has more tags than before
  • Rule Interpreted procs inbound network activity changed its output fields
  • Rule Interpreted procs inbound network activity has more tags than before
  • Rule Interpreted procs outbound network activity changed its output fields
  • Rule Interpreted procs outbound network activity has more tags than before
  • Rule Unexpected UDP Traffic changed its output fields
  • Rule Unexpected UDP Traffic has more tags than before
  • Rule Non sudo setuid changed its output fields
  • Rule Non sudo setuid has more tags than before
  • Rule User mgmt binaries changed its output fields
  • Rule User mgmt binaries has more tags than before
  • Rule Create files below dev changed its output fields
  • Rule Create files below dev has more tags than before
  • Rule Contact EC2 Instance Metadata Service From Container changed its output fields
  • Rule Contact EC2 Instance Metadata Service From Container has more tags than before
  • Rule Contact cloud metadata service from container has been enabled at default
  • Rule Contact cloud metadata service from container changed its output fields
  • Rule Contact cloud metadata service from container has more tags than before
  • Rule Contact K8S API Server From Container changed its output fields
  • Rule Contact K8S API Server From Container has more tags than before
  • Rule Unexpected K8s NodePort Connection changed its output fields
  • Rule Unexpected K8s NodePort Connection has more tags than before
  • Rule Launch Package Management Process in Container changed its output fields
  • Rule Launch Package Management Process in Container has more tags than before
  • Rule Netcat Remote Code Execution in Container changed its output fields
  • Rule Netcat Remote Code Execution in Container has more tags than before
  • Rule Launch Suspicious Network Tool in Container changed its output fields
  • Rule Launch Suspicious Network Tool in Container has more tags than before
  • Rule Launch Suspicious Network Tool on Host changed its output fields
  • Rule Launch Suspicious Network Tool on Host has more tags than before
  • Rule Search Private Keys or Passwords changed its output fields
  • Rule Search Private Keys or Passwords has more tags than before
  • Rule Clear Log Activities changed its output fields
  • Rule Clear Log Activities has more tags than before
  • Rule Remove Bulk Data from Disk changed its output fields
  • Rule Remove Bulk Data from Disk has more tags than before
  • Rule Delete or rename shell history changed its output fields
  • Rule Delete or rename shell history has more tags than before
  • Rule Set Setuid or Setgid bit changed its output fields
  • Rule Set Setuid or Setgid bit has more tags than before
  • Rule Create Hidden Files or Directories changed its output fields
  • Rule Create Hidden Files or Directories has more tags than before
  • Rule Launch Remote File Copy Tools in Container changed its output fields
  • Rule Launch Remote File Copy Tools in Container has more tags than before
  • Rule Create Symlink Over Sensitive Files changed its output fields
  • Rule Create Symlink Over Sensitive Files has more tags than before
  • Rule Create Hardlink Over Sensitive Files changed its output fields
  • Rule Create Hardlink Over Sensitive Files has more tags than before
  • Rule Detect outbound connections to common miner pool ports changed its output fields
  • Rule Detect outbound connections to common miner pool ports has more tags than before
  • Rule Detect crypto miners using the Stratum protocol changed its output fields
  • Rule Detect crypto miners using the Stratum protocol has more tags than before
  • Rule The docker client is executed in a container changed its output fields
  • Rule The docker client is executed in a container has more tags than before
  • Rule Packet socket created in container changed its output fields
  • Rule Packet socket created in container has more tags than before
  • Rule Network Connection outside Local Subnet changed its output fields
  • Rule Network Connection outside Local Subnet has more tags than before
  • Rule Outbound or Inbound Traffic not to Authorized Server Process and Port changed its output fields
  • Rule Outbound or Inbound Traffic not to Authorized Server Process and Port has more tags than before
  • Rule Redirect STDOUT/STDIN to Network Connection in Container changed its output fields
  • Rule Redirect STDOUT/STDIN to Network Connection in Container has more tags than before
  • Rule Container Drift Detected (chmod) changed its output fields
  • Rule Container Drift Detected (chmod) has more tags than before
  • Rule Container Drift Detected (open+create) changed its output fields
  • Rule Container Drift Detected (open+create) has more tags than before
  • Rule Outbound Connection to C2 Servers changed its output fields
  • Rule Outbound Connection to C2 Servers has more tags than before
  • Rule Linux Kernel Module Injection Detected changed its output fields
  • Rule Linux Kernel Module Injection Detected has more tags than before
  • Rule Container Run as Root User changed its output fields
  • Rule Container Run as Root User has more tags than before
  • Rule Sudo Potential Privilege Escalation changed its output fields
  • Rule Sudo Potential Privilege Escalation has more tags than before
  • Rule Debugfs Launched in Privileged Container changed its output fields
  • Rule Debugfs Launched in Privileged Container has more tags than before
  • Rule Mount Launched in Privileged Container changed its output fields
  • Rule Mount Launched in Privileged Container has more tags than before
  • Rule Unprivileged Delegation of Page Faults Handling to a Userspace Process changed its output fields
  • Rule Unprivileged Delegation of Page Faults Handling to a Userspace Process has more tags than before
  • Rule Launch Ingress Remote File Copy Tools in Container changed its output fields
  • Rule Launch Ingress Remote File Copy Tools in Container has more tags than before
  • Rule Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) changed its output fields
  • Rule Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) has more tags than before
  • Rule Detect release_agent File Container Escapes changed its output fields
  • Rule Detect release_agent File Container Escapes has more tags than before
  • Rule Java Process Class File Download changed its output fields
  • Rule Java Process Class File Download has more tags than before
  • Rule Modify Container Entrypoint changed its output fields
  • Rule Modify Container Entrypoint has more tags than before
  • Rule Read environment variable from /proc files changed its output fields
  • Rule Read environment variable from /proc files has more tags than before
  • Rule PTRACE attached to process changed its output fields
  • Rule PTRACE attached to process has more tags than before
  • Rule PTRACE anti-debug attempt changed its output fields
  • Rule PTRACE anti-debug attempt has more tags than before
  • Rule Find AWS Credentials changed its output fields
  • Rule Find AWS Credentials has more tags than before
  • Rule Execution from /dev/shm changed its output fields
  • Rule Execution from /dev/shm has more tags than before
  • Rule Drop and execute new binary in container changed its output fields
  • Rule Drop and execute new binary in container has more tags than before

1 similar comment
@github-actions

Rules files suggestions

falco_rules.yaml

Comparing f097b8683e7e0bf05000679a139da175bf3fd737 with latest tag falco-rules-1.0.1

Major changes:

  • Rule Delete Bash History has been removed
  • Macro consider_network_tools_on_host has been removed
  • Macro always_true has been removed
  • Rule Disallowed SSH Connection has less tags than before
  • Rule Schedule Cron Jobs has less tags than before
  • Rule Update Package Repository has less tags than before
  • Rule Directory traversal monitored file read has less tags than before
  • Rule Read ssh information has less tags than before
  • Rule Read sensitive file trusted after startup has less tags than before
  • Rule Read sensitive file untrusted has less tags than before
  • Rule Modify binary dirs has less tags than before
  • Rule Change thread namespace has less tags than before
  • Rule Launch Privileged Container has less tags than before
  • Rule Launch Excessively Capable Container has less tags than before
  • Rule Launch Sensitive Mount Container has less tags than before
  • Rule System procs network activity has less tags than before
  • Rule Program run with disallowed http proxy env has less tags than before
  • Rule User mgmt binaries has less tags than before
  • Rule Create files below dev has less tags than before
  • Rule Contact EC2 Instance Metadata Service From Container has less tags than before
  • Rule Unexpected K8s NodePort Connection has been disabled at default
  • Rule Launch Suspicious Network Tool in Container has less tags than before
  • Rule Launch Suspicious Network Tool on Host has been disabled at default
  • Rule Launch Suspicious Network Tool on Host has less tags than before
  • Rule Remove Bulk Data from Disk has less tags than before
  • Rule Set Setuid or Setgid bit has less tags than before
  • Rule Create Hidden Files or Directories has less tags than before
  • Rule Launch Remote File Copy Tools in Container has less tags than before
  • Rule Create Symlink Over Sensitive Files has less tags than before
  • Rule Create Hardlink Over Sensitive Files has less tags than before
  • Rule Detect outbound connections to common miner pool ports has less tags than before
  • Rule Detect crypto miners using the Stratum protocol has less tags than before
  • Rule Packet socket created in container has less tags than before
  • Rule Redirect STDOUT/STDIN to Network Connection in Container has less tags than before
  • Rule Linux Kernel Module Injection Detected has less tags than before
  • Rule Debugfs Launched in Privileged Container has less tags than before
  • Rule Mount Launched in Privileged Container has less tags than before
  • Rule Detect release_agent File Container Escapes has less tags than before
  • Rule Read environment variable from /proc files has less tags than before
  • Rule PTRACE attached to process has less tags than before
  • Rule Execution from /dev/shm has less tags than before

Minor changes:

  • Rule Exfiltrating Artifacts via Kubernetes Control Plane has been added
  • Macro system_level_side_effect_artifacts_kubectl_cp has been added

Patch changes:

  • Rule Disallowed SSH Connection changed its output fields
  • Rule Disallowed SSH Connection has more tags than before
  • Rule Unexpected outbound connection destination changed its output fields
  • Rule Unexpected outbound connection destination has more tags than before
  • Rule Unexpected inbound connection source changed its output fields
  • Rule Unexpected inbound connection source has more tags than before
  • Rule Modify Shell Configuration File changed its output fields
  • Rule Modify Shell Configuration File has more tags than before
  • Rule Read Shell Configuration File changed its output fields
  • Rule Read Shell Configuration File has more tags than before
  • Rule Schedule Cron Jobs changed its output fields
  • Rule Schedule Cron Jobs has more tags than before
  • Rule Update Package Repository changed its output fields
  • Rule Update Package Repository has more tags than before
  • Rule Write below binary dir changed its output fields
  • Rule Write below binary dir has more tags than before
  • Rule Write below monitored dir changed its output fields
  • Rule Write below monitored dir has more tags than before
  • Rule Directory traversal monitored file read changed its output fields
  • Rule Directory traversal monitored file read has more tags than before
  • Rule Read ssh information changed its output fields
  • Rule Read ssh information has more tags than before
  • Rule Write below etc changed its output fields
  • Rule Write below etc has more tags than before
  • Rule Write below root changed its output fields
  • Rule Write below root has more tags than before
  • Rule Read sensitive file trusted after startup changed its output fields
  • Rule Read sensitive file trusted after startup has more tags than before
  • Rule Read sensitive file untrusted changed its output fields
  • Rule Read sensitive file untrusted has more tags than before
  • Rule Write below rpm database changed its output fields
  • Rule Write below rpm database has more tags than before
  • Rule DB program spawned process changed its output fields
  • Rule DB program spawned process has more tags than before
  • Rule Modify binary dirs changed its output fields
  • Rule Modify binary dirs has more tags than before
  • Rule Mkdir binary dirs changed its output fields
  • Rule Mkdir binary dirs has more tags than before
  • Rule Change thread namespace changed its output fields
  • Rule Change thread namespace has more tags than before
  • Rule Run shell untrusted changed its output fields
  • Rule Run shell untrusted has more tags than before
  • Rule Run shell untrusted has a more urgent priority than before
  • Rule Launch Privileged Container changed its output fields
  • Rule Launch Privileged Container has more tags than before
  • Rule Launch Excessively Capable Container changed its output fields
  • Rule Launch Excessively Capable Container has more tags than before
  • Rule Launch Sensitive Mount Container changed its output fields
  • Rule Launch Sensitive Mount Container has more tags than before
  • Rule Launch Disallowed Container changed its output fields
  • Rule Launch Disallowed Container has more tags than before
  • Rule System user interactive changed its output fields
  • Rule System user interactive has more tags than before
  • Rule Terminal shell in container has more tags than before
  • Rule System procs network activity changed its output fields
  • Rule System procs network activity has more tags than before
  • Rule Program run with disallowed http proxy env changed its output fields
  • Rule Program run with disallowed http proxy env has more tags than before
  • Rule Interpreted procs inbound network activity changed its output fields
  • Rule Interpreted procs inbound network activity has more tags than before
  • Rule Interpreted procs outbound network activity changed its output fields
  • Rule Interpreted procs outbound network activity has more tags than before
  • Rule Unexpected UDP Traffic changed its output fields
  • Rule Unexpected UDP Traffic has more tags than before
  • Rule Non sudo setuid changed its output fields
  • Rule Non sudo setuid has more tags than before
  • Rule User mgmt binaries changed its output fields
  • Rule User mgmt binaries has more tags than before
  • Rule Create files below dev changed its output fields
  • Rule Create files below dev has more tags than before
  • Rule Contact EC2 Instance Metadata Service From Container changed its output fields
  • Rule Contact EC2 Instance Metadata Service From Container has more tags than before
  • Rule Contact cloud metadata service from container has been enabled at default
  • Rule Contact cloud metadata service from container changed its output fields
  • Rule Contact cloud metadata service from container has more tags than before
  • Rule Contact K8S API Server From Container changed its output fields
  • Rule Contact K8S API Server From Container has more tags than before
  • Rule Unexpected K8s NodePort Connection changed its output fields
  • Rule Unexpected K8s NodePort Connection has more tags than before
  • Rule Launch Package Management Process in Container changed its output fields
  • Rule Launch Package Management Process in Container has more tags than before
  • Rule Netcat Remote Code Execution in Container changed its output fields
  • Rule Netcat Remote Code Execution in Container has more tags than before
  • Rule Launch Suspicious Network Tool in Container changed its output fields
  • Rule Launch Suspicious Network Tool in Container has more tags than before
  • Rule Launch Suspicious Network Tool on Host changed its output fields
  • Rule Launch Suspicious Network Tool on Host has more tags than before
  • Rule Search Private Keys or Passwords changed its output fields
  • Rule Search Private Keys or Passwords has more tags than before
  • Rule Clear Log Activities changed its output fields
  • Rule Clear Log Activities has more tags than before
  • Rule Remove Bulk Data from Disk changed its output fields
  • Rule Remove Bulk Data from Disk has more tags than before
  • Rule Delete or rename shell history changed its output fields
  • Rule Delete or rename shell history has more tags than before
  • Rule Set Setuid or Setgid bit changed its output fields
  • Rule Set Setuid or Setgid bit has more tags than before
  • Rule Create Hidden Files or Directories changed its output fields
  • Rule Create Hidden Files or Directories has more tags than before
  • Rule Launch Remote File Copy Tools in Container changed its output fields
  • Rule Launch Remote File Copy Tools in Container has more tags than before
  • Rule Create Symlink Over Sensitive Files changed its output fields
  • Rule Create Symlink Over Sensitive Files has more tags than before
  • Rule Create Hardlink Over Sensitive Files changed its output fields
  • Rule Create Hardlink Over Sensitive Files has more tags than before
  • Rule Detect outbound connections to common miner pool ports changed its output fields
  • Rule Detect outbound connections to common miner pool ports has more tags than before
  • Rule Detect crypto miners using the Stratum protocol changed its output fields
  • Rule Detect crypto miners using the Stratum protocol has more tags than before
  • Rule The docker client is executed in a container changed its output fields
  • Rule The docker client is executed in a container has more tags than before
  • Rule Packet socket created in container changed its output fields
  • Rule Packet socket created in container has more tags than before
  • Rule Network Connection outside Local Subnet changed its output fields
  • Rule Network Connection outside Local Subnet has more tags than before
  • Rule Outbound or Inbound Traffic not to Authorized Server Process and Port changed its output fields
  • Rule Outbound or Inbound Traffic not to Authorized Server Process and Port has more tags than before
  • Rule Redirect STDOUT/STDIN to Network Connection in Container changed its output fields
  • Rule Redirect STDOUT/STDIN to Network Connection in Container has more tags than before
  • Rule Container Drift Detected (chmod) changed its output fields
  • Rule Container Drift Detected (chmod) has more tags than before
  • Rule Container Drift Detected (open+create) changed its output fields
  • Rule Container Drift Detected (open+create) has more tags than before
  • Rule Outbound Connection to C2 Servers changed its output fields
  • Rule Outbound Connection to C2 Servers has more tags than before
  • Rule Linux Kernel Module Injection Detected changed its output fields
  • Rule Linux Kernel Module Injection Detected has more tags than before
  • Rule Container Run as Root User changed its output fields
  • Rule Container Run as Root User has more tags than before
  • Rule Sudo Potential Privilege Escalation changed its output fields
  • Rule Sudo Potential Privilege Escalation has more tags than before
  • Rule Debugfs Launched in Privileged Container changed its output fields
  • Rule Debugfs Launched in Privileged Container has more tags than before
  • Rule Mount Launched in Privileged Container changed its output fields
  • Rule Mount Launched in Privileged Container has more tags than before
  • Rule Unprivileged Delegation of Page Faults Handling to a Userspace Process changed its output fields
  • Rule Unprivileged Delegation of Page Faults Handling to a Userspace Process has more tags than before
  • Rule Launch Ingress Remote File Copy Tools in Container changed its output fields
  • Rule Launch Ingress Remote File Copy Tools in Container has more tags than before
  • Rule Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) changed its output fields
  • Rule Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) has more tags than before
  • Rule Detect release_agent File Container Escapes changed its output fields
  • Rule Detect release_agent File Container Escapes has more tags than before
  • Rule Java Process Class File Download changed its output fields
  • Rule Java Process Class File Download has more tags than before
  • Rule Modify Container Entrypoint changed its output fields
  • Rule Modify Container Entrypoint has more tags than before
  • Rule Read environment variable from /proc files changed its output fields
  • Rule Read environment variable from /proc files has more tags than before
  • Rule PTRACE attached to process changed its output fields
  • Rule PTRACE attached to process has more tags than before
  • Rule PTRACE anti-debug attempt changed its output fields
  • Rule PTRACE anti-debug attempt has more tags than before
  • Rule Find AWS Credentials changed its output fields
  • Rule Find AWS Credentials has more tags than before
  • Rule Execution from /dev/shm changed its output fields
  • Rule Execution from /dev/shm has more tags than before
  • Rule Drop and execute new binary in container changed its output fields
  • Rule Drop and execute new binary in container has more tags than before

@leogr
Member

leogr commented Sep 5, 2023

Hey @incertum

could you rebase this PR, please?

@incertum incertum force-pushed the kubectl-cp-rule branch 2 times, most recently from 042302b to d7a039d, September 7, 2023 13:41
Contributor

@darryk10 darryk10 left a comment

Hi @incertum I agree on the use case and it's something we need in the ruleset. I also agree on keeping the rule in incubating level and disable by default for now. Let's evaluate the noise.
LGTM!

@poiana

poiana commented Sep 12, 2023

LGTM label has been added.

Git tree hash: 5e8154ca31c0edc8b0be016dcc62475b61085e23

@poiana

poiana commented Sep 14, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: darryk10, incertum, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana merged commit 37005e8 into falcosecurity:main Sep 14, 2023
6 checks passed
4 participants