cleanup(rules); transition rule 'BPF Program Not Profiled' to maturit…

…y incubating Signed-off-by: Melissa Kilby <[email protected]>
falcosecurity · May 19, 2024 · 3157249 · 3157249
1 parent 29c41c4
commit 3157249
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 21 deletions.
diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml
@@ -1284,3 +1284,24 @@
   output: SSHD loaded a backdoored version of liblzma library %fd.name with parent %proc.pname and cmdline %proc.cmdline (process=%proc.name parent=%proc.pname file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid proc_exepath=%proc.exepath command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
   priority: WARNING
   tags: [maturity_incubating, host, container]
+
+- list: bpf_profiled_binaries
+  items: [falco, bpftool, systemd]
+
+- macro: bpf_profiled_procs
+  condition: (proc.name in (bpf_profiled_binaries))
+
+- rule: BPF Program Not Profiled
+  desc: > 
+    BPF is a kernel technology that can be misused for malicious purposes, like "Linux Kernel Module Injection". This 
+    rule should be considered an auditing rule to notify you of any unprofiled BPF tools running in your environment. 
+    However, it requires customization after profiling your environment. BPF-powered agents make bpf syscalls all the 
+    time, so this rule only sends logs for BPF_PROG_LOAD calls (bpf cmd=BPF_PROG_LOAD) in the enter event. If you also want to log 
+    whether the syscall failed or succeeded, remove the direction filter and add the evt.arg.res_or_fd output field.
+  condition: >
+    evt.type=bpf and evt.dir=> 
+    and evt.arg.cmd=BPF_PROG_LOAD
+    and not bpf_profiled_procs
+  output: BPF Program Not Profiled (bpf_cmd=%evt.arg.cmd evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
+  priority: NOTICE
+  tags: [maturity_sandbox, host, container, mitre_persistence, TA0003]
diff --git a/rules/falco-sandbox_rules.yaml b/rules/falco-sandbox_rules.yaml
@@ -1706,27 +1706,6 @@
   priority: WARNING
   tags: [maturity_sandbox, container, filesystem, mitre_initial_access, T1611]
 
-- list: bpf_profiled_binaries
-  items: [falco, bpftool, systemd]
-
-- macro: bpf_profiled_procs
-  condition: (proc.name in (bpf_profiled_binaries))
-
-- rule: BPF Program Not Profiled
-  desc: > 
-    BPF is a kernel technology that can be misused for malicious purposes, like "Linux Kernel Module Injection". This 
-    rule should be considered an auditing rule to notify you of any unprofiled BPF tools running in your environment. 
-    However, it requires customization after profiling your environment. BPF-powered agents make bpf syscalls all the 
-    time, so this rule only sends logs for BPF_PROG_LOAD calls (bpf cmd=5) in the enter event. If you also want to log 
-    whether the syscall failed or succeeded, remove the direction filter and add the evt.arg.res_or_fd output field.
-  condition: >
-    evt.type=bpf and evt.dir=> 
-    and evt.arg.cmd=BPF_PROG_LOAD
-    and not bpf_profiled_procs
-  output: BPF Program Not Profiled (bpf_cmd=%evt.arg.cmd evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
-  priority: NOTICE
-  tags: [maturity_sandbox, host, container, mitre_persistence, TA0003]
-
 - list: known_decode_payload_containers
   items: []