updated falco rules files

Signed-off-by: h4l0gen <[email protected]>
falcosecurity · Mar 22, 2024 · 49c2cb1 · 49c2cb1
1 parent bbded34
commit 49c2cb1
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 26 deletions.
diff --git a/rules/falco-deprecated_rules.yaml b/rules/falco-deprecated_rules.yaml
@@ -32,7 +32,7 @@
 
 # Starting with version 8, the Falco engine supports exceptions.
 # However the Falco rules file does not use them by default.
----
+
 required_engine_version: '0.31.0'
 
 # This macro `never_true` is used as placeholder for

diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml
@@ -319,7 +319,8 @@
     terminal=%proc.tty %container.info)
   priority:
     WARNING
-  tags: [maturity_incubating, host, container, filesystem, mitre_persistence,
+  tags: [
+    maturity_incubating, host, container, filesystem, mitre_persistence,
     T1546.004]
 
 - macro: user_known_cron_jobs
@@ -1000,7 +1001,7 @@
     and not run_by_sumologic_securefiles
     and not run_by_yum
     and not run_by_ms_oms
-    and not run_by_google_accounts_daemon 
+    and not run_by_google_accounts_daemon
     and not chage_list
     and not user_known_user_management_activities
   output: User management binary command run outside of container
@@ -1077,7 +1078,8 @@
     user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath
     parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
   priority: NOTICE
-  tags: [maturity_incubating, network, aws, container, mitre_credential_access,
+  tags: [
+    maturity_incubating, network, aws, container, mitre_credential_access,
     T1552.005]
 
 # This rule is not enabled by default, since this rule is for
@@ -1111,7 +1113,8 @@
   tags: [maturity_incubating, network, container, mitre_discovery, T1565]
 
 - list: network_tool_binaries
-  items: [nc, ncat, netcat, nmap, dig, tcpdump, tshark, ngrep, telnet,
+  items: [
+    nc, ncat, netcat, nmap, dig, tcpdump, tshark, ngrep, telnet,
     mitmproxy, socat, zmap]
 
 - macro: network_tool_procs
@@ -1298,7 +1301,8 @@
     parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
   priority:
     NOTICE
-  tags: [maturity_incubating, host, container, process, users,
+  tags: [
+    maturity_incubating, host, container, process, users,
     mitre_privilege_escalation, T1548.001]
 
 - list: remote_file_copy_binaries

diff --git a/rules/falco-sandbox_rules.yaml b/rules/falco-sandbox_rules.yaml
@@ -1920,7 +1920,8 @@
     proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline
     terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
   priority: CRITICAL
-  tags: [maturity_sandbox, host, container, filesystem, users,
+  tags: [
+    maturity_sandbox, host, container, filesystem, users,
     mitre_privilege_escalation, T1548.003]
 
 - list: user_known_userfaultfd_processes
@@ -1996,8 +1997,8 @@
 - list: docker_binaries
   items: [
     docker, dockerd, containerd-shim, "runc:[1:CHILD]", pause, exe,
-     docker-compose, docker-entrypoi, docker-runc-cur, docker-current,
-     dockerd-current]
+    docker-compose, docker-entrypoi, docker-runc-cur, docker-current,
+    dockerd-current]
 
 - macro: docker_procs
   condition: proc.name in (docker_binaries)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -198,7 +198,8 @@
          abrt-action-sav, rpmdb_stat, microdnf, rhn_check, yumdb]
 
 - list: deb_binaries
-  items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt,
+  items: [
+    dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt,
     apt-get, aptitude, frontend, preinst, add-apt-reposit, apt-auto-remova,
     apt-key, apt-listchanges, unattended-upgr, apt-add-reposit, apt-cache,
     apt.systemd.dai
@@ -209,7 +210,8 @@
 # The truncated dpkg-preconfigu is intentional, process names are
 # truncated at the falcosecurity-libs level.
 - list: package_mgmt_binaries
-  items: [rpm_binaries, deb_binaries, update-alternat, gem, npm,
+  items: [
+    rpm_binaries, deb_binaries, update-alternat, gem, npm,
     python_package_managers,
     sane-utils.post, alternatives, chef-client, apk, snapd]
 
@@ -250,8 +252,8 @@
   ]
 
 - list: sensitive_file_names
-  items: >
-    [/etc/shadow, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]
+  items: [
+    /etc/shadow, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]
 
 - list: sensitive_directory_names
   items: [/, /etc, /etc/, /root, /root/]
@@ -305,7 +307,7 @@
 
 - macro: ansible_running_python
   condition: >
-  (proc.name in (python, pypy, python3) and proc.cmdline contains ansible)
+    (proc.name in (python, pypy, python3) and proc.cmdline contains ansible)
 
 # Qualys seems to run a variety of shell subprocesses, at various
 # levels. This checks at a few levels without the cost of a full
@@ -766,7 +768,8 @@ condition: >
     command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
     %container.info)
   priority: NOTICE
-  tags: [maturity_stable, host, container, process, shell,
+  tags: [
+    maturity_stable, host, container, process, shell,
     mitre_execution, T1059.004]
 
 # These images are allowed both to run with --privileged and to mount
@@ -780,7 +783,8 @@ condition: >
   items: []
 
 - list: sematext_images
-  items: [docker.io/sematext/sematext-agent-docker,
+  items: [
+    docker.io/sematext/sematext-agent-docker,
     docker.io/sematext/agent,
     docker.io/sematext/logagent,
     registry.access.redhat.com/sematext/sematext-agent-docker,
@@ -894,7 +898,8 @@ condition: >
      parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
      exe_flags=%evt.arg.flags %container.info)
   priority: INFO
-  tags: [maturity_stable, host, container, users, mitre_execution,
+  tags: [
+    maturity_stable, host, container, users, mitre_execution,
     T1059, NIST_800-53_AC-2]
 
 # In some cases, a shell is expected to be run in a container.
@@ -1133,14 +1138,14 @@ condition: >
   priority:
     WARNING
   tags: [maturity_stable, host, container, process,
-        filesystem, mitre_credential_access, T1552.001]
+         filesystem, mitre_credential_access, T1552.001]
 
 - list: log_directories
   items: [/var/log, /dev/log]
 
 - list: log_files
   items: [syslog, auth.log, secure, kern.log, cron, user.log,
-         dpkg.log, last.log, yum.log, access_log, mysql.log, mysqld.log]
+          dpkg.log, last.log, yum.log, access_log, mysql.log, mysqld.log]
 
 - macro: access_log_files
   condition: (fd.directory in (log_directories) or fd.filename in (log_files))
@@ -1191,7 +1196,7 @@ condition: >
   priority:
     WARNING
   tags: [maturity_stable, host, container, filesystem,
-        mitre_defense_evasion, T1070, NIST_800-53_AU-10]
+         mitre_defense_evasion, T1070, NIST_800-53_AU-10]
 
 - list: data_remove_commands
   items: [shred, mkfs, mke2fs]
@@ -1220,7 +1225,7 @@ condition: >
   priority:
     WARNING
   tags: [maturity_stable, host, container, process, filesystem, mitre_impact,
-    T1485]
+         T1485]
 
 - rule: Create Symlink Over Sensitive Files
   desc: >
@@ -1239,7 +1244,7 @@ condition: >
     command=%proc.cmdline terminal=%proc.tty %container.info)
   priority: WARNING
   tags: [maturity_stable, host, container, filesystem, mitre_credential_access,
-    T1555]
+         T1555]
 
 - rule: Create Hardlink Over Sensitive Files
   desc: >
@@ -1257,7 +1262,7 @@ condition: >
     command=%proc.cmdline terminal=%proc.tty %container.info)
   priority: WARNING
   tags: [maturity_stable, host, container, filesystem, mitre_credential_access,
-    T1555]
+         T1555]
 
 - list: user_known_packet_socket_binaries
   items: []
@@ -1372,7 +1377,7 @@ condition: >
     exe_flags=%evt.arg.flags %container.info)
   priority: WARNING
   tags: [maturity_stable, container, cis, process,
-    mitre_privilege_escalation, T1611]
+         mitre_privilege_escalation, T1611]
 
 - rule: Detect release_agent File Container Escapes
   desc: >
@@ -1393,10 +1398,11 @@ condition: >
     command=%proc.cmdline terminal=%proc.tty %container.info)
   priority: CRITICAL
   tags: [maturity_stable, container, process, mitre_privilege_escalation,
-    T1611]
+         T1611]
 
 - list: docker_binaries
-  items: [docker, dockerd, containerd-shim, "runc:[1:CHILD]", pause, exe,
+  items: [
+    docker, dockerd, containerd-shim, "runc:[1:CHILD]", pause, exe,
     docker-compose, docker-entrypoi, docker-runc-cur, docker-current,
     dockerd-current]