changes according to line-length<130 and modifiers are removed

Signed-off-by: h4l0gen <[email protected]>
falcosecurity · Jun 30, 2024 · 81a4b92 · 81a4b92
1 parent 1a5a515
commit 81a4b92
Show file tree

Hide file tree

Showing 4 changed files with 1,172 additions and 1,959 deletions.
diff --git a/rules/falco-deprecated_rules.yaml b/rules/falco-deprecated_rules.yaml
@@ -20,15 +20,13 @@
 # The initial item in the `tags` fields reflects the maturity level of
 # the rules introduced upon the proposal
 # Proposal: Rules Adoption Management Maturity Framework
-# URL: https://github.com/falcosecurity/rules/blob/main/
-# proposals/20230605-rules-adoption-management-maturity-framework.md
+# URL: https://github.com/falcosecurity/rules/blob/main/proposals/20230605-rules-adoption-management-maturity-framework.md
 # `tags` fields also include information about the type of
 # workload inspection (host and/or container), and Mitre Attack killchain
 # phases and Mitre TTP code(s)
 # Mitre Attack References:
 # [1] https://attack.mitre.org/tactics/enterprise/
-# [2] https://raw.githubusercontent.com/mitre/cti/master/
-#     enterprise-attack/enterprise-attack.json
+# [2] https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json
 
 # Starting with version 8, the Falco engine supports exceptions.
 # However the Falco rules file does not use them by default.
@@ -55,23 +53,22 @@
   items: ['"10.0.0.0/8"', '"172.16.0.0/12"', '"192.168.0.0/16"']
 
 - macro: outbound
-  condition: >
+  condition:
     (((evt.type = connect and evt.dir=<) or
-      (evt.type in (sendto,sendmsg) and evt.dir=< and
-      fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
-    (fd.typechar = 4 or fd.typechar = 6) and
-    (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8" and
-      not fd.snet in (rfc_1918_addresses)) and
-    (evt.rawres >= 0 or evt.res = EINPROGRESS))
+      (evt.type in (sendto,sendmsg) and evt.dir=< and fd.l4proto != tcp and
+       fd.connected=false and fd.name_changed=true)) and
+     (fd.typechar = 4 or fd.typechar = 6) and
+     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and
+     (evt.rawres >= 0 or evt.res = EINPROGRESS))
 
 # Very similar to inbound/outbound, but combines the tests together
 # for efficiency.
 - macro: inbound_outbound
-  condition: >
+  condition:
     ((((evt.type in (accept,accept4,listen,connect) and evt.dir=<)) and
-    (fd.typechar = 4 or fd.typechar = 6)) and
-    (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
-    (evt.rawres >= 0 or evt.res = EINPROGRESS))
+      (fd.typechar = 4 or fd.typechar = 6)) and
+     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
+     (evt.rawres >= 0 or evt.res = EINPROGRESS))
 
 - macro: ssh_port
   condition: (fd.sport=22)
@@ -90,30 +87,22 @@
   condition: (never_true)
 
 - rule: Disallowed SSH Connection
-  desc: >
-    Detect any new SSH connection on port 22 to a host other than
-    those in an allowed list of hosts. This rule absolutely requires
-    profiling your environment beforehand. Network-based rules are extremely
-    crucial in any security program, as they can often provide the only
-    definitive evidence. However, effectively operationalizing them can be
-    challenging due to the potential for noise.
-  condition: >
+  desc:
+    Detect any new SSH connection on port 22 to a host other than those in an allowed list of hosts. This rule absolutely requires
+    profiling your environment beforehand. Network-based rules are extremely crucial in any security program, as they can often
+    provide the only definitive evidence. However, effectively operationalizing them can be challenging due to the potential for
+    noise.
+  condition:
     inbound_outbound
     and ssh_port
     and not allowed_ssh_hosts
   enabled: false
-  output: >
-    Disallowed SSH Connection
-    (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type
-    fd_proto=fd.l4proto evt_type=%evt.type user=%user.name
-    user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name
-    proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline
-    terminal=%proc.tty %container.info)
+  output: Disallowed SSH Connection
+    (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type user=%user.name
+    user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname
+    command=%proc.cmdline terminal=%proc.tty %container.info)
   priority: NOTICE
-  tags: [
-    maturity_deprecated, host, container, network,
-    mitre_latera_movement, T1021.004
-  ]
+  tags: [maturity_deprecated, host, container, network, mitre_latera_movement, T1021.004]
 
 # These rules and supporting macros are more of an example for how to
 # use the fd.*ip and fd.*ip.name fields to match connection
@@ -134,32 +123,24 @@
   items: [google.com, www.yahoo.com]
 
 - rule: Unexpected outbound connection destination
-  desc: >
-    Detect any outbound connection to a destination outside of an allowed
-    set of ips, networks, or domain names. This rule absolutely requires
-    profiling your environment beforehand. Network-based rules are extremely
-    crucial in any security program, as they can often provide the only
-    definitive evidence. However, effectively operationalizing them can be
-    challenging due to the potential for noise.
-  condition: >
+  desc:
+    Detect any outbound connection to a destination outside of an allowed set of ips, networks, or domain names.
+    This rule absolutely requires profiling your environment beforehand. Network-based rules are extremely
+    crucial in any security program, as they can often provide the only definitive evidence. However, effectively
+    operationalizing them can be challenging due to the potential for noise.
+  condition:
     outbound
     and not ((fd.sip in (allowed_outbound_destination_ipaddrs)) or
             (fd.snet in (allowed_outbound_destination_networks)) or
             (fd.sip.name in (allowed_outbound_destination_domains)))
   enabled: false
-  output: >
-    Disallowed outbound connection destination
-    (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type
-    fd_proto=fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid
-    user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath
-    parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
-    %container.info)
+  output: Disallowed outbound connection destination
+    (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type
+    user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath
+    parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
 
   priority: NOTICE
-  tags: [
-    maturity_deprecated, host, container, network,
-    mitre_command_and_control, TA0011
-  ]
+  tags: [maturity_deprecated, host, container, network, mitre_command_and_control, TA0011]
 # Use this to test whether the event occurred within a container.
 # When displaying container information in the output field, use
 # %container.info, without any leading term (file=%fd.name
@@ -195,36 +176,25 @@
 # # test again that it fires.
 
 - rule: Outbound or Inbound Traffic not to Authorized Server Process and Port
-  desc: >
-    Detect traffic to an unauthorized server process and port within
-    pre-defined containers. This rule absolutely requires profiling
-    your environment beforehand and also necessitates adjusting the
-    list of containers to which this rule will be applied. The current
-    expression logic will never evaluate to true unless the list is
-    populated. Network-based rules are extremely crucial in any
-    security program, as they can often provide the only definitive
-    evidence. However, effectively operationalizing them can be
-    challenging due to the potential for noise. Notably, this rule is
-    challenging to operationalize.
-  condition: >
+  desc:
+    Detect traffic to an unauthorized server process and port within pre-defined containers. This rule absolutely requires
+    profiling your environment beforehand and also necessitates adjusting the list of containers to which this rule will be
+    applied. The current expression logic will never evaluate to true unless the list is populated. Network-based rules are
+    extremely crucial in any security program, as they can often provide the only definitive evidence. However, effectively
+    operationalizing them can be challenging due to the potential for noise. Notably, this rule is challenging to operationalize.
+  condition:
     inbound_outbound
     and container
     and container.image.repository in (allowed_image)
     and not proc.name in (authorized_server_binary)
     and not fd.sport in (authorized_server_port)
   enabled: false
-  output: >
-    Network connection outside authorized port and binary
-    (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type
-    fd_proto=fd.l4proto evt_type=%evt.type user=%user.name
-    user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name
-    proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline
-    terminal=%proc.tty %container.info)
+  output: Network connection outside authorized port and binary
+    (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type user=%user.name
+    user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname
+    command=%proc.cmdline terminal=%proc.tty %container.info)
   priority: WARNING
-  tags: [
-    maturity_deprecated, container, network, mitre_discovery, TA0011,
-    NIST_800-53_CM-7
-  ]
+  tags: [maturity_deprecated, container, network, mitre_discovery, TA0011, NIST_800-53_CM-7]
 
 - list: c2_server_ip_list
   items: []
@@ -233,31 +203,20 @@
   items: []
 
 - rule: Outbound Connection to C2 Servers
-  desc: >
-    Detect outbound connections to command and control servers using a list
-    of IP addresses and fully qualified domain names (FQDNs). This rule
-    absolutely requires profiling your environment beforehand and also
-    necessitates adjusting the template lists. The current expression logic
-    will never evaluate to true unless the lists are populated. Network-based
-    rules are extremely crucial in any security program, as they can often
-    provide the only definitive evidence.However, effectively operationalizing
-    them can be challenging due to the potential for noise. Notably, this rule
-    is challenging to operationalize.
-  condition: >
+  desc:
+    Detect outbound connections to command and control servers using a list of IP addresses and fully qualified domain names
+    (FQDNs). This rule absolutely requires profiling your environment beforehand and also necessitates adjusting the template
+    lists. The current expression logic will never evaluate to true unless the lists are populated. Network-based rules are
+    extremely crucial in any security program, as they can often provide the only definitive evidence.However, effectively
+    operationalizing them can be challenging due to the potential for noise. Notably, this rule is challenging to operationalize.
+  condition:
     outbound
     and ((fd.sip in (c2_server_ip_list)) or
         (fd.sip.name in (c2_server_fqdn_list)))
-  output: >
-    Outbound connection to C2 server
-    (c2_domain=%fd.sip.name c2_addr=%fd.sip
-    connection=%fd.name lport=%fd.lport rport=%fd.rport
-    fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type
-    user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid
-    process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname
-    command=%proc.cmdline terminal=%proc.tty %container.info)
+  output: Outbound connection to C2 server
+    (c2_domain=%fd.sip.name c2_addr=%fd.sip connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type
+    fd_proto=fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid
+    process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
   priority: WARNING
   enabled: false
-  tags: [
-    maturity_deprecated, host, container, network,
-    mitre_command_and_control, TA0011
-  ]
+  tags: [maturity_deprecated, host, container, network, mitre_command_and_control, TA0011]