diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml
index 4aeabe8c..a0730a11 100644
--- a/rules/falco-incubating_rules.yaml
+++ b/rules/falco-incubating_rules.yaml
@@ -1284,3 +1284,24 @@
 output: SSHD loaded a backdoored version of liblzma library %fd.name with parent %proc.pname and cmdline %proc.cmdline (process=%proc.name parent=%proc.pname file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid proc_exepath=%proc.exepath command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
 priority: WARNING
 tags: [maturity_incubating, host, container]
+
+- list: bpf_profiled_binaries
+ items: [falco, bpftool, systemd]
+
+- macro: bpf_profiled_procs
+ condition: (proc.name in (bpf_profiled_binaries))
+
+- rule: BPF Program Not Profiled
+ desc: >
+ BPF is a kernel technology that can be misused for malicious purposes, like "Linux Kernel Module Injection". This
+ rule should be considered an auditing rule to notify you of any unprofiled BPF tools running in your environment.
+ However, it requires customization after profiling your environment. BPF-powered agents make bpf syscalls all the
+ time, so this rule only sends logs for BPF_PROG_LOAD calls (bpf cmd=BPF_PROG_LOAD) in the enter event. If you also want to log
+ whether the syscall failed or succeeded, remove the direction filter and add the evt.arg.res_or_fd output field.
+ condition: >
+ evt.type=bpf and evt.dir=>
+ and evt.arg.cmd=BPF_PROG_LOAD
+ and not bpf_profiled_procs
+ output: BPF Program Not Profiled (bpf_cmd=%evt.arg.cmd evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
+ priority: NOTICE
+ tags: [maturity_incubating, host, container, mitre_persistence, TA0003]
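Review bot: The exception macro `bpf_profiled_procs` keys only on `proc.name`, so the allowlist is satisfied by any process that happens to carry one of the three listed names, which is a thin basis for suppressing a TA0003-tagged alert; since the output already emits `%proc.exepath`, the desc should steer the required customization toward pinning the executable path rather than just growing the name list. A sentence such as `Note that bpf_profiled_procs matches on process name only; when tuning for your environment, prefer constraining proc.exepath over extending bpf_profiled_binaries.` in the desc would make that explicit. Separately, now that the parenthetical reads `(bpf cmd=BPF_PROG_LOAD)` it merely repeats the phrase it is meant to explain; rewording it to `(the cmd argument of the bpf syscall)` or dropping it reads cleaner.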
diff --git a/rules/falco-sandbox_rules.yaml b/rules/falco-sandbox_rules.yaml
index dd0e44fb..c3a17da9 100644
--- a/rules/falco-sandbox_rules.yaml
+++ b/rules/falco-sandbox_rules.yaml
@@ -1706,27 +1706,6 @@
 priority: WARNING
 tags: [maturity_sandbox, container, filesystem, mitre_initial_access, T1611]
-- list: bpf_profiled_binaries
- items: [falco, bpftool, systemd]
-
-- macro: bpf_profiled_procs
- condition: (proc.name in (bpf_profiled_binaries))
-
-- rule: BPF Program Not Profiled
- desc: >
- BPF is a kernel technology that can be misused for malicious purposes, like "Linux Kernel Module Injection". This
- rule should be considered an auditing rule to notify you of any unprofiled BPF tools running in your environment.
- However, it requires customization after profiling your environment. BPF-powered agents make bpf syscalls all the
- time, so this rule only sends logs for BPF_PROG_LOAD calls (bpf cmd=5) in the enter event. If you also want to log
- whether the syscall failed or succeeded, remove the direction filter and add the evt.arg.res_or_fd output field.
- condition: >
- evt.type=bpf and evt.dir=>
- and evt.arg.cmd=BPF_PROG_LOAD
- and not bpf_profiled_procs
- output: BPF Program Not Profiled (bpf_cmd=%evt.arg.cmd evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
- priority: NOTICE
- tags: [maturity_sandbox, host, container, mitre_persistence, TA0003]
-
 - list: known_decode_payload_containers
 items: []