
cleanup(rules): transition rule BPF Program Not Profiled to maturity incubating #246

Merged (3 commits) on May 20, 2024

Conversation

incertum
Contributor

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind feature

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area rules

/area registry

/area build

/area documentation

Proposed rule maturity level

Uncomment one (or more) /area <> lines (only for PRs that add or modify rules):

/area maturity-stable

/area maturity-incubating

/area maturity-sandbox

/area maturity-deprecated

What this PR does / why we need it:

cleanup(rules): transition rule BPF Program Not Profiled to maturity incubating as it is considered a critical baseline detection.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

BPF is a kernel technology that can be misused for malicious purposes, like "Linux Kernel Module Injection". This
rule should be considered an auditing rule to notify you of any unprofiled BPF tools running in your environment.
However, it requires customization after profiling your environment. BPF-powered agents make bpf syscalls all the
time, so this rule only sends logs for BPF_PROG_LOAD calls (bpf cmd=BPF_PROG_LOAD) in the enter event. If you also want to log
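The profiling step the description asks for, as an added example that is not part of this PR or of the falcosecurity/rules project: a Python helper that aggregates the rule's alerts from Falco's JSON output by caller and drafts a bpf_profiled_binaries extension for an operator to review. The sample alert lines, the my-ebpf-agent and loader process names, and the recurrence threshold are constructed assumptions.

```python
"""Added triage helper for Falco 'BPF Program Not Profiled' alerts: aggregates
unprofiled BPF_PROG_LOAD callers from Falco JSON output and renders recurring
ones as a bpf_profiled_binaries extension for an operator to review."""
import json
from collections import Counter
RULE_NAME = "BPF Program Not Profiled"
# Constructed sample of Falco JSON output (json_output with output_fields); not real alerts.
SAMPLE_ALERTS = """\
{"priority":"Notice","rule":"BPF Program Not Profiled","output_fields":{"evt.arg.cmd":"BPF_PROG_LOAD","proc.name":"my-ebpf-agent","proc.exepath":"/opt/agent/my-ebpf-agent","proc.pname":"systemd"}}
{"priority":"Notice","rule":"BPF Program Not Profiled","output_fields":{"evt.arg.cmd":"BPF_PROG_LOAD","proc.name":"my-ebpf-agent","proc.exepath":"/opt/agent/my-ebpf-agent","proc.pname":"systemd"}}
{"priority":"Notice","rule":"BPF Program Not Profiled","output_fields":{"evt.arg.cmd":"BPF_PROG_LOAD","proc.name":"loader","proc.exepath":"/tmp/loader","proc.pname":"bash"}}
{"priority":"Warning","rule":"Some Other Rule","output_fields":{"proc.name":"curl","proc.exepath":"/usr/bin/curl"}}
Falco startup banner line that is not JSON
"""


def unprofiled_loaders(lines):
    """Count alerts from the rule, keyed by (proc.name, proc.exepath, proc.pname)."""
    counts = Counter()
    for line in lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise such as banner lines
        if not isinstance(alert, dict) or alert.get("rule") != RULE_NAME:
            continue
        f = alert.get("output_fields", {})
        key = (f.get("proc.name", "?"), f.get("proc.exepath", "?"), f.get("proc.pname", "?"))
        counts[key] += 1
    return counts


def split_by_recurrence(counts, min_count=2):
    """Heuristic only: process names seen at least min_count times are allow-list
    candidates; one-offs (a loader run from /tmp, say) get a manual look first."""
    recurring = sorted({k[0] for k, n in counts.items() if n >= min_count})
    one_off = sorted({k[0] for k, n in counts.items() if n < min_count} - set(recurring))
    return recurring, one_off


def falco_list_extension(names):
    """Render candidates with Falco's `append: true` list-extension syntax."""
    return "- list: bpf_profiled_binaries\n  items: [%s]\n  append: true\n" % ", ".join(names)


if __name__ == "__main__":
    counts = unprofiled_loaders(SAMPLE_ALERTS.splitlines())
    recurring, one_off = split_by_recurrence(counts)
    print(falco_list_extension(recurring), "review manually:", one_off)
```

Run it against `falco -o json_output=true -o json_include_output_property=true` output captured while the rule is in audit mode; the recurrence split is a starting point for review, not a verdict.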
Contributor Author

also fixed docs as it's now cmd=BPF_PROG_LOAD and not 5 anymore.

Contributor

This requires an engine version bump if I'm not mistaken, meaning also a major version bump for the incubating file

Contributor Author

Right, forgot about it, great callout Luca!


Rules files suggestions

falco-incubating_rules.yaml

Comparing a5cdda161ced45373427b2306929eabe5e1b0918 with latest tag falco-incubating-rules-3.0.1

Minor changes:

  • Rule Backdoored library loaded into SSHD (CVE-2024-3094) has been added
  • Rule BPF Program Not Profiled has been added
  • Macro bpf_profiled_procs has been added
  • List bpf_profiled_binaries has been added

Patch changes:

  • List falco_privileged_images has some item added or removed

falco-sandbox_rules.yaml

Comparing a5cdda161ced45373427b2306929eabe5e1b0918 with latest tag falco-sandbox-rules-3.0.1

Major changes:

  • Rule BPF Program Not Profiled has been removed
  • Macro bpf_profiled_procs has been removed
  • List bpf_profiled_binaries has been removed

Minor changes:

  • Macro etckeeper_activities has been added
  • Macro etckeeper has been added

Patch changes:

  • List user_known_k8s_ns_kube_system_images has some item added or removed


Rules files suggestions

falco-incubating_rules.yaml

Comparing b386c4c606d787bee02dd61d808cf3ba172249b3 with latest tag falco-incubating-rules-3.0.1

Minor changes:

  • Rule BPF Program Not Profiled has been added
  • Rule Backdoored library loaded into SSHD (CVE-2024-3094) has been added
  • Macro bpf_profiled_procs has been added
  • List bpf_profiled_binaries has been added

Patch changes:

  • List falco_privileged_images has some item added or removed

falco-sandbox_rules.yaml

Comparing b386c4c606d787bee02dd61d808cf3ba172249b3 with latest tag falco-sandbox-rules-3.0.1

Major changes:

  • Rule BPF Program Not Profiled has been removed
  • Macro bpf_profiled_procs has been removed
  • List bpf_profiled_binaries has been removed

Minor changes:

  • Macro etckeeper_activities has been added
  • Macro etckeeper has been added

Patch changes:

  • List user_known_k8s_ns_kube_system_images has some item added or removed

@@ -1283,4 +1283,25 @@
(fd.name contains "liblzma.so.5.6.0" or fd.name contains "liblzma.so.5.6.1")
output: SSHD loaded a backdoored version of liblzma library %fd.name with parent %proc.pname and cmdline %proc.cmdline (process=%proc.name parent=%proc.pname file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid proc_exepath=%proc.exepath command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
priority: WARNING
tags: [maturity_incubating, host, container]
tags: [maturity_incubating, host, container, mitre_initial_access, T1556]
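Review bot: the tactic tag added to the Backdoored library loaded into SSHD (CVE-2024-3094) rule, mitre_initial_access, is paired with T1556, but in ATT&CK T1556 (Modify Authentication Process) sits under Credential Access, Defense Evasion and Persistence rather than Initial Access, so either the tactic tag or the technique id should be rechecked so the pair is consistent. Separately, the hunk header advertises 25 added lines after line 1283 while only this tags change is visible, and the engine version bump (with the matching major version bump of the incubating file) raised in the discussion is not in this hunk; confirm it is included elsewhere in the change before merging.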


Rules files suggestions

falco-incubating_rules.yaml

Comparing ac0c8a8e62c83bbd96d5f8e052f58c476183e951 with latest tag falco-incubating-rules-3.0.1

Minor changes:

  • Rule Backdoored library loaded into SSHD (CVE-2024-3094) has been added
  • Rule BPF Program Not Profiled has been added
  • Macro bpf_profiled_procs has been added
  • List bpf_profiled_binaries has been added

Patch changes:

  • List falco_privileged_images has some item added or removed

falco-sandbox_rules.yaml

Comparing ac0c8a8e62c83bbd96d5f8e052f58c476183e951 with latest tag falco-sandbox-rules-3.0.1

Major changes:

  • Rule BPF Program Not Profiled has been removed
  • Macro bpf_profiled_procs has been removed
  • List bpf_profiled_binaries has been removed

Minor changes:

  • Macro etckeeper_activities has been added
  • Macro etckeeper has been added

Patch changes:

  • List user_known_k8s_ns_kube_system_images has some item added or removed


Rules files suggestions

falco-incubating_rules.yaml

Comparing e32191a236e49bf935e7e6d4261cb00459c39947 with latest tag falco-incubating-rules-3.0.1

Minor changes:

  • Rule BPF Program Not Profiled has been added
  • Rule Backdoored library loaded into SSHD (CVE-2024-3094) has been added
  • Macro bpf_profiled_procs has been added
  • List bpf_profiled_binaries has been added

Patch changes:

  • List falco_privileged_images has some item added or removed

falco-sandbox_rules.yaml

Comparing e32191a236e49bf935e7e6d4261cb00459c39947 with latest tag falco-sandbox-rules-3.0.1

Major changes:

  • Rule BPF Program Not Profiled has been removed
  • Macro bpf_profiled_procs has been removed
  • List bpf_profiled_binaries has been removed

Minor changes:

  • Macro etckeeper_activities has been added
  • Macro etckeeper has been added

Patch changes:

  • List user_known_k8s_ns_kube_system_images has some item added or removed

Contributor

@darryk10 darryk10 left a comment

Hi @incertum, totally agree with this change!
LGTM

@poiana

poiana commented May 20, 2024

LGTM label has been added.

Git tree hash: 896a7bc3dc0ed60a86e437b7c0f083b97bcf8571

@poiana

poiana commented May 20, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: darryk10, incertum, LucaGuerra

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [LucaGuerra,incertum]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana merged commit 59bf03b into falcosecurity:main May 20, 2024
9 of 10 checks passed