falcosecurity
/
rules
mirror of https://github.com/falcosecurity/rules.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: falcosecurity:falco-rules-3.2.0
Branches Tags
falcosecurity:main
falcosecurity:dependabot/github_actions/actions-0b2e37a4c7
falcosecurity:release/falco-rules-3.0.x
falcosecurity:release/falco-rules-1.0.x
falcosecurity:release/falco-rules-0.1.x
falcosecurity:LucaGuerra-patch-1
falcosecurity:chore/rules-with-history
falcosecurity:falco-incubating-rules-5.0.1
falcosecurity:falco-sandbox-rules-5.0.1
falcosecurity:falco-rules-4.0.0
falcosecurity:falco-sandbox-rules-5.0.0
falcosecurity:falco-incubating-rules-5.0.0
falcosecurity:falco-rules-4.0.0-rc1
falcosecurity:falco-sandbox-rules-4.1.0
falcosecurity:falco-sandbox-rules-4.0.1
falcosecurity:falco-rules-3.2.0
falcosecurity:falco-incubating-rules-4.0.1
falcosecurity:falco-rules-3.1.0
falcosecurity:falco-incubating-rules-4.0.0
falcosecurity:falco-sandbox-rules-4.0.0
falcosecurity:falco-sandbox-rules-3.0.1
falcosecurity:falco-rules-3.0.1
falcosecurity:falco-incubating-rules-3.0.1
falcosecurity:falco-rules-3.0.0
falcosecurity:falco-deprecated-rules-3.0.0-rc1
falcosecurity:falco-incubating-rules-3.0.0-rc1
falcosecurity:falco-incubating-rules-3.0.0
falcosecurity:falco-deprecated-rules-3.0.0
falcosecurity:falco-rules-3.0.0-rc1
falcosecurity:falco-sandbox-rules-3.0.0-rc1
falcosecurity:falco-sandbox-rules-3.0.0
falcosecurity:falco-rules-2.0.0
falcosecurity:falco-incubating-rules-2.0.0
falcosecurity:falco-sandbox-rules-2.0.0
falcosecurity:falco-rules-1.0.2
falcosecurity:falco-rules-1.0.2-rc1
falcosecurity:falco-deprecated-rules-2.0.0-rc2
falcosecurity:falco-incubating-rules-2.0.0-rc1
falcosecurity:falco-rules-2.0.0-rc1
falcosecurity:falco-sandbox-rules-2.0.0-rc1
falcosecurity:falco-deprecated-rules-2.0.0-rc1
falcosecurity:falco-rules-1.0.1
falcosecurity:falco-rules-1.0.0
falcosecurity:falco-rules-1.0.0-rc1
falcosecurity:falco-rules-0.1.0
falcosecurity:falco-rules-0.1.0-rc1
falcosecurity:application-rules-0.1.0
...
compare: falcosecurity:main
Branches Tags
falcosecurity:dependabot/github_actions/actions-0b2e37a4c7
falcosecurity:main
falcosecurity:release/falco-rules-3.0.x
falcosecurity:release/falco-rules-1.0.x
falcosecurity:release/falco-rules-0.1.x
falcosecurity:LucaGuerra-patch-1
falcosecurity:chore/rules-with-history
falcosecurity:falco-incubating-rules-5.0.1
falcosecurity:falco-sandbox-rules-5.0.1
falcosecurity:falco-rules-4.0.0
falcosecurity:falco-sandbox-rules-5.0.0
falcosecurity:falco-incubating-rules-5.0.0
falcosecurity:falco-rules-4.0.0-rc1
falcosecurity:falco-sandbox-rules-4.1.0
falcosecurity:falco-sandbox-rules-4.0.1
falcosecurity:falco-rules-3.2.0
falcosecurity:falco-incubating-rules-4.0.1
falcosecurity:falco-rules-3.1.0
falcosecurity:falco-incubating-rules-4.0.0
falcosecurity:falco-sandbox-rules-4.0.0
falcosecurity:falco-sandbox-rules-3.0.1
falcosecurity:falco-rules-3.0.1
falcosecurity:falco-incubating-rules-3.0.1
falcosecurity:falco-rules-3.0.0
falcosecurity:falco-deprecated-rules-3.0.0-rc1
falcosecurity:falco-incubating-rules-3.0.0-rc1
falcosecurity:falco-incubating-rules-3.0.0
falcosecurity:falco-deprecated-rules-3.0.0
falcosecurity:falco-rules-3.0.0-rc1
falcosecurity:falco-sandbox-rules-3.0.0-rc1
falcosecurity:falco-sandbox-rules-3.0.0
falcosecurity:falco-rules-2.0.0
falcosecurity:falco-incubating-rules-2.0.0
falcosecurity:falco-sandbox-rules-2.0.0
falcosecurity:falco-rules-1.0.2
falcosecurity:falco-rules-1.0.2-rc1
falcosecurity:falco-deprecated-rules-2.0.0-rc2
falcosecurity:falco-incubating-rules-2.0.0-rc1
falcosecurity:falco-rules-2.0.0-rc1
falcosecurity:falco-sandbox-rules-2.0.0-rc1
falcosecurity:falco-deprecated-rules-2.0.0-rc1
falcosecurity:falco-rules-1.0.1
falcosecurity:falco-rules-1.0.0
falcosecurity:falco-rules-1.0.0-rc1
falcosecurity:falco-rules-0.1.0
falcosecurity:falco-rules-0.1.0-rc1
falcosecurity:application-rules-0.1.0

29 Commits
falco-rule ... main

Author SHA1 Message Date
Leonardo Di Giovanna be3800132f docs(OWNERS): add `ekoops` as approver 
Signed-off-by: Leonardo Di Giovanna <41296180+ekoops@users.noreply.github.com>
 2025-07-23 11:14:33 +02:00
dependabot[bot] 120881647a build(deps): Bump sigstore/cosign-installer in the actions group 
Bumps the actions group with 1 update: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer).


Updates `sigstore/cosign-installer` from 3.8.2 to 3.9.0
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/v3.8.2...v3.9.0)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 3.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-06-18 15:33:04 +02:00
Leonardo Di Giovanna d0be92e53e ci: add additional Falco releases to be tested 
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
 2025-06-17 14:37:45 +02:00
Federico Di Pierro 488e6f8f0c fix(rules): fixed `container_started` macro adapting to new container plugin. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-06-17 12:44:44 +02:00
Melissa Kilby 4d51b1813f doc(OWNERS): move incertum (Melissa Kilby) to emeritus_approvers 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2025-06-09 11:51:54 +02:00
dependabot[bot] b4437c492f build(deps): Bump astral-sh/setup-uv from 5.4.1 to 6.1.0 
Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 5.4.1 to 6.1.0.
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](0c5e2b8115...f0ec1fc3b3)

---
updated-dependencies:
- dependency-name: astral-sh/setup-uv
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-05-23 19:33:48 +02:00
Dirk Marwinski cb17833316 Allow new sshd-session binary to read sensitive files 
Signed-off-by: Dirk Marwinski <dirk.marwinski@sap.com>
 2025-05-22 10:29:39 +02:00
dependabot[bot] 4ccf111c36 build(deps): Bump sigstore/cosign-installer 
Bumps the actions group with 1 update in the / directory: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer).


Updates `sigstore/cosign-installer` from 3.8.1 to 3.8.2
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/v3.8.1...v3.8.2)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 3.8.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-05-14 11:06:34 +02:00
Federico Di Pierro ae6ed41a7a cleanup(rules): drop parentheses around args in rule outputs. 
Use a pipe instead to divide args from rule title.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-05-13 14:54:29 +02:00
Federico Di Pierro 277b28eb98 update(ci): only keep master as FALCO_VERSION. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-05-13 14:36:29 +02:00
Federico Di Pierro 4f6510b909 chore(rules): require latest 0.2.2 container plugin version. 
Also, require Falco 0.41.0 rule engine version (0.50.0).
Finally, bumped copyright year.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-05-13 14:36:29 +02:00
Federico Di Pierro 6f8c46deb5 cleanup(rules): drop `%container.info` from default ruleset too. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-05-13 14:36:29 +02:00
Federico Di Pierro f8fb73a3eb update(rules): require container plugin. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-05-13 14:36:29 +02:00
Federico Di Pierro 3e74a466ae fix(rules): add `conmon` to `container_entrypoint` macro. 
This fixes detection of "Terminal shell in container" for podman running with crun.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-05-12 14:32:22 +02:00
Mykhailo 15bb0fea8c rules: add uv to python_package_managers list 
This commit updates the Falco rules by adding uv to the python_package_managers list. The uv package manager, a tool for managing Python packages, was previously not accounted for in our detection rules. By adding uv to the list, we enable Falco to accurately identify processes spawned by this package manager.

Signed-off-by: Mykhailo <61192136+shellsession@users.noreply.github.com>
 2025-05-08 17:29:57 +02:00
dependabot[bot] 75a39c1dee build(deps): Bump astral-sh/setup-uv in the actions group 
Bumps the actions group with 1 update: [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv).


Updates `astral-sh/setup-uv` from 5.4.0 to 5.4.1
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](22695119d7...0c5e2b8115)

---
updated-dependencies:
- dependency-name: astral-sh/setup-uv
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-04-15 10:27:39 +02:00
dependabot[bot] ce46d23f61 build(deps): Bump astral-sh/setup-uv in the actions group 
Bumps the actions group with 1 update: [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv).


Updates `astral-sh/setup-uv` from 5.3.1 to 5.4.0
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](f94ec6bedd...22695119d7)

---
updated-dependencies:
- dependency-name: astral-sh/setup-uv
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-04-02 11:01:15 +02:00
dependabot[bot] 371e43167e build(deps): Bump astral-sh/setup-uv in the actions group 
Bumps the actions group with 1 update: [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv).


Updates `astral-sh/setup-uv` from 5.3.0 to 5.3.1
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](1edb52594c...f94ec6bedd)

---
updated-dependencies:
- dependency-name: astral-sh/setup-uv
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-03-11 11:32:35 +01:00
Kyle Fazzari 8e4ed0c27d rules: add support for k3s to containerd_activities macro 
K3s is a stripped down version of Kubernetes that bundles dependencies
within it, including containerd. It puts containerd files (sockets,
tmpmounts, snapshotter overlayfs, etc.) in namespaced, non-standard
locations in an attempt to not interfere with a system-wide containerd
installation. As a result, the "Clear Log Activities" rule triggers
warnings for the bundled containerd. Fix that by including K3s'
non-standard paths in the containerd_activities macro.

Signed-off-by: Kyle Fazzari <kyrofa@ubuntu.com>
 2025-03-02 09:27:47 +01:00
dependabot[bot] 1d2c6b1f0b build(deps): Bump the actions group across 1 directory with 2 updates 
Bumps the actions group with 2 updates in the / directory: [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) and [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer).


Updates `astral-sh/setup-uv` from 5.2.2 to 5.3.0
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](4db96194c3...1edb52594c)

Updates `sigstore/cosign-installer` from 3.8.0 to 3.8.1
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/v3.8.0...v3.8.1)

---
updated-dependencies:
- dependency-name: astral-sh/setup-uv
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-02-24 18:09:17 +01:00
Luca Guerra 47843ac872 fix(ci): update python deps used in github pages 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2025-02-19 15:48:44 +01:00
Luca Guerra 740f8783e0 fix(ci): use falcosecurity/falco instead of falcosecurity/falco-no-driver 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2025-02-19 12:40:43 +01:00
Yutong Sun 4633f290ad rules: add runc to known_memfd_execution_binaries 
Signed-off-by: Yutong Sun <yutongsu@amazon.com>
 2025-02-17 16:02:34 +01:00
dependabot[bot] d8415c1bc1 build(deps): Bump sigstore/cosign-installer in the actions group 
Bumps the actions group with 1 update: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer).


Updates `sigstore/cosign-installer` from 3.7.0 to 3.8.0
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/v3.7.0...v3.8.0)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-02-05 17:51:23 +01:00
Federico Di Pierro 8eef0097ca chore(ci): added Falco 0.40.0 (plus 0.39.1 and 0.39.2 that were missing) to FALCO_VERSIONS. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-01-29 11:09:38 +01:00
jordyb6 abf6637e0a Update(sandbox): Add Netcat/Socat Remote Code Execution on Host rule 
Signed-off-by: jordyb6 <129943902+jordyb6@users.noreply.github.com>
 2025-01-15 11:10:49 +01:00
Trần Đức Phú 283a62f464 fix: fix typo safe_etc_dirs 
Signed-off-by: Trần Đức Phú <30786617+Phu96@users.noreply.github.com>
 2024-10-23 08:44:07 +02:00
dependabot[bot] 407e99721f build(deps): Bump sigstore/cosign-installer in the actions group 
Bumps the actions group with 1 update: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer).


Updates `sigstore/cosign-installer` from 3.6.0 to 3.7.0
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/v3.6.0...v3.7.0)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-10-08 17:27:09 +02:00
Aldo Lacuku e38fb3f6a7 update(ci): add 0.39.0 as supported version 
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2024-10-02 15:44:41 +02:00
14 changed files with 347 additions and 163 deletions
Show Stats Expand all files Collapse all files

6
.github/FALCO_VERSIONS vendored
View File

@ -1,4 +1,4 @@
master master
0.38.0 0.41.2
0.38.1 0.41.1
0.38.2 0.41.0

1
.github/scripts/.python-version vendored Normal file
View File

@ -0,0 +1 @@
3.12

11
.github/scripts/pyproject.toml vendored Normal file
View File

@ -0,0 +1,11 @@
[project]
name = "scripts"
version = "0.1.0"
description = "GHA scripts to publish pages"
readme = ""
requires-python = ">=3.12"
dependencies = [
"pandas>=2.2.3",
"pyyaml>=6.0.2",
"tabulate>=0.9.0",
]

3
.github/scripts/requirements.txt vendored
View File

@ -1,3 +0,0 @@
pandas==2.2.2
pyyaml==6.0.2
tabulate==0.9.0

166
.github/scripts/uv.lock vendored Normal file
View File

@ -0,0 +1,166 @@
version = 1
revision = 1
requires-python = ">=3.12"
[[package]]
name = "numpy"
version = "2.2.3"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://files.pythonhosted.org/packages/fb/90/8956572f5c4ae52201fdec7ba2044b2c882832dcec7d5d0922c9e9acf2de/numpy-2.2.3.tar.gz", hash = "sha256:dbdc15f0c81611925f382dfa97b3bd0bc2c1ce19d4fe50482cb0ddc12ba30020", size = 20262700 }
wheels = [
{ url = "https://files.pythonhosted.org/packages/43/ec/43628dcf98466e087812142eec6d1c1a6c6bdfdad30a0aa07b872dc01f6f/numpy-2.2.3-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:12c045f43b1d2915eca6b880a7f4a256f59d62df4f044788c8ba67709412128d", size = 20929458 },
{ url = "https://files.pythonhosted.org/packages/9b/c0/2f4225073e99a5c12350954949ed19b5d4a738f541d33e6f7439e33e98e4/numpy-2.2.3-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:87eed225fd415bbae787f93a457af7f5990b92a334e346f72070bf569b9c9c95", size = 14115299 },
{ url = "https://files.pythonhosted.org/packages/ca/fa/d2c5575d9c734a7376cc1592fae50257ec95d061b27ee3dbdb0b3b551eb2/numpy-2.2.3-cp312-cp312-macosx_14_0_arm64.whl", hash = "sha256:712a64103d97c404e87d4d7c47fb0c7ff9acccc625ca2002848e0d53288b90ea", size = 5145723 },
{ url = "https://files.pythonhosted.org/packages/eb/dc/023dad5b268a7895e58e791f28dc1c60eb7b6c06fcbc2af8538ad069d5f3/numpy-2.2.3-cp312-cp312-macosx_14_0_x86_64.whl", hash = "sha256:a5ae282abe60a2db0fd407072aff4599c279bcd6e9a2475500fc35b00a57c532", size = 6678797 },
{ url = "https://files.pythonhosted.org/packages/3f/19/bcd641ccf19ac25abb6fb1dcd7744840c11f9d62519d7057b6ab2096eb60/numpy-2.2.3-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5266de33d4c3420973cf9ae3b98b54a2a6d53a559310e3236c4b2b06b9c07d4e", size = 14067362 },
{ url = "https://files.pythonhosted.org/packages/39/04/78d2e7402fb479d893953fb78fa7045f7deb635ec095b6b4f0260223091a/numpy-2.2.3-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3b787adbf04b0db1967798dba8da1af07e387908ed1553a0d6e74c084d1ceafe", size = 16116679 },
{ url = "https://files.pythonhosted.org/packages/d0/a1/e90f7aa66512be3150cb9d27f3d9995db330ad1b2046474a13b7040dfd92/numpy-2.2.3-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:34c1b7e83f94f3b564b35f480f5652a47007dd91f7c839f404d03279cc8dd021", size = 15264272 },
{ url = "https://files.pythonhosted.org/packages/dc/b6/50bd027cca494de4fa1fc7bf1662983d0ba5f256fa0ece2c376b5eb9b3f0/numpy-2.2.3-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:4d8335b5f1b6e2bce120d55fb17064b0262ff29b459e8493d1785c18ae2553b8", size = 17880549 },
{ url = "https://files.pythonhosted.org/packages/96/30/f7bf4acb5f8db10a96f73896bdeed7a63373137b131ca18bd3dab889db3b/numpy-2.2.3-cp312-cp312-win32.whl", hash = "sha256:4d9828d25fb246bedd31e04c9e75714a4087211ac348cb39c8c5f99dbb6683fe", size = 6293394 },
{ url = "https://files.pythonhosted.org/packages/42/6e/55580a538116d16ae7c9aa17d4edd56e83f42126cb1dfe7a684da7925d2c/numpy-2.2.3-cp312-cp312-win_amd64.whl", hash = "sha256:83807d445817326b4bcdaaaf8e8e9f1753da04341eceec705c001ff342002e5d", size = 12626357 },
{ url = "https://files.pythonhosted.org/packages/0e/8b/88b98ed534d6a03ba8cddb316950fe80842885709b58501233c29dfa24a9/numpy-2.2.3-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:7bfdb06b395385ea9b91bf55c1adf1b297c9fdb531552845ff1d3ea6e40d5aba", size = 20916001 },
{ url = "https://files.pythonhosted.org/packages/d9/b4/def6ec32c725cc5fbd8bdf8af80f616acf075fe752d8a23e895da8c67b70/numpy-2.2.3-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:23c9f4edbf4c065fddb10a4f6e8b6a244342d95966a48820c614891e5059bb50", size = 14130721 },
{ url = "https://files.pythonhosted.org/packages/20/60/70af0acc86495b25b672d403e12cb25448d79a2b9658f4fc45e845c397a8/numpy-2.2.3-cp313-cp313-macosx_14_0_arm64.whl", hash = "sha256:a0c03b6be48aaf92525cccf393265e02773be8fd9551a2f9adbe7db1fa2b60f1", size = 5130999 },
{ url = "https://files.pythonhosted.org/packages/2e/69/d96c006fb73c9a47bcb3611417cf178049aae159afae47c48bd66df9c536/numpy-2.2.3-cp313-cp313-macosx_14_0_x86_64.whl", hash = "sha256:2376e317111daa0a6739e50f7ee2a6353f768489102308b0d98fcf4a04f7f3b5", size = 6665299 },
{ url = "https://files.pythonhosted.org/packages/5a/3f/d8a877b6e48103733ac224ffa26b30887dc9944ff95dffdfa6c4ce3d7df3/numpy-2.2.3-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8fb62fe3d206d72fe1cfe31c4a1106ad2b136fcc1606093aeab314f02930fdf2", size = 14064096 },
{ url = "https://files.pythonhosted.org/packages/e4/43/619c2c7a0665aafc80efca465ddb1f260287266bdbdce517396f2f145d49/numpy-2.2.3-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:52659ad2534427dffcc36aac76bebdd02b67e3b7a619ac67543bc9bfe6b7cdb1", size = 16114758 },
{ url = "https://files.pythonhosted.org/packages/d9/79/ee4fe4f60967ccd3897aa71ae14cdee9e3c097e3256975cc9575d393cb42/numpy-2.2.3-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:1b416af7d0ed3271cad0f0a0d0bee0911ed7eba23e66f8424d9f3dfcdcae1304", size = 15259880 },
{ url = "https://files.pythonhosted.org/packages/fb/c8/8b55cf05db6d85b7a7d414b3d1bd5a740706df00bfa0824a08bf041e52ee/numpy-2.2.3-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:1402da8e0f435991983d0a9708b779f95a8c98c6b18a171b9f1be09005e64d9d", size = 17876721 },
{ url = "https://files.pythonhosted.org/packages/21/d6/b4c2f0564b7dcc413117b0ffbb818d837e4b29996b9234e38b2025ed24e7/numpy-2.2.3-cp313-cp313-win32.whl", hash = "sha256:136553f123ee2951bfcfbc264acd34a2fc2f29d7cdf610ce7daf672b6fbaa693", size = 6290195 },
{ url = "https://files.pythonhosted.org/packages/97/e7/7d55a86719d0de7a6a597949f3febefb1009435b79ba510ff32f05a8c1d7/numpy-2.2.3-cp313-cp313-win_amd64.whl", hash = "sha256:5b732c8beef1d7bc2d9e476dbba20aaff6167bf205ad9aa8d30913859e82884b", size = 12619013 },
{ url = "https://files.pythonhosted.org/packages/a6/1f/0b863d5528b9048fd486a56e0b97c18bf705e88736c8cea7239012119a54/numpy-2.2.3-cp313-cp313t-macosx_10_13_x86_64.whl", hash = "sha256:435e7a933b9fda8126130b046975a968cc2d833b505475e588339e09f7672890", size = 20944621 },
{ url = "https://files.pythonhosted.org/packages/aa/99/b478c384f7a0a2e0736177aafc97dc9152fc036a3fdb13f5a3ab225f1494/numpy-2.2.3-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:7678556eeb0152cbd1522b684dcd215250885993dd00adb93679ec3c0e6e091c", size = 14142502 },
{ url = "https://files.pythonhosted.org/packages/fb/61/2d9a694a0f9cd0a839501d362de2a18de75e3004576a3008e56bdd60fcdb/numpy-2.2.3-cp313-cp313t-macosx_14_0_arm64.whl", hash = "sha256:2e8da03bd561504d9b20e7a12340870dfc206c64ea59b4cfee9fceb95070ee94", size = 5176293 },
{ url = "https://files.pythonhosted.org/packages/33/35/51e94011b23e753fa33f891f601e5c1c9a3d515448659b06df9d40c0aa6e/numpy-2.2.3-cp313-cp313t-macosx_14_0_x86_64.whl", hash = "sha256:c9aa4496fd0e17e3843399f533d62857cef5900facf93e735ef65aa4bbc90ef0", size = 6691874 },
{ url = "https://files.pythonhosted.org/packages/ff/cf/06e37619aad98a9d03bd8d65b8e3041c3a639be0f5f6b0a0e2da544538d4/numpy-2.2.3-cp313-cp313t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f4ca91d61a4bf61b0f2228f24bbfa6a9facd5f8af03759fe2a655c50ae2c6610", size = 14036826 },
{ url = "https://files.pythonhosted.org/packages/0c/93/5d7d19955abd4d6099ef4a8ee006f9ce258166c38af259f9e5558a172e3e/numpy-2.2.3-cp313-cp313t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:deaa09cd492e24fd9b15296844c0ad1b3c976da7907e1c1ed3a0ad21dded6f76", size = 16096567 },
{ url = "https://files.pythonhosted.org/packages/af/53/d1c599acf7732d81f46a93621dab6aa8daad914b502a7a115b3f17288ab2/numpy-2.2.3-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:246535e2f7496b7ac85deffe932896a3577be7af8fb7eebe7146444680297e9a", size = 15242514 },
{ url = "https://files.pythonhosted.org/packages/53/43/c0f5411c7b3ea90adf341d05ace762dad8cb9819ef26093e27b15dd121ac/numpy-2.2.3-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:daf43a3d1ea699402c5a850e5313680ac355b4adc9770cd5cfc2940e7861f1bf", size = 17872920 },
{ url = "https://files.pythonhosted.org/packages/5b/57/6dbdd45ab277aff62021cafa1e15f9644a52f5b5fc840bc7591b4079fb58/numpy-2.2.3-cp313-cp313t-win32.whl", hash = "sha256:cf802eef1f0134afb81fef94020351be4fe1d6681aadf9c5e862af6602af64ef", size = 6346584 },
{ url = "https://files.pythonhosted.org/packages/97/9b/484f7d04b537d0a1202a5ba81c6f53f1846ae6c63c2127f8df869ed31342/numpy-2.2.3-cp313-cp313t-win_amd64.whl", hash = "sha256:aee2512827ceb6d7f517c8b85aa5d3923afe8fc7a57d028cffcd522f1c6fd082", size = 12706784 },
]
[[package]]
name = "pandas"
version = "2.2.3"
source = { registry = "https://pypi.org/simple" }
dependencies = [
{ name = "numpy" },
{ name = "python-dateutil" },
{ name = "pytz" },
{ name = "tzdata" },
]
sdist = { url = "https://files.pythonhosted.org/packages/9c/d6/9f8431bacc2e19dca897724cd097b1bb224a6ad5433784a44b587c7c13af/pandas-2.2.3.tar.gz", hash = "sha256:4f18ba62b61d7e192368b84517265a99b4d7ee8912f8708660fb4a366cc82667", size = 4399213 }
wheels = [
{ url = "https://files.pythonhosted.org/packages/17/a3/fb2734118db0af37ea7433f57f722c0a56687e14b14690edff0cdb4b7e58/pandas-2.2.3-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:b1d432e8d08679a40e2a6d8b2f9770a5c21793a6f9f47fdd52c5ce1948a5a8a9", size = 12529893 },
{ url = "https://files.pythonhosted.org/packages/e1/0c/ad295fd74bfac85358fd579e271cded3ac969de81f62dd0142c426b9da91/pandas-2.2.3-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:a5a1595fe639f5988ba6a8e5bc9649af3baf26df3998a0abe56c02609392e0a4", size = 11363475 },
{ url = "https://files.pythonhosted.org/packages/c6/2a/4bba3f03f7d07207481fed47f5b35f556c7441acddc368ec43d6643c5777/pandas-2.2.3-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:5de54125a92bb4d1c051c0659e6fcb75256bf799a732a87184e5ea503965bce3", size = 15188645 },
{ url = "https://files.pythonhosted.org/packages/38/f8/d8fddee9ed0d0c0f4a2132c1dfcf0e3e53265055da8df952a53e7eaf178c/pandas-2.2.3-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:fffb8ae78d8af97f849404f21411c95062db1496aeb3e56f146f0355c9989319", size = 12739445 },
{ url = "https://files.pythonhosted.org/packages/20/e8/45a05d9c39d2cea61ab175dbe6a2de1d05b679e8de2011da4ee190d7e748/pandas-2.2.3-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:6dfcb5ee8d4d50c06a51c2fffa6cff6272098ad6540aed1a76d15fb9318194d8", size = 16359235 },
{ url = "https://files.pythonhosted.org/packages/1d/99/617d07a6a5e429ff90c90da64d428516605a1ec7d7bea494235e1c3882de/pandas-2.2.3-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:062309c1b9ea12a50e8ce661145c6aab431b1e99530d3cd60640e255778bd43a", size = 14056756 },
{ url = "https://files.pythonhosted.org/packages/29/d4/1244ab8edf173a10fd601f7e13b9566c1b525c4f365d6bee918e68381889/pandas-2.2.3-cp312-cp312-win_amd64.whl", hash = "sha256:59ef3764d0fe818125a5097d2ae867ca3fa64df032331b7e0917cf5d7bf66b13", size = 11504248 },
{ url = "https://files.pythonhosted.org/packages/64/22/3b8f4e0ed70644e85cfdcd57454686b9057c6c38d2f74fe4b8bc2527214a/pandas-2.2.3-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:f00d1345d84d8c86a63e476bb4955e46458b304b9575dcf71102b5c705320015", size = 12477643 },
{ url = "https://files.pythonhosted.org/packages/e4/93/b3f5d1838500e22c8d793625da672f3eec046b1a99257666c94446969282/pandas-2.2.3-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:3508d914817e153ad359d7e069d752cdd736a247c322d932eb89e6bc84217f28", size = 11281573 },
{ url = "https://files.pythonhosted.org/packages/f5/94/6c79b07f0e5aab1dcfa35a75f4817f5c4f677931d4234afcd75f0e6a66ca/pandas-2.2.3-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:22a9d949bfc9a502d320aa04e5d02feab689d61da4e7764b62c30b991c42c5f0", size = 15196085 },
{ url = "https://files.pythonhosted.org/packages/e8/31/aa8da88ca0eadbabd0a639788a6da13bb2ff6edbbb9f29aa786450a30a91/pandas-2.2.3-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f3a255b2c19987fbbe62a9dfd6cff7ff2aa9ccab3fc75218fd4b7530f01efa24", size = 12711809 },
{ url = "https://files.pythonhosted.org/packages/ee/7c/c6dbdb0cb2a4344cacfb8de1c5808ca885b2e4dcfde8008266608f9372af/pandas-2.2.3-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:800250ecdadb6d9c78eae4990da62743b857b470883fa27f652db8bdde7f6659", size = 16356316 },
{ url = "https://files.pythonhosted.org/packages/57/b7/8b757e7d92023b832869fa8881a992696a0bfe2e26f72c9ae9f255988d42/pandas-2.2.3-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:6374c452ff3ec675a8f46fd9ab25c4ad0ba590b71cf0656f8b6daa5202bca3fb", size = 14022055 },
{ url = "https://files.pythonhosted.org/packages/3b/bc/4b18e2b8c002572c5a441a64826252ce5da2aa738855747247a971988043/pandas-2.2.3-cp313-cp313-win_amd64.whl", hash = "sha256:61c5ad4043f791b61dd4752191d9f07f0ae412515d59ba8f005832a532f8736d", size = 11481175 },
{ url = "https://files.pythonhosted.org/packages/76/a3/a5d88146815e972d40d19247b2c162e88213ef51c7c25993942c39dbf41d/pandas-2.2.3-cp313-cp313t-macosx_10_13_x86_64.whl", hash = "sha256:3b71f27954685ee685317063bf13c7709a7ba74fc996b84fc6821c59b0f06468", size = 12615650 },
{ url = "https://files.pythonhosted.org/packages/9c/8c/f0fd18f6140ddafc0c24122c8a964e48294acc579d47def376fef12bcb4a/pandas-2.2.3-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:38cf8125c40dae9d5acc10fa66af8ea6fdf760b2714ee482ca691fc66e6fcb18", size = 11290177 },
{ url = "https://files.pythonhosted.org/packages/ed/f9/e995754eab9c0f14c6777401f7eece0943840b7a9fc932221c19d1abee9f/pandas-2.2.3-cp313-cp313t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:ba96630bc17c875161df3818780af30e43be9b166ce51c9a18c1feae342906c2", size = 14651526 },
{ url = "https://files.pythonhosted.org/packages/25/b0/98d6ae2e1abac4f35230aa756005e8654649d305df9a28b16b9ae4353bff/pandas-2.2.3-cp313-cp313t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1db71525a1538b30142094edb9adc10be3f3e176748cd7acc2240c2f2e5aa3a4", size = 11871013 },
{ url = "https://files.pythonhosted.org/packages/cc/57/0f72a10f9db6a4628744c8e8f0df4e6e21de01212c7c981d31e50ffc8328/pandas-2.2.3-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:15c0e1e02e93116177d29ff83e8b1619c93ddc9c49083f237d4312337a61165d", size = 15711620 },
{ url = "https://files.pythonhosted.org/packages/ab/5f/b38085618b950b79d2d9164a711c52b10aefc0ae6833b96f626b7021b2ed/pandas-2.2.3-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:ad5b65698ab28ed8d7f18790a0dc58005c7629f227be9ecc1072aa74c0c1d43a", size = 13098436 },
]
[[package]]
name = "python-dateutil"
version = "2.9.0.post0"
source = { registry = "https://pypi.org/simple" }
dependencies = [
{ name = "six" },
]
sdist = { url = "https://files.pythonhosted.org/packages/66/c0/0c8b6ad9f17a802ee498c46e004a0eb49bc148f2fd230864601a86dcf6db/python-dateutil-2.9.0.post0.tar.gz", hash = "sha256:37dd54208da7e1cd875388217d5e00ebd4179249f90fb72437e91a35459a0ad3", size = 342432 }
wheels = [
{ url = "https://files.pythonhosted.org/packages/ec/57/56b9bcc3c9c6a792fcbaf139543cee77261f3651ca9da0c93f5c1221264b/python_dateutil-2.9.0.post0-py2.py3-none-any.whl", hash = "sha256:a8b2bc7bffae282281c8140a97d3aa9c14da0b136dfe83f850eea9a5f7470427", size = 229892 },
]
[[package]]
name = "pytz"
version = "2025.1"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://files.pythonhosted.org/packages/5f/57/df1c9157c8d5a05117e455d66fd7cf6dbc46974f832b1058ed4856785d8a/pytz-2025.1.tar.gz", hash = "sha256:c2db42be2a2518b28e65f9207c4d05e6ff547d1efa4086469ef855e4ab70178e", size = 319617 }
wheels = [
{ url = "https://files.pythonhosted.org/packages/eb/38/ac33370d784287baa1c3d538978b5e2ea064d4c1b93ffbd12826c190dd10/pytz-2025.1-py2.py3-none-any.whl", hash = "sha256:89dd22dca55b46eac6eda23b2d72721bf1bdfef212645d81513ef5d03038de57", size = 507930 },
]
[[package]]
name = "pyyaml"
version = "6.0.2"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://files.pythonhosted.org/packages/54/ed/79a089b6be93607fa5cdaedf301d7dfb23af5f25c398d5ead2525b063e17/pyyaml-6.0.2.tar.gz", hash = "sha256:d584d9ec91ad65861cc08d42e834324ef890a082e591037abe114850ff7bbc3e", size = 130631 }
wheels = [
{ url = "https://files.pythonhosted.org/packages/86/0c/c581167fc46d6d6d7ddcfb8c843a4de25bdd27e4466938109ca68492292c/PyYAML-6.0.2-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:c70c95198c015b85feafc136515252a261a84561b7b1d51e3384e0655ddf25ab", size = 183873 },
{ url = "https://files.pythonhosted.org/packages/a8/0c/38374f5bb272c051e2a69281d71cba6fdb983413e6758b84482905e29a5d/PyYAML-6.0.2-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:ce826d6ef20b1bc864f0a68340c8b3287705cae2f8b4b1d932177dcc76721725", size = 173302 },
{ url = "https://files.pythonhosted.org/packages/c3/93/9916574aa8c00aa06bbac729972eb1071d002b8e158bd0e83a3b9a20a1f7/PyYAML-6.0.2-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1f71ea527786de97d1a0cc0eacd1defc0985dcf6b3f17bb77dcfc8c34bec4dc5", size = 739154 },
{ url = "https://files.pythonhosted.org/packages/95/0f/b8938f1cbd09739c6da569d172531567dbcc9789e0029aa070856f123984/PyYAML-6.0.2-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9b22676e8097e9e22e36d6b7bda33190d0d400f345f23d4065d48f4ca7ae0425", size = 766223 },
{ url = "https://files.pythonhosted.org/packages/b9/2b/614b4752f2e127db5cc206abc23a8c19678e92b23c3db30fc86ab731d3bd/PyYAML-6.0.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:80bab7bfc629882493af4aa31a4cfa43a4c57c83813253626916b8c7ada83476", size = 767542 },
{ url = "https://files.pythonhosted.org/packages/d4/00/dd137d5bcc7efea1836d6264f049359861cf548469d18da90cd8216cf05f/PyYAML-6.0.2-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:0833f8694549e586547b576dcfaba4a6b55b9e96098b36cdc7ebefe667dfed48", size = 731164 },
{ url = "https://files.pythonhosted.org/packages/c9/1f/4f998c900485e5c0ef43838363ba4a9723ac0ad73a9dc42068b12aaba4e4/PyYAML-6.0.2-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:8b9c7197f7cb2738065c481a0461e50ad02f18c78cd75775628afb4d7137fb3b", size = 756611 },
{ url = "https://files.pythonhosted.org/packages/df/d1/f5a275fdb252768b7a11ec63585bc38d0e87c9e05668a139fea92b80634c/PyYAML-6.0.2-cp312-cp312-win32.whl", hash = "sha256:ef6107725bd54b262d6dedcc2af448a266975032bc85ef0172c5f059da6325b4", size = 140591 },
{ url = "https://files.pythonhosted.org/packages/0c/e8/4f648c598b17c3d06e8753d7d13d57542b30d56e6c2dedf9c331ae56312e/PyYAML-6.0.2-cp312-cp312-win_amd64.whl", hash = "sha256:7e7401d0de89a9a855c839bc697c079a4af81cf878373abd7dc625847d25cbd8", size = 156338 },
{ url = "https://files.pythonhosted.org/packages/ef/e3/3af305b830494fa85d95f6d95ef7fa73f2ee1cc8ef5b495c7c3269fb835f/PyYAML-6.0.2-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:efdca5630322a10774e8e98e1af481aad470dd62c3170801852d752aa7a783ba", size = 181309 },
{ url = "https://files.pythonhosted.org/packages/45/9f/3b1c20a0b7a3200524eb0076cc027a970d320bd3a6592873c85c92a08731/PyYAML-6.0.2-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:50187695423ffe49e2deacb8cd10510bc361faac997de9efef88badc3bb9e2d1", size = 171679 },
{ url = "https://files.pythonhosted.org/packages/7c/9a/337322f27005c33bcb656c655fa78325b730324c78620e8328ae28b64d0c/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0ffe8360bab4910ef1b9e87fb812d8bc0a308b0d0eef8c8f44e0254ab3b07133", size = 733428 },
{ url = "https://files.pythonhosted.org/packages/a3/69/864fbe19e6c18ea3cc196cbe5d392175b4cf3d5d0ac1403ec3f2d237ebb5/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:17e311b6c678207928d649faa7cb0d7b4c26a0ba73d41e99c4fff6b6c3276484", size = 763361 },
{ url = "https://files.pythonhosted.org/packages/04/24/b7721e4845c2f162d26f50521b825fb061bc0a5afcf9a386840f23ea19fa/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:70b189594dbe54f75ab3a1acec5f1e3faa7e8cf2f1e08d9b561cb41b845f69d5", size = 759523 },
{ url = "https://files.pythonhosted.org/packages/2b/b2/e3234f59ba06559c6ff63c4e10baea10e5e7df868092bf9ab40e5b9c56b6/PyYAML-6.0.2-cp313-cp313-musllinux_1_1_aarch64.whl", hash = "sha256:41e4e3953a79407c794916fa277a82531dd93aad34e29c2a514c2c0c5fe971cc", size = 726660 },
{ url = "https://files.pythonhosted.org/packages/fe/0f/25911a9f080464c59fab9027482f822b86bf0608957a5fcc6eaac85aa515/PyYAML-6.0.2-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:68ccc6023a3400877818152ad9a1033e3db8625d899c72eacb5a668902e4d652", size = 751597 },
{ url = "https://files.pythonhosted.org/packages/14/0d/e2c3b43bbce3cf6bd97c840b46088a3031085179e596d4929729d8d68270/PyYAML-6.0.2-cp313-cp313-win32.whl", hash = "sha256:bc2fa7c6b47d6bc618dd7fb02ef6fdedb1090ec036abab80d4681424b84c1183", size = 140527 },
{ url = "https://files.pythonhosted.org/packages/fa/de/02b54f42487e3d3c6efb3f89428677074ca7bf43aae402517bc7cca949f3/PyYAML-6.0.2-cp313-cp313-win_amd64.whl", hash = "sha256:8388ee1976c416731879ac16da0aff3f63b286ffdd57cdeb95f3f2e085687563", size = 156446 },
]
[[package]]
name = "scripts"
version = "0.1.0"
source = { virtual = "." }
dependencies = [
{ name = "pandas" },
{ name = "pyyaml" },
{ name = "tabulate" },
]
[package.metadata]
requires-dist = [
{ name = "pandas", specifier = ">=2.2.3" },
{ name = "pyyaml", specifier = ">=6.0.2" },
{ name = "tabulate", specifier = ">=0.9.0" },
]
[[package]]
name = "six"
version = "1.17.0"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://files.pythonhosted.org/packages/94/e7/b2c673351809dca68a0e064b6af791aa332cf192da575fd474ed7d6f16a2/six-1.17.0.tar.gz", hash = "sha256:ff70335d468e7eb6ec65b95b99d3a2836546063f63acc5171de367e834932a81", size = 34031 }
wheels = [
{ url = "https://files.pythonhosted.org/packages/b7/ce/149a00dd41f10bc29e5921b496af8b574d8413afcd5e30dfa0ed46c2cc5e/six-1.17.0-py2.py3-none-any.whl", hash = "sha256:4721f391ed90541fddacab5acf947aa0d3dc7d27b2e1e8eda2be8970586c3274", size = 11050 },
]
[[package]]
name = "tabulate"
version = "0.9.0"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://files.pythonhosted.org/packages/ec/fe/802052aecb21e3797b8f7902564ab6ea0d60ff8ca23952079064155d1ae1/tabulate-0.9.0.tar.gz", hash = "sha256:0095b12bf5966de529c0feb1fa08671671b3368eec77d7ef7ab114be2c068b3c", size = 81090 }
wheels = [
{ url = "https://files.pythonhosted.org/packages/40/44/4a5f08c96eb108af5cb50b41f76142f0afa346dfa99d5296fe7202a11854/tabulate-0.9.0-py3-none-any.whl", hash = "sha256:024ca478df22e9340661486f85298cff5f6dcdba14f3813e8830015b9ed1948f", size = 35252 },
]
[[package]]
name = "tzdata"
version = "2025.1"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://files.pythonhosted.org/packages/43/0f/fa4723f22942480be4ca9527bbde8d43f6c3f2fe8412f00e7f5f6746bc8b/tzdata-2025.1.tar.gz", hash = "sha256:24894909e88cdb28bd1636c6887801df64cb485bd593f2fd83ef29075a81d694", size = 194950 }
wheels = [
{ url = "https://files.pythonhosted.org/packages/0f/dd/84f10e23edd882c6f968c21c2434fe67bd4a528967067515feca9e611e5e/tzdata-2025.1-py2.py3-none-any.whl", hash = "sha256:7e127113816800496f027041c570f50bcd464a020098a3b6b199517772303639", size = 346762 },
]

19
.github/workflows/pages.yaml vendored
View File

@ -19,28 +19,25 @@ jobs:
url: ${{ steps.deployment.outputs.page_url }} url: ${{ steps.deployment.outputs.page_url }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- uses: actions/setup-python@v5 - name: Install uv
with: uses: astral-sh/setup-uv@f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb # v5
python-version: 3.x
- name: Generate updated inventory - name: Generate updated inventory
run: | run: |
pip install -r .github/scripts/requirements.txt cd .github/scripts/
python .github/scripts/rules_overview_generator.py --rules_dir=rules > docs/index.md uv run rules_overview_generator.py --rules_dir=../../rules > ../../docs/index.md
- name: Disable Table Of Content for overview - name: Disable Table Of Content for overview
run: | run: |
sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/index.md sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/index.md
- run: pip install mkdocs mkdocs-material - run: uvx --with mkdocs-material mkdocs build
- run: mkdocs build - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
- uses: actions/upload-pages-artifact@v3
with: with:
path: 'site' path: 'site'
- id: deployment - id: deployment
uses: actions/deploy-pages@v4 uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4

2
.github/workflows/release.yaml vendored
View File

@ -58,7 +58,7 @@ jobs:
# Create a signature of the rules artifact as OCI artifact # Create a signature of the rules artifact as OCI artifact
- name: Install Cosign - name: Install Cosign
uses: sigstore/cosign-installer@v3.6.0 uses: sigstore/cosign-installer@v3.9.0
- name: Login with cosign - name: Login with cosign
run: cosign login $OCI_REGISTRY --username ${{ github.repository_owner }} --password ${{ secrets.GITHUB_TOKEN }} run: cosign login $OCI_REGISTRY --username ${{ github.repository_owner }} --password ${{ secrets.GITHUB_TOKEN }}

4
.github/workflows/rules.yaml vendored
View File

@ -88,7 +88,7 @@ jobs:
run: | run: |
build/checker/rules-check \ build/checker/rules-check \
validate \ validate \
--falco-image="falcosecurity/falco-no-driver:${{ matrix.falco-version }}" \ --falco-image="falcosecurity/falco:${{ matrix.falco-version }}" \
-r ${{ matrix.rules-file }} -r ${{ matrix.rules-file }}
check-version: check-version:
@ -136,7 +136,7 @@ jobs:
"${{ matrix.rules-file }}" \ "${{ matrix.rules-file }}" \
result.txt \ result.txt \
build/checker/rules-check \ build/checker/rules-check \
"falcosecurity/falco-no-driver:$FALCO_VERSION" "falcosecurity/falco:$FALCO_VERSION"
if [ -s result.txt ]; then if [ -s result.txt ]; then
echo "comment_file=result.txt" >> $GITHUB_OUTPUT echo "comment_file=result.txt" >> $GITHUB_OUTPUT
fi fi

3
OWNERS
View File

@ -5,7 +5,7 @@ approvers:
- fededp - fededp
- andreagit97 - andreagit97
- lucaguerra - lucaguerra
- incertum - ekoops
reviewers: reviewers:
- leodido - leodido
- kaizhe - kaizhe
@ -13,3 +13,4 @@ reviewers:
- loresuso - loresuso
emeritus_approvers: emeritus_approvers:
- kaizhe - kaizhe
- incertum

2
build/checker/cmd/common.go
View File

@ -23,7 +23,7 @@ import (
"strings" "strings"
) )
const defaultFalcoDockerImage = "falcosecurity/falco-no-driver:master" const defaultFalcoDockerImage = "falcosecurity/falco:master"
const defaultFalcoDockerEntrypoint = "/usr/bin/falco" const defaultFalcoDockerEntrypoint = "/usr/bin/falco"

23
rules/falco-deprecated_rules.yaml
View File

@ -1,6 +1,6 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
# #
# Copyright (C) 2023 The Falco Authors. # Copyright (C) 2025 The Falco Authors.
# #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
@ -25,7 +25,11 @@
# Starting with version 8, the Falco engine supports exceptions. # Starting with version 8, the Falco engine supports exceptions.
# However the Falco rules file does not use them by default. # However the Falco rules file does not use them by default.
- required_engine_version: 0.31.0 - required_engine_version: 0.50.0
- required_plugin_versions:
- name: container
version: 0.2.2
# This macro `never_true` is used as placeholder for tuning negative logical sub-expressions, for example # This macro `never_true` is used as placeholder for tuning negative logical sub-expressions, for example
# - macro: allowed_ssh_hosts # - macro: allowed_ssh_hosts
@ -87,7 +91,7 @@
and ssh_port and ssh_port
and not allowed_ssh_hosts and not allowed_ssh_hosts
enabled: false enabled: false
output: Disallowed SSH Connection (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Disallowed SSH Connection | connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: NOTICE priority: NOTICE
tags: [maturity_deprecated, host, container, network, mitre_lateral_movement, T1021.004] tags: [maturity_deprecated, host, container, network, mitre_lateral_movement, T1021.004]
@ -121,16 +125,11 @@
(fd.snet in (allowed_outbound_destination_networks)) or (fd.snet in (allowed_outbound_destination_networks)) or
(fd.sip.name in (allowed_outbound_destination_domains))) (fd.sip.name in (allowed_outbound_destination_domains)))
enabled: false enabled: false
output: Disallowed outbound connection destination (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Disallowed outbound connection destination | connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: NOTICE priority: NOTICE
tags: [maturity_deprecated, host, container, network, mitre_command_and_control, TA0011] tags: [maturity_deprecated, host, container, network, mitre_command_and_control, TA0011]
# Use this to test whether the event occurred within a container. # Use this to test whether the event occurred within a container.
# When displaying container information in the output field, use
# %container.info, without any leading term (file=%fd.name
# %container.info user=%user.name user_loginuid=%user.loginuid, and not file=%fd.name
# container=%container.info user=%user.name user_loginuid=%user.loginuid). The output will change
# based on the context and whether or not -pk/-pm/-pc was specified on
# the command line.
- macro: container - macro: container
condition: (container.id != host) condition: (container.id != host)
@ -169,7 +168,7 @@
and not proc.name in (authorized_server_binary) and not proc.name in (authorized_server_binary)
and not fd.sport in (authorized_server_port) and not fd.sport in (authorized_server_port)
enabled: false enabled: false
output: Network connection outside authorized port and binary (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Network connection outside authorized port and binary | connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: WARNING priority: WARNING
tags: [maturity_deprecated, container, network, mitre_discovery, TA0011, NIST_800-53_CM-7] tags: [maturity_deprecated, container, network, mitre_discovery, TA0011, NIST_800-53_CM-7]
@ -190,7 +189,7 @@
outbound outbound
and ((fd.sip in (c2_server_ip_list)) or and ((fd.sip in (c2_server_ip_list)) or
(fd.sip.name in (c2_server_fqdn_list))) (fd.sip.name in (c2_server_fqdn_list)))
output: Outbound connection to C2 server (c2_domain=%fd.sip.name c2_addr=%fd.sip connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Outbound connection to C2 server | c2_domain=%fd.sip.name c2_addr=%fd.sip connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: WARNING priority: WARNING
enabled: false enabled: false
tags: [maturity_deprecated, host, container, network, mitre_command_and_control, TA0011] tags: [maturity_deprecated, host, container, network, mitre_command_and_control, TA0011]

85
rules/falco-incubating_rules.yaml
View File

@ -1,6 +1,6 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
# #
# Copyright (C) 2023 The Falco Authors. # Copyright (C) 2025 The Falco Authors.
# #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
@ -25,7 +25,11 @@
# Starting with version 8, the Falco engine supports exceptions. # Starting with version 8, the Falco engine supports exceptions.
# However the Falco rules file does not use them by default. # However the Falco rules file does not use them by default.
- required_engine_version: 0.35.0 - required_engine_version: 0.50.0
- required_plugin_versions:
- name: container
version: 0.2.2
- macro: open_write - macro: open_write
condition: (evt.type in (open,openat,openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0) condition: (evt.type in (open,openat,openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0)
@ -265,7 +269,7 @@
and not proc.name in (shell_binaries) and not proc.name in (shell_binaries)
and not exe_running_docker_save and not exe_running_docker_save
and not user_known_shell_config_modifiers and not user_known_shell_config_modifiers
output: A shell configuration file has been modified (file=%fd.name pcmdline=%proc.pcmdline evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: A shell configuration file has been modified | file=%fd.name pcmdline=%proc.pcmdline evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: priority:
WARNING WARNING
tags: [maturity_incubating, host, container, filesystem, mitre_persistence, T1546.004] tags: [maturity_incubating, host, container, filesystem, mitre_persistence, T1546.004]
@ -281,27 +285,18 @@
((open_write and fd.name startswith /etc/cron) or ((open_write and fd.name startswith /etc/cron) or
(spawned_process and proc.name = "crontab")) (spawned_process and proc.name = "crontab"))
and not user_known_cron_jobs and not user_known_cron_jobs
output: Cron jobs were scheduled to run (file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Cron jobs were scheduled to run | file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: priority:
NOTICE NOTICE
tags: [maturity_incubating, host, container, filesystem, mitre_execution, T1053.003] tags: [maturity_incubating, host, container, filesystem, mitre_execution, T1053.003]
# Use this to test whether the event occurred within a container. # Use this to test whether the event occurred within a container.
#
# When displaying container information in the output field, use
# %container.info, without any leading term (file=%fd.name
# %container.info user=%user.name user_loginuid=%user.loginuid, and not file=%fd.name
# container=%container.info user=%user.name user_loginuid=%user.loginuid). The output will change
# based on the context and whether or not -pk/-pm/-pc was specified on
# the command line.
- macro: container - macro: container
condition: (container.id != host) condition: (container.id != host)
- macro: container_started - macro: container_started
condition: > condition: >
((evt.type = container or (spawned_process and proc.vpid=1 and container)
(spawned_process and proc.vpid=1)) and
container.image.repository != incomplete)
- list: cron_binaries - list: cron_binaries
items: [anacron, cron, crond, crontab] items: [anacron, cron, crond, crontab]
@ -377,7 +372,7 @@
and (user_ssh_directory or fd.name startswith /root/.ssh) and (user_ssh_directory or fd.name startswith /root/.ssh)
and not user_known_read_ssh_information_activities and not user_known_read_ssh_information_activities
and not proc.name in (ssh_binaries) and not proc.name in (ssh_binaries)
output: ssh-related file/directory read by non-ssh program (file=%fd.name pcmdline=%proc.pcmdline evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: ssh-related file/directory read by non-ssh program | file=%fd.name pcmdline=%proc.pcmdline evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: ERROR priority: ERROR
tags: [maturity_incubating, host, container, filesystem, mitre_collection, T1005] tags: [maturity_incubating, host, container, filesystem, mitre_collection, T1005]
@ -401,7 +396,7 @@
and not proc.name in (db_server_binaries) and not proc.name in (db_server_binaries)
and not postgres_running_wal_e and not postgres_running_wal_e
and not user_known_db_spawned_processes and not user_known_db_spawned_processes
output: Database-related program spawned process other than itself (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: Database-related program spawned process other than itself | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: NOTICE priority: NOTICE
tags: [maturity_incubating, host, container, process, database, mitre_execution, T1190] tags: [maturity_incubating, host, container, process, database, mitre_execution, T1190]
@ -442,7 +437,7 @@
and not calico_node and not calico_node
and not weaveworks_scope and not weaveworks_scope
and not user_known_change_thread_namespace_activities and not user_known_change_thread_namespace_activities
output: Namespace change (setns) by unexpected program (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Namespace change (setns) by unexpected program | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: NOTICE priority: NOTICE
tags: [maturity_incubating, host, container, process, mitre_privilege_escalation, T1611] tags: [maturity_incubating, host, container, process, mitre_privilege_escalation, T1611]
@ -456,7 +451,7 @@
evt.type=unshare and evt.dir=< evt.type=unshare and evt.dir=<
and container and container
and not thread.cap_permitted contains CAP_SYS_ADMIN and not thread.cap_permitted contains CAP_SYS_ADMIN
output: Change namespace privileges via unshare (res=%evt.res evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Change namespace privileges via unshare | res=%evt.res evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: NOTICE priority: NOTICE
tags: [maturity_incubating, container, mitre_privilege_escalation, T1611] tags: [maturity_incubating, container, mitre_privilege_escalation, T1611]
@ -613,12 +608,11 @@
seen as more suspicious, prompting a closer inspection. seen as more suspicious, prompting a closer inspection.
condition: > condition: >
container_started container_started
and container
and container.privileged=true and container.privileged=true
and not falco_privileged_containers and not falco_privileged_containers
and not user_privileged_containers and not user_privileged_containers
and not redhat_image and not redhat_image
output: Privileged container started (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Privileged container started | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: INFO priority: INFO
tags: [maturity_incubating, container, cis, mitre_execution, T1610, PCI_DSS_10.2.5] tags: [maturity_incubating, container, cis, mitre_execution, T1610, PCI_DSS_10.2.5]
@ -643,11 +637,10 @@
raise suspicion, prompting closer scrutiny. raise suspicion, prompting closer scrutiny.
condition: > condition: >
container_started container_started
and container
and excessively_capable_container and excessively_capable_container
and not falco_privileged_containers and not falco_privileged_containers
and not user_privileged_containers and not user_privileged_containers
output: Excessively capable container started (cap_permitted=%thread.cap_permitted evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Excessively capable container started | cap_permitted=%thread.cap_permitted evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: INFO priority: INFO
tags: [maturity_incubating, container, cis, mitre_execution, T1610] tags: [maturity_incubating, container, cis, mitre_execution, T1610]
@ -668,7 +661,7 @@
and not proc.name in (known_system_procs_network_activity_binaries) and not proc.name in (known_system_procs_network_activity_binaries)
and not login_doing_dns_lookup and not login_doing_dns_lookup
and not user_expected_system_procs_network_activity_conditions and not user_expected_system_procs_network_activity_conditions
output: Known system binary sent/received network traffic (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Known system binary sent/received network traffic | connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: NOTICE priority: NOTICE
tags: [maturity_incubating, host, network, process, mitre_execution, T1059] tags: [maturity_incubating, host, network, process, mitre_execution, T1059]
@ -707,7 +700,7 @@
and http_proxy_procs and http_proxy_procs
and proc.env icontains HTTP_PROXY and proc.env icontains HTTP_PROXY
and not allowed_ssh_proxy_env and not allowed_ssh_proxy_env
output: Curl or wget run with disallowed HTTP_PROXY environment variable (env=%proc.env evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: Curl or wget run with disallowed HTTP_PROXY environment variable | env=%proc.env evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: NOTICE priority: NOTICE
tags: [maturity_incubating, host, container, users, mitre_execution, T1204] tags: [maturity_incubating, host, container, users, mitre_execution, T1204]
@ -747,7 +740,7 @@
inbound_outbound inbound_outbound
and fd.l4proto=udp and fd.l4proto=udp
and not expected_udp_traffic and not expected_udp_traffic
output: Unexpected UDP Traffic Seen (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Unexpected UDP Traffic Seen | connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: NOTICE priority: NOTICE
tags: [maturity_incubating, host, container, network, mitre_exfiltration, TA0011] tags: [maturity_incubating, host, container, network, mitre_exfiltration, TA0011]
@ -799,7 +792,7 @@
and not java_running_sdjagent and not java_running_sdjagent
and not nrpe_becoming_nagios and not nrpe_becoming_nagios
and not user_known_non_sudo_setuid_conditions and not user_known_non_sudo_setuid_conditions
output: Unexpected setuid call by non-sudo, non-root program (arg_uid=%evt.arg.uid evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Unexpected setuid call by non-sudo, non-root program | arg_uid=%evt.arg.uid evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: NOTICE priority: NOTICE
tags: [maturity_incubating, host, container, users, mitre_privilege_escalation, T1548.001] tags: [maturity_incubating, host, container, users, mitre_privilege_escalation, T1548.001]
@ -831,7 +824,7 @@
and not run_by_google_accounts_daemon and not run_by_google_accounts_daemon
and not chage_list and not chage_list
and not user_known_user_management_activities and not user_known_user_management_activities
output: User management binary command run outside of container (gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: User management binary command run outside of container | gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: NOTICE priority: NOTICE
tags: [maturity_incubating, host, users, software_mgmt, mitre_persistence, T1098] tags: [maturity_incubating, host, users, software_mgmt, mitre_persistence, T1098]
@ -859,7 +852,7 @@
and not fd.name in (allowed_dev_files) and not fd.name in (allowed_dev_files)
and not fd.name startswith /dev/tty and not fd.name startswith /dev/tty
and not user_known_create_files_below_dev_activities and not user_known_create_files_below_dev_activities
output: File created below /dev by untrusted program (file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: File created below /dev by untrusted program | file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: ERROR priority: ERROR
tags: [maturity_incubating, host, filesystem, mitre_persistence, T1543] tags: [maturity_incubating, host, filesystem, mitre_persistence, T1543]
@ -886,7 +879,7 @@
and container and container
and fd.sip="169.254.169.254" and fd.sip="169.254.169.254"
and not ec2_metadata_containers and not ec2_metadata_containers
output: Outbound connection to EC2 instance metadata service (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Outbound connection to EC2 instance metadata service | connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: NOTICE priority: NOTICE
tags: [maturity_incubating, network, aws, container, mitre_credential_access, T1552.005] tags: [maturity_incubating, network, aws, container, mitre_credential_access, T1552.005]
@ -907,7 +900,7 @@
and fd.sip="169.254.169.254" and fd.sip="169.254.169.254"
and not user_known_metadata_access and not user_known_metadata_access
enabled: true enabled: true
output: Outbound connection to cloud instance metadata service (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Outbound connection to cloud instance metadata service | connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: NOTICE priority: NOTICE
tags: [maturity_incubating, network, container, mitre_discovery, T1565] tags: [maturity_incubating, network, container, mitre_discovery, T1565]
@ -946,7 +939,7 @@
and not package_mgmt_ancestor_procs and not package_mgmt_ancestor_procs
and not user_known_package_manager_in_container and not user_known_package_manager_in_container
and not pkg_mgmt_in_kube_proxy and not pkg_mgmt_in_kube_proxy
output: Package management process launched in container (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: Package management process launched in container | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: ERROR priority: ERROR
tags: [maturity_incubating, container, process, software_mgmt, mitre_persistence, T1505] tags: [maturity_incubating, container, process, software_mgmt, mitre_persistence, T1505]
@ -963,7 +956,7 @@
and container and container
and network_tool_procs and network_tool_procs
and not user_known_network_tool_activities and not user_known_network_tool_activities
output: Network tool launched in container (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: Network tool launched in container | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: NOTICE priority: NOTICE
tags: [maturity_incubating, container, network, process, mitre_execution, T1059] tags: [maturity_incubating, container, network, process, mitre_execution, T1059]
@ -977,7 +970,7 @@
and not container and not container
and network_tool_procs and network_tool_procs
and not user_known_network_tool_activities and not user_known_network_tool_activities
output: Network tool launched on host (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags) output: Network tool launched on host | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: NOTICE priority: NOTICE
tags: [maturity_incubating, host, network, process, mitre_execution, T1059] tags: [maturity_incubating, host, network, process, mitre_execution, T1059]
@ -1023,7 +1016,7 @@
(modify_shell_history or truncate_shell_history) (modify_shell_history or truncate_shell_history)
and not var_lib_docker_filepath and not var_lib_docker_filepath
and not proc.name in (docker_binaries) and not proc.name in (docker_binaries)
output: Shell history deleted or renamed (file=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Shell history deleted or renamed | file=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: priority:
WARNING WARNING
tags: [maturity_incubating, host, container, process, filesystem, mitre_defense_evasion, T1070] tags: [maturity_incubating, host, container, process, filesystem, mitre_defense_evasion, T1070]
@ -1054,7 +1047,7 @@
and not proc.name in (user_known_chmod_applications) and not proc.name in (user_known_chmod_applications)
and not exe_running_docker_save and not exe_running_docker_save
and not user_known_set_setuid_or_setgid_bit_conditions and not user_known_set_setuid_or_setgid_bit_conditions
output: Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Setuid or setgid bit is set via chmod | fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: priority:
NOTICE NOTICE
tags: [maturity_incubating, host, container, process, users, mitre_privilege_escalation, T1548.001] tags: [maturity_incubating, host, container, process, users, mitre_privilege_escalation, T1548.001]
@ -1079,7 +1072,7 @@
and container and container
and remote_file_copy_procs and remote_file_copy_procs
and not user_known_remote_file_copy_activities and not user_known_remote_file_copy_activities
output: Remote file copy tool launched in container (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: Remote file copy tool launched in container | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: NOTICE priority: NOTICE
tags: [maturity_incubating, container, network, process, mitre_exfiltration, T1020] tags: [maturity_incubating, container, network, process, mitre_exfiltration, T1020]
@ -1109,7 +1102,7 @@
and container and container
and k8s.ns.name in (namespace_scope_network_only_subnet) and k8s.ns.name in (namespace_scope_network_only_subnet)
and not network_local_subnet and not network_local_subnet
output: Network connection outside local subnet (fd_rip_name=%fd.rip.name fd_lip_name=%fd.lip.name fd_cip_name=%fd.cip.name fd_sip_name=%fd.sip.name connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Network connection outside local subnet | fd_rip_name=%fd.rip.name fd_lip_name=%fd.lip.name fd_cip_name=%fd.cip.name fd_sip_name=%fd.sip.name connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: WARNING priority: WARNING
tags: [maturity_incubating, container, network, mitre_discovery, T1046, PCI_DSS_6.4.2] tags: [maturity_incubating, container, network, mitre_discovery, T1046, PCI_DSS_6.4.2]
@ -1143,7 +1136,7 @@
and not known_gke_mount_in_privileged_containers and not known_gke_mount_in_privileged_containers
and not known_aks_mount_in_privileged_containers and not known_aks_mount_in_privileged_containers
and not user_known_mount_in_privileged_containers and not user_known_mount_in_privileged_containers
output: Mount was executed inside a privileged container (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: Mount was executed inside a privileged container | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: WARNING priority: WARNING
tags: [maturity_incubating, container, cis, filesystem, mitre_privilege_escalation, T1611] tags: [maturity_incubating, container, cis, filesystem, mitre_privilege_escalation, T1611]
@ -1175,7 +1168,7 @@
and container and container
and (ingress_remote_file_copy_procs or curl_download) and (ingress_remote_file_copy_procs or curl_download)
and not user_known_ingress_remote_file_copy_activities and not user_known_ingress_remote_file_copy_activities
output: Ingress remote file copy tool launched in container (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: Ingress remote file copy tool launched in container | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: NOTICE priority: NOTICE
tags: [maturity_incubating, container, network, process, mitre_command_and_control, TA0011] tags: [maturity_incubating, container, network, process, mitre_command_and_control, TA0011]
@ -1196,7 +1189,7 @@
and container and container
and (fd.name glob /proc/*/environ) and (fd.name glob /proc/*/environ)
and not proc.name in (known_binaries_to_read_environment_variables_from_proc_files) and not proc.name in (known_binaries_to_read_environment_variables_from_proc_files)
output: Environment variables were retrieved from /proc files (file=%fd.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Environment variables were retrieved from /proc files | file=%fd.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: WARNING priority: WARNING
tags: [maturity_incubating, container, filesystem, process, mitre_discovery, T1083] tags: [maturity_incubating, container, filesystem, process, mitre_discovery, T1083]
@ -1211,7 +1204,7 @@
# We also let runc:[1:CHILD] count as the parent process, which can occur # We also let runc:[1:CHILD] count as the parent process, which can occur
# when we lose events and lose track of state. # when we lose events and lose track of state.
- macro: container_entrypoint - macro: container_entrypoint
condition: (not proc.pname exists or proc.pname in (runc:[0:PARENT], runc:[1:CHILD], runc, docker-runc, exe, docker-runc-cur, containerd-shim, systemd, crio)) condition: (not proc.pname exists or proc.pname in (runc:[0:PARENT], runc:[1:CHILD], runc, docker-runc, exe, docker-runc-cur, containerd-shim, systemd, crio, conmon))
- macro: system_level_side_effect_artifacts_kubectl_cp - macro: system_level_side_effect_artifacts_kubectl_cp
condition: (fd.name startswith /etc or condition: (fd.name startswith /etc or
@ -1235,7 +1228,7 @@
and container_entrypoint and container_entrypoint
and proc.tty=0 and proc.tty=0
and not system_level_side_effect_artifacts_kubectl_cp and not system_level_side_effect_artifacts_kubectl_cp
output: Exfiltrating Artifacts via Kubernetes Control Plane (file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Exfiltrating Artifacts via Kubernetes Control Plane | file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: NOTICE priority: NOTICE
tags: [maturity_incubating, container, filesystem, mitre_exfiltration, TA0010] tags: [maturity_incubating, container, filesystem, mitre_exfiltration, TA0010]
@ -1252,7 +1245,7 @@
and (user_ssh_directory or fd.name startswith /root/.ssh) and (user_ssh_directory or fd.name startswith /root/.ssh)
and fd.name endswith authorized_keys and fd.name endswith authorized_keys
and not proc.name in (ssh_binaries) and not proc.name in (ssh_binaries)
output: Adding ssh keys to authorized_keys (file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty) output: Adding ssh keys to authorized_keys | file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: WARNING priority: WARNING
tags: [maturity_incubating, host, filesystem, mitre_persistence, T1098.004] tags: [maturity_incubating, host, filesystem, mitre_persistence, T1098.004]
@ -1271,7 +1264,7 @@
spawned_process spawned_process
and glibc_tunables_env and glibc_tunables_env
enabled: true enabled: true
output: Process run with suspect environment variable which could be attempting privilege escalation (env=%proc.env evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: Process run with suspect environment variable which could be attempting privilege escalation | env=%proc.env evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: NOTICE priority: NOTICE
tags: [maturity_incubating, host, container, users, mitre_privilege_escalation, TA0004] tags: [maturity_incubating, host, container, users, mitre_privilege_escalation, TA0004]
@ -1281,7 +1274,7 @@
open_read and open_read and
proc.name=sshd and proc.name=sshd and
(fd.name contains "liblzma.so.5.6.0" or fd.name contains "liblzma.so.5.6.1") (fd.name contains "liblzma.so.5.6.0" or fd.name contains "liblzma.so.5.6.1")
output: SSHD loaded a backdoored version of liblzma library %fd.name with parent %proc.pname and cmdline %proc.cmdline (process=%proc.name parent=%proc.pname file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid proc_exepath=%proc.exepath command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: SSHD loaded a backdoored version of liblzma library %fd.name with parent %proc.pname and cmdline %proc.cmdline | process=%proc.name parent=%proc.pname file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid proc_exepath=%proc.exepath command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: WARNING priority: WARNING
tags: [maturity_incubating, host, container, mitre_initial_access, T1556] tags: [maturity_incubating, host, container, mitre_initial_access, T1556]
@ -1302,6 +1295,6 @@
evt.type=bpf and evt.dir=> evt.type=bpf and evt.dir=>
and (evt.arg.cmd=5 or evt.arg.cmd=BPF_PROG_LOAD) and (evt.arg.cmd=5 or evt.arg.cmd=BPF_PROG_LOAD)
and not bpf_profiled_procs and not bpf_profiled_procs
output: BPF Program Not Profiled (bpf_cmd=%evt.arg.cmd evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: BPF Program Not Profiled | bpf_cmd=%evt.arg.cmd evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: NOTICE priority: NOTICE
tags: [maturity_incubating, host, container, mitre_persistence, TA0003] tags: [maturity_incubating, host, container, mitre_persistence, TA0003]

99
rules/falco-sandbox_rules.yaml
View File

@ -1,6 +1,6 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
# #
# Copyright (C) 2023 The Falco Authors. # Copyright (C) 2025 The Falco Authors.
# #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
@ -25,7 +25,11 @@
# Starting with version 8, the Falco engine supports exceptions. # Starting with version 8, the Falco engine supports exceptions.
# However the Falco rules file does not use them by default. # However the Falco rules file does not use them by default.
- required_engine_version: 0.35.0 - required_engine_version: 0.50.0
- required_plugin_versions:
- name: container
version: 0.2.2
# Currently disabled as read/write are ignored syscalls. The nearly # Currently disabled as read/write are ignored syscalls. The nearly
# similar open_write/open_read check for files being opened for # similar open_write/open_read check for files being opened for
@ -269,7 +273,7 @@
(fd.cnet in (allowed_inbound_source_networks)) or (fd.cnet in (allowed_inbound_source_networks)) or
(fd.cip.name in (allowed_inbound_source_domains))) (fd.cip.name in (allowed_inbound_source_domains)))
enabled: false enabled: false
output: Disallowed inbound connection source (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Disallowed inbound connection source | connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: NOTICE priority: NOTICE
tags: [maturity_sandbox, host, container, network, mitre_command_and_control, TA0011] tags: [maturity_sandbox, host, container, network, mitre_command_and_control, TA0011]
@ -312,26 +316,18 @@
fd.directory in (shell_config_directories)) fd.directory in (shell_config_directories))
and not proc.name in (shell_binaries) and not proc.name in (shell_binaries)
enabled: false enabled: false
output: A shell configuration file was read by a non-shell program (file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: A shell configuration file was read by a non-shell program | file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: priority:
WARNING WARNING
tags: [maturity_sandbox, host, container, filesystem, mitre_discovery, T1546.004] tags: [maturity_sandbox, host, container, filesystem, mitre_discovery, T1546.004]
# Use this to test whether the event occurred within a container. # Use this to test whether the event occurred within a container.
# When displaying container information in the output field, use
# %container.info, without any leading term (file=%fd.name
# %container.info user=%user.name user_loginuid=%user.loginuid, and not file=%fd.name
# container=%container.info user=%user.name user_loginuid=%user.loginuid). The output will change
# based on the context and whether or not -pk/-pm/-pc was specified on
# the command line.
- macro: container - macro: container
condition: (container.id != host) condition: (container.id != host)
- macro: container_started - macro: container_started
condition: > condition: >
((evt.type = container or (spawned_process and proc.vpid=1 and container)
(spawned_process and proc.vpid=1)) and
container.image.repository != incomplete)
# Possible scripts run by sshkit # Possible scripts run by sshkit
- list: sshkit_script_binaries - list: sshkit_script_binaries
@ -601,7 +597,7 @@
and not package_mgmt_ancestor_procs and not package_mgmt_ancestor_procs
and not exe_running_docker_save and not exe_running_docker_save
and not user_known_update_package_registry and not user_known_update_package_registry
output: Repository files get updated (newpath=%evt.arg.newpath file=%fd.name pcmdline=%proc.pcmdline evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Repository files get updated | newpath=%evt.arg.newpath file=%fd.name pcmdline=%proc.pcmdline evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: priority:
NOTICE NOTICE
tags: [maturity_sandbox, host, container, filesystem, mitre_execution, T1072] tags: [maturity_sandbox, host, container, filesystem, mitre_execution, T1072]
@ -626,7 +622,7 @@
and not python_running_get_pip and not python_running_get_pip
and not python_running_ms_oms and not python_running_ms_oms
and not user_known_write_below_binary_dir_activities and not user_known_write_below_binary_dir_activities
output: File below a known binary directory opened for writing (file=%fd.name pcmdline=%proc.pcmdline gparent=%proc.aname[2] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: File below a known binary directory opened for writing | file=%fd.name pcmdline=%proc.pcmdline gparent=%proc.aname[2] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: ERROR priority: ERROR
tags: [maturity_sandbox, host, container, filesystem, mitre_persistence, T1543] tags: [maturity_sandbox, host, container, filesystem, mitre_persistence, T1543]
@ -681,12 +677,12 @@
and not google_accounts_daemon_writing_ssh and not google_accounts_daemon_writing_ssh
and not cloud_init_writing_ssh and not cloud_init_writing_ssh
and not user_known_write_monitored_dir_conditions and not user_known_write_monitored_dir_conditions
output: File below a monitored directory opened for writing (file=%fd.name pcmdline=%proc.pcmdline gparent=%proc.aname[2] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: File below a monitored directory opened for writing | file=%fd.name pcmdline=%proc.pcmdline gparent=%proc.aname[2] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: ERROR priority: ERROR
tags: [maturity_sandbox, host, container, filesystem, mitre_persistence, T1543] tags: [maturity_sandbox, host, container, filesystem, mitre_persistence, T1543]
- list: safe_etc_dirs - list: safe_etc_dirs
items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment, /etc/hrmconfig, /etc/fluent/configs.d. /etc/alertmanager] items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment, /etc/hrmconfig, /etc/fluent/configs.d, /etc/alertmanager]
- macro: fluentd_writing_conf_files - macro: fluentd_writing_conf_files
condition: (proc.name=start-fluentd and fd.name in (/etc/fluent/fluent.conf, /etc/td-agent/td-agent.conf)) condition: (proc.name=start-fluentd and fd.name in (/etc/fluent/fluent.conf, /etc/td-agent/td-agent.conf))
@ -983,7 +979,7 @@
profiling of your environment can transform this rule into an effective rule for detecting unusual behavior associated with system profiling of your environment can transform this rule into an effective rule for detecting unusual behavior associated with system
changes, including compliance-related cases. changes, including compliance-related cases.
condition: write_etc_common condition: write_etc_common
output: File below /etc opened for writing (file=%fd.name pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: File below /etc opened for writing | file=%fd.name pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: ERROR priority: ERROR
tags: [maturity_sandbox, host, container, filesystem, mitre_persistence, T1098] tags: [maturity_sandbox, host, container, filesystem, mitre_persistence, T1098]
@ -1086,7 +1082,7 @@
and not known_root_conditions and not known_root_conditions
and not user_known_write_root_conditions and not user_known_write_root_conditions
and not user_known_write_below_root_activities and not user_known_write_below_root_activities
output: File below / or /root opened for writing (file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: File below / or /root opened for writing | file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: ERROR priority: ERROR
tags: [maturity_sandbox, host, container, filesystem, mitre_persistence, TA0003] tags: [maturity_sandbox, host, container, filesystem, mitre_persistence, TA0003]
@ -1115,7 +1111,7 @@
and not exe_running_docker_save and not exe_running_docker_save
and not amazon_linux_running_python_yum and not amazon_linux_running_python_yum
and not user_known_write_rpm_database_activities and not user_known_write_rpm_database_activities
output: rpm database opened for writing by a non-rpm program (file=%fd.name pcmdline=%proc.pcmdline evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: rpm database opened for writing by a non-rpm program | file=%fd.name pcmdline=%proc.pcmdline evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: ERROR priority: ERROR
tags: [maturity_sandbox, host, container, filesystem, software_mgmt, mitre_persistence, T1072] tags: [maturity_sandbox, host, container, filesystem, software_mgmt, mitre_persistence, T1072]
@ -1134,7 +1130,7 @@
and not package_mgmt_procs and not package_mgmt_procs
and not exe_running_docker_save and not exe_running_docker_save
and not user_known_modify_bin_dir_activities and not user_known_modify_bin_dir_activities
output: File below known binary directory renamed/removed (file=%fd.name pcmdline=%proc.pcmdline evt_args=%evt.args evt_type=%evt.type evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: File below known binary directory renamed/removed | file=%fd.name pcmdline=%proc.pcmdline evt_args=%evt.args evt_type=%evt.type evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: ERROR priority: ERROR
tags: [maturity_sandbox, host, container, filesystem, mitre_defense_evasion, T1222.002] tags: [maturity_sandbox, host, container, filesystem, mitre_defense_evasion, T1222.002]
@ -1153,7 +1149,7 @@
and not package_mgmt_procs and not package_mgmt_procs
and not user_known_mkdir_bin_dir_activities and not user_known_mkdir_bin_dir_activities
and not exe_running_docker_save and not exe_running_docker_save
output: Directory below known binary directory created (directory=%evt.arg.path evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Directory below known binary directory created | directory=%evt.arg.path evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: ERROR priority: ERROR
tags: [maturity_sandbox, host, container, filesystem, mitre_persistence, T1222.002] tags: [maturity_sandbox, host, container, filesystem, mitre_persistence, T1222.002]
@ -1267,11 +1263,10 @@
varies based on your environment. varies based on your environment.
condition: > condition: >
container_started container_started
and container
and sensitive_mount and sensitive_mount
and not falco_sensitive_mount_containers and not falco_sensitive_mount_containers
and not user_sensitive_mount_containers and not user_sensitive_mount_containers
output: Container with sensitive mount started (mounts=%container.mounts evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Container with sensitive mount started | mounts=%container.mounts evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: INFO priority: INFO
tags: [maturity_sandbox, container, cis, mitre_execution, T1610] tags: [maturity_sandbox, container, cis, mitre_execution, T1610]
@ -1294,9 +1289,8 @@
this can be challenging to manage. this can be challenging to manage.
condition: > condition: >
container_started container_started
and container
and not allowed_containers and not allowed_containers
output: Container started and not in allowed list (evt_type=%evt.type user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Container started and not in allowed list | evt_type=%evt.type user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: WARNING priority: WARNING
tags: [maturity_sandbox, container, mitre_lateral_movement, T1610] tags: [maturity_sandbox, container, mitre_lateral_movement, T1610]
@ -1313,7 +1307,7 @@
inbound inbound
and interpreted_procs and interpreted_procs
enabled: false enabled: false
output: Interpreted program received/listened for network traffic (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Interpreted program received/listened for network traffic | connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: NOTICE priority: NOTICE
tags: [maturity_sandbox, host, container, network, mitre_exfiltration, TA0011] tags: [maturity_sandbox, host, container, network, mitre_exfiltration, TA0011]
@ -1326,7 +1320,7 @@
outbound outbound
and interpreted_procs and interpreted_procs
enabled: false enabled: false
output: Interpreted program performed outgoing network connection (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Interpreted program performed outgoing network connection | connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: NOTICE priority: NOTICE
tags: [maturity_sandbox, host, container, network, mitre_exfiltration, TA0011] tags: [maturity_sandbox, host, container, network, mitre_exfiltration, TA0011]
@ -1352,7 +1346,7 @@
and fd.sport <= 32767 and fd.sport <= 32767
and not nodeport_containers and not nodeport_containers
enabled: false enabled: false
output: Unexpected K8s NodePort Connection (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Unexpected K8s NodePort Connection | connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: NOTICE priority: NOTICE
tags: [maturity_sandbox, network, k8s, container, mitre_persistence, T1205.001, NIST_800-53_AC-6] tags: [maturity_sandbox, network, k8s, container, mitre_persistence, T1205.001, NIST_800-53_AC-6]
@ -1376,7 +1370,7 @@
and not user_known_create_hidden_file_activities and not user_known_create_hidden_file_activities
and not exe_running_docker_save and not exe_running_docker_save
enabled: false enabled: false
output: Hidden file or directory created (file=%fd.name newpath=%evt.arg.newpath evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Hidden file or directory created | file=%fd.name newpath=%evt.arg.newpath evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: priority:
NOTICE NOTICE
tags: [maturity_sandbox, host, container, filesystem, mitre_defense_evasion, T1564.001] tags: [maturity_sandbox, host, container, filesystem, mitre_defense_evasion, T1564.001]
@ -1487,7 +1481,7 @@
net_miner_pool net_miner_pool
and not trusted_images_query_miner_domain_dns and not trusted_images_query_miner_domain_dns
enabled: false enabled: false
output: Outbound connection to IP/Port flagged by https://cryptoioc.ch (ip=%fd.rip connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Outbound connection to IP/Port flagged by https://cryptoioc.ch | ip=%fd.rip connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: CRITICAL priority: CRITICAL
tags: [maturity_sandbox, host, container, network, mitre_impact, T1496] tags: [maturity_sandbox, host, container, network, mitre_impact, T1496]
@ -1501,7 +1495,7 @@
proc.cmdline contains "stratum2+tcp" or proc.cmdline contains "stratum2+tcp" or
proc.cmdline contains "stratum+ssl" or proc.cmdline contains "stratum+ssl" or
proc.cmdline contains "stratum2+ssl") proc.cmdline contains "stratum2+ssl")
output: Possible miner running (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: Possible miner running | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: CRITICAL priority: CRITICAL
tags: [maturity_sandbox, host, container, process, mitre_impact, T1496] tags: [maturity_sandbox, host, container, process, mitre_impact, T1496]
@ -1538,7 +1532,7 @@
and container and container
and not user_known_k8s_client_container_parens and not user_known_k8s_client_container_parens
and proc.name in (k8s_client_binaries) and proc.name in (k8s_client_binaries)
output: Kubernetes Client Tool Launched in Container (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: Kubernetes Client Tool Launched in Container | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: WARNING priority: WARNING
tags: [maturity_sandbox, container, mitre_execution, T1610] tags: [maturity_sandbox, container, mitre_execution, T1610]
@ -1571,7 +1565,7 @@
and not runc_writing_var_lib_docker and not runc_writing_var_lib_docker
and not user_known_container_drift_activities and not user_known_container_drift_activities
enabled: false enabled: false
output: Drift detected (chmod), new executable created in a container (filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Drift detected (chmod), new executable created in a container | filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: ERROR priority: ERROR
tags: [maturity_sandbox, container, process, filesystem, mitre_execution, T1059] tags: [maturity_sandbox, container, process, filesystem, mitre_execution, T1059]
@ -1591,7 +1585,7 @@
and not runc_writing_var_lib_docker and not runc_writing_var_lib_docker
and not user_known_container_drift_activities and not user_known_container_drift_activities
enabled: false enabled: false
output: Drift detected (open+create), new executable created in a container (filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Drift detected (open+create), new executable created in a container | filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: ERROR priority: ERROR
tags: [maturity_sandbox, container, process, filesystem, mitre_execution, T1059] tags: [maturity_sandbox, container, process, filesystem, mitre_execution, T1059]
@ -1615,7 +1609,7 @@
and user.uid=0 and user.uid=0
and not user_known_run_as_root_container and not user_known_run_as_root_container
enabled: false enabled: false
output: Container launched with root user privilege (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: Container launched with root user privilege | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: INFO priority: INFO
tags: [maturity_sandbox, container, process, users, mitre_execution, T1610] tags: [maturity_sandbox, container, process, users, mitre_execution, T1610]
@ -1632,7 +1626,7 @@
and (proc.name=sudoedit or proc.name = sudo) and (proc.name=sudoedit or proc.name = sudo)
and (proc.args contains -s or proc.args contains -i or proc.args contains --login) and (proc.args contains -s or proc.args contains -i or proc.args contains --login)
and (proc.args contains "\ " or proc.args endswith \) and (proc.args contains "\ " or proc.args endswith \)
output: Detect Sudo Privilege Escalation Exploit (CVE-2021-3156) (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: Detect Sudo Privilege Escalation Exploit (CVE-2021-3156) | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: CRITICAL priority: CRITICAL
tags: [maturity_sandbox, host, container, filesystem, users, mitre_privilege_escalation, T1548.003] tags: [maturity_sandbox, host, container, filesystem, users, mitre_privilege_escalation, T1548.003]
@ -1648,7 +1642,7 @@
and user.uid != 0 and user.uid != 0
and (evt.rawres >= 0 or evt.res != -1) and (evt.rawres >= 0 or evt.res != -1)
and not proc.name in (user_known_userfaultfd_processes) and not proc.name in (user_known_userfaultfd_processes)
output: An userfaultfd syscall was successfully executed by an unprivileged user (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: An userfaultfd syscall was successfully executed by an unprivileged user | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: CRITICAL priority: CRITICAL
tags: [maturity_sandbox, host, container, process, mitre_defense_evasion, TA0005] tags: [maturity_sandbox, host, container, process, mitre_defense_evasion, TA0005]
@ -1664,7 +1658,7 @@
and user.uid != 0 and user.uid != 0
and proc.name=pkexec and proc.name=pkexec
and proc.args = '' and proc.args = ''
output: Detect Polkit pkexec Local Privilege Escalation Exploit (CVE-2021-4034) (args=%proc.args evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: Detect Polkit pkexec Local Privilege Escalation Exploit (CVE-2021-4034) | args=%proc.args evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: CRITICAL priority: CRITICAL
tags: [maturity_sandbox, host, container, process, users, mitre_privilege_escalation, TA0004] tags: [maturity_sandbox, host, container, process, users, mitre_privilege_escalation, TA0004]
@ -1680,7 +1674,7 @@
condition: > condition: >
java_network_read java_network_read
and evt.buffer bcontains cafebabe and evt.buffer bcontains cafebabe
output: Java process class file download (server_ip=%fd.sip server_port=%fd.sport connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Java process class file download | server_ip=%fd.sip server_port=%fd.sport connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: CRITICAL priority: CRITICAL
enabled: false enabled: false
tags: [maturity_sandbox, host, container, process, mitre_initial_access, T1190] tags: [maturity_sandbox, host, container, process, mitre_initial_access, T1190]
@ -1702,7 +1696,7 @@
and not docker_procs and not docker_procs
and not proc.cmdline = "runc:[1:CHILD] init" and not proc.cmdline = "runc:[1:CHILD] init"
enabled: false enabled: false
output: Detect Potential Container Breakout Exploit (CVE-2019-5736) (file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Detect Potential Container Breakout Exploit (CVE-2019-5736) | file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: WARNING priority: WARNING
tags: [maturity_sandbox, container, filesystem, mitre_initial_access, T1611] tags: [maturity_sandbox, container, filesystem, mitre_initial_access, T1611]
@ -1725,7 +1719,7 @@
and container and container
and base64_decoding and base64_decoding
and not container.image.repository in (known_decode_payload_containers) and not container.image.repository in (known_decode_payload_containers)
output: Decoding Payload in Container (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: Decoding Payload in Container | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: INFO priority: INFO
tags: [maturity_sandbox, container, process, mitre_command_and_control, T1132] tags: [maturity_sandbox, container, process, mitre_command_and_control, T1132]
- list: recon_binaries - list: recon_binaries
@ -1748,6 +1742,25 @@
and recon_binaries_procs and recon_binaries_procs
and proc.tty != 0 and proc.tty != 0
and proc.is_vpgid_leader=true and proc.is_vpgid_leader=true
output: Basic Interactive Reconnaissance (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: Basic Interactive Reconnaissance | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: NOTICE priority: NOTICE
tags: [maturity_sandbox, host, container, process, mitre_reconnaissance, TA0043] tags: [maturity_sandbox, host, container, process, mitre_reconnaissance, TA0043]
- rule: Netcat/Socat Remote Code Execution on Host
desc: >
Netcat/Socat Program runs on host that allows remote code execution and may be utilized
as a part of a variety of reverse shell payload https://github.com/swisskyrepo/PayloadsAllTheThings/.
These programs are of higher relevance as they are commonly installed on UNIX-like operating systems.
condition: >
spawned_process
and not container
and ((proc.name = "nc" and (proc.cmdline contains "-e" or
proc.cmdline contains "-c")) or
(proc.name = "ncat" and (proc.args contains "--sh-exec" or
proc.args contains "--exec" or proc.args contains "-e " or
proc.args contains "-c " or proc.args contains "--lua-exec")) or
(proc.name = 'socat' and (proc.args contains "EXEC" or
proc.args contains "SYSTEM")))
output: Netcat/Socat runs on host that allows remote code execution | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: WARNING
tags: [maturity_sandbox, host, network, process, mitre_execution, T1059]

86
rules/falco_rules.yaml
View File

@ -1,6 +1,6 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
# #
# Copyright (C) 2023 The Falco Authors. # Copyright (C) 2025 The Falco Authors.
# #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
@ -25,7 +25,11 @@
# Starting with version 8, the Falco engine supports exceptions. # Starting with version 8, the Falco engine supports exceptions.
# However the Falco rules file does not use them by default. # However the Falco rules file does not use them by default.
- required_engine_version: 0.31.0 - required_engine_version: 0.50.0
- required_plugin_versions:
- name: container
version: 0.2.2
# Currently disabled as read/write are ignored syscalls. The nearly # Currently disabled as read/write are ignored syscalls. The nearly
# similar open_write/open_read check for files being opened for # similar open_write/open_read check for files being opened for
@ -159,7 +163,7 @@
apt-listchanges, unattended-upgr, apt-add-reposit, apt-cache, apt.systemd.dai apt-listchanges, unattended-upgr, apt-add-reposit, apt-cache, apt.systemd.dai
] ]
- list: python_package_managers - list: python_package_managers
items: [pip, pip3, conda] items: [pip, pip3, conda, uv]
# The truncated dpkg-preconfigu is intentional, process names are # The truncated dpkg-preconfigu is intentional, process names are
# truncated at the falcosecurity-libs level. # truncated at the falcosecurity-libs level.
@ -217,12 +221,6 @@
condition: (proc.duration <= 5000000000) condition: (proc.duration <= 5000000000)
# Use this to test whether the event occurred within a container. # Use this to test whether the event occurred within a container.
# When displaying container information in the output field, use
# %container.info, without any leading term (file=%fd.name
# %container.info user=%user.name user_loginuid=%user.loginuid, and not file=%fd.name
# container=%container.info user=%user.name user_loginuid=%user.loginuid). The output will change
# based on the context and whether or not -pk/-pm/-pc was specified on
# the command line.
- macro: container - macro: container
condition: (container.id != host) condition: (container.id != host)
@ -330,7 +328,7 @@
and directory_traversal and directory_traversal
and not proc.pname in (shell_binaries) and not proc.pname in (shell_binaries)
enabled: true enabled: true
output: Read monitored file via directory traversal (file=%fd.name fileraw=%fd.nameraw gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Read monitored file via directory traversal | file=%fd.name fileraw=%fd.nameraw gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: WARNING priority: WARNING
tags: [maturity_stable, host, container, filesystem, mitre_credential_access, T1555] tags: [maturity_stable, host, container, filesystem, mitre_credential_access, T1555]
@ -356,7 +354,7 @@
and not proc_is_new and not proc_is_new
and proc.name!="sshd" and proc.name!="sshd"
and not user_known_read_sensitive_files_activities and not user_known_read_sensitive_files_activities
output: Sensitive file opened for reading by trusted program after startup (file=%fd.name pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Sensitive file opened for reading by trusted program after startup | file=%fd.name pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: WARNING priority: WARNING
tags: [maturity_stable, host, container, filesystem, mitre_credential_access, T1555] tags: [maturity_stable, host, container, filesystem, mitre_credential_access, T1555]
@ -365,7 +363,8 @@
iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd, iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd,
vsftpd, systemd, mysql_install_d, psql, screen, debconf-show, sa-update, vsftpd, systemd, mysql_install_d, psql, screen, debconf-show, sa-update,
pam-auth-update, pam-config, /usr/sbin/spamd, polkit-agent-he, lsattr, file, sosreport, pam-auth-update, pam-config, /usr/sbin/spamd, polkit-agent-he, lsattr, file, sosreport,
scxcimservera, adclient, rtvscand, cockpit-session, userhelper, ossec-syscheckd scxcimservera, adclient, rtvscand, cockpit-session, userhelper, ossec-syscheckd,
sshd-session
] ]
# Add conditions to this macro (probably in a separate file, # Add conditions to this macro (probably in a separate file,
@ -428,7 +427,7 @@
and not linux_bench_reading_etc_shadow and not linux_bench_reading_etc_shadow
and not user_known_read_sensitive_files_activities and not user_known_read_sensitive_files_activities
and not user_read_sensitive_file_containers and not user_read_sensitive_file_containers
output: Sensitive file opened for reading by non-trusted program (file=%fd.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Sensitive file opened for reading by non-trusted program | file=%fd.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: WARNING priority: WARNING
tags: [maturity_stable, host, container, filesystem, mitre_credential_access, T1555] tags: [maturity_stable, host, container, filesystem, mitre_credential_access, T1555]
@ -600,7 +599,7 @@
and not rabbitmqctl_running_scripts and not rabbitmqctl_running_scripts
and not run_by_appdynamics and not run_by_appdynamics
and not user_shell_container_exclusions and not user_shell_container_exclusions
output: Shell spawned by untrusted binary (parent_exe=%proc.pexe parent_exepath=%proc.pexepath pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3] aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: Shell spawned by untrusted binary | parent_exe=%proc.pexe parent_exepath=%proc.pexepath pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3] aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: NOTICE priority: NOTICE
tags: [maturity_stable, host, container, process, shell, mitre_execution, T1059.004] tags: [maturity_stable, host, container, process, shell, mitre_execution, T1059.004]
@ -674,14 +673,14 @@
# We also let runc:[1:CHILD] count as the parent process, which can occur # We also let runc:[1:CHILD] count as the parent process, which can occur
# when we lose events and lose track of state. # when we lose events and lose track of state.
- macro: container_entrypoint - macro: container_entrypoint
condition: (not proc.pname exists or proc.pname in (runc:[0:PARENT], runc:[1:CHILD], runc, docker-runc, exe, docker-runc-cur, containerd-shim, systemd, crio)) condition: (not proc.pname exists or proc.pname in (runc:[0:PARENT], runc:[1:CHILD], runc, docker-runc, exe, docker-runc-cur, containerd-shim, systemd, crio, conmon))
- macro: user_known_system_user_login - macro: user_known_system_user_login
condition: (never_true) condition: (never_true)
# Anything run interactively by root # Anything run interactively by root
# - condition: evt.type != switch and user.name = root and proc.name != sshd and interactive # - condition: evt.type != switch and user.name = root and proc.name != sshd and interactive
# output: "Interactive root (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)" # output: "Interactive root | %user.name %proc.name %evt.dir %evt.type %evt.args %fd.name"
# priority: WARNING # priority: WARNING
- rule: System user interactive - rule: System user interactive
desc: > desc: >
@ -698,7 +697,7 @@
and system_users and system_users
and interactive and interactive
and not user_known_system_user_login and not user_known_system_user_login
output: System user ran an interactive command (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: System user ran an interactive command | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: INFO priority: INFO
tags: [maturity_stable, host, container, users, mitre_execution, T1059, NIST_800-53_AC-2] tags: [maturity_stable, host, container, users, mitre_execution, T1059, NIST_800-53_AC-2]
@ -721,7 +720,7 @@
and proc.tty != 0 and proc.tty != 0
and container_entrypoint and container_entrypoint
and not user_expected_terminal_shell_in_container_conditions and not user_expected_terminal_shell_in_container_conditions
output: A shell was spawned in a container with an attached terminal (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: A shell was spawned in a container with an attached terminal | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: NOTICE priority: NOTICE
tags: [maturity_stable, container, shell, mitre_execution, T1059] tags: [maturity_stable, container, shell, mitre_execution, T1059]
@ -831,7 +830,7 @@
and k8s_api_server and k8s_api_server
and not k8s_containers and not k8s_containers
and not user_known_contact_k8s_api_server_activities and not user_known_contact_k8s_api_server_activities
output: Unexpected connection to K8s API Server from container (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Unexpected connection to K8s API Server from container | connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: NOTICE priority: NOTICE
tags: [maturity_stable, container, network, k8s, mitre_discovery, T1565] tags: [maturity_stable, container, network, k8s, mitre_discovery, T1565]
@ -851,7 +850,7 @@
proc.args contains "--exec" or proc.args contains "-e " or proc.args contains "--exec" or proc.args contains "-e " or
proc.args contains "-c " or proc.args contains "--lua-exec")) proc.args contains "-c " or proc.args contains "--lua-exec"))
) )
output: Netcat runs inside container that allows remote code execution (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: Netcat runs inside container that allows remote code execution | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: WARNING priority: WARNING
tags: [maturity_stable, container, network, process, mitre_execution, T1059] tags: [maturity_stable, container, network, process, mitre_execution, T1059]
@ -893,7 +892,7 @@
proc.args contains "id_ecdsa" proc.args contains "id_ecdsa"
) )
)) ))
output: Grep private keys or passwords activities found (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: Grep private keys or passwords activities found | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: priority:
WARNING WARNING
tags: [maturity_stable, host, container, process, filesystem, mitre_credential_access, T1552.001] tags: [maturity_stable, host, container, process, filesystem, mitre_credential_access, T1552.001]
@ -919,7 +918,9 @@
- macro: containerd_activities - macro: containerd_activities
condition: (proc.name=containerd and (fd.name startswith "/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/" or condition: (proc.name=containerd and (fd.name startswith "/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/" or
fd.name startswith "/var/lib/containerd/tmpmounts/")) fd.name startswith "/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots" or
fd.name startswith "/var/lib/containerd/tmpmounts/" or
fd.name startswith "/var/lib/rancher/k3s/agent/containerd/tmpmounts/"))
- rule: Clear Log Activities - rule: Clear Log Activities
desc: > desc: >
@ -933,7 +934,7 @@
and not containerd_activities and not containerd_activities
and not trusted_logging_images and not trusted_logging_images
and not allowed_clear_log_files and not allowed_clear_log_files
output: Log files were tampered (file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Log files were tampered | file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: priority:
WARNING WARNING
tags: [maturity_stable, host, container, filesystem, mitre_defense_evasion, T1070, NIST_800-53_AU-10] tags: [maturity_stable, host, container, filesystem, mitre_defense_evasion, T1070, NIST_800-53_AU-10]
@ -955,7 +956,7 @@
spawned_process spawned_process
and clear_data_procs and clear_data_procs
and not user_known_remove_data_activities and not user_known_remove_data_activities
output: Bulk data has been removed from disk (file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: Bulk data has been removed from disk | file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: priority:
WARNING WARNING
tags: [maturity_stable, host, container, process, filesystem, mitre_impact, T1485] tags: [maturity_stable, host, container, process, filesystem, mitre_impact, T1485]
@ -968,7 +969,7 @@
condition: > condition: >
create_symlink create_symlink
and (evt.arg.target in (sensitive_file_names) or evt.arg.target in (sensitive_directory_names)) and (evt.arg.target in (sensitive_file_names) or evt.arg.target in (sensitive_directory_names))
output: Symlinks created over sensitive files (target=%evt.arg.target linkpath=%evt.arg.linkpath evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Symlinks created over sensitive files | target=%evt.arg.target linkpath=%evt.arg.linkpath evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: WARNING priority: WARNING
tags: [maturity_stable, host, container, filesystem, mitre_credential_access, T1555] tags: [maturity_stable, host, container, filesystem, mitre_credential_access, T1555]
@ -980,7 +981,7 @@
condition: > condition: >
create_hardlink create_hardlink
and (evt.arg.oldpath in (sensitive_file_names)) and (evt.arg.oldpath in (sensitive_file_names))
output: Hardlinks created over sensitive files (target=%evt.arg.oldpath linkpath=%evt.arg.newpath evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Hardlinks created over sensitive files | target=%evt.arg.oldpath linkpath=%evt.arg.newpath evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: WARNING priority: WARNING
tags: [maturity_stable, host, container, filesystem, mitre_credential_access, T1555] tags: [maturity_stable, host, container, filesystem, mitre_credential_access, T1555]
@ -997,7 +998,7 @@
and container and container
and evt.arg.domain contains AF_PACKET and evt.arg.domain contains AF_PACKET
and not proc.name in (user_known_packet_socket_binaries) and not proc.name in (user_known_packet_socket_binaries)
output: Packet socket was created in a container (socket_info=%evt.args connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Packet socket was created in a container | socket_info=%evt.args connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: NOTICE priority: NOTICE
tags: [maturity_stable, container, network, mitre_credential_access, T1557.002] tags: [maturity_stable, container, network, mitre_credential_access, T1557.002]
@ -1030,7 +1031,7 @@
and evt.rawres in (0, 1, 2) and evt.rawres in (0, 1, 2)
and fd.type in ("ipv4", "ipv6") and fd.type in ("ipv4", "ipv6")
and not user_known_stand_streams_redirect_activities and not user_known_stand_streams_redirect_activities
output: Redirect stdout/stdin to network connection (gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] fd.sip=%fd.sip connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Redirect stdout/stdin to network connection | gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] fd.sip=%fd.sip connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: NOTICE priority: NOTICE
tags: [maturity_stable, container, network, process, mitre_execution, T1059] tags: [maturity_stable, container, network, process, mitre_execution, T1059]
@ -1047,7 +1048,7 @@
and container and container
and thread.cap_effective icontains sys_module and thread.cap_effective icontains sys_module
and not container.image.repository in (allowed_container_images_loading_kernel_module) and not container.image.repository in (allowed_container_images_loading_kernel_module)
output: Linux Kernel Module injection from container (parent_exepath=%proc.pexepath gparent=%proc.aname[2] gexepath=%proc.aexepath[2] module=%proc.args res=%evt.res evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Linux Kernel Module injection from container | parent_exepath=%proc.pexepath gparent=%proc.aname[2] gexepath=%proc.aexepath[2] module=%proc.args res=%evt.res evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: WARNING priority: WARNING
tags: [maturity_stable, host, container, process, mitre_persistence, TA0003] tags: [maturity_stable, host, container, process, mitre_persistence, TA0003]
@ -1060,7 +1061,7 @@
and container and container
and container.privileged=true and container.privileged=true
and proc.name=debugfs and proc.name=debugfs
output: Debugfs launched started in a privileged container (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: Debugfs launched started in a privileged container | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: WARNING priority: WARNING
tags: [maturity_stable, container, cis, process, mitre_privilege_escalation, T1611] tags: [maturity_stable, container, cis, process, mitre_privilege_escalation, T1611]
@ -1075,7 +1076,7 @@
and fd.name endswith release_agent and fd.name endswith release_agent
and (user.uid=0 or thread.cap_effective contains CAP_DAC_OVERRIDE) and (user.uid=0 or thread.cap_effective contains CAP_DAC_OVERRIDE)
and thread.cap_effective contains CAP_SYS_ADMIN and thread.cap_effective contains CAP_SYS_ADMIN
output: Detect an attempt to exploit a container escape using release_agent file (file=%fd.name cap_effective=%thread.cap_effective evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Detect an attempt to exploit a container escape using release_agent file | file=%fd.name cap_effective=%thread.cap_effective evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: CRITICAL priority: CRITICAL
tags: [maturity_stable, container, process, mitre_privilege_escalation, T1611] tags: [maturity_stable, container, process, mitre_privilege_escalation, T1611]
@ -1107,7 +1108,7 @@
ptrace_attach_or_injection ptrace_attach_or_injection
and proc_name_exists and proc_name_exists
and not known_ptrace_procs and not known_ptrace_procs
output: Detected ptrace PTRACE_ATTACH attempt (proc_pcmdline=%proc.pcmdline evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Detected ptrace PTRACE_ATTACH attempt | proc_pcmdline=%proc.pcmdline evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: WARNING priority: WARNING
tags: [maturity_stable, host, container, process, mitre_privilege_escalation, T1055.008] tags: [maturity_stable, host, container, process, mitre_privilege_escalation, T1055.008]
@ -1120,7 +1121,7 @@
evt.type=ptrace and evt.dir=> evt.type=ptrace and evt.dir=>
and evt.arg.request contains PTRACE_TRACEME and evt.arg.request contains PTRACE_TRACEME
and proc_name_exists and proc_name_exists
output: Detected potential PTRACE_TRACEME anti-debug attempt (proc_pcmdline=%proc.pcmdline evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Detected potential PTRACE_TRACEME anti-debug attempt | proc_pcmdline=%proc.pcmdline evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: NOTICE priority: NOTICE
tags: [maturity_stable, host, container, process, mitre_defense_evasion, T1622] tags: [maturity_stable, host, container, process, mitre_defense_evasion, T1622]
@ -1142,7 +1143,7 @@
spawned_process spawned_process
and ((grep_commands and private_aws_credentials) or and ((grep_commands and private_aws_credentials) or
(proc.name = "find" and proc.args endswith ".aws/credentials")) (proc.name = "find" and proc.args endswith ".aws/credentials"))
output: Detected AWS credentials search activity (proc_pcmdline=%proc.pcmdline proc_cwd=%proc.cwd group_gid=%group.gid group_name=%group.name user_loginname=%user.loginname evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: Detected AWS credentials search activity | proc_pcmdline=%proc.pcmdline proc_cwd=%proc.cwd group_gid=%group.gid group_name=%group.name user_loginname=%user.loginname evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: WARNING priority: WARNING
tags: [maturity_stable, host, container, process, aws, mitre_credential_access, T1552] tags: [maturity_stable, host, container, process, aws, mitre_credential_access, T1552]
@ -1161,7 +1162,7 @@
(shell_procs and proc.args startswith "/dev/shm") or (shell_procs and proc.args startswith "/dev/shm") or
(proc.cwd startswith "/dev/shm/" and proc.args startswith "./" )) (proc.cwd startswith "/dev/shm/" and proc.args startswith "./" ))
and not container.image.repository in (falco_privileged_images, trusted_images) and not container.image.repository in (falco_privileged_images, trusted_images)
output: File execution detected from /dev/shm (evt_res=%evt.res file=%fd.name proc_cwd=%proc.cwd proc_pcmdline=%proc.pcmdline user_loginname=%user.loginname group_gid=%group.gid group_name=%group.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: File execution detected from /dev/shm | evt_res=%evt.res file=%fd.name proc_cwd=%proc.cwd proc_pcmdline=%proc.pcmdline user_loginname=%user.loginname group_gid=%group.gid group_name=%group.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: WARNING priority: WARNING
tags: [maturity_stable, host, container, mitre_execution, T1059.004] tags: [maturity_stable, host, container, mitre_execution, T1059.004]
@ -1188,7 +1189,7 @@
and proc.is_exe_upper_layer=true and proc.is_exe_upper_layer=true
and not container.image.repository in (known_drop_and_execute_containers) and not container.image.repository in (known_drop_and_execute_containers)
and not known_drop_and_execute_activities and not known_drop_and_execute_activities
output: Executing binary not part of base image (proc_exe=%proc.exe proc_sname=%proc.sname gparent=%proc.aname[2] proc_exe_ino_ctime=%proc.exe_ino.ctime proc_exe_ino_mtime=%proc.exe_ino.mtime proc_exe_ino_ctime_duration_proc_start=%proc.exe_ino.ctime_duration_proc_start proc_cwd=%proc.cwd container_start_ts=%container.start_ts evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: Executing binary not part of base image | proc_exe=%proc.exe proc_sname=%proc.sname gparent=%proc.aname[2] proc_exe_ino_ctime=%proc.exe_ino.ctime proc_exe_ino_mtime=%proc.exe_ino.mtime proc_exe_ino_ctime_duration_proc_start=%proc.exe_ino.ctime_duration_proc_start proc_cwd=%proc.cwd container_start_ts=%container.start_ts evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: CRITICAL priority: CRITICAL
tags: [maturity_stable, container, process, mitre_persistence, TA0003, PCI_DSS_11.5.1] tags: [maturity_stable, container, process, mitre_persistence, TA0003, PCI_DSS_11.5.1]
@ -1225,15 +1226,20 @@
and proc.exe endswith ssh and proc.exe endswith ssh
and fd.l4proto=tcp and fd.l4proto=tcp
and ssh_non_standard_ports_network and ssh_non_standard_ports_network
output: Disallowed SSH Connection (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info) output: Disallowed SSH Connection | connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: NOTICE priority: NOTICE
tags: [maturity_stable, host, container, network, process, mitre_execution, T1059] tags: [maturity_stable, host, container, network, process, mitre_execution, T1059]
- list: known_memfd_execution_binaries - list: known_memfd_execution_binaries
items: [] items: [runc]
- macro: known_memfd_execution_processes - macro: known_memfd_execution_processes
condition: (proc.name in (known_memfd_execution_binaries)) condition: >
(proc.name in (known_memfd_execution_binaries))
or (proc.pname in (known_memfd_execution_binaries))
or (proc.exepath = "memfd:runc_cloned:/proc/self/exe")
or (proc.exe = "memfd:runc_cloned:/proc/self/exe")
- rule: Fileless execution via memfd_create - rule: Fileless execution via memfd_create
desc: > desc: >
@ -1245,6 +1251,6 @@
spawned_process spawned_process
and proc.is_exe_from_memfd=true and proc.is_exe_from_memfd=true
and not known_memfd_execution_processes and not known_memfd_execution_processes
output: Fileless execution via memfd_create (container_start_ts=%container.start_ts proc_cwd=%proc.cwd evt_res=%evt.res proc_sname=%proc.sname gparent=%proc.aname[2] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info) output: Fileless execution via memfd_create | container_start_ts=%container.start_ts proc_cwd=%proc.cwd evt_res=%evt.res proc_sname=%proc.sname gparent=%proc.aname[2] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
priority: CRITICAL priority: CRITICAL
tags: [maturity_stable, host, container, process, mitre_defense_evasion, T1620] tags: [maturity_stable, host, container, process, mitre_defense_evasion, T1620]