Compare commits

5 Commits

Author SHA1 Message Date
Leonardo Di Giovanna be3800132f docs(OWNERS): add `ekoops` as approver
Signed-off-by: Leonardo Di Giovanna <41296180+ekoops@users.noreply.github.com>
2025-07-23 11:14:33 +02:00
dependabot[bot] 120881647a build(deps): Bump sigstore/cosign-installer in the actions group
Bumps the actions group with 1 update: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer).


Updates `sigstore/cosign-installer` from 3.8.2 to 3.9.0
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/v3.8.2...v3.9.0)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 3.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-18 15:33:04 +02:00
Leonardo Di Giovanna d0be92e53e ci: add additional Falco releases to be tested
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
2025-06-17 14:37:45 +02:00
Federico Di Pierro 488e6f8f0c fix(rules): fixed `container_started` macro adapting to new container plugin.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-06-17 12:44:44 +02:00
Melissa Kilby 4d51b1813f doc(OWNERS): move incertum (Melissa Kilby) to emeritus_approvers
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2025-06-09 11:51:54 +02:00
5 changed files with 8 additions and 12 deletions

@ -1 +1,4 @@
master master
0.41.2
0.41.1
0.41.0
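
Review bot: The added entries `0.41.2`, `0.41.1` and `0.41.0` are literal version strings next to `master`, so the list needs a manual edit for every future Falco release and nothing here says which releases are meant to be covered. Suggest stating the intended test window (for example, which minor series stays in the matrix) in the workflow or contributing docs, so reviewers can tell when an entry should be added or dropped.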

@ -58,7 +58,7 @@ jobs:
# Create a signature of the rules artifact as OCI artifact # Create a signature of the rules artifact as OCI artifact
- name: Install Cosign - name: Install Cosign
uses: sigstore/cosign-installer@v3.8.2 uses: sigstore/cosign-installer@v3.9.0
- name: Login with cosign - name: Login with cosign
run: cosign login $OCI_REGISTRY --username ${{ github.repository_owner }} --password ${{ secrets.GITHUB_TOKEN }} run: cosign login $OCI_REGISTRY --username ${{ github.repository_owner }} --password ${{ secrets.GITHUB_TOKEN }}
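
Review bot: On the `uses: sigstore/cosign-installer@v3.9.0` line the action is still referenced by a mutable tag. This step installs the tool that signs the rules artifact, so pin it to the full commit SHA of v3.9.0 and keep the version as a trailing comment; Dependabot can still update SHA pins. Separately, the unchanged `cosign login` line passes `${{ secrets.GITHUB_TOKEN }}` through `--password` on the command line; consider supplying it on standard input instead so it does not appear in the process arguments.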

3
OWNERS

@ -5,7 +5,7 @@ approvers:
- fededp - fededp
- andreagit97 - andreagit97
- lucaguerra - lucaguerra
- incertum - ekoops
reviewers: reviewers:
- leodido - leodido
- kaizhe - kaizhe
@ -13,3 +13,4 @@ reviewers:
- loresuso - loresuso
emeritus_approvers: emeritus_approvers:
- kaizhe - kaizhe
- incertum

@ -296,9 +296,7 @@
- macro: container_started - macro: container_started
condition: > condition: >
((evt.type = container or (spawned_process and proc.vpid=1 and container)
(spawned_process and proc.vpid=1)) and
container.image.repository != incomplete)
- list: cron_binaries - list: cron_binaries
items: [anacron, cron, crond, crontab] items: [anacron, cron, crond, crontab]
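
Review bot: The new `container_started` condition drops `container.image.repository != incomplete` along with the `evt.type = container` branch, and the hunk adds no comment saying why that guard is no longer needed. The rules built on this macro filter on container metadata (`container.privileged=true` and the `*_privileged_containers` exceptions further down), so please add a comment on the macro explaining what now ensures container fields are populated when the `proc.vpid=1` process is spawned, or keep an equivalent guard, and note which Falco and container plugin versions this condition assumes.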
@ -610,7 +608,6 @@
seen as more suspicious, prompting a closer inspection. seen as more suspicious, prompting a closer inspection.
condition: > condition: >
container_started container_started
and container
and container.privileged=true and container.privileged=true
and not falco_privileged_containers and not falco_privileged_containers
and not user_privileged_containers and not user_privileged_containers
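
Review bot: Removing `and container` here makes the container scoping of this rule depend entirely on how `container_started` is defined. An environment that redefines that macro in a local rules file using the previous condition, which did not include `container`, would silently lose the restriction. Either keep the explicit `and container` (redundant but harmless) or state in the changelog that any override of `container_started` must now include it.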
@ -640,7 +637,6 @@
raise suspicion, prompting closer scrutiny. raise suspicion, prompting closer scrutiny.
condition: > condition: >
container_started container_started
and container
and excessively_capable_container and excessively_capable_container
and not falco_privileged_containers and not falco_privileged_containers
and not user_privileged_containers and not user_privileged_containers

@ -327,9 +327,7 @@
- macro: container_started - macro: container_started
condition: > condition: >
((evt.type = container or (spawned_process and proc.vpid=1 and container)
(spawned_process and proc.vpid=1)) and
container.image.repository != incomplete)
# Possible scripts run by sshkit # Possible scripts run by sshkit
- list: sshkit_script_binaries - list: sshkit_script_binaries
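
Review bot: The `container_started` macro at the top of this hunk duplicates, line for line, the definition changed in the other rules file, and nothing ties the two copies together. Add a comment on each definition pointing at the other copy, or a CI check that compares them, since a later fix applied to only one file would leave the two rule sets disagreeing on what counts as a container start.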
@ -1265,7 +1263,6 @@
varies based on your environment. varies based on your environment.
condition: > condition: >
container_started container_started
and container
and sensitive_mount and sensitive_mount
and not falco_sensitive_mount_containers and not falco_sensitive_mount_containers
and not user_sensitive_mount_containers and not user_sensitive_mount_containers
@ -1292,7 +1289,6 @@
this can be challenging to manage. this can be challenging to manage.
condition: > condition: >
container_started container_started
and container
and not allowed_containers and not allowed_containers
output: Container started and not in allowed list | evt_type=%evt.type user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty output: Container started and not in allowed list | evt_type=%evt.type user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
priority: WARNING priority: WARNING
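
Review bot: The `output:` line still prints `evt_type=%evt.type`, but with the `evt.type = container` branch removed from `container_started` this rule can only match through `spawned_process`, so the field no longer tells the reader how the start was observed. Consider updating the rule description to say the alert is raised on the container's first process (`proc.vpid=1`) rather than on a container event, and decide whether `evt_type` is still worth keeping in the output.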