updated

Signed-off-by: h4l0gen <ks3913688@gmail.com>
falcosecurity · Mar 24, 2024 · 5bc91ec · 5bc91ec
1 parent b86d70e
commit 5bc91ec
Show file tree

Hide file tree

Showing 4 changed files with 171 additions and 170 deletions.
diff --git a/rules/falco-deprecated_rules.yaml b/rules/falco-deprecated_rules.yaml
@@ -111,8 +111,8 @@
     terminal=%proc.tty %container.info)
   priority: NOTICE
   tags: [
-      maturity_deprecated, host, container, network,
-      mitre_latera_movement, T1021.004
+    maturity_deprecated, host, container, network,
+    mitre_latera_movement, T1021.004
   ]
 
 # These rules and supporting macros are more of an example for how to
@@ -157,9 +157,9 @@
 
   priority: NOTICE
   tags: [
-      maturity_deprecated, host, container, network,
-      mitre_command_and_control, TA0011
-    ]
+    maturity_deprecated, host, container, network,
+    mitre_command_and_control, TA0011
+  ]
 # Use this to test whether the event occurred within a container.
 # When displaying container information in the output field, use
 # %container.info, without any leading term (file=%fd.name
@@ -222,9 +222,9 @@
     terminal=%proc.tty %container.info)
   priority: WARNING
   tags: [
-      maturity_deprecated, container, network, mitre_discovery, TA0011,
-      NIST_800-53_CM-7
-    ]
+    maturity_deprecated, container, network, mitre_discovery, TA0011,
+    NIST_800-53_CM-7
+  ]
 
 - list: c2_server_ip_list
   items: []
@@ -258,6 +258,6 @@
   priority: WARNING
   enabled: false
   tags: [
-      maturity_deprecated, host, container, network,
-      mitre_command_and_control, TA0011
-    ]
+    maturity_deprecated, host, container, network,
+    mitre_command_and_control, TA0011
+  ]
diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml
@@ -319,9 +319,9 @@
   priority:
     WARNING
   tags: [
-      maturity_incubating, host, container, filesystem, mitre_persistence,
-      T1546.004
-    ]
+    maturity_incubating, host, container, filesystem, mitre_persistence,
+    T1546.004
+  ]
 
 - macro: user_known_cron_jobs
   condition: (never_true)
@@ -343,9 +343,9 @@
   priority:
     NOTICE
   tags: [
-      maturity_incubating, host, container, filesystem, mitre_execution,
-      T1053.003
-    ]
+    maturity_incubating, host, container, filesystem, mitre_execution,
+    T1053.003
+  ]
 
 # Use this to test whether the event occurred within a container.
 #
@@ -454,8 +454,8 @@
      terminal=%proc.tty %container.info)
   priority: ERROR
   tags: [
-      maturity_incubating, host, container, filesystem, mitre_collection, T1005
-    ]
+    maturity_incubating, host, container, filesystem, mitre_collection, T1005
+  ]
 
 - macro: calico_node
   condition: >
@@ -492,9 +492,9 @@
     exe_flags=%evt.arg.flags %container.info)
   priority: NOTICE
   tags: [
-      maturity_incubating, host, container, process, database, mitre_execution,
-      T1190
-    ]
+    maturity_incubating, host, container, process, database, mitre_execution,
+    T1190
+  ]
 
 # This list allows for easy additions to the set of commands allowed
 # to change thread namespace without having to copy and override the
@@ -548,9 +548,9 @@
     terminal=%proc.tty %container.info)
   priority: NOTICE
   tags: [
-      maturity_incubating, host, container, process,
-      mitre_privilege_escalation, T1611
-    ]
+    maturity_incubating, host, container, process,
+    mitre_privilege_escalation, T1611
+  ]
 
 - rule: Change namespace privileges via unshare
   desc: >
@@ -751,8 +751,8 @@
     parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
   priority: INFO
   tags: [
-      maturity_incubating, container, cis, mitre_execution, T1610, PCI_DSS_10.2.5
-    ]
+    maturity_incubating, container, cis, mitre_execution, T1610, PCI_DSS_10.2.5
+  ]
 
 # These capabilities were used in the past to escape from containers
 - macro: excessively_capable_container
@@ -910,8 +910,8 @@
     parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
   priority: NOTICE
   tags: [
-      maturity_incubating, host, container, network, mitre_exfiltration, TA0011
-    ]
+    maturity_incubating, host, container, network, mitre_exfiltration, TA0011
+  ]
 
 - macro: somebody_becoming_themselves
   condition: >
@@ -973,9 +973,9 @@
     terminal=%proc.tty %container.info)
   priority: NOTICE
   tags: [
-      maturity_incubating, host, container, users,
-      mitre_privilege_escalation, T1548.001
-    ]
+    maturity_incubating, host, container, users,
+    mitre_privilege_escalation, T1548.001
+  ]
 
 - macro: user_known_user_management_activities
   condition: (never_true)
@@ -1020,9 +1020,9 @@
     exe_flags=%evt.arg.flags %container.info)
   priority: NOTICE
   tags: [
-      maturity_incubating, host, users, software_mgmt, mitre_persistence,
-      T1098
-    ]
+    maturity_incubating, host, users, software_mgmt, mitre_persistence,
+    T1098
+  ]
 
 - list: allowed_dev_files
   items: [
@@ -1088,9 +1088,9 @@
     parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
   priority: NOTICE
   tags: [
-      maturity_incubating, network, aws, container, mitre_credential_access,
-      T1552.005
-    ]
+    maturity_incubating, network, aws, container, mitre_credential_access,
+    T1552.005
+  ]
 
 # This rule is not enabled by default, since this rule is for
 # cloud environment(GCP, AWS and Azure) only.
@@ -1172,9 +1172,9 @@
     exe_flags=%evt.arg.flags %container.info)
   priority: ERROR
   tags: [
-      maturity_incubating, container, process, software_mgmt,
-      mitre_persistence, T1505
-    ]
+    maturity_incubating, container, process, software_mgmt,
+    mitre_persistence, T1505
+  ]
 
 - macro: user_known_network_tool_activities
   condition: (never_true)
@@ -1199,8 +1199,8 @@
     exe_flags=%evt.arg.flags %container.info)
   priority: NOTICE
   tags: [
-      maturity_incubating, container, network, process, mitre_execution, T1059
-    ]
+    maturity_incubating, container, network, process, mitre_execution, T1059
+  ]
 
 - rule: Launch Suspicious Network Tool on Host
   desc: >
@@ -1275,9 +1275,9 @@
   priority:
     WARNING
   tags: [
-      maturity_incubating, host, container, process, filesystem,
-      mitre_defense_evasion, T1070
-    ]
+    maturity_incubating, host, container, process, filesystem,
+    mitre_defense_evasion, T1070
+  ]
 
 - list: user_known_chmod_applications
   items: [hyperkube, kubelet, k3s-agent]
@@ -1317,9 +1317,9 @@
   priority:
     NOTICE
   tags: [
-      maturity_incubating, host, container, process, users,
-      mitre_privilege_escalation, T1548.001
-    ]
+    maturity_incubating, host, container, process, users,
+    mitre_privilege_escalation, T1548.001
+  ]
 
 - list: remote_file_copy_binaries
   items: [rsync, scp, sftp, dcp]
@@ -1349,9 +1349,9 @@
     exe_flags=%evt.arg.flags %container.info)
   priority: NOTICE
   tags: [
-      maturity_incubating, container, network, process, mitre_exfiltration,
-      T1020
-    ]
+    maturity_incubating, container, network, process, mitre_exfiltration,
+    T1020
+  ]
 
 # Namespaces where the rule is enforce
 - list: namespace_scope_network_only_subnet
@@ -1392,9 +1392,9 @@
     terminal=%proc.tty %container.info)
   priority: WARNING
   tags: [
-      maturity_incubating, container, network, mitre_discovery, T1046,
-      PCI_DSS_6.4.2
-    ]
+    maturity_incubating, container, network, mitre_discovery, T1046,
+    PCI_DSS_6.4.2
+  ]
 
 - macro: mount_info
   condition: (proc.args="" or proc.args intersects ("-V", "-l", "-h"))
@@ -1442,9 +1442,9 @@
     exe_flags=%evt.arg.flags %container.info)
   priority: WARNING
   tags: [
-      maturity_incubating, container, cis, filesystem,
-      mitre_privilege_escalation, T1611
-    ]
+    maturity_incubating, container, cis, filesystem,
+    mitre_privilege_escalation, T1611
+  ]
 
 - list: ingress_remote_file_copy_binaries
   items: [wget]
@@ -1482,9 +1482,9 @@
     exe_flags=%evt.arg.flags %container.info)
   priority: NOTICE
   tags: [
-      maturity_incubating, container, network, process,
-      mitre_command_and_control, TA0011
-    ]
+    maturity_incubating, container, network, process,
+    mitre_command_and_control, TA0011
+  ]
 
 - list: docker_binaries
   items: [
@@ -1517,9 +1517,9 @@
     terminal=%proc.tty %container.info)
   priority: WARNING
   tags: [
-      maturity_incubating, container, filesystem, process,
-      mitre_discovery, T1083
-    ]
+    maturity_incubating, container, filesystem, process,
+    mitre_discovery, T1083
+  ]
 
 # The steps libcontainer performs to set up the root program
 # for a container are:
@@ -1567,8 +1567,8 @@
     parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
   priority: NOTICE
   tags: [
-      maturity_incubating, container, filesystem, mitre_exfiltration, TA0010
-    ]
+    maturity_incubating, container, filesystem, mitre_exfiltration, TA0010
+  ]
 
 - rule: Adding ssh keys to authorized_keys
   desc: >
@@ -1619,6 +1619,6 @@
     exe_flags=%evt.arg.flags %container.info)
   priority: NOTICE
   tags: [
-      maturity_incubating, host, container, users, mitre_privilege_escalation,
-      TA0004
-    ]
+    maturity_incubating, host, container, users, mitre_privilege_escalation,
+    TA0004
+  ]