Falco Rules Changelog

Falco rules are used in the Sysdig Secure Policy Editor.

Each entry gives the commit date, the rule notes, and the version of the Falco Rules Installer (On-Prem).

September 08, 2022

Rule Changes

  • Added additional exceptions to aid in addressing false positives: Suspicious Kernel Parameter Modification.

  • Updated IoCs Ruleset with new findings.

Default Policy Changes

Removed the following rule from default policies: Scripting Language Execution below dev.

0.85.0

August 24, 2022

Rule Changes

  • New rule: Share RDS Snapshot with Foreign Account

  • Rule tuning for the following:

    • PTRACE anti-debug attempt

    • Suspicious Cron Modification

    • Suspicious Java Child Processes

    • Create Symlink Over Sensitive Files

    • Netcat Remote Code Execution in Container

    • eBPF Program Loaded into Kernel

  • Updated IoCs Ruleset with new findings.

0.83.0

August 19, 2022

Rule Changes

  • Fixed the output for two PTRACE rules.

  • Added additional conditions to improve detection for Delete/rename Bash History.

  • Enabled the do_unexpected_udp_check macro.

  • Added the new rule: GCP Firewall Remote Access from Internet. It detects remote access ports allowed through the firewall from the public internet (0.0.0.0/0).

Auto-Tuner Exception Updates

  • Added additional exceptions for Privileged Shell Inside Container.

  • Added the Azure core image to the exceptions of Suspicious Cron Modification.

0.82.0

Aug 11, 2022

Rule Changes

  • Added Azure rule: Azure RDP Access Is Allowed from The Internet

  • Updated auto-tuner exceptions to reduce excessive noise:

    • Change Resource Record Sets (AWS)

    • Create Hidden Files or Directories

    • Describe Instances (AWS)

    • GCP Delete Compute VM Instance

    • GCP Operation by a Non-corporate Account

    • List Buckets (AWS)

    • Non sudo setuid

    • Root User Executing AWS Command

    • Run shell untrusted

    • The docker client is executed in a container

    • User mgmt binaries

  • Updated IoCs Ruleset with new findings.

Default Policy Changes

Added the new rule to default policies: Azure RDP Access Is Allowed from The Internet

0.81.2

Aug 05, 2022

Rule Changes

  • Added additional exceptions for older agent versions to aid in addressing false positives:

    • Linux Kernel Module Injection Detected

    • eBPF Program Loaded into Kernel

    • Privileged Shell Spawned Inside Container

  • Added the following new rules:

    • GPG Key Reconnaissance

    • Create Access Key for User

  • Extended the condition of the following rules:

    • Base64-encoded Python Script Execution

    • nsenter Container Escape

  • Updated IoCs Ruleset with new findings.

Default Policy Changes

Added the following new rules to default policies:

    • nsenter Container Escape

    • GPG Key Reconnaissance

    • Create Access Key for User

0.80.1

July 26, 2022

Rule Changes

  • Added additional exceptions for older agent versions to aid in addressing false positives:

    • Non sudo setuid

    • Set Setuid or Setgid bit

    • eBPF Program Loaded into Kernel

  • Added the following new rules:

    • PTRACE anti-debug attempt

    • PTRACE attached to process

    • Detect reconnaissance scripts

    • Detect malicious cmdlines

    • GCP Create DNS Record

    • GCP Create DNS Zone

    • GCP Delete DNS Record

    • GCP Update DNS Record

    • GCP Update DNS Zone

    • GCP Cloud Armor Blocked Connection

    • GCP Cloud IDS Alert

    • Delete AWS user (SSO)

  • Updated the following rule: Reconnaissance attempt to find SUID binaries

  • Updated the following lists: falco_privileged_images

  • Updated IoCs Ruleset with new findings.

Default Policy Changes

Added the new rules to default policies.

0.79.2

July 08, 2022

Rule Changes

  • Restored the following missing rule: nsenter Container Escape

  • Cleaned up the following duplicate macro: falco_sensitive_mount_containers

  • Adjusted the following eBPF rule: eBPF Program Loaded into Kernel

  • Updated IoCs Ruleset with new findings.

  • Updated all the Cloudtrail rules to add ARNs to output.

Default Policy Changes

Modified to work with both old default_policies and managed default_policies.

0.77.0

July 01, 2022

Rule Changes

Added Miner IP Pool Threat Intelligence: Detect outbound connections to common miner pool ports

0.76.1

June 30, 2022

Rule Changes

  • Added additional exceptions: Linux Kernel Module Injection Detected

  • Created the following new rules:

    • GCP App Engine Firewall Rule Deleted

    • GCP App Engine Firewall Rule Updated

    • GCP Create Cloud Function v2 Not Using Latest Runtime

    • GCP Create Cloud Function v2

    • GCP Compute Firewall Rule Deleted

    • GCP Compute Firewall Rule Updated

    • GCP Delete Compute VM Instance

    • GCP Update Cloud Function v2

    • Malicious Environment Variable in Spawned Process

    • nsenter Container Escape

  • Updated the following GCP rules:

    • GCP Create Cloud Function Not Using Latest Runtime

    • GCP Create Cloud Function

    • GCP Create DLP Job

    • GCP Delete DLP Job

    • GCP Paused DLP Job

    • GCP Suspicious IP Inbound Request

    • GCP Update Cloud Function

    • GCP Updated DLP Job

  • Added CIS tag to rules related to CIS Docker Security Benchmark controls:

    • Container Run as Root User

    • Disallowed SSH Connection

    • Launch Privileged Container

    • Launch Root User Container

    • Launch Sensitive Mount Container

    • Mount Launched in Privileged Container

    • Privileged Shell Spawned Inside Container

    • Reconnaissance attempt to find SUID binaries

    • The docker client is executed in a container

    • Write below root

  • Updated IoCs Ruleset with new findings.

Default Policy Changes

Added the following rules to the default policy:

  • GCP App Engine Firewall Rule Deleted

  • GCP Compute Firewall Rule Deleted

  • Malicious Environment Variable in Spawned Process

  • nsenter Container Escape

0.76.0

June 24, 2022

Rule Changes

  • Added additional exceptions for older agent versions to aid in addressing false positives:

    • Create Symlink Over Sensitive Files

    • Execution of binary using ld-linux

    • Run shell untrusted

  • Modified the following macros:

    • truncate_shell_history

    • modify_shell_history

  • Extended the condition of the rule Detect crypto miners using the Stratum protocol to improve detection capabilities.

  • New rules created:

    • Launch malicious container image

    • GCP Suspicious IP Inbound Request

    • GCP Allow Public Access to Bucket

    • GCP KMS Schedule Key Deletion

    • GCP Create DLP Job

    • GCP Delete DLP Job

    • GCP Update DLP Job

    • GCP Paused DLP Job

  • Updated IoCs Ruleset with new findings.

Default Policy Changes

  • Added the following rule to the default policy, IoCs Malware Activity: Launch malicious container image

  • Added the following rules to the default policy, Sysdig GCP Best Practices:

    • GCP Suspicious IP Inbound Request

    • GCP Allow Public Access to Bucket

    • GCP KMS Schedule Key Deletion

    • GCP Delete DLP Job

    • GCP Paused DLP Job

0.75.0

June 17, 2022

Rule Changes

  • Added the following new rules:

    • AWS Suspicious IP Inbound Request

    • eBPF Program Loaded into Kernel

  • Modified the following rules:

    • Symlink over Sensitive Files

    • Container Drift rules (with new exceptions)

  • Updated the macro: sysdig_commercial_images. It now contains two new KSPM images.

  • Added the new macro ti_anon_ips for Tor source IPs.

  • Updated IoCs Ruleset with new findings.

Default Policy Changes

  • Added the new rule, AWS Suspicious IP Inbound Request, to the Sysdig AWS Best Practices policy.

  • Added the new rule, eBPF Program Loaded into Kernel, to the Suspicious Container Activity policy.

0.74.3

June 03, 2022

Rule Changes

  • Added a new rule: Suspicious Java Child Processes

  • Updated the package_mgmt_procs macro to detect package management processes run through Python.

  • Updated some exceptions in the rule Change thread namespace.

  • Updated IoCs Ruleset with new findings.

Default Policy Changes

Added the new rule, Suspicious Java Child Processes, to the IoCs Malware Activity default policy.

0.72.0

May 26, 2022

Rule Changes

  • Added the following new rules:

    • Reconnaissance attempt to find SUID binaries

    • Suspicious Home Directory Creation

  • Modified exceptions to reduce noise:

    • Change thread namespace

    • Contact cloud metadata service from container

    • DB program spawned process

    • K8s ConfigMap Created

    • K8s ConfigMap Deleted

    • K8s Serviceaccount Created

    • Netcat Remote Code Execution in Container

    • Privileged Shell Spawned Inside Container

    • Set Setuid or Setgid bit

    • System ClusterRole Modified/Deleted

    • Write below monitored dir

    • Write below root

  • Updated IoCs Ruleset with new findings.

Default Policy Changes

  • Added the following new rules to the default policies:

    • Reconnaissance attempt to find SUID binaries

    • Suspicious Home Directory Creation

0.70.3

May 20, 2022

Rule Changes

  • Added additional exceptions to the following rules to aid in addressing false positives:

    • Set Setuid or Setgid bit

    • Execution from /tmp

  • Fixed the condition of the following rules:

    • Execution from /tmp

    • Execution from /dev/shm

  • Updated IoCs Ruleset with new findings.

0.69.0

May 13, 2022

Rule Changes

  • Added additional exceptions for older agent versions to aid in addressing false positives:

    • Run shell untrusted

    • Launch Privileged Container

    • Container Run as Root User

    • Write below root

    • Write below rpm database

    • DB program spawned process

    • Privileged Shell Spawned Inside Container

    • Launch Suspicious Network Tool in Container

    • Remove Bulk Data from Disk

    • Set Setuid or Setgid bit

    • Packet socket created in container

    • Execution from /tmp

  • Created the new rule Possible Backdoor using BPF. It triggers when a process attaches a BPF filter to a network socket, which can indicate packet sniffing by a backdoor such as BPFDoor. Network diagnostic tools may also trigger this rule.

  • Created the new rule Execution of binary using ld-linux. Invoking the dynamic loader directly can execute programs that do not have the exec bit set and may evade detection measures.

  • Fixed the condition of the following rules:

    • Write below binary dir

    • Set Setuid or Setgid bit

  • Updated IoCs Ruleset with new findings

Default Policy Changes

  • Added the new rule, Possible Backdoor using BPF, to the Notable Network Activity policy.

  • Added the new rule, Execution of binary using ld-linux, to the IoCs Malware Activity policy.

0.68.1
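The two rules described in the May 13, 2022 entry above, written out as an added example in Falco rule syntax. This is not the Sysdig rule text: the exclusion list, the output fields and the assumption that the agent collects setsockopt events (older Falco builds only do so when all syscalls are collected) and renders evt.arg.optname as the option name are all mine. The spawned_process macro is restated so the snippet loads on its own.

```yaml
# Added example, not the Sysdig rule text. Assumptions: setsockopt events
# are collected, evt.arg.optname renders the option name, and the usual
# OSS Falco spawned_process macro, restated here so the file stands alone.

- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

# Diagnostic tools that legitimately attach socket filters; extend per host.
- list: network_diag_tools
  items: [tcpdump, tshark, wireshark, dhclient, dhcpcd, nmap]

- rule: Possible Backdoor using BPF (illustrative)
  desc: >
    A process attached a classic BPF filter to a network socket via
    setsockopt(SO_ATTACH_FILTER). Backdoors such as BPFDoor do this to
    wait for a magic packet without listening on a port; packet capture
    tools do it too, hence the exclusion list.
  condition: >
    evt.type=setsockopt and evt.dir=< and evt.rawres>=0 and
    evt.arg.optname=SO_ATTACH_FILTER and
    not proc.name in (network_diag_tools)
  output: >
    BPF filter attached to socket (user=%user.name proc=%proc.name
    cmdline=%proc.cmdline parent=%proc.pname container=%container.name
    image=%container.image.repository)
  priority: WARNING
  tags: [network, mitre_persistence]

- rule: Execution of binary using ld-linux (illustrative)
  desc: >
    The dynamic loader was invoked directly, e.g.
    /lib64/ld-linux-x86-64.so.2 ./payload. The loader maps and runs the
    file itself, so the target needs no exec bit and never appears as the
    execve path that other controls key on.
  condition: >
    spawned_process and
    (proc.name startswith "ld-linux" or proc.name startswith "ld-musl")
  output: >
    Binary executed via dynamic loader (user=%user.name
    cmdline=%proc.cmdline parent=%proc.pname container=%container.name)
  priority: WARNING
  tags: [process, mitre_defense_evasion]
```

To see both fire on a test host, run `tcpdump -c1 -i lo` with tcpdump removed from the list, and `/lib64/ld-linux-x86-64.so.2 /bin/true`; the Sysdig rules carry their own exception sets, so expect their noise profile to differ from this sketch.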

May 6, 2022

Rule Changes

  • Added additional exceptions for older agent versions to aid in addressing false positives:

    • Modify binary dirs

    • Redirect STDOUT/STDIN to Network Connection in Container

    • Container Run as Root User

    • Execution from /tmp

  • Created the new rule Tampering with Security Software in Container. This rule detects common techniques by threat actors to disable runtime security software.

  • Created the new rule Detect outbound connections to TOR Entry Nodes. It detects clients reaching the Tor network through its entry nodes. NOTE: This is an EXPERIMENTAL rule and only contains a subset of Tor entry nodes; it will be improved in the future.

  • Fixed the condition of the following rule: Execution from /tmp

  • Updated IoCs Ruleset with new findings.

Default Policy Changes

  • Moved the rule Redirect STDOUT/STDIN to Network Connection in Container to the Notable Container Activity default policy

  • Added the new rule Tampering with Security Software in Container to the Suspicious Container Activity default policy

  • Added the new rule Detect outbound connections to TOR Entry Nodes to the IoCs Malware Activity default policy

0.67.1

April 28, 2022

Rule Changes

  • Added new rule file, threat_intelligence_feed.yaml , with lists and macros directly updated by Sysdig Threat Research Team.

  • Updated the following list: sysdig_commercial_images

  • Updated IoCs Ruleset with new findings.

  • Updated Falco rules conditions:

    • Execution from /tmp

    • Execution from /dev/shm

    • Network Connection outside Local Subnet

  • Added additional exceptions to aid in addressing false positives:

    • Execution from /tmp

    • Create Symlink Over Sensitive Files

    • Change thread namespace

    • DB program spawned process

    • Suspicious Cron Modification

0.66.1

April 21, 2022

Rule Changes

  • Added a new AWS Cloudtrail rule: Create RDS DB Instance with Public Access

  • Added the following Falco rules:

    • Base64-encoded Shell Script Execution

    • Execution from /dev/shm

  • Added additional exceptions to aid in addressing false positives:

    • Service Account Created in Kube Namespace

    • K8s Serviceaccount Created
  • Modified to add a list of malicious IPs: Outbound Connection to C2 Servers

  • Updated IoCs Ruleset with new findings

Default Policy Changes

  • Added the following rules:

    • Base64-encoded Shell Script Execution

    • Execution from /dev/shm

  • Moved Outbound Connection to C2 Servers to an enabled policy.

0.65.1

April 18, 2022

Rule Changes

Added additional exceptions to the following rules to aid in addressing false positives:

  • Change thread namespace

  • Create Symlink Over Sensitive Files

  • Container Run as Root User

  • DB program spawned process

  • Privileged Shell Spawned Inside Container

  • Run shell untrusted

  • Set Setuid or Setgid bit

  • Write below etc

0.65.0

April 17, 2022

Rule Changes

Added additional exceptions to the following rule to aid in addressing false positives: Privileged Shell Spawned Inside Container

0.64.1

April 15, 2022

Rule Changes

  • Added additional exceptions to the following rules to aid in addressing false positives:

    • Packet socket created in container

    • Change thread namespace

    • Run shell untrusted

    • Container Run as Root User

  • Created the new rule Base64-encoded Python Script Execution. This rule detects base64-encoded Python scripts in command-line arguments. Base64 can be used to encode binary data for transfer over ASCII-only command lines. Attackers can leverage this technique in various exploits to load shellcode and evade detection.

  • Fixed the output of the following rules:

    • K8s Serviceaccount Created

    • K8s Serviceaccount Deleted

  • Updated IoCs Ruleset with new findings.

Default Policy Changes

  • Added the Base64-encoded Python Script Execution rule to the IoCs Malware Activity default policy.

  • Added the Launch Ingress Remote File Copy Tools in Container rule to the Notable Container Activity default policy.

  • Created the new default policy, Known Exploit Detection. This policy embeds the rules that can identify potential exploits of well-known CVEs.

0.64.0
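An added example of the kind of logic the Base64-encoded Python Script Execution rule described in the April 15, 2022 entry above needs. It is not the Sysdig rule: the interpreter list, the matched substrings and the output fields are assumptions, chosen to catch the common `python3 -c "import base64;exec(base64.b64decode('...'))"` pattern.

```yaml
# Added example, not the Sysdig rule text. The interpreter list and the
# substrings matched are assumptions; tune both to your estate.

- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

- list: python_interpreters
  items: [python, python2, python2.7, python3, python3.8, python3.9, python3.10]

- rule: Base64-encoded Python Script Execution (illustrative)
  desc: >
    A Python interpreter was started with a command line that base64-decodes
    data and hands it to exec()/eval(), for example
    python3 -c "import base64;exec(base64.b64decode('aW1wb3J0IG9z'))"
    ('aW1wb3J0IG9z' is "import os"). The decoded payload never touches the
    file system and is only visible in the command line, which is why the
    match is on proc.cmdline rather than on a file event.
  condition: >
    spawned_process and proc.name in (python_interpreters) and
    proc.cmdline contains "base64" and
    (proc.cmdline contains "exec(" or proc.cmdline contains "eval(")
  output: >
    Base64-encoded Python script executed (user=%user.name
    cmdline=%proc.cmdline parent=%proc.pname container=%container.name
    image=%container.image.repository)
  priority: WARNING
  tags: [process, mitre_defense_evasion]
```

Matching on proc.cmdline means the rule is blind to a payload fed over stdin or read from a file; that is a gap to cover with a file-write rule rather than by widening the substring match, which would mostly add noise from legitimate base64 use.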

April 12, 2022

Rule Changes

  • Added additional exceptions to the following rules to aid in addressing false positives:

    • Schedule Cron Jobs

    • Set Setuid or Setgid bit

    • Create Symlink Over Sensitive Files

  • Disabled the Unprivileged Delegation of Page Faults Handling to a Userspace Process rule by removing its condition.

0.63.0

April 09, 2022

Rule Changes

  • Updated the following rules:

    • Simple output changes to the Detect outbound connections to common miner pool ports rule.

    • Updated priority and included additional cron paths for the Create Symlink Over Sensitive Files rule.

  • Updated IoCs Ruleset with new findings.

  • The following new rules have been introduced:

    • Privileged Shell Spawned Inside Container. This rule detects a root shell being opened by a compromised process for interaction by the attacker.

    • Debugfs Launched in Privileged Container. This rule detects the file system debugger, debugfs, launched inside a privileged container, which might lead to container escape.

    • Mount Launched in Privileged Container. This rule detects a file system mount inside a privileged container, which might lead to container escape.

    • Unprivileged Delegation of Page Faults Handling to a Userspace Process. This rule detects a successful unprivileged userfaultfd syscall, which might act as an attack primitive to exploit other bugs.

    • Launch Ingress Remote File Copy Tools in Container. This rule detects ingress remote file copy tools, for example curl and wget, launched in a container.

    • Suspicious Cron Modification. This rule detects direct writes to cron job files.

Default Policy Changes

  • Policy: Notable Filesystem Changes

    • Added the Suspicious Cron Modification rule.

  • Policy: Suspicious Container Activity

    • Added the Debugfs Launched in Privileged Container rule.

    • Added the Unprivileged Delegation of Page Faults Handling to a Userspace Process rule.

  • Policy: Suspicious Lateral Movement Activity to Cloud

    • Added the Mount Launched in Privileged Container rule.

  • Policy: Unexpected Spawned Processes

    • Added the Privileged Shell Spawned Inside Container rule.

0.62.1

April 06, 2022

Rule Changes

Reduced noise for the rules Write below monitored dir and Write below etc by adding additional exceptions.

0.62.0

March 18, 2022

Rule Changes

  • Updated the condition of the Launch Root User Container rule.

  • Updated the following lists to address false positives:

    • miner_domains

    • allowed_k8s_users

  • Updated some exceptions in the Schedule Cron Jobs rule.

  • Created the sssd_writing_krb macro from the new release of OSS Falco.

  • Updated IoCs Ruleset with new findings.

  • Updated the following macros based on the changes in OSS Falco:

    • modify_shell_history

    • truncate_shell_history

    • write_etc_common

Default Policy Changes

  • The IoCs Malware Activity policy has been updated:

    • Added: Malicious filenames written.

    • Removed: Malicious process detected.

  • Removed some rules from Notable Filesystem Changes policy:

    • Write below etc

    • Write below root

    • Write below rpm database

    • Write below binary dir

  • Removed one rule from the Notable Container Activity policy: Change thread namespace

0.59.2

March 10, 2022

Rule Changes

  • Excluded ptp and dp from the Change thread namespace rule.

  • Excluded self from the K8s Serviceaccount Created rule.

  • Excluded known cron writers from the Schedule Cron Jobs rule.

  • Updated the IoCs Ruleset with new findings.

0.58.1

March 06, 2022

Rule Changes

  • Added additional exceptions to aid in addressing false positives for the following rules:

    • Schedule Cron Jobs

    • Non sudo setuid

    • Launch Privileged Container

    • K8s Serviceaccount Created

  • Updated the following macro based on the changes in OSS Falco: aws_eks_core_images

  • Updated IoCs Ruleset with new findings.

0.57.2

March 03, 2022

Rule Changes

Fixed an exception to aid in addressing false positives for the rule Contact K8S API Server From Container.

0.56.5

March 01, 2022

Rule Changes

  • Updated the rule: DB program spawned process

  • Created the macro: pgbackrest_info_childs

0.56.4

February 18, 2022

Rule Changes

  • Added additional exceptions for older agent versions to aid in addressing false positives for the following rules:

    • Modify Shell Configuration File

    • Write below etc

    • Write below rpm database

    • DB program spawned process

    • Clear Log Activities

    • Launch Root User Container

  • Updated the following macros based on the changes in OSS Falco:

    • containerd_shell_modify

    • tanium_client_running_python

    • postgres_running_pgbackrest

    • proc_file_suffix

    • known_redirect_procs

  • Updated the following lists to address false positives:

    • known_setuid_binaries

    • known_k8s_api_programs

    • gke_trusted_images_launch_root_list

  • Updated IoCs Ruleset with new findings.

0.55.2

February 10, 2022

Rule Changes

  • Added additional exceptions for older agent versions to aid in addressing false positives for the following rules:

    • Change thread namespace

    • Write below rpm database

    • Write below root

    • Clear Log Activities

    • Launch Root User Container

  • Updated the following macros based on the changes in OSS Falco:

    • parent_python_running_sdchecks

    • python_running_sdchecks

    • exe_sysdig

    • tanium_client_running_python

    • sysdig_dragent

    • trusted_logging_images

  • Updated the following lists based on the changes in OSS Falco:

    • sysdig_commercial_images

    • allowed_dev_files

    • user_known_chmod_applications

    • miner_domains

  • Updated IoCs Ruleset with new findings.

0.54.3

February 07, 2022

Rule Changes

Added additional exceptions for older agent versions to aid in addressing false positives for the rule: Launch Root User Container

0.53.4

February 04, 2022

Rule Changes

  • Added additional exceptions for older agent versions to aid in addressing false positives for the following rules:

    • Modify Shell Configuration File

    • Write below etc

    • Write below root

    • Read sensitive file trusted after startup

    • Change thread namespace

    • Launch Suspicious Network Tool in Container

    • Redirect STDOUT/STDIN to Network Connection in Container

  • Updated the following macros based on the changes in OSS Falco:

    • spawned_process

    • sensitive_mount

  • Updated the following lists based on the changes in OSS Falco:

    • falco_hostnetwork_images

    • deb_binaries

    • known_sa_list

    • falco_sensitive_mount_images

  • Updated the following lists to address false positives:

    • db_server_binaries

    • user_known_chmod_applications

  • Updated IoCs Ruleset with new findings.

0.53.3

January 29, 2022

Rule Changes

  • Added additional exceptions for older agent versions to aid in addressing false positives for the rule: Write below etc.

  • Updated IoCs Ruleset with new findings.

  • Added new rules:

    • Modify ld.so.preload

    • Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)

0.52.0

January 21, 2022

Rule Changes

Updated IoCs Ruleset with new findings.

0.51.1

January 14, 2022

Rule Changes

  • Created a new AWS Rule: Read Object through AWSSupportServiceRolePolicy Assumed Role.

  • Updated tags for the AWS rule: AWS Command Executed on Unused Region.

  • Updated tags for the following GCP Rules:

    • GCP Invitation Sent to Non-corporate Account

    • GCP Create User-managed Service Account Key

    • GCP Create GCP-managed Service Account Key

    • GCP Create Cloud Function Not Using Latest Runtime

    • GCP Set Bucket IAM Policy

    • GCP Create Bucket

0.50.5

December 16, 2021

Rule Changes

  • Added a new rule, Malicious C2 IPs or domains exploiting log4j, which detects connections to malicious IPs involved in log4j exploitation.

  • Updated IoCs Ruleset with new findings

0.49.2

January 03, 2022

Rule Changes

  • Created a new AWS Rule: Read Object through AWSSupportServiceRolePolicy Assumed Role.

  • Updated tags for the AWS rule: AWS Command Executed on Unused Region.

  • Updated tags for the following GCP Rules:

    • GCP Invitation Sent to Non-corporate Account

    • GCP Create User-managed Service Account Key

    • GCP Create GCP-managed Service Account Key

    • GCP Create Cloud Function Not Using Latest Runtime

    • GCP Set Bucket IAM Policy

    • GCP Create Bucket

0.48.0

December 06, 2021

Rule Changes

  • Added a new rule, Find AWS Credentials, which detects find or grep searches for AWS credentials on the host or in a container.

  • Added additional exceptions to aid in addressing false positives for the rule: K8s ConfigMap Deleted.

  • Updated IoCs Ruleset with new findings

0.46.2

November 30, 2021

Rule Changes

  • Added additional exceptions to aid in addressing false positives for the rule: Create Sensitive Mount Pod.

  • Updated IoCs Ruleset with new findings

0.46.0

November 22, 2021

Rule Changes

  • Created a new GCP rule: GCP Create Cloud Function

  • Created the following Azure rules:

    • Azure Remember MFA for User Access on Devices

    • Azure Users Can Consent to Apps Accessing Company Data on Their Behalf

    • Azure Deactivate MFA for User Access

    • Azure Container ACL Modified

  • Added additional exceptions to aid in addressing false positives for the following rules:

    • Modify Shell Configuration File

    • Launch Privileged Container

    • Container Run as Root User

  • Updated IoCs Ruleset with new findings.

  • Updated AWS, Azure, and GCP tags.

0.45.1

November 16, 2021

Rule Changes

Updated IoCs Ruleset with new findings.

0.44.1

November 15, 2021

Rule Changes

  • Added a new rule for AWS CloudTrail: Create Lambda Function Using Unsupported Runtime

  • Modified the AWS CloudTrail rule Run Instances with Non-standard Image: it now reads the image ID from aws.ec2.imageID instead of extracting it from responseElements/instancesSet/items with jevt.

0.44.0

November 11, 2021

Rule Changes

Added new tags to the following rules:

  • GCP Delete Resources from the PCI Blueprint Environment

  • GCP Create KMS Key Without Rotation

  • GCP Remove KMS Key Rotation

  • GCP Delete DNS Zone

  • GCP Delete GKE Node Pool

  • GCP Delete Router

  • GCP Delete GKE IAM Role

  • GCP Delete VPC Network

  • GCP Delete GKE Subnetwork

0.43.2

November 5, 2021

Rule Changes

Added new tags to existing rules for MITRE and NIST categories.

0.43.1

October 29, 2021

Rule Changes

  • Added new tags to the following rules:

    • Modify RDS Snapshot Attribute

    • Modify Image Attribute

    • Modify Snapshot Attribute

    • Detect outbound connections to common miner pool ports

    • Detect crypto miners using the Stratum protocol

  • Updated Malware IoCs with the new findings.

0.42.0

October 20, 2021

Rule Changes

Added additional exceptions to aid in addressing false positives for the following rules:

  • Modify Shell Configuration File

  • Run shell untrusted

  • Launch Sensitive Mount Container

  • Outbound or Inbound Traffic not to Authorized Server Process and Port

  • Create Sensitive Mount Pod

  • Create NodePort Service

  • Attach/Exec Pod

  • Service Account Created in Kube Namespace

  • System ClusterRole Modified/Deleted

Default Policy Changes

Lowered Severity to INFO for the following policies:

  • All K8s User Modifications

  • All K8s Object Modifications

0.41.0

October 11, 2021

Rule Changes

  • Added additional exceptions to aid in addressing false positives for the following rules:

    • Modify binary dirs

    • Clear Log Activities

    • Remove Bulk Data from Disk

    • Create HostNetwork Pod

    • Launch Suspicious Network Tool in Container

  • Added three new Falco rules to detect Malware:

    • Malicious IPs or domains detected on command line

    • Malicious binary detected

    • Malicious process detected

Default Policy Changes

Added New Policy IoCs Malware Activity

0.40.0

October 07, 2021

Rule Changes

  • Changed the inbound_outbound macro condition.

  • Added additional exceptions to aid in addressing false positives for the following rules:

    • Write below etc

    • Read sensitive file untrusted

    • Search Private Keys or Passwords

    • Disallowed K8s User

    • K8s Deployment Created

    • K8s Deployment Deleted

    • K8s Service Created

    • K8s Service Deleted

    • K8s ConfigMap Created

    • K8s ConfigMap Deleted

    • K8s Namespace Created

    • K8s Namespace Deleted

    • K8s Serviceaccount Created

    • K8s Serviceaccount Deleted

    • K8s Role/Clusterrole Created

    • K8s Role/Clusterrole Deleted

    • K8s Role/Clusterrolebinding Created

    • K8s Role/Clusterrolebinding Deleted

0.39.0

September 23, 2021

Rule Changes

Changed the net_miner_pool macro used in the Detect outbound connections to common miner pool ports rule.

0.37.1

September 21, 2021

Rule Changes

Added additional exceptions to aid in addressing false positives for the rule: Non sudo setuid.

0.37.0

August 26, 2021

Rule Changes

  • Added the following rules:

    • Console Login Through Assume Role

    • AWS Command Executed by Untrusted User

    • Console Login Success

    • Console Login Success From Untrusted IP

    • Delete AWS user

    • Remove AWS User from Group

    • Put Object in Watched Bucket

    • Read Object in Watched Bucket

  • Added new lists:

    • trusted_aws_users

    • watched_buckets

  • Updated rules:

    • Console Login Without MFA no longer fires on an assumed role

    • Console Root Login Without MFA no longer fires on an assumed role

    • Add AWS User to Group now outputs the user added to the group

0.36.0

August 20, 2021 (POSTPONED)

Rule Changes

  • Added a new rule: Unprivileged Delegation of Page Faults Handling to a Userspace Process

  • Updated the lists:

    • sysdig_commercial_images

    • falco_hostnetwork_images

  • Updated the interactive macro to check the tty state: a session is considered interactive when proc.tty != 0.

0.35.0 (POSTPONED)

August 13, 2021

Rule Changes

Added additional exceptions to aid in addressing false positives for the following rules:

  • Launch Package Management Process in Container

  • Terminal shell in container

  • The docker client is executed in a container

Updated the list: sysdig_commercial_images

Updated the interactive macro to check the tty state: a session is considered interactive when proc.tty != 0.

0.34.0
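The interactive macro change recorded in the August 13, 2021 entry above (and in the postponed August 20, 2021 entry), as an added example rather than the Sysdig macro text. The first three terms follow the OSS Falco definition of interactive; the proc.tty term is the change the entry describes. The rule beneath it is mine, included only to show the effect: a shell started by a container entrypoint has no controlling terminal (proc.tty is 0) and does not match, while a shell from `kubectl exec -it` or an ssh session does.

```yaml
# Added example, not the Sysdig macro text. proc.tty is 0 for processes
# without a controlling terminal (daemons, cron jobs, container
# entrypoints), so the last term catches interactive sessions that the
# sshd/login/systemd-logind ancestry checks miss, e.g. kubectl exec -it.

- macro: interactive
  condition: >
    ((proc.aname=sshd and proc.name != sshd) or
     proc.name=systemd-logind or proc.name=login or
     proc.tty != 0)

- list: shell_binaries
  items: [bash, sh, zsh, dash, ash]

# Illustrative consumer of the macro (rule name and output are assumptions).
- rule: Interactive shell in container (illustrative)
  desc: An interactive shell was started inside a container
  condition: >
    evt.type in (execve, execveat) and evt.dir=< and
    container.id != host and
    proc.name in (shell_binaries) and interactive
  output: >
    Interactive shell in container (user=%user.name shell=%proc.name
    tty=%proc.tty parent=%proc.pname container=%container.name
    image=%container.image.repository)
  priority: NOTICE
  tags: [container, shell]
```

Because proc.tty is a property of the process, a shell spawned with a pseudo-terminal by an attacker's reverse-shell tooling (python -c 'import pty;pty.spawn("/bin/sh")') also carries a non-zero tty and matches, which is the behaviour a detection engineer wants from an "interactive" test.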

August 02, 2021

Rule Changes

Added additional exceptions to aid in addressing false positives for the following rules:

  • DB program spawned process

  • Change thread namespace

  • The docker client is executed in a container

  • Launch Suspicious Network Tool in Container

0.33.0

July 27, 2021

Default Policy Changes

Enable the Sysdig GCP Best Practices policy by default.

0.32.0

July 25, 2021

Rule Changes

  • GCP events were previously consumed directly from the protoPayload, which dropped some fields that the rules use but that are not part of the protoPayload itself. All rules that use jevt.value now reference protoPayload from the root path of the log entry. This is a breaking change for GCP rules: cloud-connector versions above v0.8.0 are required.

  • Updated GCP rules to use protoPayload JSON path. Affected rules:

    • GCP Create API Keys for a Project

    • GCP Delete Bucket

    • GCP Create Bucket

    • GCP List Buckets

    • GCP List Bucket Objects

    • GCP Put Bucket ACL

    • GCP Set Bucket IAM Policy

    • GCP Update Bucket

    • GCP Create Cloud Function Not Using Latest Runtime

    • GCP Create Cloud Function

    • CloudRun Create Service

    • CloudRun Replace Service

    • GCP Create a Default VPC Network

    • GCP Disable Subnet Flow Logs

    • GCP Enable Connecting to Serial Ports for a VM Instance

    • GCP Creation of a VM Instance with IP Forwarding Enabled

    • GCP Suspected Disable of OS Login in a VM Instance

    • GCP Enable Project-wide SSH keys for a VM Instance

    • GCP Shield Disabled for a VM Instance

    • GCP Create or Patch DNS Zone without DNSSEC

    • GCP Describe Instance

    • GCP Command Executed on Unused Region

    • GCP Create GCP-managed Service Account Key

    • GCP Create User-managed Service Account Key

    • GCP Invitation Sent to Non-corporate Account

    • GCP Operation by a Non-corporate Account

    • GCP Super Admin Executing Command

    • GCP Update, Disable or Delete Sink

    • GCP Monitoring Alert Deleted

    • GCP Monitoring Alert Updated

    • GCP Disable Automatic Backups for a Cloud SQL Instance

    • GCP Disable the Requirement for All Incoming Connections to Use SSL for a Cloud SQL Instance

  • Added a new rule: GCP Set a Public IP for a Cloud SQL Instance

0.31.0
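What the protoPayload path change in the July 25, 2021 entry above means for a rule, shown as an added before/after example. This is not a Sysdig rule: the rule name, output fields, the `source` value and the project label path are assumptions; the JSON paths follow the documented Cloud Audit Log entry shape, in which methodName, resourceName and authenticationInfo live under protoPayload while resource and timestamp sit beside it at the root.

```yaml
# Added example, not the Sysdig rule text. Assumptions: the audit-log
# source is named gcp_auditlog, and the entry has the standard Cloud Audit
# Log layout (protoPayload.* plus root-level resource/timestamp).

# Before: the event handed to the rule was the protoPayload itself, so
# every path was relative to it and root-level fields were unreachable.
- rule: GCP Create Bucket (old path, illustrative)
  desc: A GCS bucket was created
  condition: >
    jevt.value[/methodName]="storage.buckets.create"
  output: >
    Bucket created (user=%jevt.value[/authenticationInfo/principalEmail]
    bucket=%jevt.value[/resourceName])
  priority: NOTICE
  source: gcp_auditlog
  tags: [cloud, gcp]

# After: the event is the whole log entry. protoPayload is addressed from
# the root, and fields outside it (here the project label) become usable.
- rule: GCP Create Bucket (new path, illustrative)
  desc: A GCS bucket was created
  condition: >
    jevt.value[/protoPayload/methodName]="storage.buckets.create"
  output: >
    Bucket created
    (user=%jevt.value[/protoPayload/authenticationInfo/principalEmail]
    bucket=%jevt.value[/protoPayload/resourceName]
    project=%jevt.value[/resource/labels/project_id])
  priority: NOTICE
  source: gcp_auditlog
  tags: [cloud, gcp]
```

Custom GCP rules written against the old layout silently stop matching after the upgrade rather than failing to load, since jevt.value on a missing path simply yields nothing; grep custom rule files for `jevt.value[/` paths that do not start with `/protoPayload/` and check each one.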

July 22, 2021

No rule changes. No default policy changes.

Fixed a defect related to installing rules for older backend versions (Sysdig 4.0.*).

0.30.0

July 20, 2021

Default Policy Changes

  • Sysdig AWS Best Practices severity is now set to 'medium'

  • Sysdig GCP Best Practices severity is now set to 'medium'

0.29.0

July 19, 2021

Rule Changes

Added additional exception formats to aid in addressing false positives for the following rules:

  • DB program spawned process

  • Change thread namespace

  • The docker client is executed in a container

0.28.0

July 16, 2021

Default Policy Changes

Disabled Access Cryptomining Network Policy by default

0.27.0

July 15, 2021

Rule Changes

Added additional exception formats to aid in addressing false positives for the following rules:

  • Run shell untrusted

  • DB program spawned process

  • Change thread namespace

0.26.0

July 11, 2021

Default Policy Changes

Rule changes have been applied in the following default policies:

  • Suspicious Package Management Changes

  • Notable Filesystem Changes

  • Suspicious Filesystem Reads Policy

  • Suspicious Filesystem Changes

  • User Management Changes

  • Disallowed Network Activity

  • Inadvised Container Activity

  • Disallowed Container Activity

  • Suspicious Container Activity

New default policies created:

  • Suspicious Lateral Movement Activity to Cloud

  • Notable Network Activity

Default policies removed:

  • Suspicious Package Management Changes

  • Suspicious Filesystem Reads Policy

  • User Management Changes

  • Disallowed Network Activity

  • Disallowed Container Activity

  • Inadvised Container Activity

Status changes for existing policies:

  • Access Cryptomining Network is now enabled by default

0.25.0

July 01, 2021

Rule Changes

Added additional exception formats to aid in addressing false positives for the following rules:

  • Netcat Remote Code Execution in Container

  • Launch Sensitive Mount Container

  • Redirect STDOUT/STDIN to Network Connection in Container

0.24.0

June 25, 2021

Rule Changes

Added additional exception formats to aid in addressing false positives for the following rules:

  • Write below root

  • Change thread namespace

0.23.0

June 22, 2021

Rule Changes

Added additional exception formats for the following rules:

  • Change thread namespace

  • Create Privileged Pod

  • Modify Shell Configuration File

  • Write below binary dir

  • Launch Privileged Container

  • The docker client is executed in a container

  • ClusterRole With Wildcard Created

  • Create HostNetwork Pod

  • Service Account Created in Kube Namespace

  • K8s Role/Clusterrole Created

  • K8s Role/Clusterrole Deleted

  • K8s Role/Clusterrolebinding Created

  • Netcat Remote Code Execution in Container

  • Delete Bash History

  • ClusterRole With Write Privileges Created

  • Clear Log Activities

  • Modify binary dirs

  • Unexpected outbound connection destination

  • Unexpected UDP Traffic

0.22.0

June 19, 2021

A new policy, Sysdig GCP Best Practices, has been added.

Rule Changes

New GCP Rules have been added for AuditLog:

  • GCP Create API Keys for a Project

  • GCP Create Bucket

  • GCP Delete Bucket

  • GCP List Buckets

  • GCP List Bucket Objects

  • GCP Put Bucket ACL

  • GCP Set Bucket IAM Policy

  • GCP Update Bucket

  • GCP Create Cloud Function Not Using Latest Runtime

  • GCP Create Cloud Function

  • GCP Update Cloud Function

  • CloudRun Create Service

  • CloudRun Replace Service

  • GCP Create a Default VPC Network

  • GCP Disable Subnet Flow Logs

  • GCP Enable Connecting to Serial Ports for a VM Instance

  • GCP Creation of a VM Instance with IP Forwarding Enabled

  • GCP Suspected Disable of OS Login in a VM Instance

  • GCP Enable Project-wide SSH keys for a VM Instance

  • GCP Shield Disabled for a VM Instance

  • GCP Create or Patch DNS Zone without DNSSEC

  • GCP Describe Instance

  • GCP Command Executed on Unused Region

  • GCP Create GCP-managed Service Account Key

  • GCP Create User-managed Service Account Key

  • GCP Invitation Sent to Non-corporate Account

  • GCP Operation by a Non-corporate Account

  • GCP Super Admin Executing Command

  • GCP Update, Disable or Delete Sink

  • GCP Monitoring Alert Deleted

  • GCP Monitoring Alert Updated

  • GCP Disable Automatic Backups for a Cloud SQL Instance

  • GCP Disable the Requirement for All Incoming Connections to Use SSL for a Cloud SQL Instance

0.21.0

June 17, 2021

Fixed a defect in v0.20.3. The fix is for the detection of older backend versions when looking for accounts scheduled for deletion.

0.20.4

June 17, 2021

Skip accounts scheduled for deletion when verifying Falco rules compatibility.

0.20.3

June 16, 2021

Rule Changes

Added additional exception formats to allow addressing false positives for the following rules:

  • Launch Package Management Process in Container

  • Set Setuid or Setgid bit

  • Terminal shell in container

0.20.2

June 11, 2021

Rule Changes

Added additional exception formats to help address false positives for the following rules:

  • Run shell untrusted

  • Set Setuid or Setgid bit

0.20.1

June 03, 2021

Rule Changes

  • The Non sudo setuid rule: Add macmnsvc (mcafee service host) to set of programs that are allowed to setuid.

  • The Launch Suspicious Network Tool in Container rule: Add another zookeeper image pattern that's allowed to run network tools.

  • The Clear Log Activities rule: Add another fluentd image as allowed to clear log files.

  • Add additional exception formats to aid in addressing false positives for the following rules:

    • System procs network activity

    • K8s Serviceaccount Created

    • K8s Serviceaccount Deleted

    • K8s Role/Clusterrole Created

    • K8s Role/Clusterrole Deleted

0.20.0

June 01, 2021

Rule Changes

  • The Read Sensitive File Untrusted rule:

    • Allow clamscan to read sensitive files

    • Allow db2ckpw (IBM DB2 Credential Checker) to read sensitive files

  • The Launch Suspicious Network Tool in Container rule: Add another zookeeper image that is allowed to run nc inside a container.

  • Add additional exception patterns for the following rules:

    • Launch Package Management Process in Container

    • K8s Serviceaccount Created

    • K8s Serviceaccount Deleted

    • K8s Role/Clusterrole Created

    • K8s Role/Clusterrole Deleted

0.19.0

May 26, 2021

Rule Changes

  • Add additional Qualys binaries as exceptions for rules:

    • Read sensitive file untrusted

    • User mgmt binaries

    • Write below etc

  • The Write below etc rule:

    • Allow newrelic to write anywhere below /root/newrelic instead of only to specific files

    • Allow nessuscli to write its state file

    • Allow masvc to write below /etc/ma.d/

    • Allow grafana to write state

  • The Write below root rule: Add an additional cmdline writing to exec.fifo.

  • The DB program spawned process rule: Allow sqlplus to spawn oracle.

  • Add additional sets of exception fields for rules:

    • Write below monitored dir

    • The docker client is executed in a container

0.18.0

May 25, 2021

The Sysdig AWS Best Practices policy no longer includes the Logged in without Using MFA rule.

Rule Changes

  • Add five new rules for AWS Cloudtrail events.

  • Disable the AWS Cloudtrail rule, Logged in without Using MFA.

  • The Read Sensitive File Untrusted rule: Let the TaniumEndpoint agent read additional sensitive files.

  • The Write below root rule, docker_writing_state macro: Allow paths that simply specify a location below an implied / or /root current working directory.

  • The DB program spawned process rule: Add additional allowed Postgres backup utilities.

  • The Write below root rule:

    • Use a more flexible string match against the /exec.fifo paths.

    • Allow newrelic CLI to write to CLI log file.

    • Allow the docker cleanup image utility to write state files below /.

  • The Write below rpm database rule: Allow tanium endpoint script to write to the rpm database.

  • The Contact K8S API Server From Container rule: Add another fluent-bit program that is allowed to contact the API Server.

0.17.0

May 20, 2021

Rule Changes

Added exception to the following to address false positives:

  • The Non sudo setuid rule: Let swiagent read setuid.

  • The Read sensitive file untrusted rule:

    • Let refresh-mcollec (tive-metadata), part of puppet, read sensitive files.

    • Let puppet directly read sensitive files.

    • Let Tanium endpoint read sensitive files.

    • Let ir_agent (rapid7 agent) read sensitive files.

  • The Write below root rule:

    • Add an additional command line pattern for Cassandra to allow writes to /root/.cassandra.

    • Add additional exec.fifo path below root for runc.

    • Let docker write to certain files below /. It is part of some docker-in-docker setups.

    • Let Tanium joval write to /root/.jOVAL/.

  • The Change thread namespace rule:

    • Add an additional weaveworks/kured process name.

    • Let avinetworks/se images run programs that can change thread namespaces.

  • The System procs network activity rule: Add an additional exception pattern.

  • The User mgmt binaries rule: Let refresh-mcollec (tive-metadata), part of puppet, run user management binaries.

  • The Contact K8S API Server From Container rule: Let fluent-bit images run programs to contact the API server.

  • The Launch Suspicious Network Tool in Container rule: Let certain Openshift images run dig to perform DNS lookups.

  • The Clear Log Activities rule: Let certain Workinggrafana-related images clear log files in the container.

0.16.0

May 19, 2021

Rule Changes

Additional exception fields are added to the following rules to aid in customization:

  • K8s Secret Created

  • K8s Secret Deleted

0.15.1

May 18, 2021

Rule Changes

  • The Detect outbound connections to common miner pool ports rule: Add additional known miner domains.

  • Add additional exception fields to the following rules to aid customization:

    • Modify Shell Configuration File

    • Write below monitored dir

    • Write below etc

    • Write below root

    • Write below rpm database

    • Launch Privileged Container

    • Launch Sensitive Mount Container

    • Terminal shell in container

    • System procs network activity

    • Launch Suspicious Network Tool in Container

    • Set Setuid or Setgid bit

    • Launch Remote File Copy Tools in Container

    • The docker client is executed in a container

    • Disallowed K8s User

    • Create Privileged Pod

    • Create Sensitive Mount Pod

    • Create HostNetwork Pod

    • Attach/Exec Pod

    • Pod Created in Kube Namespace

    • Service Account Created in Kube Namespace

    • ClusterRole With Wildcard Created

    • K8s Secret Created

    • K8s Secret Deleted

  • The Change thread namespace rule: Add an additional exception for the Sysdig agent.

  • The Pod created in the Kube Namespace rule: Allow users starting with "system:" to create pods in the kube-system/kube-public namespaces.

  • The Read sensitive file untrusted rule: Allow puppet to run scripts that might read sensitive files.

  • The Write below root rule: Add an additional way to detect Cassandra to allow writes to /root/.cassandra.

  • The Change thread namespace rule: Allow Weaveworks Kured (Kubernetes Reboot Daemon) to change thread namespaces.

0.15.0

May 17, 2021

Rule Changes

  • Add rpmdb_verify as an RPM Package Management program. This affects the following rules:

    • Update Package Repository

    • Write below binary dir

    • Write below monitored dir

    • Write below etc

    • Read sensitive file untrusted

    • Modify binary dirs

    • Mkdir binary dirs

    • Run shell untrusted

    • Package management process ran inside container

  • Write below etc: Add haproxy-ingress as a program that can write below /etc/haproxy.

  • Change thread namespace: Allow images ending with /ext-cilium-startup-script to change namespaces.

  • Launch Suspicious Network Tool in Container: Allow images ending with sysdig/cassandra and bitnami/zookeeper to run network tools inside containers.

  • Set setuid or setgid bit: Allow the images in the sysdig_commercial_images list to include applications with setuid/setgid binaries.

0.14.0

May 05, 2021

Rule Changes

Add a macro to allow backward compatibility for using older pre-exceptions rules content.

0.13.2

May 05, 2021

Rule Changes

Removed the aws_cloudtrail rule named Create Internet-facing AWS Public Facing Load Balancer without Required Tags, added in the previous release, because it uses features that have not yet been released.

0.13.1

May 04, 2021

Added the Launch Root User Container rule to the Notable Container Activity policy.

Rule Changes

  • All rules with the source aws_cloudtrail: Switch from using jevt.value[/path] to the aws.* fields to extract information out of aws_cloudtrail events.

  • A new rule, Launch Root User Container, has been added. It matches when a container is started and is configured to run as root. This works for the Docker and CRI-O container runtimes, but not for Openshift 4.x, which does not make the necessary information available.

  • Macro spawned_process: Consider only successful exec calls, that is, those whose return value is 0. This affects the following rules:

    • Schedule Cron Jobs

    • DB program spawned process

    • Run shell untrusted

    • System user interactive

    • Terminal shell in container

    • Program run with disallowed http proxy env

    • User mgmt binaries

    • Launch Package Management Process in Container

    • Netcat Remote Code Execution in Container

    • Launch Suspicious Network Tool in Container

    • Launch Suspicious Network Tool on Host

    • Search Private Keys or Passwords

    • Remove Bulk Data from Disk

    • Delete Bash History

    • Launch Remote File Copy Tools in Container

    • Detect crypto miners using the Stratum protocol

    • The docker client is executed in a container

    • Linux Kernel Module Injection Detected

    • Container Run as Root User

      This could affect the following rules if they are triggered based on an exec() process rather than a container-started event.

    • Launch Privileged Container

    • Launch Sensitive Mount Container

    • Launch Disallowed Container

    • Launch Root User Container
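The following is an added illustration of the spawned_process change, not the page's own rules content: a hypothetical falco_rules_local.yaml that overrides the macro to match only exec calls that returned 0, plus a hypothetical local rule built on it. It assumes the default Falco macros container and shell_procs are loaded; the exact form of the shipped macro is an assumption.

```yaml
# Added example (hypothetical local override, not the shipped macro).
# Falco evaluates execve/execveat on the exit side (evt.dir=<), where
# evt.rawres carries the syscall return value. A failed exec (for
# example -2 / ENOENT, or -13 / EACCES) never started a new program,
# so requiring evt.rawres=0 stops such attempts from counting as a
# "spawned process". A redefinition without "append: true" replaces
# the macro of the same name from the default rules file.
- macro: spawned_process
  condition: >
    evt.type in (execve, execveat) and evt.dir=< and evt.rawres=0

# Hypothetical rule using the macro (example only). With the macro
# above, an interactive shell that failed to exec inside a container
# is ignored; one that actually started is still reported.
- rule: Example Terminal Shell Actually Started in Container
  desc: >
    A shell was successfully exec'd with a tty inside a container;
    failed exec attempts are not reported by this rule.
  condition: >
    spawned_process and container and shell_procs and proc.tty != 0
  output: >
    Shell spawned in container (user=%user.name
    user_loginuid=%user.loginuid container_id=%container.id
    image=%container.image.repository shell=%proc.name
    parent=%proc.pname cmdline=%proc.cmdline exec_result=%evt.rawres)
  priority: NOTICE
  tags: [container, shell, example]
```

Rules that fire on a container-started event rather than on an exec, such as Launch Privileged Container, are unaffected by this macro unless they are also evaluated against an exec event.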

0.13.0

April 09, 2021

Rule Changes

Restore several old macros and lists that are no longer used by any of the default rules, but might be used by some users' local rules.

0.12.2

April 05, 2021

Fixed a defect that could prevent deploying rules to several older Sysdig backend versions.

0.12.1

March 31, 2021

Rule Changes

Added new versions of falco_rules.yaml/k8s_audit_rules.yaml that use exceptions instead of collections of macros and long condition strings. The rule coverage should be identical to older versions.

0.12.0

March 19, 2021

Fixed minor problems with the rules installation script.

0.11.1

March 11, 2021

Rule Changes

Added 164 rules that detect suspicious/anomalous/notable behavior from a stream of AWS CloudTrail events. This requires a Sysdig backend that supports policy types and running the Cloud Connector for Secure for cloud.

For a full list of rules for different AWS services, see CloudTrail Rules for Secure for Cloud.

Default Policy Changes

The new policy, Sysdig AWS Best Practices, includes 41 of the above rules that Sysdig recommends using for the AWS environments.

0.11.0

February 9, 2021

Rule Changes

  • rule Change thread namespace: Let cilium nsenter

  • rule Change thread namespace: Let dynatrace setns

  • rule Change thread namespace: Let sysdig agent setns (the process name was changed recently)

  • rule Clear Log Activities: Allow fluentd to write/access log files in a container

  • macro exe_running_docker_save: Added support for CRI-O setting up containers. This affects several rules, including:

    • Modify Shell Configuration File

    • Update Package Repository

    • Write below binary dir

    • Write below monitored dir

    • Write below etc

    • Write below root

    • Write below rpm database

    • Modify binary dirs

    • mkdir binary dirs

    • Set Setuid or Setgid bit

    • Create Hidden Files or Directories

  • rule Launch Package Management Process in Container: Let sysdig node-image-analyzer run rpm

0.10.5

December 14, 2020

Rule Changes

  • Add a new rule, Container Run as Root User, to the Inadvised Container Activity policy.

  • Add crio and multus to the user_known_change_thread_namespace_binaries list

0.10.4

December 1, 2020

Rule Changes

  • Ensure that falco_rules_local.yaml is evaluated against all the default files.

  • Ensure that the logs clearly show which files are being evaluated.

0.10.3

November 16, 2020

Rule Changes

  • Add the new rule, Linux Kernel Module Injection Detected, to the Notable Filesystem Changes policy.

  • Add the multipath_writing_conf macro as an exception in the Write below etc rule.

  • Add the chage_list macro as an exception in the User mgmt binaries rule.

  • Update compliance tags.

0.10.2

October 14, 2020

Add CSRF token protection.

Rule Changes

Add a new rule, Outbound Connection to C2 Servers, to the Disallowed Network Activity policy.

0.10.1

September 30, 2020

Rule Changes

  • Write below root: As with the other rules that rely on a process name for exceptions, events will not be triggered if the process name is missing (that is, an empty name, "").

  • Delete or rename shell history: Ignore docker programs that modify shell history, whether the path is expressed within the container filesystem (/.bash_history) or the host filesystem (/var/lib/docker/overlay/.../.bash_history).

  • All Rules: Changes to the tags to add NIST 800-53 and SOC2 tags:

    • Renamed previous NIST 800-190 tags to use the prefix NIST_800-190_.

    • Fixed rule names for some Kubernetes rules.

0.10.0

September 23, 2020

Rule Changes

  • Launch Sensitive Mount Container: Change image matching to correctly identify Sysdig images as compared to names starting with "sysdig..."

  • Detect shell history deletion: Ignore paths below /var/lib/docker. For example, the container filesystem overlay images that are removed when a container is removed.

  • The Packet socket created in container rule is now enabled by default.

0.9.1

September 10, 2020

Rule Changes

  • All Rules: Add user.loginuid as an output field. This uid is generally unchanging across sudo/su commands, and can more reliably identify users.

  • Launch Privileged Container: Add additional images that can run with privileged=true.

  • Launch Sensitive Mount Container: Fix a typo that allows docker.io/sysdig/agent-slim to perform sensitive mounts.

  • Read sensitive file untrusted: Allow linux-bench to read sensitive files containing user information.

  • Update Package Repository: Restrict checks to files below known package management directories.

  • Write below etc: Add exceptions related to calico within containers.

  • Write below root: Allow mysqlsh to write to /root/.mysqlsh.

  • Read sensitive file untrusted: Allow google_oslogin_{control} to read sensitive files.

  • Change thread namespace: Trigger only when the process name is known.

  • Create HostNetwork Pod: Allow several images related to GKE and the default metrics/routing services to run with hostnetwork=true.

  • Disallowed Kubernetes User: Add several known Kubernetes users to allowed list.

  • Pod Created in Kube Namespace: Allow several images related to GKE and the default metrics/routing services to run in the kube-system/kube-public namespaces.

  • System ClusterRole Modified/Deleted: Allow modifications to the role system:managed-certificate-controller.

0.9.0

September 08, 2020

Added support for updating Falco rules across multiple accounts in an on-prem setup.

0.8.3

August 17, 2020

Rule Changes

  • Created a new rule, EphemeralContainers Created for the Suspicious K8s Activity policy.

  • Replaced the endswith operator when checking against an image repository.

  • Whitelisted sysdig/agent and sysdig/agent-slim. They are not available with the open-source Falco rules.

  • Whitelisted dockerd-current and docker-current in the exe_running_docker_save macro.

0.8.2

August 03, 2020

Rule Changes

Add the k8s_image_list list to the trusted_pod macro.

0.8.1

July 27, 2020

Rule Changes

  • Move the Write below root rule from the Suspicious Filesystem Changes policy to the Notable Filesystem Changes policy

  • Delete the NIST 800-190 Application Container Security Guide policy

  • Delete the Payment Card Industry Data Security Standard (PCI DSS) policy

  • Add a new macro, user_read_sensitive_file_containers for the Read sensitive file untrusted rule

  • Add docker.io/falcosecurity/falco to the falco_privileged_images list

  • Add kubernetes-admin to the allowed_k8s_users list

0.8.0

July 20, 2020

Rule Changes

  • Disable Disallowed K8s Activity policy

  • Add placeholder macros for multiple rules

  • Fix the root_dir macro

  • Add snapd to the package_mgmt_binaries list

  • Add zmap to the network_tool_binaries list

  • Whitelist protokube, dockerd, tini, and aws in the change thread namespace rule

  • Add sysdig/agent-slim and sysdig/node-image-analyzer images to the user_trusted_containers macro

  • Add kube-apiserver-healthcheck to the allowed_k8s_users list

0.7.9

July 7, 2020

  • Remove unnecessary logging.

  • Add a new flag, --saas

0.7.8

July 1, 2020

Handle an improper error.

0.7.7

June 25, 2020

Disable rule Container Drift Detected (chmod) by default

0.7.6

June 23, 2020

Update rule Container Drift Detected (open+create) to avoid warning

0.7.5

June 22, 2020

Rule Changes

Added two new rules: Container Drift Detected (chmod) and Container Drift Detected (open+create) to policy Suspicious Container Activity

The Container Drift Detected (open+create) rule is disabled until an agent is released that supports the new evt.is_open_exec filter.

Updated macros bin_dir_mkdir and bin_dir_rename using evt.arg.path instead of evt.arg

Added placeholder macro user_known_write_below_binary_dir_activities to rule Write below binary dir

Fixed rule Anonymous Request Allowed to update the auth decision with ka.auth.decision=allow instead of ka.auth.decision!=reject

0.7.4

May 28, 2020

Rule Changes

Write below etc: Added lvs as a logical volume writing program that can write below /etc/lvm.

Clear Log Activities: Allowed additional Fluentd images to write to log file directories.

Set Setuid or Setgid bit: Added macro user_known_set_setuid_or_setgid_bit_conditions, which makes it easier to add locally provided exceptions.

Launch Remote File Copy Tools in Container: Fixed the use of the list remote_file_copy_binaries so the list items are included.

The docker client is executed in a container: Now allow hcp-tunnelfront to run kubectl in containers.

Disallowed K8s User: Added vertical pod autoscaler programs as known Kubernetes users.

0.7.3

May 5, 2020

Rule Changes

For a brief time, Falco rules/macros had fields with k8s.* in them. These fields do not work in Sysdig Secure, so the relevant macros have been rewritten to omit them:

  • calico_writing_state

  • user_known_metadata_access

  • k8s_containers

  • user_known_k8s_client_container

0.7.2

May 1, 2020

Rule Changes

  • Add new rule Redirect stdout/stdin to network connection in container to policy Suspicious Container Activity

  • Add new rules Network Connection outside Local Subnet and Outbound or Inbound Traffic not to Authorized Server Process and Port to policy Suspicious Network Activity

  • Add new rules K8s Secret Created and K8s Secret Deleted to policy All K8s Object Modifications

  • Add rules Untrusted Node Successfully Joined the Cluster and Untrusted Node Unsuccessfully Tried to Join the Cluster to policy Suspicious K8s Activity

  • Add rule Full K8s Administrative Access to policy Suspicious K8s User Activity

  • Add rule Ingress Object without TLS Certificate Created to policy Inadvised K8s Activity

  • Check dsc_host in macro ms_oms_writing_conf

  • Add macros mcafee_writing_cma_d and avinetworks_supervisor_writing_ssh as exceptions in rule Write below etc

  • Add macro runc_writing_exec_fifo as exception in rule Write below root

  • Use "pmatch" instead of "in" operator to check known files under root directory

  • Update rule Change thread namespace to check exit event only

  • Add macro known_system_procs_network_activity_binaries for rule System procs network activity

0.7.1

April 9, 2020

Rule Changes

  • Add PCI/NIST tags to the following rules:

    • Disallowed SSH Connection

    • Unexpected outbound connection destination

    • Unexpected inbound connection source

    • Write below binary dir

    • Write below monitored dir

    • Write below etc

    • Write below root

    • Read sensitive file untrusted

    • DB program spawned process

    • Modify binary dirs

    • Mkdir binary dirs

    • Change thread namespace

    • Launch Privileged Container

    • Launch Sensitive Mount Container

    • Launch Disallowed Container

    • Terminal shell in container

    • Unexpected UDP Traffic

    • Create files below dev

    • Contact K8S API Server From Container

    • Unexpected K8s NodePort Connection

    • Search Private Keys or Passwords

    • Clear Log Activities

    • Create Symlink Over Sensitive Files

    • Detect crypto miners using the Stratum protocol

  • Write below etc:

    • Add "dsc_host" as a MS OMS program

    • Let McAfee write to /etc/cma.d

    • Let AVI Networks supervisor write some ssh config files

    • Allow writes to /etc/pki from OpenShift secrets dir

  • Write below root:

    • Let runc write to /exec.fifo

  • Change thread namespace

    • Only allow Kubernetes/Docker programs to use setns directly on the host

    • Let children of kubelet/hyperkube use setns

  • Run shell untrusted

    • Let Puma reactor spawn shells

  • Detect outbound connections to common miner pool ports

    • When attempting to resolve crypto mining hostnames, exclude hosts that resolve to localhost/rfc1918 ips

Default Policy Changes

  • Remove the default Policy Launch Privileged Container.

    The rule it used is also in the existing default policy Inadvised Container Activity, so there's no change in rule coverage.

  • New default policies Payment Card Industry Data Security Standard (PCI DSS) and NIST 800-190 Application Container Security Guide, which are disabled by default, contain rules specifically related to PCI and NIST standards.

0.7.0

Dec 9, 2019

Expand allowed_k8s_users list with default users created by Kops

Add macro calico_writing_envvars to whitelist of rule Write below etc

Update operators with intersect

Add calico/node to the falco_privileged_images list

Add amazon/amazon-ecs-agent to the falco_sensitive_mount_images list

Add hyperkube to the whitelist of rule Set Setuid or Setgid bit

Add docker-runc-cur to container_entrypoint macro

Add a rule to detect Kubernetes client tool in container

Add rules Contact cloud metadata service from container and Packet socket created in container to policy Suspicious Container Activity

Update macro exe_running_docker_save

Add exe_running_docker_save as exception to rules Modify Shell Configuration File, and Update Package Repository

Create macro automount_using_mtab and add it as exception to rule Write below etc

Update macro k8s_api_server with Kubernetes headless service name

Add placeholder macro user_known_package_manager_in_container to rule Launch Package Management Process in Container

Add kubelet to list user_known_chmod_applications

Create macro user_known_k8s_client_container and add it as exception to rule The docker client is executed in a container

Add more directories to Sensitive mounts rules

0.6.0

Oct 9, 2019

Add rule Delete or rename shell history (a better version of Delete Bash History) to policy Suspicious Filesystem Changes

Add rule Detect crypto miners using the Stratum protocol to policy Suspicious Container Activity

Add a new policy, Access Cryptomining Network, with an associated new rule Detect outbound connections to common miner pool ports (disabled by default)

Add new macros chmod and modify_repositories

Enhance rules Update Package Repository, Set Setuid or Setgid bit, and Create Hidden Files or Directories

Add image fluent/fluentd-kubernetes-daemonset to macro trusted_logging_images

0.5.0

Aug 21, 2019

Update rule Update Package Repository with modify action

Update rule Delete Bash History with more bash history files

Update rule Set Setuid or Setgid bit using system calls instead of process name

Update rule Create Hidden Files or Directories with modify action

0.4.9

Aug 1, 2019

Add /exec.fifo to known_root_files macro (GKE)

Add macro amazon_linux_running_python_yum as exception in rule Write below rpm database (Amazon Linux 2)

Add docker.io/google/cadvisor and docker.io/prom/node-exporter to list falco_sensitive_mount_images

0.4.8

July 23, 2019

Add image k8s.gcr.io/kube-proxy to list falco_privileged_images

Add runc to macro container_entrypoint

Add macro trusted_logging_images for rule Clear Log Activities

Add image docker.io/netdata/netdata to list falco_sensitive_mount_images

0.4.7

July 1, 2019

Add placeholder for user macro

Add rfc 1918 addresses

Add image prometheus-node-exporter to macro openshift_image

Add weaveworks_scope macro used by rule Change thread namespace

0.4.6

June 20, 2019

Add whitelist to rules Change thread namespace and Non sudo setuid

0.4.5

June 17, 2019

Add trusted_container macro back

0.4.4

June 13, 2019

Extend macro mkdir with syscall mkdirat

Add placeholder for whitelist in rule Clear Log Activities

Add docker.io/ to the trusted images list

Add container.id and image in the rule output, except those rules with "not container" in condition

0.4.3

June 6, 2019

Remove image check from rancher_write_conf macro

Remove healthcheck from rancher_writing_conf

Update nginx_writing_conf macro

0.3.7

June 5, 2019

Updated macro container_started

IBM Cloud Kubernetes Service is a hosted Kubernetes from IBM

Allow Ansible to run using Python 3

Fix egrep rule and ncat rule

Add Sematext Monitoring & Logging agents to trusted Kubernetes containers

0.3.6

May 30, 2019

Add rules: remote file copy in container, create symlink over sensitive files

In macro prometheus_conf_writing_conf, use startswith instead of =

0.3.5

Apr 18, 2019

Add MITRE tags to existing rules

Add new MITRE rules mainly for persistence category

0.3.4



Last modified September 23, 2022