2019 Archive

2019 Archive of released Falco Rules.

Commit Date

Rule Notes

Version of the Falco Rules Installer (On-Prem)

Dec 9, 2019

Expand allowed_k8s_users list with default users created by Kops

Add macro calico_writing_envvars to whitelist of rule Write below etc

Update operators with intersect

Add calico/node in the falco_privlieged_image list

Add amazon/amazon-ecs-agent in falco_sensitive_mounts_image list

Add hyperkube to the whitelist of rule

Set Setuid or Setgit bit

Add docker-runc-cur to container_entrypoint macro

Add a rule to detect Kubernetes client tool in container

Add rules Contact cloud metadata service from container and Packet socket created in container to policy Suspicious Container Activity

Update macro exe_running_docker_save

Add exe_running_docker_save as exception to rules Modify Shell Configuration File, and Update Package Repository

Create macro automount_using_mtab and add it as exception to rule Write below etc

Update macro k8s_api_server with Kubernetes headless service name

Add placeholder macro user_known_package_manager_in_container to rule Launch Package Management Process in Container

Add kubelet to list user_known_chmod_applications

Create macro user_known_k8s_client_container and add it as exception to rule The docker client is executed in a container

Add more directories to Sensitive mounts rules


Oct 9, 2019

Add rule Delete or rename shell history (a better version of Delete Bash History) to policy Suspicious Filesystem Changes

Add rule Detect crypto miners using the Stratum protocol to policy Suspicious Container Activity

Add a new policy, Access Cryptomining Network ,with a new rule Detect outbound connections to common miner pool ports associated (disabled by default)

Add new macros chmod and modify_repositories

Enhance rules Update Package Repository, Set Setuid or Setgid bit, and Create Hidden Files or Directories

Add imagefluent/fluentd-kubernetes-daemonset to macro trusted_logging_images


Aug 21, 2019

Update rule Update Package Repository with modify action

Update rule Delete Bash History with more bash history files

Update rule Set Setuid or Setgid bit using system calls instead of process name

Update rule Create Hidden Files or Directories with modify action


Aug 1, 2019

Add /exec.fifo to known_root_files macro (GKE)

Add macro amazon_linux_running_python_yum as exception in rule Write below rpm database (Amazon Linux 2)

Add docker.io/google/cadvisor and docker.io/prom/node-exporter to list falco_sensitive_mount_images


July 23, 2019

Add image k8s.gcr.io/kube-proxy to list falco_privileged_images

Add runc to macro container_entrypoint

Add macro trusted_logging_images for rule Clear Log Activities

Add image docker.io/netdata/netdata to list falco_sensitive_mount_images


July 1, 2019

Add placeholder for user macro

Add rfc 1918 addresses

Add image prometheus-node-exporter to macro openshift_image

Add weaveworks_scope macro used by rule Change thread namespace


June 20, 2019

Add whitelist to rules Change thread namespace and Non sudo setuid


June 17, 2019

Add trusted_container macro back


June 13, 2019

Extend macro mkdir with syscall mkdirat

Add placeholder for whitelist in rule Clear Log Activities

Add docker.io/ to the trusted images list

Add container.id and image in the rule output, except those rules with "not container" in condition


June 6, 2019

Remove image check from rancher_write_conf macro

Remove healthcheck from rancher_writing_conf

Update nginx_writing_conf macro


June 5, 2019

Updated macro container_started

IBM Cloud Kubernetes Service is a hosted Kubernetes from IBM

Allow Ansible to run using Python 3

Fix egrep rule and ncat rule

Add Sematext Monitoring & Logging agents to trusted Kubernetes containers


May 30, 2019

Add rules: remote file copy in container, create symlink over sensitive files

In macro prometheus_conf_writing_conf, use startswith instead of =


Apr 18, 2019

Add MITRE tags to existing rules

Add new MITRE rules mainly for persistence category