Falco Rules Changelog

Falco rules are used in the Sysdig Secure Policy Editor.

Commit Date

Rule Notes

Version of Falco Rules Installer (On-Prem)

June 25, 2020

Disable rule Container Drift Detected (chmod) by default

0.7.6

June 23, 2020

Update rule Container Drift Detected (open+create) to avoid warning

0.7.5

June 22, 2020

Rule Changes

Added two new rules: Container Drift Detected (chmod) and Container Drift Detected (open+create) to policy Suspicious Container Activity

Note

The Container Drift Detected (open+create) rule is disabled until an agent is released that supports the new evt.is_open_exec filter.

Updated macros bin_dir_mkdir and bin_dir_rename using evt.arg.path instead of evt.arg

Added placeholder macro user_known_write_below_binary_dir_activities to rule Write below binary dir

Fixed rule Anonymous Request Allowed to update the auth decision with ka.auth.decision=allow instead of ka.auth.decision!=reject

0.7.4

May 28, 2020

Rule Changes

Write below etc: Added lvs as a logical volume writing program that can write below /etc/lvm.

Clear Log Activities: Allowed additional Fluentd images to write to log file directories.

Set Setuid or Setgid bit: Added macro user_known_set_setuid_or_setgid_bit_conditions that makes it easier to add locally provided exceptions.

Launch Remote File Copy Tools in Container: Fixed the use of the list remote_file_copy_binaries so the list items are included.

The docker client is executed in a container: Now allow hcp-tunnelfront to run kubectl in containers.

Disallowed K8s User: Added vertical pod autoscaler programs as known Kubernetes users.

0.7.3

May 5, 2020

Rule Changes

For a brief time, Falco rules/macros had fields with k8s.* in them. These fields do not work in Sysdig Secure, so the relevant macros have been rewritten to omit them:

  • calico_writing_state

  • user_known_metadata_access

  • k8s_containers

  • user_known_k8s_client_container

0.7.2

May 1, 2020

Rule Changes

  • Add new rule Redirect stdout/stdin to network connection in container to policy Suspicious Container Activity

  • Add new rules Network Connection outside Local Subnet and Outbound or Inbound Traffic not to Authorized Server Process and Port to policy Suspicious Network Activity

  • Add new rules K8s Secret Created and K8s Secret Deleted to policy All K8s Object Modifications

  • Add rules Untrusted Node Successfully Joined the Cluster and Untrusted Node Unsuccessfully Tried to Join the Cluster to policy Suspicious K8s Activity

  • Add rule Full K8s Administrative Access to policy Suspicious K8s User Activity

  • Add rule Ingress Object without TLS Certificate Created to policy Inadvised K8s Activity

  • Check dsc_host in macro ms_oms_writing_conf

  • Add macros mcafee_writing_cma_d and avinetworks_supervisor_writing_ssh as exceptions in rule Write below etc

  • Add macro runc_writing_exec_fifo as exception in rule Write below root

  • Use "pmatch" instead of "in" operator to check known files under root directory.

  • Update rule Change thread namespace to check exit event only.

  • Add macro known_system_procs_network_activity_binaries for rule System procs network activity

0.7.1

April 9, 2020

Rule Changes

  • Add PCI/NIST tags to the following rules:

    • Disallowed SSH Connection

    • Unexpected outbound connection destination

    • Unexpected inbound connection source

    • Write below binary dir

    • Write below monitored dir

    • Write below etc

    • Write below root

    • Read sensitive file untrusted

    • DB program spawned process

    • Modify binary dirs

    • Mkdir binary dirs

    • Change thread namespace

    • Launch Privileged Container

    • Launch Sensitive Mount Container

    • Launch Disallowed Container

    • Terminal shell in container

    • Unexpected UDP Traffic

    • Create files below dev

    • Contact K8S API Server From Container

    • Unexpected K8s NodePort Connection

    • Search Private Keys or Passwords

    • Clear Log Activities

    • Create Symlink Over Sensitive Files

    • Detect crypto miners using the Stratum protocol

  • Write below etc:

    • Add "dsc_host" as a MS OMS program

    • Let McAfee write to /etc/cma.d

    • Let AVI Networks supervisor write some ssh cfg files

    • Allow writes to /etc/pki from OpenShift secrets dir

  • Write below root:

    • Let runc write to /exec.fifo

  • Change thread namespace

    • Only allow Kubernetes/Docker programs to use setns directly on the host

    • Let children of kubelet/hyperkube use setns

  • Run shell untrusted

    • Let Puma reactor spawn shells

  • Detect outbound connections to common miner pool ports

    • When attempting to resolve crypto mining hostnames, exclude hosts that resolve to localhost/RFC 1918 IPs

Default Policy Changes

  • Remove the default Policy Launch Privileged Container.

    The rule it used is also in the existing default policy Inadvised Container Activity, so there's no change in rule coverage.

  • New default policies Payment Card Industry Data Security Standard (PCI DSS) and NIST 800-190 Application Container Security Guide, which are disabled by default, contain rules specifically related to PCI and NIST standards.

0.7.0

Dec 9, 2019

Expand allowed_k8s_users list with default users created by Kops

Add macro calico_writing_envvars to whitelist of rule Write below etc

Update operators with intersect

Add calico/node in the falco_privileged_image list

Add amazon/amazon-ecs-agent in falco_sensitive_mounts_image list

Add hyperkube to the whitelist of rule Set Setuid or Setgid bit

Add docker-runc-cur to container_entrypoint macro

Add a rule to detect Kubernetes client tool in container

Add rules Contact cloud metadata service from container and Packet socket created in container to policy Suspicious Container Activity

Update macro exe_running_docker_save

Add exe_running_docker_save as exception to rules Modify Shell Configuration File and Update Package Repository

Create macro automount_using_mtab and add it as exception to rule Write below etc

Update macro k8s_api_server with Kubernetes headless service name

Add placeholder macro user_known_package_manager_in_container to rule Launch Package Management Process in Container

Add kubelet to list user_known_chmod_applications

Create macro user_known_k8s_client_container and add it as exception to rule The docker client is executed in a container

Add more directories to Sensitive mounts rules

0.6.0

Oct 9, 2019

Add rule Delete or rename shell history (a better version of Delete Bash History) to policy Suspicious Filesystem Changes

Add rule Detect crypto miners using the Stratum protocol to policy Suspicious Container Activity

Add a new policy, Access Cryptomining Network, with a new rule, Detect outbound connections to common miner pool ports, associated (disabled by default)

Add new macros chmod and modify_repositories

Enhance rules Update Package Repository, Set Setuid or Setgid bit, and Create Hidden Files or Directories

Add image fluent/fluentd-kubernetes-daemonset to macro trusted_logging_images

0.5.0

Aug 21, 2019

Update rule Update Package Repository with modify action

Update rule Delete Bash History with more bash history files

Update rule Set Setuid or Setgid bit using system calls instead of process name

Update rule Create Hidden Files or Directories with modify action

0.4.9

Aug 1, 2019

Add /exec.fifo to known_root_files macro (GKE)

Add macro amazon_linux_running_python_yum as exception in rule Write below rpm database (Amazon Linux 2)

Add docker.io/google/cadvisor and docker.io/prom/node-exporter to list falco_sensitive_mount_images

0.4.8

July 23, 2019

Add image k8s.gcr.io/kube-proxy to list falco_privileged_images

Add runc to macro container_entrypoint

Add macro trusted_logging_images for rule Clear Log Activities

Add image docker.io/netdata/netdata to list falco_sensitive_mount_images

0.4.7

July 1, 2019

Add placeholder for user macro

Add RFC 1918 addresses

Add image prometheus-node-exporter to macro openshift_image

Add weaveworks_scope macro used by rule Change thread namespace

0.4.6

June 20, 2019

Add whitelist to rules Change thread namespace and Non sudo setuid

0.4.5

June 17, 2019

Add trusted_container macro back

0.4.4

June 13, 2019

Extend macro mkdir with syscall mkdirat

Add placeholder for whitelist in rule Clear Log Activities

Add docker.io/ to the trusted images list

Add container.id and image in the rule output, except those rules with "not container" in condition

0.4.3

June 6, 2019

Remove image check from rancher_write_conf macro

Remove healthcheck from rancher_writing_conf

Update nginx_writing_conf macro

0.3.7

June 5, 2019

Updated macro container_started

IBM Cloud Kubernetes Service is a hosted Kubernetes from IBM

Allow Ansible to run using Python 3

Fix egrep rule and ncat rule

Add Sematext Monitoring & Logging agents to trusted Kubernetes containers

0.3.6

May 30, 2019

Add rules: remote file copy in container, create symlink over sensitive files

In macro prometheus_conf_writing_conf, use startswith instead of =

0.3.5

Apr 18, 2019

Add MITRE tags to existing rules

Add new MITRE rules mainly for persistence category

0.3.4