
v0.12.0

@leogr leogr released this 02 Oct 10:26
· 7 commits to main since this release

Changelog

  • f0a403c increase timeout for syscall.DisallowedSSHConnectionNonStandardPort
  • 3604216 update(events): disable PotentialLocalPrivilegeEscalationViaEnvironmentVariablesMisuse
  • 1958474 update(events): disable JavaProcessClassFileDownload
  • 490b030 use setup-go v3 gh action with go v1.23.1
  • fca56f5 rename files to be consistent with rules names
  • 89782de prevent zombie processes
  • 552829c move randomString() to a separate file, allowing build on macos
  • 93df6eb fix: Enhance Falco syscall events triggering and reliability
  • 7b0dab5 Added an event for default stable rule Detect release_agent File Container Escapes
  • 8356c82 Fix: Updated function name to the correct rule name
  • 3b014d2 Added an event for polkit local privilege escalation vulnerability
  • 298059d Added an event for default rule sudo potential privilege escalation
  • 7b41014 docs(OWNERS): add alacuku (Aldo Lacuku) to approvers
  • 883cdf3 Update events/syscall/mount_launched_in_privileged_container.go
  • be5fe89 adding event for this rule
  • c2adca2 adding an event on interpreted procs inbound network activity
  • ebc6f6c adding an event on modify container entrypoint
  • 9a20da3 adding an event on triggering rule
  • 7b0b5b9 adding an event on interpreted procs outbound network activity
  • 7a5a8b8 adding event on triggering this rule
  • f032e36 adding an event on packet_socket_created_in_container
  • 4309660 adding an event
  • dc15f1f Fix: os.Mkdir("/dev") instead of os.Mkdir("/dev/shm")
  • d2d4264 adding an event for disallowed_ssh_connection_non_standard_port
  • c2b6f3c adding an event on reading environment variable from /proc files
  • 40ac2b5 Fix: Ptrace call is detached after a ptrace call with traceme argument from child process
  • d3adfc5 Added an event for default stable rule ptrace anti debug attempt
  • 5f70ab6 Added documentation for the skipping actions due non-supported context
  • 692bafe Refactor: use return.ErrSkipped to skip actions due to non supported context or prerequisite
  • 939b3e0 update(pkg/runner/helper): SpawnAsWithSymlink and SpawnAs to copy the binary
  • b09fc0f Create a new binary by copying it from existing binary instead of creating a new binary
  • cba5af9 Added an event for default stable rule Drop and execute new binary in container
  • 7bc50fb more explained comment on why to use IP 169.254.169.254
  • a29607a adding comment on clarification of IP address
  • 630b95c updated comment
  • 4acde13 corrected an indentation error
  • ed1efff Update contact_cloud_metadata_service_from_container.go
  • 375da50 adding an event for contact cloud metadata service from container
  • e1c841c Fix: Event-generator executable is loaded into memory instead of go binary
  • 1102265 Event-generator executable path is now available to actions
  • d2ef0d6 Debris removed after function return
  • a98f78b Added an event for fileless execution via memfd create
  • 17bacf7 Fix: Created a unique file under tmp dir
  • 6d91778 Added an event for default rule Container Drift Detected open+create
  • 8d53da5 Fix: Set execute permission on file via writefile instead of chmod
  • 9a3a784 Refactor command execution to use a dynamic script path and also added comments
  • 4489ba0 Create /dev/shm if not exists and Remove debris at end
  • 13276c2 Changing the condition to trigger falco rule
  • 8bc0b8d Code size reduced
  • d2a92d1 Created script file in dev shm folder if not exists
  • f1768f7 Added an event for default stable rule execution from dev shm
  • 4a1ca52 Update and rename launch_remote_file_copy_tool_in_container.go to launch_remote_file_copy_tools_in_container.go
  • 86b0004 Update launch_remote_file_copy_tool_in_container.go
  • fa8fd82 adding event on launch remote file copy tool in container
  • cda10d7 Fix: Create a unique temp file instead of using any random file name
  • 785aed5 Fix: Changed the function name according to name conventions in documentation
  • ab00990 Added an event for default rule set setuid or set setgid bit
  • 179be5f Refactor: Create a unique temp directory and changed function name
  • a973e7a created a directory and syslog file inside it
  • c04f57d Added an event for default stable rule clear log activities
  • def1cf1 Update unexpected_udp_traffic.go
  • e3ebb1f adding event on unexpected_udp_traffic
  • 20591ad chore: don't log inside DoNothing helper
  • 6b986b8 chore: fix copyright year
  • 8477547 update(events/helper): add the DoNothing helper
  • 2925790 Refactor: Just setting execute permission on an empty file is enough to trigger the rule
  • a33421a Code size reduced
  • 27407a9 Added an event for default rule Container drift detected using chmod
  • 54e91ae Update netcat_remote_code_execution_in_container.go
  • 62cd476 adding event on netcat rce in container
  • 2250ff8 Fix: Updated comments for better understanding
  • 2a3d1bf Added an event for default stable rule PTRACE attached to process
  • 46d371f Update launch_suspicious_network_tool_in_container.go
  • e44be53 Rename launch_network_tool.go to launch_suspicious_network_tool_in_container.go
  • 16a1f14 Update launch_network_tool.go
  • a042219 Update launch_network_tool.go
  • dde0c94 adding an event of launching network tool
  • 786ea1c User uid is set to non zero when generating the event
  • 8a7d857 Added an event for default rule UnprivilegedDelegationofPageFaultsHandlingtoaUserspaceProcess
  • 2953f26 Switch to a new user such that username is not equal to _apt
  • f3b30db Added an event for Launch Package Management Process In Container
  • 9a0747d Update debugfs_launched_in_privilleged_container.go
  • 1d911a9 Update debugfs_launched_in_privilleged_container.go
  • ab58b70 event on debugfs launched in privileged container
  • 5566085 Fix: Use MkdirTemp instead of Mkdir to create a unique temp directory
  • 44ce6f1 Now file is created by event generator and reads the shell configuration file
  • 53df01f Added an event for default rule read shell configuration file
  • d5a7eee Added an event for default stable rule find aws credentials
  • 34fb4c3 Fix: Rule triggers irrespective of command successful or not
  • 7770275 Added an event for default rule Detect crypto miners using the Stratum protocol
  • d507f85 Fix: First look whether curl exists or not
  • 545c1f4 Refactor: Now http_proxy env variable set only for curl command not for entire event generator
  • 8e60661 HTTP_PROXY env variable value is reverted to its original value after function return
  • 4ef79f5 Added an event for default rule program run with disallowed http proxy env
  • 4c28e17 Fix: createSshDirectoryUnderHome also returns a cleanup function
  • 52df26e Fix: Helper function name changed
  • 0833a43 Refactored code by using a helper function CreateSshDirectoryUnderHome to remove code redundancy
  • adab5f3 Refactored ReadSshInformation function to improve directory creation logic
  • f569b18 Remove the created directory at end
  • 75dea5d Uncommented a line
  • 1ecb03f Reduced code size
  • 0ecd93a Using temporary data by creating them and removing them after completion
  • 3f5c815 Added an event for adding ssh keys to authorized keys
  • cb4f3c9 Refactor: createSshDirectoryUnderHome also returns a cleanup function
  • 47cb7b1 Fix: No need to export internal utilities
  • 71393e2 Fix: Event should be disabled by default as it is not a stable rule event
  • 72ac96a Fix: There is no need for a for loop as MkdirTemp internally does it
  • fc57631 Added a helper function to create .ssh directory inside home
  • 9f9bb47 Refactored ReadSshInformation function to improve directory creation logic
  • 8599629 Remove the created directory at end
  • ceef898 Using temporary data by creating them and removing them after completion
  • 141a455 Added event for default rule read ssh information
  • 767157d Update modify_shell_configuration_file.go
  • 5e65be2 Update modify_shell_configuration_file.go
  • ddbadae Update modify_shell_configuration_file.go
  • 34c6228 Update modify_shell_configuration_file.go
  • 6bc3c4b adding an event for modifying shell configuration file
  • e048d5c Update events/syscall/delete_or_rename_shell_history.go
  • 9942d9f Update delete_or_rename_shell_history.go
  • 66b7a90 Update delete_or_rename_shell_history.go
  • 6f649c4 Update delete_or_rename_shell_history.go
  • 71b5d77 adding an event of deleting bash history
  • d96836b Fix: First look whether kubectl exists or not
  • 1a0b4ac Added an event for default rule kubernetes client tool launched in container
  • de7c8ef Fix: wget is just enough to trigger the rule
  • 3975d83 Added an event for default rule launch ingress remote file copy tools inside container
  • 2cc987e Update decoding_payload_in_container.go
  • 9c6f486 Update decoding_payload_in_container.go
  • 9067d37 adding event on triggering rule
  • 55cf1af Update and rename change_namespace_privillege_using_unshare.go to change_namespace_privileges_via_unshare.go
  • 06a5c5b Update events/syscall/change_namespace_privillege_using_unshare.go
  • 5e0be23 Update change_namespace_privillege_using_unshare.go
  • 825468b adding an event on change_namespace_privilleges_using_unshare
  • 2f37d9a Update events/syscall/potential_local_privillege_escalation_via_env_var_misuse.go
  • 7592c8e Rename potential_local_privillege_escalation_via_env_var_misuse to potential_local_privillege_escalation_via_env_var_misuse.go
  • 6ba1c8e event on potential local privilege escalation via env var misuse
  • efc5b17 Update events/syscall/launch_suspicious_network_tool_on_host.go
  • df80b6f Update launch_suspicious_network_tool_on_host.go
  • 77e19ca Rename launch_network_tool_on_host.go to launch_suspicious_network_tool_on_host.go
  • 098d0b3 adding event on launch network tool on host
  • 5a84d24 docs(events/README.md): update conventions
  • d691c7c Fixed some more broken links
  • d205623 Fix broken link by replacing it with valid url
  • cde96d9 fix(events/syscall/remove_bulk_data_from_disk): no new variables on left side of :=
  • 93c2ee7 No need to return error and updated comments
  • 4f36422 Updated comments
  • 0baee1e Added comments for explanation
  • 76c3685 Shred a file instead of directory
  • f76044e Update remove_bulk_data_from_disk.go
  • fb626a4 Clean up the temp directory
  • 3814b5a Added event for default stable rule remove bulk data from disk
  • ade98bb Added event for default rule create hidden file or directory
  • ddf4731 falco: create hardlink over sensitive file event added
  • 9abd1ec Removed debris at end
  • 3a21093 Creates directory if it doesn't exist
  • ecddc6e Typo in file name
  • bd6a3fd Added event for the default rule WriteBelowMonitoredDir
  • b1c871e Added event for default rule write_below_root
  • 35ff9c5 Corrected a typo
  • 31789dc build: upgrade deps