Changelog
- f0a403c increase timeout for syscall.DisallowedSSHConnectionNonStandardPort
- 3604216 update(events): disable PotentialLocalPrivilegeEscalationViaEnvironmentVariablesMisuse
- 1958474 update(events): disable JavaProcessClassFileDownload
- 490b030 use setup-go v3 gh action with go v1.23.1
- fca56f5 rename files to be consistent with rules names
- 89782de prevent zombie processes
- 552829c move randomString() to a separate file, allowing build on macos
- 93df6eb fix: Enhance Falco syscall events triggering and reliability
- 7b0dab5 Added an event for default stable rule Detect release_agent File Container Escapes
- 8356c82 Fix: Updated function name to the correct rule name
- 3b014d2 Added an event for polkit local privilege escalation vulnerability
- 298059d Added an event for default rule sudo potential privilege escalation
- 7b41014 docs(OWNERS): add alacuku (Aldo Lacuku) to approvers
- 883cdf3 Update events/syscall/mount_launched_in_privileged_container.go
- be5fe89 adding event for this rule
- c2adca2 adding an event on interpreted procs inbound network activity
- ebc6f6c adding an event on modify container entrypoint
- 9a20da3 adding an event on triggering rule
- 7b0b5b9 adding an event on interpreted procs outbound network activity
- 7a5a8b8 adding event on triggering this rule
- f032e36 adding an event on packet_socket_created_in_container
- 4309660 adding an event
- dc15f1f Fix: os.Mkdir("/dev") instead of os.Mkdir("/dev/shm")
- d2d4264 adding an event for disallowed_ssh_connection_non_standard_port
- c2b6f3c adding an event on reading environment variable from /proc files
- 40ac2b5 Fix: Ptrace call is detached after a ptrace call with traceme argument from child process
- d3adfc5 Added an event for default stable rule ptrace anti debug attempt
- 5f70ab6 Added documentation for the skipping actions due to non-supported context
- 692bafe Refactor: use return.ErrSkipped to skip actions due to non supported context or prerequisite
- 939b3e0 update(pkg/runner/helper): SpawnAsWithSymlink and SpawnAs to copy the binary
- b09fc0f Create a new binary by copying it from existing binary instead of creating a new binary
- cba5af9 Added an event for default stable rule Drop and execute new binary in container
- 7bc50fb more explained comment on why to use IP 169.254.169.254
- a29607a adding comment on clarification of IP address
- 630b95c updated comment
- 4acde13 corrected an indentation error
- ed1efff Update contact_cloud_metadata_service_from_container.go
- 375da50 adding an event for contact cloud metadata service from container
- e1c841c Fix: Event-generator executable is loaded into memory instead of go binary
- 1102265 Event-generator executable path is now available to actions
- d2ef0d6 Debris removed after function return
- a98f78b Added an event for fileless execution via memfd create
- 17bacf7 Fix: Created a unique file under tmp dir
- 6d91778 Added an event for default rule Container Drift Detected open+create
- 8d53da5 Fix: Set execute permission on file via writefile instead of chmod
- 9a3a784 Refactor command execution to use a dynamic script path and also added comments
- 4489ba0 Create /dev/shm if not exists and Remove debris at end
- 13276c2 Changing the condition to trigger falco rule
- 8bc0b8d Code size reduced
- d2a92d1 Created script file in dev shm folder if not exists
- f1768f7 Added an event for default stable rule execution from dev shm
- 4a1ca52 Update and rename launch_remote_file_copy_tool_in_container.go to launch_remote_file_copy_tools_in_container.go
- 86b0004 Update launch_remote_file_copy_tool_in_container.go
- fa8fd82 adding event on launch remote file copy tool in container
- cda10d7 Fix: Create a unique temp file instead of using any random file name
- 785aed5 Fix: Changed the function name according to name conventions in documentation
- ab00990 Added an event for default rule set setuid or set setgid bit
- 179be5f Refactor: Create a unique temp directory and changed function name
- a973e7a created a directory and syslog file inside it
- c04f57d Added an event for default stable rule clear log activities
- def1cf1 Update unexpected_udp_traffic.go
- e3ebb1f adding event on unexpected_udp_traffic
- 20591ad chore: don't log inside DoNothing helper
- 6b986b8 chore: fix copyright year
- 8477547 update(events/helper): add the DoNothing helper
- 2925790 Refactor: Just set execute permission on empty file is enough to trigger the rule
- a33421a Code size reduced
- 27407a9 Added an event for default rule Container drift detected using chmod
- 54e91ae Update netcat_remote_code_execution_in_container.go
- 62cd476 adding event on netcat rce in container
- 2250ff8 Fix: Updated comments for better understanding
- 2a3d1bf Added an event for default stable rule PTRACE attached to process
- 46d371f Update launch_suspicious_network_tool_in_container.go
- e44be53 Rename launch_network_tool.go to launch_suspicious_network_tool_in_container.go
- 16a1f14 Update launch_network_tool.go
- a042219 Update launch_network_tool.go
- dde0c94 adding an event of launching network tool
- 786ea1c User uid is set to non zero when generating the event
- 8a7d857 Added an event for default rule UnprivilegedDelegationofPageFaultsHandlingtoaUserspaceProcess
- 2953f26 Switch to a new user such that username is not equal to _apt
- f3b30db Added an event for Launch Package Management Process In Container
- 9a0747d Update debugfs_launched_in_privilleged_container.go
- 1d911a9 Update debugfs_launched_in_privilleged_container.go
- ab58b70 event on debugfs launched in privileged container
- 5566085 Fix: Use MkdirTemp instead of Mkdir to create a unique temp directory
- 44ce6f1 Now file is created by event generator and reads the shell configuration file
- 53df01f Added an event for default rule read shell configuration file
- d5a7eee Added an event for default stable rule find aws credentials
- 34fb4c3 Fix: Rule triggers irrespective of command successful or not
- 7770275 Added an event for default rule Detect crypto miners using the Stratum protocol
- d507f85 Fix: First look whether curl exists or not
- 545c1f4 Refactor: Now http_proxy env variable set only for curl command not for entire event generator
- 8e60661 HTTP_PROXY env variable value is reverted to its original value after function return
- 4ef79f5 Added an event for default rule program run with disallowed http proxy env
- 4c28e17 Fix: createSshDirectoryUnderHome also returns a cleanup function
- 52df26e Fix: Helper function name changed
- 0833a43 Refactored code by using a helper function CreateSshDirectoryUnderHome to remove code redundancy
- adab5f3 Refactored ReadSshInformation function to improve directory creation logic
- f569b18 Remove the created directory at end
- 75dea5d Uncommented a line
- 1ecb03f Reduced code size
- 0ecd93a Using temporary data by creating them and removing them after completion
- 3f5c815 Added an event for adding ssh keys to authorized keys
- cb4f3c9 Refactor: createSshDirectoryUnderHome also returns a cleanup function
- 47cb7b1 Fix: No need to export internal utilities
- 71393e2 Fix: Event should be disabled by default as it is not a stable rule event
- 72ac96a Fix: There is no need for a for loop as MkdirTemp internally does it
- fc57631 Added a helper function to create .ssh directory inside home
- 9f9bb47 Refactored ReadSshInformation function to improve directory creation logic
- 8599629 Remove the created directory at end
- ceef898 Using temporary data by creating them and removing them after completion
- 141a455 Added event for default rule read ssh information
- 767157d Update modify_shell_configuration_file.go
- 5e65be2 Update modify_shell_configuration_file.go
- ddbadae Update modify_shell_configuration_file.go
- 34c6228 Update modify_shell_configuration_file.go
- 6bc3c4b adding an event for modifying shell configuration file
- e048d5c Update events/syscall/delete_or_rename_shell_history.go
- 9942d9f Update delete_or_rename_shell_history.go
- 66b7a90 Update delete_or_rename_shell_history.go
- 6f649c4 Update delete_or_rename_shell_history.go
- 71b5d77 adding an event of deleting bash history
- d96836b Fix: First look whether kubectl exists or not
- 1a0b4ac Added an event for default rule kubernetes client tool launched in container
- de7c8ef Fix: wget is just enough to trigger the rule
- 3975d83 Added an event for default rule launch ingress remote file copy tools inside container
- 2cc987e Update decoding_payload_in_container.go
- 9c6f486 Update decoding_payload_in_container.go
- 9067d37 adding event on triggering rule
- 55cf1af Update and rename change_namespace_privillege_using_unshare.go to change_namespace_privileges_via_unshare.go
- 06a5c5b Update events/syscall/change_namespace_privillege_using_unshare.go
- 5e0be23 Update change_namespace_privillege_using_unshare.go
- 825468b adding an event on change_namespace_privilleges_using_unshare
- 2f37d9a Update events/syscall/potential_local_privillege_escalation_via_env_var_misuse.go
- 7592c8e Rename potential_local_privillege_escalation_via_env_var_misuse to potential_local_privillege_escalation_via_env_var_misuse.go
- 6ba1c8e event on potential local privilege escalation via env var misuse
- efc5b17 Update events/syscall/launch_suspicious_network_tool_on_host.go
- df80b6f Update launch_suspicious_network_tool_on_host.go
- 77e19ca Rename launch_network_tool_on_host.go to launch_suspicious_network_tool_on_host.go
- 098d0b3 adding event on launch network tool on host
- 5a84d24 docs(events/README.md): update conventions
- d691c7c Fixed some more broken links
- d205623 Fix broken link by replacing it with valid url
- cde96d9 fix(events/syscall/remove_bulk_data_from_disk): no new variables on left side of :=
- 93c2ee7 No need to return error and updated comments
- 4f36422 Updated comments
- 0baee1e Added comments for explanation
- 76c3685 Shred a file instead of directory
- f76044e Update remove_bulk_data_from_disk.go
- fb626a4 Clean up the temp directory
- 3814b5a Added event for default stable rule remove bulk data from disk
- ade98bb Added event for default rule create hidden file or directory
- ddf4731 falco: create hardlink over sensitive file event added
- 9abd1ec Removed debris at end
- 3a21093 Creates directory if it doesn't exist
- ecddc6e Type in file name
- bd6a3fd Added event for the default rule WriteBelowMonitoredDir
- b1c871e Added event for default rule write_below_root
- 35ff9c5 Corrected a typo
- 31789dc build: upgrade deps