updated falco rules files

Signed-off-by: h4l0gen <[email protected]>

rules/falco-deprecated_rules.yaml

@@ -32,7 +32,7 @@
 
   # Starting with version 8, the Falco engine supports exceptions.
   # However the Falco rules file does not use them by default.
- ---
+---
   - required_engine_version: '0.31.0'
 
   # This macro `never_true` is used as placeholder for
@@ -154,7 +154,7 @@
 
     priority: NOTICE
     tags: [maturity_deprecated, host, container, network,
-           mitre_command_and_control, TA0011]
+      mitre_command_and_control, TA0011]
   # Use this to test whether the event occurred within a container.
   # When displaying container information in the output field, use
   # %container.info, without any leading term (file=%fd.name
@@ -251,4 +251,4 @@
     priority: WARNING
     enabled: false
     tags: [maturity_deprecated, host, container, network,
-           mitre_command_and_control, TA0011]
+      mitre_command_and_control, TA0011]

rules/falco-incubating_rules.yaml

@@ -179,15 +179,15 @@
 # interpreted by the filter expression.
 - list: rpm_binaries
   items: [dnf, dnf-automatic, rpm, rpmkey, yum, '"75-system-updat"',
-          rhsmcertd-worke, rhsmcertd, subscription-ma,
-          repoquery, rpmkeys, rpmq, yum-cron, yum-config-mana, yum-debug-dump,
-          abrt-action-sav, rpmdb_stat, microdnf, rhn_check, yumdb]
+    rhsmcertd-worke, rhsmcertd, subscription-ma,
+    repoquery, rpmkeys, rpmq, yum-cron, yum-config-mana, yum-debug-dump,
+    abrt-action-sav, rpmdb_stat, microdnf, rhn_check, yumdb]
 
 - list: deb_binaries
   items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, apt-get,
-          aptitude, frontend, preinst, add-apt-reposit, apt-auto-remova,
-          apt-key, apt-listchanges, unattended-upgr, apt-add-reposit,
-          apt-cache, apt.systemd.dai
+    aptitude, frontend, preinst, add-apt-reposit, apt-auto-remova,
+    apt-key, apt-listchanges, unattended-upgr, apt-add-reposit,
+    apt-cache, apt.systemd.dai
   ]
 - list: python_package_managers
   items: [pip, pip3, conda]
@@ -196,8 +196,8 @@
 # truncated at the falcosecurity-libs level.
 - list: package_mgmt_binaries
   items: [rpm_binaries, deb_binaries, update-alternat, gem, npm,
-          python_package_managers, sane-utils.post, alternatives, chef-client,
-          apk, snapd]
+    python_package_managers, sane-utils.post, alternatives, chef-client,
+    apk, snapd]
 
 - macro: package_mgmt_procs
   condition: (proc.name in (package_mgmt_binaries))
@@ -317,7 +317,7 @@
   priority:
     WARNING
   tags: [maturity_incubating, host, container, filesystem, mitre_persistence,
-         T1546.004]
+    T1546.004]
 
 - macro: user_known_cron_jobs
   condition: (never_true)
@@ -339,7 +339,7 @@
   priority:
     NOTICE
   tags: [maturity_incubating, host, container, filesystem, mitre_execution,
-         T1053.003]
+    T1053.003]
 
 # Use this to test whether the event occurred within a container.
 #
@@ -540,7 +540,7 @@
     terminal=%proc.tty %container.info)
   priority: NOTICE
   tags: [maturity_incubating, host, container, process,
-         mitre_privilege_escalation, T1611]
+    mitre_privilege_escalation, T1611]
 
 - rule: Change namespace privileges via unshare
   desc: >
@@ -596,9 +596,9 @@
 
 - list: redhat_io_images_privileged
   items: [registry.redhat.io/openshift-logging/fluentd-rhel8,
-          registry.redhat.io/openshift4/ose-csi-node-driver-registrar,
-          registry.redhat.io/openshift4/ose-kubernetes-nmstate-handler-rhel8,
-          registry.redhat.io/openshift4/ose-local-storage-diskmaker]
+    registry.redhat.io/openshift4/ose-csi-node-driver-registrar,
+    registry.redhat.io/openshift4/ose-kubernetes-nmstate-handler-rhel8,
+    registry.redhat.io/openshift4/ose-local-storage-diskmaker]
 
 - macro: redhat_image
   condition: >
@@ -650,10 +650,10 @@
 
 - list: sematext_images
   items: [docker.io/sematext/sematext-agent-docker, docker.io/sematext/agent,
-          docker.io/sematext/logagent,
-          registry.access.redhat.com/sematext/sematext-agent-docker,
-          registry.access.redhat.com/sematext/agent,
-          registry.access.redhat.com/sematext/logagent]
+    docker.io/sematext/logagent,
+    registry.access.redhat.com/sematext/sematext-agent-docker,
+    registry.access.redhat.com/sematext/agent,
+    registry.access.redhat.com/sematext/logagent]
 
 # Falco containers
 - list: falco_containers
@@ -1004,7 +1004,7 @@
     exe_flags=%evt.arg.flags %container.info)
   priority: NOTICE
   tags: [maturity_incubating, host, users, software_mgmt, mitre_persistence,
-         T1098]
+    T1098]
 
 - list: allowed_dev_files
   items: [
@@ -1070,7 +1070,7 @@
     parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
   priority: NOTICE
   tags: [maturity_incubating, network, aws, container, mitre_credential_access,
-         T1552.005]
+    T1552.005]
 
 # This rule is not enabled by default, since this rule is for
 # cloud environment(GCP, AWS and Azure) only.
@@ -1104,7 +1104,7 @@
 
 - list: network_tool_binaries
   items: [nc, ncat, netcat, nmap, dig, tcpdump, tshark, ngrep, telnet,
-          mitmproxy, socat, zmap]
+    mitmproxy, socat, zmap]
 
 - macro: network_tool_procs
   condition: (proc.name in (network_tool_binaries))
@@ -1291,7 +1291,7 @@
   priority:
     NOTICE
   tags: [maturity_incubating, host, container, process, users,
-         mitre_privilege_escalation, T1548.001]
+    mitre_privilege_escalation, T1548.001]
 
 - list: remote_file_copy_binaries
   items: [rsync, scp, sftp, dcp]
@@ -1457,8 +1457,8 @@
 
 - list: docker_binaries
   items: [docker, dockerd, containerd-shim, "runc:[1:CHILD]",
-          pause, exe, docker-compose, docker-entrypoi, docker-runc-cur,
-          docker-current, dockerd-current]
+    pause, exe, docker-compose, docker-entrypoi, docker-runc-cur,
+    docker-current, dockerd-current]
 
 - list: known_binaries_to_read_environment_variables_from_proc_files
   items: [scsi_id, argoexec]