# Cloud Native Security Hub


Cloud Native Security Hub is a platform for discovering and sharing rules and configurations for cloud native security tools.

This repository contains all the security resources that are displayed on https://securityhub.dev.

## Usage

### Adding a new Falco Rule

You can use the following template or copy from any existing resource.

```yaml
apiVersion: v1
kind: FalcoRules
vendor: Apache # The provider name. Is it shipped by the vendor or by the community?
name: Apache # The name of the rule. Is this for a product, or are we protecting against a CVE?
shortDescription: Falco rules for securing Apache HTTP Server # What does this rule do?
version: 1.0.0 # The version of the security resource
description: |
  # This is markdown!

  Add *anything* you want and it will be rendered on the security hub!

keywords: # A list of keywords. See the categories on https://securityhub.dev
  - web
icon: # A reference to an icon or an image for the rule
maintainers: # Who maintains this rule?
  - name: Nestor Salceda # Maintainer
    link: https://github.com/nestorsalceda # The maintainer's GitHub link
  - name: Fede Barcelona
    link: https://github.com/tembleking
rules:
  - raw: |
      # Here goes the Falco rule itself, written in YAML.
      # Any list or macro the condition refers to (here apache_allowed_inbound_ports_tcp
      # and app_apache) must be defined in this raw block too, or Falco will reject the rule.

      - rule: Unexpected inbound tcp connection apache
        desc: Detect inbound traffic to apache using tcp on a port outside of expected set
        condition: inbound and evt.rawres >= 0 and not fd.sport in (apache_allowed_inbound_ports_tcp) and app_apache
        output: Inbound network connection to apache on unexpected port (command=%proc.cmdline pid=%proc.pid connection=%fd.name sport=%fd.sport user=%user.name %container.info image=%container.image)
        priority: NOTICE
```
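As an added example (not code from this repository), a small pre-submission checker for a resource manifest in the template format above: it verifies the required top-level fields, the semantic version, the maintainer entries, and that each `rules[].raw` block carries the five Falco rule keys with a recognised priority. The manifest is constructed inline as a Python dict rather than parsed from YAML, the raw rule keys are extracted with a regex instead of a YAML parser, and the Falco priority list is assumed from Falco's documentation rather than taken from this page.

```python
import re

# Assumption: the canonical Falco priority names; the hub's own validation is not on this page.
FALCO_PRIORITIES = {"EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"}
REQUIRED_TOP = ("apiVersion", "kind", "vendor", "name", "shortDescription", "version",
                "description", "keywords", "maintainers", "rules")
REQUIRED_RULE_KEYS = ("rule", "desc", "condition", "output", "priority")
SEMVER = re.compile(r"^\d+\.\d+\.\d+$")
# Constructed sample following the README template (not a real hub resource).
SAMPLE_RAW_RULE = """\
- rule: Unexpected inbound tcp connection apache
  desc: Detect inbound traffic to apache on a port outside of the expected set
  condition: inbound and evt.rawres >= 0 and not fd.sport in (apache_allowed_inbound_ports_tcp) and app_apache
  output: Inbound network connection to apache on unexpected port (command=%proc.cmdline pid=%proc.pid)
  priority: NOTICE
"""
SAMPLE_MANIFEST = {
    "apiVersion": "v1", "kind": "FalcoRules", "vendor": "Apache", "name": "Apache",
    "shortDescription": "Falco rules for securing Apache HTTP Server", "version": "1.0.0",
    "description": "Rules for Apache.", "keywords": ["web"], "icon": None,
    "maintainers": [{"name": "Nestor Salceda", "link": "https://github.com/nestorsalceda"}],
    "rules": [{"raw": SAMPLE_RAW_RULE}],
}

def rule_fields(raw):
    """Top-level 'key: value' pairs of a raw Falco rule block (regex-based, so no YAML dependency)."""
    fields = {}
    for line in raw.splitlines():
        m = re.match(r"^\s*-?\s*([a-z_]+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def validate_manifest(manifest):
    """Return a list of problems; an empty list means the resource passes the checks."""
    problems = [f"missing or empty field: {k}" for k in REQUIRED_TOP if not manifest.get(k)]
    if manifest.get("kind") != "FalcoRules":
        problems.append("kind must be FalcoRules")
    if not SEMVER.match(str(manifest.get("version", ""))):
        problems.append("version must be MAJOR.MINOR.PATCH")
    for i, m in enumerate(manifest.get("maintainers") or []):
        if not (isinstance(m, dict) and m.get("name") and m.get("link")):
            problems.append(f"maintainers[{i}] needs both name and link")
    for i, entry in enumerate(manifest.get("rules") or []):
        fields = rule_fields(entry.get("raw", "") if isinstance(entry, dict) else "")
        problems += [f"rules[{i}]: raw rule lacks '{k}'" for k in REQUIRED_RULE_KEYS if k not in fields]
        prio = fields.get("priority", "").upper()
        if prio and prio not in FALCO_PRIORITIES:
            problems.append(f"rules[{i}]: unknown priority {prio!r} (use WARNING, not WARN)")
    return problems
```

Running `validate_manifest(SAMPLE_MANIFEST)` on the sample returns an empty list; a manifest with `version: 1.0` and `priority: WARN` returns one problem for each.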

## Contributing

Contributors are welcome!

See the [CONTRIBUTING.md](CONTRIBUTING.md) guide.
