fix: use of "tag" instead of "tags" in default rules #1081

Merged 1 commit, Mar 10, 2020
14 changes: 7 additions & 7 deletions rules/falco_rules.yaml
Expand Up @@ -450,7 +450,7 @@
a shell configuration file has been modified (user=%user.name command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository)
priority:
WARNING
tag: [file, mitre_persistence]
tags: [file, mitre_persistence]

# This rule is not enabled by default, as there are many legitimate
# readers of shell config files. If you want to enable it, modify the
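Review bot: the old `tag:` key was evidently accepted without error by the rule loader, since these rules shipped in the default ruleset with it; the values under it were simply never registered as tags, so `mitre_persistence` on this rule could not be used for tag-based rule selection. Beyond renaming the key as done here, consider adding a check (validation of the allowed rule keys in CI, or an error on unknown keys in the loader) so that a misspelled key fails loudly instead of silently dropping the tags.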
Expand All @@ -472,7 +472,7 @@
a shell configuration file was read by a non-shell program (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
priority:
WARNING
tag: [file, mitre_discovery]
tags: [file, mitre_discovery]

- macro: consider_all_cron_jobs
condition: (never_true)
Expand All @@ -488,7 +488,7 @@
file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority:
NOTICE
tag: [file, mitre_persistence]
tags: [file, mitre_persistence]

# Use this to test whether the event occurred within a container.

Expand Down Expand Up @@ -2462,7 +2462,7 @@
Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
priority:
WARNING
tag: [process, mitre_defense_evation]
tags: [process, mitre_defense_evation]

# This rule is deprecated and will/should never be triggered. Keep it here for backport compatibility.
# Rule Delete or rename shell history is the preferred rule to use now.
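Review bot: the tag value on the `tags:` line, `mitre_defense_evation`, is itself misspelled and should read `mitre_defense_evasion`, following the `mitre_<tactic>` naming used by `mitre_persistence` and `mitre_discovery` in the other hunks (the MITRE tactic is Defense Evasion). Since this PR already touches the line, fixing the value here would make the rule selectable by the correctly spelled tag.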
Expand All @@ -2475,7 +2475,7 @@
Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
priority:
WARNING
tag: [process, mitre_defense_evation]
tags: [process, mitre_defense_evation]

- macro: consider_all_chmods
condition: (always_true)
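Review bot: the same misspelled value `mitre_defense_evation` appears here; per the comment above this hunk, this is the deprecated backport-compatibility copy of the rule, so whatever spelling is settled on should be applied to both copies so that they stay in sync.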
Expand All @@ -2497,7 +2497,7 @@
command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority:
NOTICE
tag: [process, mitre_persistence]
tags: [process, mitre_persistence]

- list: exclude_hidden_directories
items: [/root/.cassandra]
Expand All @@ -2519,7 +2519,7 @@
file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority:
NOTICE
tag: [file, mitre_persistence]
tags: [file, mitre_persistence]

- list: remote_file_copy_binaries
items: [rsync, scp, sftp, dcp]
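Review bot: the summary lists 7 additions and 7 deletions, all in rules/falco_rules.yaml; please confirm that a search for the `tag:` key across the repository's other rule files turned up no further occurrences, so that the rename is complete in this one PR.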