From 7841993cba37f0b1b5b8fe7de2627ef9bf82738f Mon Sep 17 00:00:00 2001
From: Hiroki Suezawa
Date: Tue, 15 Sep 2020 17:36:12 +0900
Subject: [PATCH] rule(macro consider_packet_socket_communication): change a value to always_true
Signed-off-by: Hiroki Suezawa
---
 rules/falco_rules.yaml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 8ecf64a288d..da0078df763 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2859,17 +2859,16 @@
   tags: [container, mitre_execution]
-# This rule is not enabled by default, as there are legitimate use
-# cases for raw packet. If you want to enable it, modify the
-# following macro.
+# This rule is enabled by default.
+# If you want to disable it, modify the following macro.
 - macro: consider_packet_socket_communication
- condition: (never_true)
+ condition: (always_true)
 - list: user_known_packet_socket_binaries
  items: []
 - rule: Packet socket created in container
- desc: Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used to do ARP Spoofing by attacker.
+ desc: Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used for ARP Spoofing and privilege escalation(CVE-2020-14386) by attacker.
  condition: evt.type=socket and evt.arg[0]=AF_PACKET and consider_packet_socket_communication and container and not proc.name in (user_known_packet_socket_binaries)
  output: Packet socket was created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline socket_info=%evt.args container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
  priority: NOTICE
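Review bot: The rewritten comment above the macro drops the caveat that raw packet sockets have legitimate uses, and because `user_known_packet_socket_binaries` is still `[]` the rule now fires for every AF_PACKET socket in every container while the only tuning knob is left undocumented. Keep the caveat and name the list, e.g. `# This rule is enabled by default. Raw packet sockets have legitimate uses (e.g. DHCP clients, packet capture); add such binaries to user_known_packet_socket_binaries, or set the macro to never_true to disable the rule.` The new `desc` line also needs a space before the parenthesis and a more natural phrasing: `privilege escalation (CVE-2020-14386)`. The rest of the rule (`condition`, `output`, `priority`) is unchanged context, so the rule ends inside the hunk.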