cleanup(rules): initial tagging of stable rules round2

[incertum]

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area rules

/area registry

/area build

/area documentation

What this PR does / why we need it:

Second round of initially tagging rules w/ maturity_stable.

• enhanced desc
• more complete output fields
• cleanup of tags if applicable
• add new maturity_stable tag

@LucaGuerra @loresuso @jasondellaluce

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

[github-actions]

Rules files suggestions

falco_rules.yaml

Comparing 5ae68d21f7d08d87066106fca7a1943e9b632fbc with latest tag falco-rules-1.0.1

Major changes:

• Rule Redirect STDOUT/STDIN to Network Connection in Container has less tags than before
• Rule Linux Kernel Module Injection Detected has less tags than before
• Rule Debugfs Launched in Privileged Container has less tags than before
• Rule Detect release_agent File Container Escapes has less tags than before
• Rule PTRACE attached to process has less tags than before

Patch changes:

• Rule Disallowed SSH Connection has more tags than before
• Rule Unexpected outbound connection destination has more tags than before
• Rule Unexpected inbound connection source has more tags than before
• Rule Read Shell Configuration File has more tags than before
• Rule Schedule Cron Jobs has more tags than before
• Rule Read ssh information has more tags than before
• Rule Change thread namespace has more tags than before
• Rule Terminal shell in container changed its output fields
• Rule Terminal shell in container has more tags than before
• Rule Program run with disallowed http proxy env has more tags than before
• Rule Interpreted procs inbound network activity has more tags than before
• Rule Interpreted procs outbound network activity has more tags than before
• Rule Unexpected UDP Traffic has more tags than before
• Rule Contact EC2 Instance Metadata Service From Container has more tags than before
• Rule Contact cloud metadata service from container has more tags than before
• Rule Contact K8S API Server From Container changed its output fields
• Rule Contact K8S API Server From Container has more tags than before
• Rule Netcat Remote Code Execution in Container changed its output fields
• Rule Netcat Remote Code Execution in Container has more tags than before
• Rule Set Setuid or Setgid bit has more tags than before
• Rule Create Hidden Files or Directories has more tags than before
• Rule Detect outbound connections to common miner pool ports has more tags than before
• Rule Network Connection outside Local Subnet has more tags than before
• Rule Outbound or Inbound Traffic not to Authorized Server Process and Port has more tags than before
• Rule Redirect STDOUT/STDIN to Network Connection in Container changed its output fields
• Rule Redirect STDOUT/STDIN to Network Connection in Container has more tags than before
• Rule Container Drift Detected (chmod) has more tags than before
• Rule Container Drift Detected (open+create) has more tags than before
• Rule Outbound Connection to C2 Servers has more tags than before
• Rule Linux Kernel Module Injection Detected changed its output fields
• Rule Linux Kernel Module Injection Detected has more tags than before
• Rule Container Run as Root User has more tags than before
• Rule Debugfs Launched in Privileged Container changed its output fields
• Rule Debugfs Launched in Privileged Container has more tags than before
• Rule Detect release_agent File Container Escapes changed its output fields
• Rule Detect release_agent File Container Escapes has more tags than before
• Rule Java Process Class File Download has more tags than before
• Rule Modify Container Entrypoint has more tags than before
• Rule PTRACE attached to process changed its output fields
• Rule PTRACE attached to process has more tags than before
• Rule PTRACE anti-debug attempt changed its output fields
• Rule PTRACE anti-debug attempt has more tags than before
• Rule Drop and execute new binary in container changed its output fields
• Rule Drop and execute new binary in container has more tags than before

[LucaGuerra]

Thank you for this! 🙏 LGTM

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: incertum, LucaGuerra

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [LucaGuerra,incertum]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[poiana]

LGTM label has been added.

Git tree hash: 3d97b8970a8787d6facd78ca63038b4582ef6385