File falco-event-generator.changes of Package falco-event-generator
-------------------------------------------------------------------
Thu Oct 03 11:31:53 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.12.0:
* increase timeout for
syscall.DisallowedSSHConnectionNonStandardPort
* update(events): disable
PotentialLocalPrivilegeEscalationViaEnvironmentVariablesMisuse
* update(events): disable JavaProcessClassFileDownload
* use setup-go v3 gh action with go v1.23.1
* rename files to be consistent with rules names
* prevent zombie processes
* move randomString() to a separate file, allowing build on macos
* fix: Enhance Falco syscall events triggering and reliability
* Added an event for default stable rule Detect release_agent
File Container Escapes
* Fix: Updated function name to the correct rule name
* Added an event for polkit local privilege escalation
vulnerability
* Added an event for default rule sudo potential privilege
escalation
* docs(OWNERS): add alacuku (Aldo Lacuku) to approvers
* Update events/syscall/mount_launched_in_privileged_container.go
* adding event for this rule
* adding an event on interpreted procs inbound network activity
* adding an event on modify container entrypoint
* adding an event on triggering rule
* adding an event on interpreted procs outbound network activity
* adding event on triggering this rule
* adding an event on packet_socket_created_in_container
* adding an event
* Fix: os.Mkdir("/dev") instead of os.Mkdir("/dev/shm")
* adding an event for disallowed_ssh_connection_non_standard_port
* adding an event on reading environment variable from /proc
files
* Fix: Ptrace call is detached after a ptrace call with traceme
argument from child process
* Added an event for default stable rule ptrace anti debug
attempt
* Added documentation for the skipping actions due to non-supported
context
* Refactor: use return.ErrSkipped to skip actions due to non
supported context or prerequisite
* update(pkg/runner/helper): SpawnAsWithSymlink and SpawnAs to
copy the binary
* Create a new binary by copying it from existing binary instead
of creating a new binary
* Added an event for default stable rule Drop and execute new
binary in container
* more explained comment on `why to use IP 169.254.169.254`
* adding comment on clarification of IP address
* updated comment
* corrected an indentation error
* Update contact_cloud_metadata_service_from_container.go
* adding an event for contact cloud metadata service from
container
* Fix: Event-generator executable is loaded into memory instead
of go binary
* Event-generator executable path is now available to actions
* Debris removed after function return
* Added an event for fileless execution via memfd create
* Fix: Created a unique file under tmp dir
* Added an event for default rule Container Drift Detected
open+create
* Fix: Set execute permission on file via writefile instead of
chmod
* Refactor command execution to use a dynamic script path and
also added comments
* Create /dev/shm if not exists and Remove debris at end
* Changing the condition to trigger falco rule
* Code size reduced
* Created script file in dev shm folder if not exists
* Added an event for default stable rule execution from dev shm
* Update and rename launch_remote_file_copy_tool_in_container.go
to launch_remote_file_copy_tools_in_container.go
* Update launch_remote_file_copy_tool_in_container.go
* adding event on launch remote file copy tool in container
* Fix: Create a unique temp file instead of using any random file
name
* Fix: Changed the function name according to name conventions in
documentation
* Added an event for default rule set setuid or set setgid bit
* Refactor: Create a unique temp directory and changed function
name
* created a directory and syslog file inside it
* Added an event for default stable rule clear log activities
* Update unexpected_udp_traffic.go
* adding event on unexpected_udp_traffic
* chore: don't log inside DoNothing helper
* chore: fix copyright year
* update(events/helper): add the DoNothing helper
* Refactor: Just setting execute permission on an empty file is enough
to trigger the rule
* Code size reduced
* Added an event for default rule Container drift detected using
chmod
* Update netcat_remote_code_execution_in_container.go
* adding event on netcat rce in container
* Fix: Updated comments for better understanding
* Added an event for default stable rule PTRACE attached to
process
* Update launch_suspicious_network_tool_in_container.go
* Rename launch_network_tool.go to
launch_suspicious_network_tool_in_container.go
* Update launch_network_tool.go
* Update launch_network_tool.go
* adding an event of launching network tool
* User uid is set to non zero when generating the event
* Added an event for default rule
UnprivilegedDelegationofPageFaultsHandlingtoaUserspaceProcess
* Switch to a new user such that username is not equal to _apt
* Added an event for Launch Package Management Process In
Container
* Update debugfs_launched_in_privilleged_container.go
* Update debugfs_launched_in_privilleged_container.go
* event on debugfs launched in privileged container
* Fix: Use MkdirTemp instead of Mkdir to create a unique temp
directory
* Now file is created by event generator and reads the shell
configuration file
* Added an event for default rule read shell configuration file
* Added an event for default stable rule find aws credentials
* Fix: Rule triggers irrespective of command successful or not
* Added an event for default rule Detect crypto miners using the
Stratum protocol
* Fix: First look whether curl exists or not
* Refactor: Now http_proxy env variable set only for curl command
not for entire event generator
* HTTP_PROXY env variable value is reverted to its original value
after function return
* Added an event for default rule program run with disallowed http
proxy env
* Fix: createSshDirectoryUnderHome also returns a cleanup
function
* Fix: Helper function name changed
* Refactored code by using a helper function
CreateSshDirectoryUnderHome to remove code redundancy
* Refactored ReadSshInformation function to improve directory
creation logic
* Remove the created directory at end
* Uncommented a line
* Reduced code size
* Using temporary data by creating them and removing them after
completion
* Added an event for adding ssh keys to authorized keys
* Refactor: createSshDirectoryUnderHome also returns a cleanup
function
* Fix: No need to export internal utilities
* Fix: Event should be disabled by default as it is not a stable
rule event
* Fix: There is no need of for loop as MkdirTemp internally does
it
* Added a helper function to create .ssh directory inside home
* Refactored ReadSshInformation function to improve directory
creation logic
* Remove the created directory at end
* Using temporary data by creating them and removing them after
completion
* Added event for default rule read ssh information
* Update modify_shell_configuration_file.go
* Update modify_shell_configuration_file.go
* Update modify_shell_configuration_file.go
* Update modify_shell_configuration_file.go
* adding an event for modifying shell configuration file
* Update events/syscall/delete_or_rename_shell_history.go
* Update delete_or_rename_shell_history.go
* Update delete_or_rename_shell_history.go
* Update delete_or_rename_shell_history.go
* adding an event of deleting bash history
* Fix: First look whether kubectl exists or not
* Added an event for default rule kubernetes client tool launched
in container
* Fix: wget is just enough to trigger the rule
* Added an event for default rule launch ingress remote file copy
tools inside container
* Update decoding_payload_in_container.go
* Update decoding_payload_in_container.go
* adding event on triggering rule
* Update and rename change_namespace_privillege_using_unshare.go
to change_namespace_privileges_via_unshare.go
* Update
events/syscall/change_namespace_privillege_using_unshare.go
* Update change_namespace_privillege_using_unshare.go
* adding an event on change_namespace_privilleges_using_unshare
* Update
events/syscall/potential_local_privillege_escalation_via_env_var_misuse.go
* Rename potential_local_privillege_escalation_via_env_var_misuse
to potential_local_privillege_escalation_via_env_var_misuse.go
* event on potential local privilege escalation via env var
misuse
* Update events/syscall/launch_suspicious_network_tool_on_host.go
* Update launch_suspicious_network_tool_on_host.go
* Rename launch_network_tool_on_host.go to
launch_suspicious_network_tool_on_host.go
* adding event on launch network tool on host
* docs(events/README.md): update conventions
* Fixed some more broken links
* Fix broken link by replacing it with valid url
* fix(events/syscall/remove_bulk_data_from_disk): no new
variables on left side of :=
* No need to return error and updated comments
* Updated comments
* Added comments for explanation
* Shred a file instead of directory
* Update remove_bulk_data_from_disk.go
* Clean up the temp directory
* Added event for default stable rule remove bulk data from disk
* Added event for default rule create hidden file or directory
* falco: create hardlink over sensitive file event added
* Removed debris at end
* Creates directory if it doesn't exist
* Type in file name
* Added event for the default rule WriteBelowMonitoredDir
* Added event for default rule write_below_root
* Corrected a typo
* build: upgrade deps
-------------------------------------------------------------------
Sun May 19 15:15:53 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- new package falco-event-generator: Generate a variety of suspect
actions that are detected by Falco rulesets (but USE WITH
CAUTION!)