Falco rules hosted by CloudDefenseAI

This repository contains a collection of extended Falco rules developed by CloudDefense.ai. Each rule is mapped to a MITRE ATT&CK tactic (matrix reference: https://attack.mitre.org/matrices/enterprise/cloud/).

Falco is an open-source runtime security tool that monitors system calls and alerts on unexpected application behaviour on Linux hosts, in containers and in Kubernetes. The extended rules provided by CloudDefense.ai build on the default rule set and add further detections, mapped to MITRE ATT&CK tactics, to strengthen the security of your containerized environment.

The image below shows the MITRE ATT&CK coverage of the default Falco rules and the extended coverage added by CloudDefense.ai.

[Image: MITRE ATT&CK coverage, default Falco rules versus the CloudDefense.ai extended rules]

Prerequisites

Before you begin, make sure you have the following prerequisites in place:

  1. Falco Installed: Ensure that you have Falco installed on the target system where you want to enable runtime security. Refer to the official Falco documentation for installation instructions.

  2. Falco Configuration: Set up your Falco configuration file (falco.yaml) for your environment, and note where its rules_file list is, since additional rule files are registered there.

Local Installation

To install and use the extended rule set for Falco runtime security, follow these steps:

  1. Clone the repository to your local system:
git clone https://github.com/CloudDefenseAI/falco_extended_rules.git
  2. Change into the repository directory:
cd falco_extended_rules
  3. Add the rules: copy the extended rule file (custom_rules.yaml) to a location Falco can read, for example the directory that holds your Falco configuration file or a dedicated rules directory.
  4. Update the Falco configuration: open falco.yaml and list the copied file under rules_file. Entries are YAML list items, so each path needs "- " followed by a space, and files are loaded in the order given, so keep the default rules first and add the extended file after them:
   rules_file:
     - /path/to/your/rules/file1.yaml
     - /path/to/your/rules/file2.yaml
  5. Restart Falco so it reloads its rule files (the unit name can differ between Falco packages; if the restart fails, check which falco units your package installed):
# Restart Falco on systemd-based systems
sudo systemctl restart falco

# Restart Falco on non-systemd systems
sudo service falco restart
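The same procedure as a single script, added here as an example (it is not tooling shipped by the repository). The configuration path, rules directory and default rules path are assumptions set at the top and can be overridden through the environment; beyond the manual steps it adds a parse check of the new file and an idempotent edit of the rules_file list:

```shell
#!/bin/sh
# Added example (not tooling from the CloudDefense repository): perform the
# local installation end to end, with a parse check before the restart.
# FALCO_CONF, DEFAULT_RULES and RULES_DIR are assumed defaults; override via env.
set -eu

REPO_URL="https://github.com/CloudDefenseAI/falco_extended_rules.git"
FALCO_CONF="${FALCO_CONF:-/etc/falco/falco.yaml}"
DEFAULT_RULES="${DEFAULT_RULES:-/etc/falco/falco_rules.yaml}"
RULES_DIR="${RULES_DIR:-/etc/falco/rules.d}"
RULES_FILE="$RULES_DIR/custom_rules.yaml"

# add_rules_file CONF PATH: append PATH as the last item of the block-style
# rules_file: list in CONF unless that exact entry is already present.
# Appending after the existing items keeps the default rules loading first;
# the item is written as "  - PATH" because "-PATH" without a space is not a
# YAML list item.
add_rules_file() {
  conf="$1"; path="$2"
  if grep -qxF "  - $path" "$conf"; then
    return 0
  fi
  awk -v p="$path" '
    /^rules_file:/           { inblk = 1; print; next }
    inblk && /^[ \t]*-[ \t]/ { print; next }
    inblk && !done           { print "  - " p; done = 1; inblk = 0 }
                             { print }
    END { if (inblk && !done) print "  - " p }
  ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# validate_rules FILE: parse-check FILE together with the default rules it may
# reference, so an undefined macro or list fails here rather than at service start.
validate_rules() {
  if command -v falco >/dev/null 2>&1; then
    falco --validate "$DEFAULT_RULES" --validate "$1"
  else
    echo "falco not found in PATH; skipping rule validation" >&2
  fi
}

restart_falco() {
  if command -v systemctl >/dev/null 2>&1; then
    systemctl restart falco
  else
    service falco restart
  fi
}

install_extended_rules() {
  work=$(mktemp -d)
  git clone --depth 1 "$REPO_URL" "$work/repo"
  mkdir -p "$RULES_DIR"
  cp "$work/repo/custom_rules.yaml" "$RULES_FILE"
  rm -rf "$work"
  validate_rules "$RULES_FILE"
  add_rules_file "$FALCO_CONF" "$RULES_FILE"
  restart_falco
}

# Run as root (or via sudo): sh install_extended_rules.sh install
if [ "${1:-}" = "install" ]; then
  install_extended_rules
fi
```

Run it as root (or under sudo) with the argument install; without an argument it only defines the functions, so add_rules_file can be sourced and reused for other rule files. If your Falco package names the service unit differently, adjust restart_falco.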

Installation with Falcoctl

Add the CloudDefense index:

sudo falcoctl index add clouddefense https://raw.githubusercontent.com/CloudDefenseAI/falco_extended_rules/master/index.yaml

Install the rules artifact:

sudo falcoctl artifact install falco_extended_rules:latest

falcoctl writes rule files into its configured rulesfiles directory; make sure the installed file is listed under rules_file in falco.yaml (or that its directory is one Falco already loads) and restart Falco afterwards.

List of rules

The table below lists the rules hosted in this repository:

| S. No | Rule Name | Purpose | Corresponding MITRE tactic |
|-------|-----------|---------|----------------------------|
| 1 | Account manipulation in ssh | Detects account manipulation | Persistence |
| 2 | Suspicious disk activity | Detects disk wiping, overwriting or corrupting of raw disk data | Impact |
| 3 | Disable Recovery Features | Detects disabling of system recovery features | Impact |
| 4 | Detect Data Destruction Activity | Detects activity related to data destruction | Impact |
| 5 | Suspicious Network Scanning Command | Detects suspicious network scanning commands | Discovery |
| 6 | Permission and Group Members Discovery | Detects enumeration of file permissions, groups and group members | Discovery |
| 7 | Detect Peripheral Device Enumeration Commands | Detects commands that enumerate peripheral devices | Discovery |
| 8 | Suspicious Time and Date Command Execution | Detects execution of commands that may be used to gather time, date and region information | Discovery |
| 9 | Enumerate Domain Trusts | Detects attempts to enumerate domain trusts on Linux systems | Discovery |
| 10 | Detect System Location Information Retrieval | Detects attempts to retrieve system location information | Discovery |
| 11 | Get Information About Open Application Windows | Detects attempts to get information about open application windows | Discovery |
| 12 | Suspicious System Information Gathering | Detects suspicious commands related to gathering system information | Discovery |
| 13 | Read Maps File of Process | Detects attempts to read a process's maps file | Credential Access |
| 14 | Attempt to Access Bash History File | Detects attempts to access the bash history file | Credential Access |
| 15 | Chown or Chmod Operation | Detects chown or chmod operations | Defense Evasion |
| 16 | Execute Command Via Utility | Detects command execution via text-processing tools, scripting languages and system utilities | Defense Evasion |
| 17 | Read Disk Block Command | Detects execution of commands that read disk blocks | Defense Evasion |
| 18 | Archive and Compression Activity | Detects archive and compression activity using tar, zip, gzip and bzip2 | Collection |
| 19 | Detect Service Disable Using Systemctl | Detects services being disabled with systemctl | Impact |
| 20 | System Service Discovery | Detects attempts to enumerate the services running on the system | Discovery |

The extended Falco rules included in this repository are carefully crafted and continuously updated by the experienced security experts at CloudDefense.ai. They address a wide range of potential security threats and anomalies, enabling you to identify suspicious activities, unauthorized access attempts, privilege escalations, and other malicious behaviors.

By leveraging these extended Falco rules, you can enhance your security posture, proactively monitor your containerized environment, and respond swiftly to any potential security incidents. Additionally, you have the flexibility to customize and fine-tune the rules according to your specific requirements and environment.
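As an illustration of the rule format you would customise, here is an added example rule in Falco's YAML syntax (written for this page; it is not one of the repository's rules). The list, macro and rule names, the allow-listed shell names and the output fields are assumptions; it follows the shape of rule 14 in the table:

```yaml
# Added illustrative rule (not from the CloudDefense repository). Shows the
# pieces a Falco rule file is made of: lists, a macro and the rule itself,
# tagged with the MITRE tactic the way the repository's table groups rules.

- list: shell_history_files
  items: [.bash_history, .zsh_history, .sh_history]

# Assumed set of processes allowed to touch history files; tune per environment.
- list: history_readers_allowed
  items: [bash, zsh, sh]

- macro: open_read_file
  condition: (evt.type in (open, openat, openat2) and evt.is_open_read=true and fd.typechar='f')

- rule: Shell History File Read (example)
  desc: A process other than an interactive shell read a user's shell history file
  condition: >
    open_read_file
    and fd.filename in (shell_history_files)
    and not proc.name in (history_readers_allowed)
  output: >
    Shell history file read (user=%user.name user_loginuid=%user.loginuid
    command=%proc.cmdline file=%fd.name container_id=%container.id
    image=%container.image.repository)
  priority: WARNING
  tags: [host, container, mitre_credential_access, T1552.003]
  source: syscall
```

Put rules like this in their own file listed after the defaults under rules_file, and run them through falco's --validate option before restarting; a process such as cat reading a .bash_history file should then raise this alert, while the user's own shell appending to it is ignored.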

Testing the Rules

To confirm that the extended rules load and fire, exercise them in a test environment that mirrors your runtime: run the benign commands a rule is designed to catch (for example, enumerate running services or read a shell history file) and watch Falco's output, logs or configured alerting for an alert carrying that rule's name and priority. Several rules in the table cover destructive actions (disk wiping, disabling recovery features, disabling services); do not simulate those on production hosts. A rule that never fires may simply be scoped to a different process or path, so read its condition before concluding that it is broken.
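An added example (not part of the repository) of checking Falco's output after a simulation. It assumes json_output is enabled in falco.yaml and that the alerts are written to a file; the sample log it writes is constructed for an offline run, using rule names from the table above:

```shell
#!/bin/sh
# Added example (not part of the repository): check Falco's JSON output for the
# rules a simulation is expected to trigger. Assumes json_output: true and the
# alerts written to a file (file_output, or stdout redirected). The sample log
# produced by write_sample_log is constructed for an offline run.
set -eu

# rule_hits LOG "Rule Name": number of alerts for that rule. Falco emits compact
# JSON, so the name appears verbatim as "rule":"<name>"; fixed-string grep keeps
# regex metacharacters in rule names from mattering.
rule_hits() {
  grep -cF "\"rule\":\"$2\"" "$1" || true
}

# expect_rule LOG "Rule Name" [MIN]: PASS if the rule fired at least MIN times.
expect_rule() {
  n=$(rule_hits "$1" "$2"); min=${3:-1}
  if [ "$n" -ge "$min" ]; then
    echo "PASS $2 (hits=$n)"
  else
    echo "FAIL $2 (hits=$n, expected >= $min)"
    return 1
  fi
}

# missing_rules LOG < names: print each expected rule (one per line on stdin)
# that did not fire at all, so a batch of simulations is checked in one pass.
missing_rules() {
  while IFS= read -r name; do
    [ "$(rule_hits "$1" "$name")" -gt 0 ] || printf '%s\n' "$name"
  done
}

# Benign simulation for rule 14: read a shell history file from a process that
# is not the user's shell. Rules for destructive actions (disk wiping, disabling
# recovery features) should not be exercised this way on real hosts.
simulate_bash_history_read() {
  cat "${HOME:-/root}/.bash_history" >/dev/null 2>&1 || true
}

# Constructed Falco output: one startup message plus three JSON alerts.
write_sample_log() {
  cat > "$1" <<'EOF'
Falco initialized with configuration file: /etc/falco/falco.yaml
{"hostname":"node-1","output":"10:00:05.123456789: Warning Attempt to access bash history file (user=root command=cat /root/.bash_history file=/root/.bash_history container_id=host)","priority":"Warning","rule":"Attempt to Access Bash History File","source":"syscall","tags":["mitre_credential_access"],"time":"2023-09-14T10:00:05.123456789Z","output_fields":{"fd.name":"/root/.bash_history","proc.cmdline":"cat /root/.bash_history","user.name":"root"}}
{"hostname":"node-1","output":"10:00:07.000000000: Warning Suspicious network scanning command (user=root command=nmap -sS 10.0.0.0/24 container_id=host)","priority":"Warning","rule":"Suspicious Network Scanning Command","source":"syscall","tags":["mitre_discovery"],"time":"2023-09-14T10:00:07.000000000Z","output_fields":{"proc.cmdline":"nmap -sS 10.0.0.0/24","user.name":"root"}}
{"hostname":"node-1","output":"10:00:09.500000000: Warning Attempt to access bash history file (user=app command=grep password /home/app/.bash_history file=/home/app/.bash_history container_id=host)","priority":"Warning","rule":"Attempt to Access Bash History File","source":"syscall","tags":["mitre_credential_access"],"time":"2023-09-14T10:00:09.500000000Z","output_fields":{"fd.name":"/home/app/.bash_history","proc.cmdline":"grep password /home/app/.bash_history","user.name":"app"}}
EOF
}

# Usage: sh check_rules.sh /path/to/falco_alerts.json
# With no argument the constructed sample log is checked instead.
if [ -n "${1:-}" ]; then
  log="$1"
else
  log=$(mktemp); write_sample_log "$log"
fi
for r in "Attempt to Access Bash History File" "Suspicious Network Scanning Command" "Suspicious disk activity"; do
  expect_rule "$log" "$r" || true
done
[ -n "${1:-}" ] || rm -f "$log"
```

Run a benign simulation such as simulate_bash_history_read, give the script the path of the alert file, and treat a FAIL as a prompt to read that rule's condition rather than as proof the rule is broken.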

Contributing

If you want to help and wish to contribute, please review our contribution guidelines. Code contributions are always encouraged and welcome!

Join the community

Join us on Discord, in the #general channel.

License

This extended rule set for Falco runtime security is released under the Apache-2.0 License.

Disclaimer:

The content and code available in this GitHub repository are currently a work in progress. Please note that the rules, guidelines, or any other materials provided here are subject to change without prior notice. While we aim to ensure the accuracy and completeness of the information presented, there may be errors or omissions. We kindly request users to exercise caution and critical judgment when utilizing or relying on any content found in this repository. We appreciate your understanding and patience as we continue to develop and refine the content within this repository. Contributions, feedback, and suggestions are welcome and greatly valued, as they contribute to the ongoing improvement of this project.

Who Uses Extended rules?

If your organization uses these rules, please file a PR and update this list. Say hi on Discord too!