rules/falco_rules.yaml

Comparing 8cbdcc79f4545234bcad2a9cf788bf41ec4a9912 with latest tag falco-rules-0.1.0

Major changes:

• List white_listed_modules has been removed
• Rule Contact EC2 Instance Metadata Service From Container has been disabled at default
• Rule Outbound Connection to C2 Servers has been disabled at default
• Rule Java Process Class File Download has been disabled at default

Minor changes:

• Required engine version was incremented from 13 to 17
• Rule PTRACE anti-debug attempt has been added
• Rule Drop and execute new binary in container has been added
• Macro kernel_module_load has been added
• Macro known_aks_mount_in_privileged_containers has been added
• Macro ptrace_attach_or_injection has been added
• List allowed_container_images_loading_kernel_module has been added
• List python_package_managers has been added
• List authorized_server_binary has been added
• List known_drop_and_execute_containers has been added

Patch changes:

• Rule Linux Kernel Module Injection Detected changed its output fields
• Rule PTRACE attached to process matches more events than before
• List docker_binaries has some item added or removed
• List rpm_binaries has some item added or removed
• List package_mgmt_binaries has some item added or removed
• List safe_etc_dirs has some item added or removed
• List falco_privileged_images has some item added or removed
• List network_tool_binaries has some item added or removed
• List user_known_k8s_ns_kube_system_images has some item added or removed

This should be ready to go!

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, jasondellaluce

The full list of commands accepted by this bot can be found here.

The pull request process is described here

LGTM label has been added.