From e4e7229990df4816a884fce6d033807c4d715f23 Mon Sep 17 00:00:00 2001
From: RohithRaju
Date: Tue, 19 Dec 2023 05:37:17 +0000
Subject: [PATCH 1/2] update(rules/sandbox_rules): update bpf cmd format
Signed-off-by: RohithRaju
---
 rules/falco-sandbox_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco-sandbox_rules.yaml b/rules/falco-sandbox_rules.yaml
index f6596c78..e540d734 100644
--- a/rules/falco-sandbox_rules.yaml
+++ b/rules/falco-sandbox_rules.yaml
@@ -1713,7 +1713,7 @@
 whether the syscall failed or succeeded, remove the direction filter and add the evt.arg.res_or_fd output field.
 condition: >
 evt.type=bpf and evt.dir=>
- and evt.arg.cmd=5
+ and evt.arg.cmd=BPF_PROG_LOAD
 and not bpf_profiled_procs
 output: BPF Program Not Profiled (bpf_cmd=%evt.arg.cmd evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
 priority: NOTICE
From 8fdf9b4970ec49e0dd3a39fc502be1b32bfe4e37 Mon Sep 17 00:00:00 2001
From: RohithRaju
Date: Tue, 27 Feb 2024 03:17:51 +0000
Subject: [PATCH 2/2] update(sandbox): update required_engine_version
Signed-off-by: RohithRaju
---
 rules/falco-sandbox_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco-sandbox_rules.yaml b/rules/falco-sandbox_rules.yaml
index e540d734..7979ca9a 100644
--- a/rules/falco-sandbox_rules.yaml
+++ b/rules/falco-sandbox_rules.yaml
@@ -25,7 +25,7 @@
 # Starting with version 8, the Falco engine supports exceptions.
 # However the Falco rules file does not use them by default.
-- required_engine_version: 0.31.0
+- required_engine_version: 0.35.0
 # Currently disabled as read/write are ignored syscalls. The nearly
 # similar open_write/open_read check for files being opened for
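Review bot: The rewritten condition `and evt.arg.cmd=BPF_PROG_LOAD` only matches on an engine that decodes the bpf `cmd` argument to its symbolic name; on an engine that still renders it as the integer the removed line compared against (`5`), the comparison never matches and the rule stops firing silently rather than failing to load. This first patch carries no `required_engine_version` change — that bump lands only in PATCH 2/2, presumably for exactly this reason — so commit 1 taken on its own leaves a silent detection gap, and squashing the two or stating the dependency in this commit message would close it. The output field `bpf_cmd=%evt.arg.cmd` likewise changes from a number to a name, which any downstream parsing or alert tuning keyed on the numeric value will need to follow. A comment above the condition, `# evt.arg.cmd is matched by BPF_* name; relies on the engine version pinned by required_engine_version`, would document the coupling. The enclosing rule's `rule:` and `desc:` keys begin before the hunk.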