
update(rules): bump engine version to Falco 0.37.0 engine version #218

Merged: 2 commits into falcosecurity:main, Jan 16, 2024

Conversation

Andreagit97 (Member)

What type of PR is this?

/kind feature

Any specific area of the project related to this PR?

/area rules

Proposed rule maturity level

/area maturity-stable

/area maturity-incubating

/area maturity-sandbox

/area maturity-deprecated

What this PR does / why we need it:

This bumps the engine version to the Falco 0.37.0 engine version.

Which issue(s) this PR fixes:

Special notes for your reviewer:

Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
@poiana poiana requested review from darryk10 and leodido January 15, 2024 09:59
@poiana poiana added the area/maturity-stable, area/maturity-incubating, area/maturity-sandbox, area/maturity-deprecated, approved and size/XS labels Jan 15, 2024
@Andreagit97 (Member Author)

/hold
Not sure if we need something else, please double-check.

@FedeDP (Contributor) commented Jan 15, 2024

/cc @loresuso

@poiana poiana requested a review from loresuso January 15, 2024 10:00

Rules files suggestions

falco_rules.yaml

Comparing e43c64534adcebf545eedbede227f9f5766416e9 with latest tag falco-rules-2.0.0

Minor changes:

  • Macro containerd_activities has been added

Patch changes:

  • Rule Directory traversal monitored file read changed its output fields
  • Rule Read sensitive file trusted after startup changed its output fields
  • Rule Read sensitive file untrusted changed its output fields
  • Rule Contact K8S API Server From Container changed its output fields
  • Rule Clear Log Activities changed its output fields
  • Rule Create Symlink Over Sensitive Files changed its output fields
  • Rule Create Hardlink Over Sensitive Files changed its output fields
  • Rule Packet socket created in container changed its output fields
  • Rule Redirect STDOUT/STDIN to Network Connection in Container changed its output fields
  • Rule Linux Kernel Module Injection Detected changed its output fields
  • Rule Detect release_agent File Container Escapes changed its output fields
  • Rule PTRACE attached to process changed its output fields
  • Rule PTRACE anti-debug attempt changed its output fields
  • Rule Disallowed SSH Connection Non Standard Port changed its output fields

falco-sandbox_rules.yaml

Comparing e43c64534adcebf545eedbede227f9f5766416e9 with latest tag falco-sandbox-rules-2.0.0

Patch changes:

  • Rule Unexpected inbound connection source changed its output fields
  • Rule Read Shell Configuration File changed its output fields
  • Rule Update Package Repository changed its output fields
  • Rule Write below binary dir changed its output fields
  • Rule Write below monitored dir changed its output fields
  • Rule Write below etc changed its output fields
  • Rule Write below root changed its output fields
  • Rule Write below rpm database changed its output fields
  • Rule Modify binary dirs changed its output fields
  • Rule Mkdir binary dirs changed its output fields
  • Rule Launch Sensitive Mount Container changed its output fields
  • Rule Launch Disallowed Container changed its output fields
  • Rule Interpreted procs inbound network activity changed its output fields
  • Rule Interpreted procs outbound network activity changed its output fields
  • Rule Unexpected K8s NodePort Connection changed its output fields
  • Rule Create Hidden Files or Directories changed its output fields
  • Rule Detect outbound connections to common miner pool ports changed its output fields
  • Rule Container Drift Detected (chmod) changed its output fields
  • Rule Container Drift Detected (open+create) changed its output fields
  • Rule Unprivileged Delegation of Page Faults Handling to a Userspace Process changed its output fields
  • Rule Java Process Class File Download changed its output fields
  • Rule Modify Container Entrypoint changed its output fields
  • Rule BPF Program Not Profiled changed its output fields

falco-incubating_rules.yaml

Comparing e43c64534adcebf545eedbede227f9f5766416e9 with latest tag falco-incubating-rules-2.0.0

Minor changes:

  • Rule Potential Local Privilege Escalation via Environment Variables Misuse has been added
  • Rule Adding ssh keys to authorized_keys has been added
  • Macro glibc_tunables_env has been added

Patch changes:

  • Rule Modify Shell Configuration File changed its output fields
  • Rule Schedule Cron Jobs changed its output fields
  • Rule Read ssh information changed its output fields
  • Rule Change thread namespace changed its output fields
  • Rule Change namespace privileges via unshare changed its output fields
  • Rule Launch Privileged Container changed its output fields
  • Rule Launch Excessively Capable Container changed its output fields
  • Rule System procs network activity changed its output fields
  • Rule Unexpected UDP Traffic changed its output fields
  • Rule Non sudo setuid changed its output fields
  • Rule Create files below dev changed its output fields
  • Rule Contact EC2 Instance Metadata Service From Container changed its output fields
  • Rule Contact cloud metadata service from container changed its output fields
  • Rule Delete or rename shell history changed its output fields
  • Rule Set Setuid or Setgid bit changed its output fields
  • Rule Network Connection outside Local Subnet changed its output fields
  • Rule Read environment variable from /proc files changed its output fields
  • Rule Exfiltrating Artifacts via Kubernetes Control Plane changed its output fields
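
The bucketing the checker comment above applies (a rule or macro added is a minor change, a rule whose output fields changed is a patch change) can be reproduced from two parsed ruleset documents. The script below is an added example, not the falcosecurity/rules checker's own code. OLD_RULESET and NEW_RULESET are constructed inline as already-parsed YAML (the shape `yaml.safe_load` returns for a rules file); their conditions and outputs are illustrative. Two points are my assumptions rather than anything stated on this page: a removed rule, macro or list is treated as a major change, and "output fields" are taken to be the `%field` tokens in a rule's output string. A `required_engine_version` change is reported in a separate "review" bucket rather than classified, since that is what is under discussion in this PR.

```python
"""Diff two Falco ruleset documents and bucket the differences the way the
rules-checker comment does: rule/macro added -> minor, rule output fields
changed -> patch. A required_engine_version change is reported separately.

Added example, not the falcosecurity/rules checker. OLD_RULESET/NEW_RULESET
are constructed, already-parsed YAML; conditions and outputs are illustrative.
Assumptions: a removed rule/macro/list is a major change; output fields are
the %-tokens found in the output string.
"""
import re
from typing import Dict, List, Optional

Ruleset = List[dict]

# Constructed "before" and "after" documents, not real falcosecurity/rules content.
OLD_RULESET: Ruleset = [
    {"required_engine_version": 26},
    {"macro": "open_read",
     "condition": "evt.type in (open,openat,openat2) and evt.is_open_read=true"},
    {"rule": "Read sensitive file untrusted",
     "desc": "constructed example rule",
     "condition": "open_read and fd.name startswith /etc/shadow",
     "output": "Sensitive file opened for reading (file=%fd.name user=%user.name proc=%proc.cmdline)",
     "priority": "WARNING"},
]
NEW_RULESET: Ruleset = [
    {"required_engine_version": "0.31.0"},
    {"macro": "open_read",
     "condition": "evt.type in (open,openat,openat2) and evt.is_open_read=true"},
    {"macro": "containerd_activities", "condition": "proc.name = containerd"},
    {"rule": "Read sensitive file untrusted",
     "desc": "constructed example rule",
     "condition": "open_read and fd.name startswith /etc/shadow",
     "output": "Sensitive file opened for reading (file=%fd.name user=%user.name "
               "proc=%proc.cmdline container_id=%container.id image=%container.image.repository)",
     "priority": "WARNING"},
    {"rule": "Adding ssh keys to authorized_keys",
     "desc": "constructed example rule",
     "condition": "evt.type in (open,openat,openat2) and fd.name endswith authorized_keys",
     "output": "ssh key added (file=%fd.name proc=%proc.cmdline)",
     "priority": "WARNING"},
]

# Assumption: output fields look like %field.name or %field.name[arg].
FIELD_RE = re.compile(r"%[A-Za-z0-9_.]+(?:\[[^\]]*\])?")


def _index(ruleset: Ruleset, kind: str) -> Dict[str, dict]:
    """Map name -> item for every top-level 'rule', 'macro' or 'list' entry."""
    return {item[kind]: item for item in ruleset if isinstance(item, dict) and kind in item}


def _required_engine_version(ruleset: Ruleset) -> Optional[str]:
    for item in ruleset:
        if isinstance(item, dict) and "required_engine_version" in item:
            return str(item["required_engine_version"])
    return None


def output_fields(output: str) -> List[str]:
    """The set of %-fields referenced by an output string, sorted for comparison."""
    return sorted(set(FIELD_RE.findall(output)))


def classify(old: Ruleset, new: Ruleset) -> Dict[str, List[str]]:
    """Bucket changes by semver level; 'review' holds what this script does not classify."""
    findings: Dict[str, List[str]] = {"major": [], "minor": [], "patch": [], "review": []}
    for kind in ("rule", "macro", "list"):
        before, after = _index(old, kind), _index(new, kind)
        label = kind.capitalize()
        for name in sorted(after.keys() - before.keys()):
            findings["minor"].append(f"{label} {name} has been added")
        for name in sorted(before.keys() - after.keys()):
            findings["major"].append(f"{label} {name} has been removed")  # assumption
        for name in sorted(before.keys() & after.keys()):
            b, a = before[name], after[name]
            if kind == "rule" and output_fields(b.get("output", "")) != output_fields(a.get("output", "")):
                findings["patch"].append(f"Rule {name} changed its output fields")
            if b.get("condition") != a.get("condition") or b.get("items") != a.get("items"):
                findings["review"].append(f"{label} {name} changed its definition")
    old_rev, new_rev = _required_engine_version(old), _required_engine_version(new)
    if old_rev != new_rev:
        findings["review"].append(
            f"required_engine_version changed from {old_rev} to {new_rev}: "
            "the ruleset will not load on Falco builds with an older engine")
    return findings


def suggested_bump(findings: Dict[str, List[str]]) -> str:
    """Highest non-empty bucket among major/minor/patch, ignoring 'review'."""
    for level in ("major", "minor", "patch"):
        if findings[level]:
            return level
    return "none"


if __name__ == "__main__":
    result = classify(OLD_RULESET, NEW_RULESET)
    for level, items in result.items():
        for item in items:
            print(f"{level:6} {item}")
    print("suggested version bump:", suggested_bump(result))
```

Running it against the two constructed documents lists the added macro and rule under minor, the output-field change under patch, and the `required_engine_version` bump under review, so the semver suggestion alone says "minor" even though the engine bump is the change that breaks older Falco installs; that gap is exactly the point leogr raises further down the thread.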

leogr (Member) previously approved these changes Jan 15, 2024

👍

@poiana

poiana commented Jan 15, 2024

LGTM label has been added.

Git tree hash: 57b89f0390a8068b4839dfdaa10e990c37be61e1

@leogr (Member) commented Jan 15, 2024

@Andreagit97

This change makes the rulesets incompatible with Falco 0.36 (that's fine anyway). Thus, this requires:

Note:
This doc https://github.com/falcosecurity/rules/blob/main/RELEASE.md#versioning-a-ruleset states that it would be enough to just bump the minor version. I don't recall why, but I don't think bumping just the minor is enough. Perhaps we have to update the release doc. cc @LucaGuerra @jasondellaluce

@incertum (Contributor) left a review comment

LGTM from my side!

@incertum (Contributor)

@leogr perhaps we should add another badge "Compatible Falco Version" see the other readme update PR we are staging.

Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
@Andreagit97 (Member Author)

> to update https://github.com/falcosecurity/rules/blob/main/.github/FALCO_VERSIONS with the supported versions of Falco (ie. master and 0.37 once released)

Done, we will need to add Falco 0.37.0 when released

/unhold

Could you please re-approve?


Rules files suggestions

falco_rules.yaml

Comparing f0453c24daffcca70afc937ce6f9ff99201134b6 with latest tag falco-rules-2.0.0

Minor changes:

  • Macro containerd_activities has been added

Patch changes:

  • Rule Directory traversal monitored file read changed its output fields
  • Rule Read sensitive file trusted after startup changed its output fields
  • Rule Read sensitive file untrusted changed its output fields
  • Rule Contact K8S API Server From Container changed its output fields
  • Rule Clear Log Activities changed its output fields
  • Rule Create Symlink Over Sensitive Files changed its output fields
  • Rule Create Hardlink Over Sensitive Files changed its output fields
  • Rule Packet socket created in container changed its output fields
  • Rule Redirect STDOUT/STDIN to Network Connection in Container changed its output fields
  • Rule Linux Kernel Module Injection Detected changed its output fields
  • Rule Detect release_agent File Container Escapes changed its output fields
  • Rule PTRACE attached to process changed its output fields
  • Rule PTRACE anti-debug attempt changed its output fields
  • Rule Disallowed SSH Connection Non Standard Port changed its output fields

falco-sandbox_rules.yaml

Comparing f0453c24daffcca70afc937ce6f9ff99201134b6 with latest tag falco-sandbox-rules-2.0.0

Patch changes:

  • Rule Unexpected inbound connection source changed its output fields
  • Rule Read Shell Configuration File changed its output fields
  • Rule Update Package Repository changed its output fields
  • Rule Write below binary dir changed its output fields
  • Rule Write below monitored dir changed its output fields
  • Rule Write below etc changed its output fields
  • Rule Write below root changed its output fields
  • Rule Write below rpm database changed its output fields
  • Rule Modify binary dirs changed its output fields
  • Rule Mkdir binary dirs changed its output fields
  • Rule Launch Sensitive Mount Container changed its output fields
  • Rule Launch Disallowed Container changed its output fields
  • Rule Interpreted procs inbound network activity changed its output fields
  • Rule Interpreted procs outbound network activity changed its output fields
  • Rule Unexpected K8s NodePort Connection changed its output fields
  • Rule Create Hidden Files or Directories changed its output fields
  • Rule Detect outbound connections to common miner pool ports changed its output fields
  • Rule Container Drift Detected (chmod) changed its output fields
  • Rule Container Drift Detected (open+create) changed its output fields
  • Rule Unprivileged Delegation of Page Faults Handling to a Userspace Process changed its output fields
  • Rule Java Process Class File Download changed its output fields
  • Rule Modify Container Entrypoint changed its output fields
  • Rule BPF Program Not Profiled changed its output fields

falco-incubating_rules.yaml

Comparing f0453c24daffcca70afc937ce6f9ff99201134b6 with latest tag falco-incubating-rules-2.0.0

Minor changes:

  • Rule Adding ssh keys to authorized_keys has been added
  • Rule Potential Local Privilege Escalation via Environment Variables Misuse has been added
  • Macro glibc_tunables_env has been added

Patch changes:

  • Rule Modify Shell Configuration File changed its output fields
  • Rule Schedule Cron Jobs changed its output fields
  • Rule Read ssh information changed its output fields
  • Rule Change thread namespace changed its output fields
  • Rule Change namespace privileges via unshare changed its output fields
  • Rule Launch Privileged Container changed its output fields
  • Rule Launch Excessively Capable Container changed its output fields
  • Rule System procs network activity changed its output fields
  • Rule Unexpected UDP Traffic changed its output fields
  • Rule Non sudo setuid changed its output fields
  • Rule Create files below dev changed its output fields
  • Rule Contact EC2 Instance Metadata Service From Container changed its output fields
  • Rule Contact cloud metadata service from container changed its output fields
  • Rule Delete or rename shell history changed its output fields
  • Rule Set Setuid or Setgid bit changed its output fields
  • Rule Network Connection outside Local Subnet changed its output fields
  • Rule Read environment variable from /proc files changed its output fields
  • Rule Exfiltrating Artifacts via Kubernetes Control Plane changed its output fields

@poiana poiana added the lgtm label Jan 16, 2024
@poiana

poiana commented Jan 16, 2024

LGTM label has been added.

Git tree hash: b5ebc829f5399086949a65360321d4a1628067f7

@poiana

poiana commented Jan 16, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@leogr leogr added this to the falco-0.37-rules milestone Jan 16, 2024
@poiana poiana merged commit c39d31a into falcosecurity:main Jan 16, 2024
11 checks passed
Labels: approved, area/maturity-deprecated, area/maturity-incubating, area/maturity-sandbox, area/maturity-stable, area/rules, dco-signoff: yes, kind/feature, lgtm, size/XS

5 participants