updated falco rules files

Signed-off-by: h4l0gen <[email protected]>

rules/falco-sandbox_rules.yaml

@@ -1943,8 +1943,8 @@
     user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath
     parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
   priority: CRITICAL
-  tags: >
-    [maturity_sandbox, host, container, process, mitre_defense_evasion, TA0005]
+  tags: [
+    maturity_sandbox, host, container, process, mitre_defense_evasion, TA0005]
 
 # This rule helps detect CVE-2021-4034:
 # A privilege escalation to root through memory corruption
@@ -2081,8 +2081,8 @@
     parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
     exe_flags=%evt.arg.flags %container.info)
   priority: INFO
-  tags: >
-    [maturity_sandbox, container, process, mitre_command_and_control, T1132]
+  tags: [
+    maturity_sandbox, container, process, mitre_command_and_control, T1132]
 - list: recon_binaries
   items: [w, whoami, id, who, uname]
 
@@ -2114,5 +2114,5 @@
     parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
     exe_flags=%evt.arg.flags %container.info)
   priority: NOTICE
-  tags: >
-    [maturity_sandbox, host, container, process, mitre_reconnaissance, TA0043]
+  tags: [
+    maturity_sandbox, host, container, process, mitre_reconnaissance, TA0043]

rules/falco_rules.yaml

@@ -402,17 +402,18 @@
     and directory_traversal
     and not proc.pname in (shell_binaries)
 
-    enabled: true
+  enabled: true
     output: Read monitored file via directory traversal
       (file=%fd.name fileraw=%fd.nameraw gparent=%proc.aname[2]
       ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type
       user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid
       process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname
       command=%proc.cmdline terminal=%proc.tty %container.info)
 
-    priority: WARNING
-    tags: [maturity_stable, host, container, filesystem, mitre_credential_access,
-          T1555]
+  priority: WARNING
+  tags: [
+    maturity_stable, host, container, filesystem,
+    mitre_credential_access, T1555]
 
 - macro: cmp_cp_by_passwd
   condition: (proc.name in (cmp, cp) and proc.pname in (passwd, run-parts))
@@ -1441,7 +1442,7 @@
     terminal=%proc.tty %container.info)
   priority: WARNING
   tags: [maturity_stable, host, container, process, mitre_privilege_escalation,
-    T1055.008]
+         T1055.008]
 
 - rule: PTRACE anti-debug attempt
   desc: >
@@ -1492,7 +1493,7 @@
     exe_flags=%evt.arg.flags %container.info)
   priority: WARNING
   tags: [maturity_stable, host, container, process, aws,
-    mitre_credential_access, T1552]
+         mitre_credential_access, T1552]
 
 - rule: Execution from /dev/shm
   desc: >
@@ -1548,18 +1549,18 @@
     and proc.is_exe_upper_layer=true
     and not container.image.repository in (known_drop_and_execute_containers)
   output: Executing binary not part of base image
-  proc_exe=%proc.exe proc_sname=%proc.sname gparent=%proc.aname[2]
-  proc_exe_ino_ctime=%proc.exe_ino.ctime
-  proc_exe_ino_mtime=%proc.exe_ino.mtime
-  proc_exe_ino_ctime_duration_proc_start=%proc.exe_ino.ctime_duration_proc_start
-  proc_cwd=%proc.cwd container_start_ts=%container.start_ts evt_type=%evt.type
-  user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid
-  process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname
-  command=%proc.cmdline terminal=%proc.tty
-  exe_flags=%evt.arg.flags %container.info)
+    proc_exe=%proc.exe proc_sname=%proc.sname gparent=%proc.aname[2]
+    proc_exe_ino_ctime=%proc.exe_ino.ctime
+    proc_exe_ino_mtime=%proc.exe_ino.mtime
+    proc_exe_ino_ctime_duration_proc_start=%proc.exe_ino.ctime_duration_proc_start
+    proc_cwd=%proc.cwd container_start_ts=%container.start_ts evt_type=%evt.type
+    user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid
+    process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname
+    command=%proc.cmdline terminal=%proc.tty
+    exe_flags=%evt.arg.flags %container.info)
   priority: CRITICAL
-  tags: >
-    [maturity_stable, container, process, mitre_persistence,
+  tags: [
+    maturity_stable, container, process, mitre_persistence,
     TA0003, PCI_DSS_11.5.1]
 
 # RFC1918 addresses were assigned for private network usage
@@ -1606,8 +1607,9 @@
     user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath
     parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
   priority: NOTICE
-  tags: >
-    [maturity_stable, host, container, network, process, mitre_execution, T1059]
+  tags: [ 
+    maturity_stable, host, container, network, process, mitre_execution, T1059
+  ]
 
 - list: known_memfd_execution_binaries
   items: []
@@ -1635,5 +1637,6 @@
     command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
     %container.info)
   priority: CRITICAL
-  tags: >
-    [maturity_stable, host, container, process, mitre_defense_evasion, T1620]
+  tags: [
+    maturity_stable, host, container, process, mitre_defense_evasion, T1620
+  ]