Merge branch 'falcosecurity:main' into AddingSshKeysToAuthorizedKeys

README.md

@@ -105,7 +105,7 @@ docker run -it --rm falcosecurity/event-generator run
 
 #### With Kubernetes
 
-It can be deployed in a Kubernetes cluster using the event-generator [helm chart](https://github.com/falcosecurity/charts/tree/master/event-generator).
+It can be deployed in a Kubernetes cluster using the event-generator [helm chart](https://github.com/falcosecurity/charts/tree/master/charts/event-generator).
 Before installing the chart, add the `falcosecurity` charts repository:
 
 ```bash
@@ -139,7 +139,7 @@ The above commands apply to the `event-generator` namespace. Use a different nam
 ## Collections
 
 ### Generate System Call activity
-The `syscall` collection performs a variety of suspect actions detected by the [default Falco ruleset](https://github.com/falcosecurity/falco/blob/master/rules/falco_rules.yaml).
+The `syscall` collection performs a variety of suspect actions detected by the [default Falco ruleset](https://github.com/falcosecurity/rules/tree/main/rules).
 
 ```shell
 $ docker run -it --rm falcosecurity/event-generator run syscall --loop
@@ -149,7 +149,7 @@ The above command loops forever, incessantly generating a sample event each seco
 
 
 ### Generate activity for the k8s audit rules
-The `k8saudit` collection generates activity that matches the [k8s audit event ruleset](https://github.com/falcosecurity/falco/blob/master/rules/k8s_audit_rules.yaml).
+The `k8saudit` collection generates activity that matches the [k8s audit event ruleset](https://github.com/falcosecurity/plugins/blob/master/plugins/k8saudit/rules/k8s_audit_rules.yaml).
 
 Note that all `k8saudit` are disabled by default. To enable them, use the `--all` option.
 

events/README.md

@@ -9,10 +9,15 @@ An *action* is a `func` that implements `events.Action` interface, and when call
 
 ### Choose a package
 
+- The package name should reflect the data source name of the ruleset (ie. `syscall`).
 - Each *action* must be put in a subpackage of `events` that matches the ruleset context.
-- The `helper` subpackage is intended for those actions that does not match a rule, but still be useful to implement other actions.
+- The `helper` subpackage is intended for actions that do not match a rule but can still be useful for implementing other actions.
 - Before adding a new subpackage, propose your motivations to the maintainers.
 
+#### Functions visibility
+
+Only `func`s that implement the `events.Action` interface must be exported by a package. Other utility functions can be included, if needed, stating they are not exported names (a notable example is [syscall/utils_linux.go](https://github.com/falcosecurity/event-generator/blob/main/events/syscall/utils_linux.go)).
+
 ### Naming
 
 - Use the name of the rule the action is intended for, remove all non-alphanumeric characters (eg. `s/[^([:alpha:]|[:digit:]]//g`), and convert it to:
@@ -25,11 +30,20 @@ An *action* is a `func` that implements `events.Action` interface, and when call
 Each action must be registered by calling `events.Register()` or `events.RegisterWithName()` at initialization time, the first one will automatically extracts the name from the `func`'s name. For example:
 
 ```golang
-var _ = events.Register(WriteBelowEtc)
+var _ = events.Register(SystemUserInteractive)
+```
+
+Rules disabled by default or not included in the *stable* ruleset (if the [Rules Maturity Framework applies) must be skipped by default. For example:
+
+```golang
+var _ = events.Register(
+	WriteBelowEtc,
+	events.WithDisabled(), // this rule is not included in falco_rules.yaml (stable rules), so disable the action
+)
 ```
 
 ### Behavior
-Running an *action* should be an idempotent operation, in the sense that it should not have additional effect if it is called more than once.
+Running an *action* should be an idempotent operation in the sense that it should not have additional effects if it is called more than once.
 For this reason, *actions* should revert any operation that changed the state of the system (eg. if a file is created, then it has to be removed). For example:
 
 ```golang

events/syscall/change_namespace_privileges_via_unshare.go

@@ -0,0 +1,42 @@
+//go:build linux
+// +build linux
+
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2024 The Falco Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package syscall
+
+import (
+    "os/exec"
+
+    "github.com/falcosecurity/event-generator/events"
+)
+
+var _ = events.Register(
+	ChangeNamespacePrivilegesViaUnshare,
+        events.WithDisabled(), // this rules is not included in falco_rules.yaml (stable rules), so disable the action
+)
+
+func ChangeNamespacePrivilegesViaUnshare(h events.Helper) error {
+    if h.InContainer() {
+        cmd := exec.Command("unshare")
+
+        h.Log().Infof("Change namespace privileges via unshare")
+
+        if err := cmd.Run(); err != nil {
+            return err
+        }
+	}
+    return nil
+}

events/syscall/create_hardlink_over_sensitive_files.go

@@ -0,0 +1,43 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2024 The Falco Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package syscall
+
+import (
+	"os"
+	"os/exec"
+
+	"github.com/falcosecurity/event-generator/events"
+)
+
+var _ = events.Register(CreateHardlinkOverSensitiveFiles)
+
+func CreateHardlinkOverSensitiveFiles(h events.Helper) error {
+	path, err := exec.LookPath("ln")
+	if err != nil {
+		// if we don't have a ln, just bail
+		return &events.ErrSkipped{
+			Reason: "ln utility not found in path",
+		}
+	}
+
+	tmpDir, err := os.MkdirTemp(os.TempDir(), "event-generator-syscall-CreateHardlinkOverSensitiveFiles")
+	if err != nil {
+		return err
+	}
+	defer os.ReadDir(tmpDir)
+
+	cmd := exec.Command(path, "-v", "/etc", tmpDir+"/etc_link")
+	return cmd.Run()
+}

events/syscall/create_hidden_file_or_directory.go

@@ -0,0 +1,34 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2024 The Falco Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package syscall
+
+import (
+	"os"
+
+	"github.com/falcosecurity/event-generator/events"
+)
+
+var _ = events.Register(
+	CreateHiddenFileOrDirectory,
+	events.WithDisabled(), // this rule is not included in falco_rules.yaml (stable rules), so disable the action
+)
+
+func CreateHiddenFileOrDirectory(h events.Helper) error {
+	// Create a hidden directory
+	const directoryname = "/.created-by-event-generator"
+	h.Log().Infof("Created a hidden directory %s", directoryname)
+	defer os.Remove(directoryname) // Remove after function return
+	return os.Mkdir(directoryname, 0755)
+}

events/syscall/decoding_payload_in_container.go

@@ -0,0 +1,39 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2024 The Falco Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package syscall
+
+import (
+    "os/exec"
+    "github.com/falcosecurity/event-generator/events"
+)
+
+var _ = events.Register(
+    DecodingPayloadInContainer,
+    events.WithDisabled(), // this rule is not included in falco_rules.yaml (stable rules), so disable the action
+)
+
+func DecodingPayloadInContainer(h events.Helper) error {
+    if h.InContainer() {
+        encodedPayload := "ZGVjb2RlZF9ieV9ldmVudC1nZW5lcmF0b3I="
+        cmd := exec.Command("echo", encodedPayload, "|", "base64", "-d")
+
+        err := cmd.Run()
+        if err != nil {
+            return err
+        }
+    }
+
+    return nil
+}

events/syscall/delete_or_rename_shell_history.go

@@ -0,0 +1,47 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2024 The Falco Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package syscall
+
+import (
+    "os"
+    "path/filepath"
+
+    "github.com/falcosecurity/event-generator/events"
+)
+
+var _ = events.Register(
+    DeleteOrRenameShellHistory,
+    events.WithDisabled(), // this rule is not included in falco_rules.yaml (stable rules), so disable the action    
+)
+
+func DeleteOrRenameShellHistory(h events.Helper) error {
+    // Define the path to the file
+    tmpDir := "/tmp"
+    tmpFile := filepath.Join(tmpDir, "ash_history")
+
+    // Create the file
+    file, err := os.Create(tmpFile)
+    if err != nil {
+        return err
+    }
+    file.Close()
+
+    // Remove the file
+    if err := os.Remove(tmpFile); err != nil {
+        return err
+    }
+
+    return nil
+}

events/syscall/kubernetes_client_tool_launched_in_container.go

@@ -0,0 +1,44 @@
+//go:build linux
+// +build linux
+
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2024 The Falco Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package syscall
+
+import (
+	"os/exec"
+
+	"github.com/falcosecurity/event-generator/events"
+)
+
+var _ = events.Register(
+	kubernetesClientToolLaunchedInContainer,
+	events.WithDisabled(), // this rules is not included in falco_rules.yaml (stable rules), so disable the action
+)
+
+func kubernetesClientToolLaunchedInContainer(h events.Helper) error {
+	if h.InContainer() {
+		kubectl, err := exec.LookPath("kubectl")
+		if err != nil {
+			h.Log().Warnf("kubectl is needed to launch this action")
+			return err
+		}
+
+		cmd := exec.Command(kubectl)
+		h.Log().Infof("Kubernetes Client Tool Launched In Container")
+		return cmd.Run()
+	}
+	return nil
+}

events/syscall/launch_remote_file_copy_tools_inside_container.go

@@ -0,0 +1,37 @@
+//go:build linux
+// +build linux
+
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2024 The Falco Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package syscall
+
+import (
+	"os/exec"
+
+	"github.com/falcosecurity/event-generator/events"
+)
+
+var _ = events.Register(
+	LaunchIngressRemoteFileCopyToolsInsideContainer,
+	events.WithDisabled(), // this rules is not included in falco_rules.yaml (stable rules), so disable the action
+)
+
+func LaunchIngressRemoteFileCopyToolsInsideContainer(h events.Helper) error {
+	if h.InContainer() {
+		cmd := exec.Command("wget")
+		return cmd.Run()
+	}
+	return nil
+}