PenTestIT RSS Feed
Three days ago, an updated version – Sysdig Falco v0.15.1 – was released. It has been some time since I last blogged about this open source behavioral activity monitor, which has container support. This release remediates integration issues with Anchore by updating the urllib3 and requests Python library versions, in addition to other changes.
What is Sysdig Falco?
> Sysdig Falco is an open source, behavioral activity monitor designed to detect anomalous activity in your applications. This is a project for intrusion and anomaly detection for Cloud Native platforms such as Kubernetes, Mesosphere, and Cloud Foundry.
Rule changes in this release:

- Launch Remote File Copy Tools in Container: could be used to identify exfiltration attacks [#600]
- Create Symlink Over Sensitive Files: can help detect attacks like CVE-2018-15664 [#613] [#637]
- Netcat Remote Code Execution in Container rule. [#617]
- egrep typo. [#617]
- Write below etc exceptions for nginx, rancher [#637] [#648] [#652]

We all know how severe CVE-2018-15664 can be for Docker. This is what NVD has to say about it - “In Docker through 18.06.1-ce-rc2, the API endpoints behind the ‘docker cp’ command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot).”
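To show what a symlink-over-sensitive-files detection looks like in Falco's rule language, and how the kind of per-process exceptions mentioned above (nginx, rancher) are expressed, here is an added example rules file. It is written for this post and is not the rule shipped in the Falco 0.15.1 ruleset; the list contents, the `symlink_allowed_procs` exception list, the rule name suffix and the priority are assumptions chosen for illustration. It uses only standard Falco constructs (`list`, `macro`, `rule`) and event fields (`evt.type`, `evt.dir`, `evt.arg.target`, `evt.arg.linkpath`, `proc.name`, `container.id`) that exist in Falco of this era.

```yaml
# Added example (not part of the Falco project's own rules).
# Load alongside the default ruleset, e.g.:  falco -r falco_rules.yaml -r this_file.yaml

# Constructed list of files an attacker would typically want to
# redirect a host-side read/write to (as in the CVE-2018-15664 docker cp case).
- list: sensitive_file_names
  items: [/etc/shadow, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]

# Constructed list of directory prefixes treated as sensitive.
- list: sensitive_directory_names
  items: [/, /etc, /etc/, /root, /root/]

# Assumed exception list: processes that legitimately create symlinks in
# these locations on your hosts. Mirrors the "exceptions for nginx, rancher"
# pattern from the release notes; tune it to your own environment.
- list: symlink_allowed_procs
  items: [nginx, rancher]

# A symlink is created by the symlink or symlinkat syscall; "evt.dir=<"
# matches the exit event so the arguments are fully populated.
- macro: create_symlink
  condition: evt.type in (symlink, symlinkat) and evt.dir=<

# Target is either exactly a sensitive file or starts with a sensitive
# directory prefix ("pmatch" is prefix match against the list entries).
- macro: symlink_targets_sensitive_path
  condition: >
    (evt.arg.target in (sensitive_file_names) or
     evt.arg.target pmatch (sensitive_directory_names))

- rule: Create Symlink Over Sensitive Files (example)
  desc: >
    Detect a symlink being created whose target is a sensitive file or
    directory, a precursor to symlink-exchange / traversal attacks such as
    CVE-2018-15664. Processes in symlink_allowed_procs are excluded.
  condition: >
    create_symlink and
    symlink_targets_sensitive_path and
    not proc.name in (symlink_allowed_procs)
  output: >
    Symlink created over sensitive file (user=%user.name command=%proc.cmdline
    target=%evt.arg.target linkpath=%evt.arg.linkpath parent=%proc.pname
    container_id=%container.id image=%container.image)
  priority: WARNING
  tags: [filesystem, mitre_exfiltration]
```

The exception is deliberately expressed as a list referenced from the rule's condition rather than hard-coded process names, so that operators can extend it (or override the list in a later rules file) without editing the rule itself; that is also how the upstream ruleset structures its nginx/rancher style exceptions. Test it with `falco -r <rules file> -L` to list the loaded rules, then trigger a benign case such as `ln -s /etc/shadow /tmp/x` from a scratch container to confirm the alert and its output fields.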
Sysdig Falco v0.15.1 (falco-0.15.1.zip/falco-0.15.1.tar.gz) can be downloaded here. If you want to know how to install Sysdig Falco using containers, refer to this page.
The post UPDATE: Sysdig Falco v0.15.1 appeared first on PenTestIT.