Thomas Labarussias (Issif)
Talos

cat << EOF > patch.yaml
cluster:
  proxy:
    disabled: true
  network:
    cni:
      name: none
- rule: Launch Ingress Remote File Copy Tools in Container
  desc: >
    Detect ingress remote file copy tools (such as curl or wget) launched inside containers. This rule can be
    considered a valuable auditing tool, but it has the potential to generate notable noise and requires careful
    profiling before full operationalization.
  condition: >
    spawned_process
    and container
    and (ingress_remote_file_copy_procs or curl_download)
    and not user_known_ingress_remote_file_copy_activities

{
  "hostname": "falco-6vmwl",
  "output": "15:26:08.771336620: Notice Ingress remote file copy tool launched in container (user=sonarqube user_loginuid=-1 command=wget --no-proxy --quiet -O /dev/null --timeout=1 --header=X-Sonar-Passcode: define_it http://10.X.Y.Z:9000/api/system/liveness pid=73098 parent_process=sh container_id=e5824e25f127 container_name=sonarqube image=docker.io/library/sonarqube:10.1.0-community exe_flags=0) k8s.ns=sonarqube k8s.pod=sonarqube-sonarqube-0 container=e5824e25f127",
  "priority": "Notice",
  "rule": "Launch Ingress Remote File Copy Tools in Container",
  "source": "syscall",
  "tags": [
    "TA0011",
    "container",
    "mitre_command_and_control",

{
  "annotations": {
    "list": [
      {
        "builtIn": 1,
        "datasource": {
          "type": "grafana",
          "uid": "-- Grafana --"
        },
        "enable": true,