Cloud Native Security Hub is a platform for discovering and sharing rules and configurations for cloud native security tools.
This repository contains all the security resources that are displayed on https://securityhub.dev
You can use the following template or copy from any existing resource.
```yaml
apiVersion: v1
kind: FalcoRules
vendor: Apache # The provider name: is the resource shipped by the vendor or by the community?
name: Apache # The name of the resource: is it for a product, or does it protect against a CVE?
shortDescription: Falco rules for securing Apache HTTP Server # What does this resource do?
version: 1.0.0 # The version of the security resource
description: |
  # This is markdown!
  Add *anything* you want and it will be rendered on the security hub!
keywords: # A list of keywords. See the categories on https://securityhub.dev
  - web
icon: # A reference to an icon or an image for the rule
maintainers: # Who maintains this rule?
  - name: Nestor Salceda # Maintainer
    link: https://github.com/nestorsalceda # Their GitHub link
  - name: Fede Barcelona
    link: https://github.com/tembleking
rules:
  - raw: |
      # Here goes the Falco rule itself, written in YAML. Any macro or list the
      # condition references (here app_apache and apache_allowed_inbound_ports_tcp)
      # that Falco's default rules do not define must be defined in this same block,
      # or Falco will refuse to load the rule.
      - rule: Unexpected inbound tcp connection apache
        desc: Detect inbound traffic to apache using tcp on a port outside of expected set
        condition: inbound and evt.rawres >= 0 and not fd.sport in (apache_allowed_inbound_ports_tcp) and app_apache
        output: Inbound network connection to apache on unexpected port (command=%proc.cmdline pid=%proc.pid connection=%fd.name sport=%fd.sport user=%user.name %container.info image=%container.image)
        priority: NOTICE
```
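Before submitting a resource it is worth checking two things the template cannot enforce on its own: that every key the hub expects is present, and that every macro or list a Falco condition references is actually defined, either in the same `raw` block or by Falco's stock `falco_rules.yaml` (the template's rule above references `app_apache` and `apache_allowed_inbound_ports_tcp` without defining them). The following lint is an added example, not tooling from this repository or from Falco. It takes the resource as an already-parsed dict and works on the raw rules text directly, so it needs no YAML library; the `UPSTREAM_MACROS` set and the list/macro definitions in `COMPLETE_RULE` are illustrative assumptions, not the hub's published Apache rules.

```python
"""Lint a Security Hub resource: required keys, version format, and whether the
macros/lists used in raw Falco conditions are defined. Constructed example."""
import re

REQUIRED_KEYS = ("apiVersion", "kind", "vendor", "name", "shortDescription",
                 "version", "description", "keywords", "maintainers", "rules")
# Operators and literals that may legitimately appear bare in a Falco condition.
FALCO_KEYWORDS = frozenset({"and", "or", "not", "in", "intersects", "exists",
                            "contains", "icontains", "startswith", "endswith",
                            "glob", "pmatch", "true", "false"})
# Assumption: hub rules are loaded alongside Falco's stock falco_rules.yaml, which
# defines these macros. Pass your own set if the rules are loaded on their own.
UPSTREAM_MACROS = frozenset({"inbound", "outbound", "container", "spawned_process"})

_DEF_RE = re.compile(r"^\s*-\s*(?:macro|list):\s*(\S+)", re.M)
_COND_RE = re.compile(r"^(\s*)condition:\s*(.*)$")
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")
_QUOTED_RE = re.compile(r"\"[^\"]*\"|'[^']*'")


def conditions(raw):
    """Yield each condition in a raw rules block, joining folded (>) / literal (|) scalars."""
    lines, i = raw.splitlines(), 0
    while i < len(lines):
        m = _COND_RE.match(lines[i])
        i += 1
        if not m:
            continue
        indent, value = len(m.group(1)), m.group(2).strip()
        parts = [] if value in ("", ">", "|") else [value]
        while i < len(lines) and lines[i].strip() and len(lines[i]) - len(lines[i].lstrip()) > indent:
            parts.append(lines[i].strip())
            i += 1
        yield " ".join(parts)


def referenced_names(condition):
    """Bare identifiers that must resolve to a macro or list: not a field (no dot), not an
    operator, not a quoted literal. Unquoted list items count as names, so quote literals."""
    text = _QUOTED_RE.sub('""', condition)
    return {t for t in _IDENT_RE.findall(text)
            if "." not in t and t.lower() not in FALCO_KEYWORDS}


def undefined_references(raw, known=UPSTREAM_MACROS):
    """Names used in conditions that neither this block nor the known set defines."""
    defined = set(_DEF_RE.findall(raw)) | set(known)
    missing = set()
    for cond in conditions(raw):
        missing |= referenced_names(cond) - defined
    return sorted(missing)


def check_resource(resource, known=UPSTREAM_MACROS):
    """Return a list of problems; an empty list means the resource passes."""
    problems = [f"missing required key: {k}" for k in REQUIRED_KEYS if k not in resource]
    if not re.fullmatch(r"\d+\.\d+\.\d+", str(resource.get("version", ""))):
        problems.append("version must be MAJOR.MINOR.PATCH")
    for i, entry in enumerate(resource.get("rules") or []):
        raw = entry.get("raw", "") if isinstance(entry, dict) else ""
        if not raw.strip():
            problems.append(f"rules[{i}] has no raw Falco rules")
            continue
        for name in undefined_references(raw, known):
            problems.append(f"rules[{i}] references undefined macro or list: {name}")
    return problems


# The template's raw block as shown above: it references two names it never defines.
TEMPLATE_RULE = """\
- rule: Unexpected inbound tcp connection apache
  desc: Detect inbound traffic to apache using tcp on a port outside of expected set
  condition: inbound and evt.rawres >= 0 and not fd.sport in (apache_allowed_inbound_ports_tcp) and app_apache
  output: Inbound network connection to apache on unexpected port (command=%proc.cmdline pid=%proc.pid)
  priority: NOTICE
"""

# Constructed completion; the list contents and macro condition are illustrative.
COMPLETE_RULE = """\
- list: apache_allowed_inbound_ports_tcp
  items: [80, 443]
- macro: app_apache
  condition: proc.name in ("httpd", "apache2")
- rule: Unexpected inbound tcp connection apache
  desc: Detect inbound traffic to apache using tcp on a port outside of expected set
  condition: >
    inbound and evt.rawres >= 0
    and not fd.sport in (apache_allowed_inbound_ports_tcp)
    and app_apache
  output: Inbound network connection to apache on unexpected port (command=%proc.cmdline pid=%proc.pid)
  priority: NOTICE
"""

# The template's top-level fields, as a parsed dict (constructed from the template above).
TEMPLATE_RESOURCE = {
    "apiVersion": "v1", "kind": "FalcoRules", "vendor": "Apache", "name": "Apache",
    "shortDescription": "Falco rules for securing Apache HTTP Server", "version": "1.0.0",
    "description": "# This is markdown!", "keywords": ["web"],
    "maintainers": [{"name": "Nestor Salceda", "link": "https://github.com/nestorsalceda"}],
    "rules": [{"raw": TEMPLATE_RULE}],
}
```

`check_resource(TEMPLATE_RESOURCE)` reports the two undefined names; swapping in `COMPLETE_RULE` yields an empty list. Falco itself rejects a rules file that references an undefined macro or list at load time, so running a check like this before opening a pull request saves a round trip. Note also the `evt.rawres >= 0` clause in the condition: it drops failed `accept`/`connect` syscalls, so the rule only fires on connections that were actually established.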
Contributors are welcome!
See CONTRIBUTING.md for details.