Add xz-backdoor alerting rule. (#1206)

* Added xz-backdoor alerting rule. * Check if this fixes linter error.
giantswarm · Jun 3, 2024 · 1b32dc4 · 1b32dc4
1 parent 80d4281
commit 1b32dc4
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Added a new alerting rule to `falco.rules.yml` to fire an alert for XZ-backdoor.
+
 ## [4.1.2] - 2024-05-31
 
 ### Changed

diff --git a/helm/prometheus-rules/templates/platform/shield/alerting-rules/falco.rules.yml b/helm/prometheus-rules/templates/platform/shield/alerting-rules/falco.rules.yml
@@ -59,3 +59,18 @@ spec:
         severity: notify
         team: shield
         topic: security
+    - alert: FalcoXZBackdoorAlert
+      annotations:
+        description: |-
+          {{`{{ if eq $labels.k8s_pod_name "<NA>" }}The Falco rule {{ $labels.rule }} was triggered on the node {{ $labels.node }}.
+          {{else}}Pod {{ $labels.k8s_ns_name }}/{{ $labels.k8s_pod_name }} triggered the Falco rule {{ $labels.rule }} on the node {{ $labels.node }}.{{ end }}`}}
+        opsrecipe: falco-alert/
+      expr: falco_events{rule="Backdoored library loaded into SSHD (CVE-2024-3094)"} > 0
+      labels:
+        area: kaas
+        cancel_if_cluster_status_creating: "false"
+        cancel_if_cluster_status_deleting: "false"
+        cancel_if_cluster_status_updating: "false"
+        severity: notify
+        team: shield
+        topic: security