From 9bc942c654cf43f32795e7ba7b78df4c767f1e46 Mon Sep 17 00:00:00 2001
From: Leonardo Di Donato <leodidonato@gmail.com>
Date: Fri, 11 Jun 2021 13:20:09 +0000
Subject: [PATCH] new(rules): detect unprivileged (successful) userfaultfd
 syscalls

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
---
 rules/falco_rules.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index c3a593de782..47d7d0aad84 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -3056,6 +3056,16 @@
   priority: WARNING
   tags: [container, cis, mitre_lateral_movement]
 
+- rule: Unprivileged Delegation of Page Faults Handling to a Userspace Process
+  desc: Detect a successful unprivileged userfaultfd syscall which might act as an attack primitive to exploit other bugs
+  condition: >
+    evt.type = userfaultfd and
+    user.uid != 0 and
+    (evt.rawres >= 0 or evt.res != -1)
+  output: An userfaultfd syscall was successfully executed by an unprivileged user (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
+  priority: CRITICAL
+  tags: [process, mitre_defense_evasion]
+
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.