Added rule to detect LKM module injects using insmod used by rootkits for kernel hooking

[josehelps]

What type of PR is this?

/kind rule-create

Any specific area of the project related to this PR?

/area rules

What this PR does / why we need it:

This PR adds a new falco rule that looks for when insmod is called as part of a execve event. Injecting LKM modules on (post build) running production instances should be rare and is a common way for rootkits that employ kernel hooking to obfuscate themselves.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

This is my first PR please let me know if I missed anything 😇

Does this PR introduce a user-facing change?:

Yes new rule in falco_rules.yml

rule(Linux Kernel Module injection detected): adds a new rule that detects when a LKM module is inject using insmod typically used by rookits looking to obfuscate their behavior via kernel hooking. 

[poiana]

@d1vious: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[poiana]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign mstemm
You can assign the PR to them by writing /assign @mstemm in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• rules/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[poiana]

Welcome @d1vious! It looks like this is your first PR to falcosecurity/falco 🎉

[josehelps]

Added a commit with the DOC sign-off, also:
/assign @mstemm

[leogr]

/cc @Kaizhe

[csschwe]

It would be good to add user_loginuid=%user.loginuid to the rule so that we would know if a particular account started the process or not. example: user4 was logged in/hacked, elevated privledges and executed the command/rootkit.

[josehelps]

@csschwe Great suggestion 👍 , just updated the PR to include that in the output! This is a test I ran:

Sep 10 15:28:04 ip-172-31xxx falco: 15:28:04.191984695: Warning Linux Kernel Module injection using insmod detected (user=root user_loginuid=1000 parent_process=sudo module=rootkit.ko)

[poiana]

@d1vious: Adding label do-not-merge/contains-merge-commits because PR contains merge commits, which are not allowed in this repository.
Use git rebase to reapply your commits on top of the target branch. Detailed instructions for doing so can be found here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[poiana]

Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits.

📝 Please follow instructions in the contributing guide to update your commits with the DCO

Full details of the Developer Certificate of Origin can be found at developercertificate.org.

The list of commits missing DCO signoff:

• 467bbe5 detect insmod trying to inject LKM modules
• 539999c added user login id
• 452ed29 detect insmod trying to inject LKM modules
• 0cc1ba3 Merge branch 'rule_lkm_injection_detected' of github.com:d1vious/falco into rule_lkm_injection_detected
• a27e25c Merge branch 'rule_lkm_injection_detected' of github.com:d1vious/falco into rule_lkm_injection_detected

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[leogr]

Hey @d1vious

First of all, thank you for your contribution!

I have noticed there're merge commits that are not allowed in this repo. Could you rebase and fix that?
Also, please ensure that all commits have been signed off.

[josehelps]

@leogr I cleaned up this in #1401 closing this one for now.