rebalance system calls

Author: wurstbrot

src/assets/YAML/default/Implementation/InfrastructureHardening.yaml

@@ -194,21 +194,22 @@ Implementation:
       isImplemented: false
       evidence: ""
       comments: ""
-    Limitation of system calls in virtual environments:
-      risk: System calls in virtual environments like docker can lead to privilege
+    Limitation of system events:
+      risk: System events (system calls) can lead to privilege
         escalation.
-      measure: System calls in virtual environments like docker are audited and limited.
+      measure: System calls are limited.
       difficultyOfImplementation:
-        knowledge: 3
-        time: 3
-        resources: 3
+        knowledge: 2
+        time: 2
+        resources: 1
       usefulness: 5
-      level: 4
+      level: 3
       dependsOn:
-      - Applications are running in virtualized environments
+      - Audit of systemcalls
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/seccomp
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/strace
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/falco
       references:
         samm2:
         - O-EM-1-A

src/assets/YAML/default/InformationGathering/Monitoring.yaml

@@ -45,6 +45,27 @@ Information Gathering:
       isImplemented: false
       evidence: ""
       comments: ""
+    Audit of system events:
+      risk: System events (system calls) trends and attacks are not detected.
+      measure: Gathering of systemcalls.
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 2
+        resources: 2
+      usefulness: 4
+      level: 3
+      dependsOn:
+        - Visualized metrics
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/falco
+      references:
+        samm2:
+          - O-IM-2-A
+        iso27001-2017:
+          - 12.6.1
+      isImplemented: false
+      evidence: ""
+      comments: ""
     Alerting:
       risk: Incidents are discovered after they happened.
       measure: |
@@ -160,6 +181,7 @@ Information Gathering:
       isImplemented: false
       evidence: ""
       comments: ""
+
     Metrics are combined with tests:
       risk: Changes might cause high load due to programming errors.
       measure: Metrics during tests helps to identify programming errors.

src/assets/YAML/default/implementations.yaml

@@ -699,3 +699,9 @@ implementations:
     url: https://github.com/SDA-SE/defectdojo-client
     description: |
       This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner.      
+  falco:
+    name: Falco
+    tags: [falco, systemcall, monitoring]
+    url: https://github.com/falcosecurity/falco
+    description: |
+      Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack.