github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-12 11:32:39 +00:00
Code Issues Projects Releases Wiki Activity

Let yum indirectly run user mgmt binaries

Browse Source 
They run shells that run the user binaries, at various levels in the
process heirarchy.
This commit is contained in:
Mark Stemm 2017-11-07 11:01:23 -08:00
parent 82377348ce
commit 0867245b73
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
rules/falco_rules.yaml
View File

@ -494,6 +494,10 @@
proc.cmdline="groupadd sumologic_collector") and proc.cmdline="groupadd sumologic_collector") and
(proc.pname=secureFiles.sh and proc.aname[2]=java)) (proc.pname=secureFiles.sh and proc.aname[2]=java))
- macro: run_by_yum
condition: ((proc.pname=sh and proc.aname[2]=yum) or
(proc.aname[2]=sh and proc.aname[3]=yum))
# Chef is similar. # Chef is similar.
- macro: run_by_chef - macro: run_by_chef
condition: (proc.aname[2]=chef_command_wr or proc.aname[3]=chef_command_wr or condition: (proc.aname[2]=chef_command_wr or proc.aname[3]=chef_command_wr or
@ -1214,7 +1218,8 @@
not proc.cmdline startswith "useradd -D" and not proc.cmdline startswith "useradd -D" and
not proc.cmdline startswith "systemd --version" and not proc.cmdline startswith "systemd --version" and
not run_by_qualys and not run_by_qualys and
not run_by_sumologic_securefiles not run_by_sumologic_securefiles and
not run_by_yum
output: > output: >
User management binary command run outside of container User management binary command run outside of container
(user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4]) (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])