From 33974c6912917f240641cdeb2a92e52d77a7bb37 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Tue, 1 Aug 2017 18:02:23 -0700
Subject: [PATCH] More server progs

- add ssmtp.postinst as a mail config program
- allow runsv to write below etc
- allow a2enmod to spawn shells
- add additional shell cmdline

---
 rules/falco_rules.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index a0c858d7..c0699111 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -211,7 +211,7 @@
 - list: sendmail_config_binaries
   items: [
     update_conf, parse_mc, makemap_hash, newaliases, update_mk, update_tlsm4,
-    update_db, update_mc
+    update_db, update_mc, ssmtp.postinst
   ]
 
 - list: make_binaries
@@ -370,7 +370,7 @@
     apparmor_parser, update-mime, tzdata.config, tzdata.postinst,
     systemd, systemd-machine, systemd-sysuser,
     debconf-show, rollerd, bind9.postinst, sv,
-    gen_resolvconf., update-ca-certi, certbot)
+    gen_resolvconf., update-ca-certi, certbot, runsv)
     and not proc.pname in (sysdigcloud_binaries)
     and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d)
     and not ansible_running_python
@@ -515,7 +515,7 @@
     init, pluto, mkinitramfs, unattended-upgr, watch, sysdig, landscape-sysin,
     nessusd, PM2, syslog-summary, erl_child_setup, npm, cloud-init, toybox,
     ceph, hhvm, certbot, mysql_install_d,
-    serf
+    serf, a2enmod
   ]
 
 - rule: Run shell untrusted
@@ -627,6 +627,7 @@
     '"sh -c node index.js"', '"sh -c node index"', '"sh -c node ./src/start.js"',
+    '"sh -c node app.js"',
     '"sh -c node -e \"require(''nan'')\")"', '"sh -c node $NODE_DEBUG_OPTION index.js "', '"sh -c crontab -l 2"',
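Review bot: The new `ssmtp.postinst` entry in `sendmail_config_binaries` (and likewise `runsv` and `a2enmod` in the next two hunks) widens an exception keyed on process name alone, so any process whose name matches inherits the exemption, yet none of the three additions records why that program needs it. The list is a flat set of names with no per-entry rationale, which makes it hard for a later reviewer to prune stale entries; a one-line YAML comment above the addition, e.g. `# ssmtp.postinst: package configure step that rewrites mail config (see commit message)`, would carry that. The surrounding entries also show that names longer than 15 characters appear truncated (`update-ca-certi`, `unattended-upgr`), so it is worth stating in the comment that `ssmtp.postinst` fits within that limit and is matched in full.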
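Review bot: Adding `runsv` to the `proc.name in (...)` exception exempts every write below /etc by that supervisor, whereas runsv presumably only needs the status and control files under its per-service supervise directories. This hunk already shows the narrower, path-scoped form of exception with `and not fd.directory in (/etc/cassandra, ...)`, so a combined test such as `and not (proc.name = runsv and fd.directory startswith <runit service dir>)` would keep the rule active for any other location runsv writes to. The condition this hunk belongs to starts and ends outside the hunk, so the rule name it feeds is not visible here.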
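Review bot: `a2enmod` is added on its own to the list of parents allowed to spawn a shell, but on Debian-style Apache installs the sibling helpers (`a2dismod`, `a2ensite`, `a2dissite`, `a2enconf`, `a2disconf`) are typically invoked the same way and, if they are present on the monitored hosts, would presumably still trigger `Run shell untrusted` below. Either add them alongside `serf, a2enmod` or record why only `a2enmod` is covered, e.g. `# a2enmod: spawns sh during Apache module enable; sibling a2* helpers intentionally not exempted`. The enclosing list header is outside the hunk, so its name and any existing comment cannot be checked here.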