More shell/build related changes

- Move qualys-cloud-ag to the monitoring_binaries list
 - Add a new list sendmail_config_binaries containing programs that can
   modify files.
 - Make parent_php_running_git a bit more generic for
   parent_php_running_builds and add some additional sub-commands.
Mark Stemm
2017-07-28 16:16:58 -07:00
parent d5a107b15f
commit 9883656882


@@ -200,7 +200,7 @@
items: [bro, broctl]
- list: monitoring_binaries
items: [icinga2, nrpe, npcd, check_sar_perf.]
items: [icinga2, nrpe, npcd, check_sar_perf., qualys-cloud-ag]
- macro: system_procs
condition: proc.name in (coreutils_binaries, user_mgmt_binaries)
@@ -208,6 +208,12 @@
- list: mail_binaries
items: [sendmail, sendmail-msp, postfix, procmail, exim4, pickup, showq]
- list: sendmail_config_binaries
items: [
update_conf, parse_mc, makemap_hash, newaliases, update_mk, update_tlsm4,
update_db, update_mc
]
- list: make_binaries
items: [make, gmake, cmake]
@@ -315,8 +321,11 @@
- macro: parent_java_running_echo
condition: (proc.pname=java and proc.cmdline startswith "sh -c echo")
- macro: parent_php_running_git
condition: (proc.pname in (php,php5-fpm) and proc.cmdline startswith "sh -c git")
- macro: parent_php_running_builds
condition: >
(proc.pname in (php,php5-fpm) and (
proc.cmdline startswith "sh -c git" or
proc.cmdline startswith "sh -c date"))
- macro: parent_ruby_running_gcc
condition: (proc.pname in (ruby,ruby2.3) and proc.cmdline startswith "sh -c gcc")
@@ -400,7 +409,10 @@
tags: [filesystem]
- list: read_sensitive_file_binaries
items: [iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd, vsftpd, systemd, mysql_install_d]
items: [
iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd,
vsftpd, systemd, mysql_install_d
]
- rule: Read sensitive file untrusted
desc: >
@@ -409,7 +421,8 @@
condition: >
sensitive_files and open_read
and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries,
cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries, vpn_binaries)
cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries,
vpn_binaries, sendmail_config_binaries)
and not cmp_cp_by_passwd
and not ansible_running_python
and not proc.cmdline contains /usr/bin/mandb
@@ -502,7 +515,7 @@
init, pluto, mkinitramfs, unattended-upgr, watch, sysdig,
landscape-sysin, nessusd, PM2, syslog-summary, erl_child_setup,
npm, cloud-init, toybox, ceph, hhvm, certbot, mysql_install_d,
qualys-cloud-ag, serf
serf
]
- rule: Run shell untrusted
@@ -521,7 +534,7 @@
and not parent_linux_image_upgrade_script
and not parent_java_running_jenkins
and not parent_java_running_echo
and not parent_php_running_git
and not parent_php_running_builds
and not parent_ruby_running_gcc
and not parent_Xvfb_running_xkbcomp
and not parent_nginx_running_serf
@@ -642,7 +655,7 @@
and not trusted_containers
and not shell_spawning_containers
and not parent_java_running_echo
and not parent_php_running_git
and not parent_php_running_builds
and not parent_ruby_running_gcc
and not parent_Xvfb_running_xkbcomp
and not mysql_image_running_healthcheck
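Review bot: The new `parent_php_running_builds` macro matches on a cmdline prefix, so `sh -c date; <anything>` (and `sh -c git …` followed by any chained command) also satisfies it and suppresses both "Run shell untrusted" and the container-shell rule below for every PHP worker — the process an attacker holding a webshell already controls, and whose cmdline is therefore attacker-chosen. Where the build invocation is fixed the exception should pin the whole command rather than a prefix, e.g. `proc.cmdline startswith "sh -c git " or proc.cmdline = "sh -c date"` (confirm the exact date invocation against the workload that motivated this exception; the trailing space on the git branch at least stops other `git*`-named binaries from matching, though command chaining after git remains a residual gap), and the macro should carry a comment naming that workload, e.g. `# build tooling spawned by PHP workers; keep this tight, a PHP-parented shell is the classic webshell shape`. The same name-only weakness applies to excluding `sendmail_config_binaries` from "Read sensitive file untrusted" via `proc.name` alone, since proc.name is whatever the attacker names the binary; if these helpers are always run by a mail daemon, additionally requiring `proc.pname in (mail_binaries)` would narrow that blind spot. Both rules that consume these macros begin outside the visible hunks.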