Commit Graph

737 Commits

Author SHA1 Message Date
Mark Stemm
08afb75009 Add /etc/hrmconfig as a safe directory.
Used by docker swarm http routing mesh.
2017-10-09 09:20:41 -07:00
Mark Stemm
823c105f54 Let systemd-udevd spawn shells 2017-10-09 09:20:41 -07:00
Mark Stemm
bde8d67330 Let psql read sensitive files. 2017-10-09 09:20:41 -07:00
Mark Stemm
9504d420f0 Add more jenkins spawners.
Jenkins spawns shells via script.sh, so allow it.
2017-10-09 09:20:41 -07:00
Mark Stemm
4f5ab79c69 Add xray-rabbitmq shell spawning programs.
They have names {1234}_scheduler and need to be quoted as they start
with digits.
2017-10-09 09:20:41 -07:00
Mark Stemm
6540a856fa Let adclient write below etc. 2017-10-09 09:20:41 -07:00
Mark Stemm
c3c171c7e5 More centrify changes.
Add crlutil as a program that can modify below etc.

Let centrify programs modify below etc.

Add more info for writes below etc to track etc writers through scripts.

Increase the level of debugging for shells.
2017-10-09 09:20:41 -07:00
Mark Stemm
011cb2f030 Also let mailq setuid.
Similar to showq
2017-10-09 09:20:41 -07:00
Mark Stemm
59ab40d457 Let centrify spawn shells.
This is higher up than other programs.
2017-10-09 09:20:41 -07:00
Mark Stemm
cf5397f701 Change level for sshkit binaries.
It's actually the programs spawned by sshkit scripts that modify files
below /etc.
2017-10-09 09:20:41 -07:00
Mark Stemm
cff8ca428a The right program was mailq
not smmsp, that was the user.
2017-10-09 09:20:41 -07:00
Mark Stemm
d9cb1e2b27 Let adclient/certutil spawn shells/write below etc
Let adclient/certutil spawn shells and write below etc.
2017-10-09 09:20:41 -07:00
Mark Stemm
96992d7ac3 Add scripts possibly run by sshkit
Some general management scripts, possibly run by sshkit (need to check).
2017-10-09 09:20:41 -07:00
Mark Stemm
a22099c8c3 Let adclient spawn shells.
It's not direct, hence the run_by_adclient macro.
2017-10-09 09:20:41 -07:00
Mark Stemm
0e009fc89a Let smmsp setuid.
Another sendmail binary.
2017-10-09 09:20:41 -07:00
Mark Stemm
1a41eeada7 Add ability to augment sensitive file reads
Similar to user_known_write_etc_conditions, add the ability to easily
override sensitive file reads in a second rules file.
2017-10-09 09:20:41 -07:00
Mark Stemm
fefb8ba614 Allow puppet to run shells.
Similar model as chef/qualys/etc.
2017-10-09 09:20:41 -07:00
Mark Stemm
2bc9d35d37 Let nfsnobody become themself. 2017-10-09 09:20:41 -07:00
Mark Stemm
09748fcbb3 Allow writes to /etc/motd
These files are relatively innocuous.
2017-10-09 09:20:41 -07:00
Mark Stemm
a0e88417fc Add more container innocuous cmdlines
Various uname -x variants and ruby version.
2017-10-09 09:20:41 -07:00
Mark Stemm
e44ce9a8d3 Add calico/node as a trusted container.
It generally needs to run privileged.
2017-10-09 09:20:41 -07:00
Mark Stemm
c4c5d2f585 Let chef read sensitive files
Add the macro run_by_chef to the set of exclusions for reading sensitive
files.
2017-10-09 09:20:41 -07:00
Mark Stemm
340ee2ece7 Add general ability to augment write_etc_common
Add a stub macro user_known_write_etc_conditions that allows easy
additions to write_etc_common in a separate rules file.
2017-10-09 09:20:41 -07:00
Mark Stemm
00dd3c47c0 Allow systemd --version as a "user mgmt binary"
systemd --version might be run in some unusual containerized
environments, so exclude it.
2017-10-09 09:20:41 -07:00
Mark Stemm
7c8a85158a Decrease terminal shell in container to debug
From notice. That way the two main shell-related policies are both at
debug.
2017-10-09 09:20:41 -07:00
Mark Stemm
d0650688d5 Let mysql_ssl_rsa_s spawn shells
Part of mysql ssl key generation.
2017-10-09 09:20:41 -07:00
Mark Stemm
425196f974 Let weave spawn shells. 2017-10-09 09:20:41 -07:00
Mark Stemm
70d6e8de2f Add more ancestors for tracking. 2017-10-09 09:20:41 -07:00
Mark Stemm
6dfdadf527 Also let runc:[1:CHILD] count as an entrypoint.
Handles cases where we lose system events and have incomplete state.
2017-10-09 09:20:41 -07:00
Mark Stemm
606af16f27 Let updatedb.findut spawn shells. 2017-10-09 09:20:41 -07:00
Mark Stemm
3b5f959de9 Add additional node/edi command lines. 2017-10-09 09:20:41 -07:00
Mark Stemm
a4d3d4d731 Also let docker-runc denote an entrypoint. 2017-10-09 09:20:41 -07:00
Mark Stemm
276ab9139f Let hddtemp.postins(t) write below etc.
dpkg installation script
2017-10-09 09:20:41 -07:00
Mark Stemm
ee02571889 Add x2go binaries as a list
Moving the first program x2goagent into the list.
2017-10-09 09:20:38 -07:00
Mark Stemm
6aa2373acd More x-related shell spawners
Add additional x-related shell spawning programs.
2017-10-09 09:20:00 -07:00
Mark Stemm
b0cf038e1d Another uid to same uid case.
pki-acme.
2017-10-09 09:20:00 -07:00
Mark Stemm
548790c663 Add more run by macros for h2o/Passenger
Add more run_by_xxx macros for h2o/phusion passenger. Handles cases
where the ancestor has a name, but the direct parent is a general
scripting language like ruby/perl/etc.
2017-10-09 09:20:00 -07:00
Mark Stemm
151d1e67c5 Add an additional scripting-running-command combo
Add an additional combination of scripting language like php/python/etc
+ a specific command line to parent_scripting_running_builds.
2017-10-09 09:20:00 -07:00
Mark Stemm
68cca84ba6 Also let tini spawn shells in containers. 2017-10-09 09:20:00 -07:00
Mark Stemm
46f993fa40 Let fluentd write multiple files
Rename fluentd_writing_fluentd_conf to fluentd_writing_conf_files and
add additional files that it can modify below /etc.
2017-10-09 09:20:00 -07:00
Mark Stemm
42167e53cc Let chef write below etc.
New macro run_by_chef is similar to run_by_qualys in that it looks in
various places in the process hierarchy. Use that macro to allow writes
below etc. Will probably add in more places soon.
2017-10-09 09:20:00 -07:00
Mark Stemm
4e7fcf3f88 Let java running sbt spawn shells
New macro parent_java_running_sbt looks for java running sbt
code (https://github.com/sbt/sbt), and use that macro to allow shells.
2017-10-09 09:20:00 -07:00
Mark Stemm
64a014c356 Look for qualys at various places in the hierarchy
Qualys seems to run a variety of shell subprocesses, at various
levels. Add a macro run_by_qualys that checks at a few levels without
the cost of a full proc.aname, which traverses the full parent
hierarchy.
2017-10-09 09:20:00 -07:00
Mark Stemm
ac82dd4b54 Let timeout run shells. 2017-10-09 09:20:00 -07:00
Mark Stemm
70e49161b1 Let pkt-agent become themself. 2017-10-09 09:20:00 -07:00
Mark Stemm
1cdacc1494 Add macro to easily augment shell rule
Add a macro user_shell_container_exclusions that allows a second rules
file to easily extend the shell in container rule without overriding
the entire rule.

Also add an exclusion node_running_edi_dynamodb which can be used for
that macro.
2017-10-09 09:20:00 -07:00
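The pattern several of the commits above describe (a stub macro such as user_known_write_etc_conditions or user_shell_container_exclusions that a second rules file redefines, plus a run_by_qualys macro that checks a few ancestor levels instead of walking the whole chain with proc.aname) looks like the following. This is an added illustration, not a file from the falco repository: the exact conditions of write_etc_common, the shell-in-container rule and run_by_qualys are reconstructed from the commit messages and differ from the real falco_rules.yaml, and the process names in the local file (my_cfg_tool, my_entrypoint.sh) are placeholders.

```yaml
# --- falco_rules.yaml (shape reconstructed from the commit messages) ---

# A macro that can never match; the stubs below default to it.
- macro: never_true
  condition: (evt.num=0)

# Stub hook. Left as never_true here so the base rule is unchanged until a
# later-loaded file redefines the macro.
- macro: user_known_write_etc_conditions
  condition: (never_true)

- macro: user_shell_container_exclusions
  condition: (never_true)

# Check the parent and the next few ancestors by index. proc.aname[N] looks at
# exactly one level, whereas a bare proc.aname compares against every ancestor
# and is more expensive on busy hosts. Process names are truncated to the
# kernel's 16-character comm, hence "qualys-cloud-ag".
- macro: run_by_qualys
  condition: >
    (proc.pname=qualys-cloud-ag or proc.aname[2]=qualys-cloud-ag or
     proc.aname[3]=qualys-cloud-ag or proc.aname[4]=qualys-cloud-ag)

- macro: write_etc_common
  condition: >
    evt.dir=< and evt.type in (open, openat) and evt.is_open_write=true
    and fd.name startswith /etc
    and not run_by_qualys
    and not user_known_write_etc_conditions

- rule: Write below etc
  desc: an attempt to write to any file below /etc
  condition: write_etc_common
  output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
  priority: ERROR

- rule: Terminal shell in container
  desc: A shell was spawned by a non-shell program in a container
  condition: >
    evt.type=execve and evt.dir=< and container.id != host
    and proc.name in (bash, sh, dash)
    and not proc.pname in (bash, sh, dash)
    and not user_shell_container_exclusions
  output: "Shell spawned in a container (user=%user.name container=%container.id shell=%proc.name parent=%proc.pname)"
  priority: DEBUG

# --- falco_rules.local.yaml (loaded after the base file) ---
# Redefining a macro with the same name replaces the earlier definition, so
# only the hook changes; the rules that reference it are left untouched.
# Values below are placeholders for a site's own known-good processes.
- macro: user_known_write_etc_conditions
  condition: (proc.name=my_cfg_tool and fd.name startswith /etc/myapp)

- macro: user_shell_container_exclusions
  condition: (proc.pname=my_entrypoint.sh)
```

Load order matters: pass the base file first and the local file second (for example `-r falco_rules.yaml -r falco_rules.local.yaml`), otherwise the base file's never_true stub wins. Keeping the exclusions in the hook rather than editing write_etc_common means the base rule can be updated without merging local changes back in each time.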
Mark Stemm
ca9e1ebfef Add x2go programs
They can spawn shells in and out of containers.
2017-10-09 09:20:00 -07:00
Mark Stemm
6be38a3237 Add more nomachine binaries.
Also let nomachine binaries write below /etc.
2017-10-09 09:20:00 -07:00
Mark Stemm
bf1f2cb2fd Let coreos update_engine write below dev. 2017-10-09 09:19:59 -07:00
Mark Stemm
ac70325522 Add more debugging for shells
Used to track down deeper chains of shells for things like ansible, chef.
2017-10-09 09:19:59 -07:00