Mark Stemm
608d4e234f
Let tini spawn shells
https://github.com/krallin/tini
2017-10-09 09:19:59 -07:00
Mark Stemm
d21fb408d4
Let locales.postins write below /etc
locales.postins also writes intermediate files below /etc/ so just let it
write generally.
2017-10-09 09:19:59 -07:00
Mark Stemm
aaa294abd1
Add additional build-like shells
This time node running git commands.
2017-10-09 09:19:59 -07:00
Mark Stemm
8e46db05c6
More specific control of some /etc files
Add more specific controls of files below /etc, allowing specific
combinations of programs and files:
- start-fluentd can write to /etc/fluent/fluent.conf
- locales.postins can write to /etc/locale.gen
2017-10-09 09:19:59 -07:00
Mark Stemm
4efda9cb97
Add nomachine binaries.
Add a list of nomachine binaries and let them spawn shells, setuid, and
access sensitive files.
2017-10-09 09:19:56 -07:00
Mark Stemm
57c1b33562
Let /etc/locale.gen be written
/etc/locale.gen isn't super critical, so let it be written.
2017-10-09 09:18:53 -07:00
Mark Stemm
75a44a67f9
Use pmatch instead of fd.directory
Use pmatch, which compares a file against a set of prefix paths, instead
of fd.directory. This allows the directories in safe_etc_dirs to be a
prefix of a file instead of just the directory containing a file.
2017-10-09 09:18:53 -07:00
Mark Stemm
fbfd540ad2
More user management exclusions.
Exclude lastlog and useradd -D as they don't change anything.
2017-10-09 09:18:53 -07:00
Mark Stemm
e88c9ec8e3
Add more shell spawners.
awslogs, authconfig
2017-10-09 09:18:53 -07:00
Mark Stemm
3202704950
Add more logging on process ancestors.
Try to find the root process that might be spawning shells/reading
sensitive files.
2017-10-09 09:18:53 -07:00
Mark Stemm
689c02666f
Allow innocuous user management commands
Allow innocuous user management command lines like "passwd -S" (show
status for account).
2017-10-09 09:18:53 -07:00
Mark Stemm
12de2e4119
Make safe etc directories a list.
This way it can more easily be modified/added to.
2017-10-09 09:18:53 -07:00
Mark Stemm
cb7dab61e8
Let chef binaries run shells.
2017-10-09 09:18:50 -07:00
Mark Stemm
9791881444
Let mesos-slave, phusion passenger spawn shells
We already covered mesos-agent, the new name for mesos-slave.
2017-10-09 09:18:07 -07:00
Mark Stemm
84b3543cc0
Let logrotate spawn shells in containers.
2017-10-09 09:17:13 -07:00
Mark Stemm
71fee6753b
Let qualys write below /etc
2017-10-09 09:17:13 -07:00
Mark Stemm
7ff2f66437
Let node running npm spawn shells.
New macro parent_node_running_npm looks for node running npm. Currently
only /usr/local/bin/npm, can add additional well-known paths as needed.
2017-10-09 09:17:13 -07:00
Mark Stemm
1f008d6c39
Let needrestart run shells.
https://github.com/liske/needrestart
2017-10-09 09:17:09 -07:00
Mark Stemm
dc44655ec2
Change how we detect entrypoints.
Move entrypoint detection to its own macro. Also consider something the
entrypoint if its parent is runc:[0:PARENT]. There's a race where
runc:[0:PARENT] exits in parallel with the root program being execd, so
the parent might not exist or might have this name.
2017-10-09 09:16:25 -07:00
Mark Stemm
ef9e045a40
Add more ancestors
Add more ancestors for several rules. Sometimes shells spawn the program
reading the sensitive file, etc.
2017-10-09 09:16:25 -07:00
Mark Stemm
0ec46feef2
Make setuid binaries a list
Move the misc binaries that are allowed to setuid from the rule to its
own list. Makes it easier to add to the list.
2017-10-09 09:16:25 -07:00
Mark Stemm
2ebe9e06a8
More build-related changes + exposing more info
Combine parent_php_running_builds and parent_ruby_running_gcc into a
single parent_scripting_running_builds which handles the general case of
some script running some make/compilation related program. Also add some
build-related command line prefixes.
Allow supervisor-related programs to spawn shells and access sensitive
files.
Allow sendmail config binaries to write below etc directly (their
children already could).
Add some directories related to phusion (system-as-a-container).
For a few rules add parent programs in the output so it's easier to
diagnose the context for an event.
Let varnishd spawn shells.
2017-10-09 09:16:25 -07:00
Mark Stemm
33974c6912
More server progs
- add ssmtp.postinst as a mail config program
- allow runsv to write below etc
- allow a2enmod to spawn shells
- add additional shell cmdline
2017-10-09 09:16:25 -07:00
Mark Stemm
9883656882
More shell/build related changes
- Move qualys-cloud-ag to the monitoring_binaries list
- Add a new list sendmail_config_binaries containing programs that can
modify files.
- Make parent_php_running_git a bit more generic for
parent_php_running_builds and add some additional sub-commands.
2017-10-09 09:16:25 -07:00
Mark Stemm
d5a107b15f
More beta updates, almost all shell related:
- Allow several combinations of scripting programs (ruby, python, etc.)
to run other build-ish commands.
- Let mysql_install_d(b) spawn shells and access sensitive files.
- Let qualys-cloud-ag(ent) spawn shells
- Add a few additional innocuous commandlines
- Let postfix setuid to itself
2017-10-09 09:16:25 -07:00
Mark Stemm
b208008be1
Fix parent_python_running_sdchecks
It was checking the current process instead of the parent, which doesn't
work when you've just done an exec.
2017-10-09 09:16:25 -07:00
Mark Stemm
6397c3a556
Add additional command line.
2017-10-09 09:16:24 -07:00
Mark Stemm
1221399ac5
Allow writes below /etc/nginx/conf.d
The nginx docker hub container will write below that directory at
startup.
2017-10-09 09:16:24 -07:00
Mark Stemm
de3ca31b15
Allow certbot to spawn shells.
Part of Let's Encrypt.
2017-10-09 09:16:24 -07:00
Mark Stemm
463ade2b1d
Add 3dt as a mesos program.
mesos diagnostics service.
2017-10-09 09:16:24 -07:00
Mark Stemm
1c645862e1
Allow systemd-sysuser to write below /etc.
2017-10-09 09:16:24 -07:00
Mark Stemm
f123313389
Let certbot write below etc.
Let's Encrypt client program.
2017-10-09 09:16:24 -07:00
Mark Stemm
1753d16962
Add easy way to add to container shell cmdlines
A new (empty) list user_known_container_shell_spawn_binaries allows
additional files to add additional programs that are allowed to spawn
shells in containers.
2017-10-09 09:16:24 -07:00
Mark Stemm
61f738826c
Add additional command lines.
Add additional command lines for known shells.
2017-10-09 09:16:24 -07:00
Mark Stemm
7ae765bfc9
Include container image in shell in container rule
Include the container image in the "run shell in container" rule output.
2017-10-09 09:16:24 -07:00
Mark Stemm
f6b3068259
Let vpn binaries write below /etc.
They will modify things like dns servers, etc.
2017-10-09 09:16:24 -07:00
Mark Stemm
e1293a7eca
Add some additional command lines.
Dangling parentheses intentional.
2017-10-09 09:16:24 -07:00
Mark Stemm
02645e7a2e
Be consistent about nested quotes.
Use single quotes for the outer yaml-level strings, and double quotes for
the quoted string.
2017-10-09 09:16:24 -07:00
Mark Stemm
c8c0a97f64
Let Xvfb setuid.
X11 program.
2017-10-09 09:16:24 -07:00
Mark Stemm
d96cf4c369
Allow programs to write below /etc/logstash
At least for some logstash configs, device files get written to below
/etc/logstash instead of elsewhere like /var.
2017-10-09 09:16:24 -07:00
Mark Stemm
e2be47e3c2
Allow update-ca-certi(ficates) to write below /etc
Truncation intentional.
2017-10-09 09:16:24 -07:00
Mark Stemm
ee2c668746
Add systemd as a program that can write below /etc
It can modify /etc/resolv.conf.
2017-10-09 09:16:24 -07:00
Mark Stemm
09e1caf4bb
add mesos-executor as a mesos binary.
2017-10-09 09:16:24 -07:00
Mark Stemm
68d29fc906
Add shell management programs.
add-shell and remove-shell are programs that remove shells from
/etc/shells. They are allowed to write to files below /etc.
2017-10-09 09:16:24 -07:00
Mark Stemm
7ac49a2f99
Also allow sysdig agent to setuid.
It was already allowed to change namespaces.
2017-10-09 09:16:24 -07:00
Mark Stemm
e6006e3787
Add additional dpkg binary
...
dpkg-reconfigur(e), not to be confused with dpkg-preconfigu(re)
2017-10-09 09:16:24 -07:00
Mark Stemm
5d856ef97a
Let _apt user setuid to itself.
2017-10-09 09:16:24 -07:00
Mark Stemm
3b486fb6c6
Let npm spawn shells in containers.
2017-10-09 09:16:24 -07:00
Mark Stemm
daedcf172f
Let hhvm spawn shells.
http://hhvm.com/ , "open-source virtual machine designed for executing
programs written in Hack and PHP."
2017-10-09 09:16:24 -07:00
Mark Stemm
414a4aaba7
Another shell command line.
2017-10-09 09:16:24 -07:00