Mark Stemm
7169dd9cf0
Merge pull request #298 from draios/addl-rule-updates
Addl rule updates
2017-11-10 12:58:41 -08:00
Mark Stemm
15ed651da9
Add additional spawned shells for docker
2017-11-10 12:15:25 -08:00
Mark Stemm
7441052b9a
Let consul spawn shells
2017-11-10 12:15:25 -08:00
Mark Stemm
69ede8a785
Let addl progs read sensitive files
They only display file meta-information.
2017-11-10 12:15:25 -08:00
Mark Stemm
8dd34205a8
Let java write specific config files below /etc
2017-11-10 12:15:25 -08:00
Mark Stemm
f379e97124
Let haproxy installation write its config files
The direct or parent process starts with update-haproxy- and the file is
below /etc/haproxy.
2017-11-10 12:15:25 -08:00
Mark Stemm
109f86cd85
Let ruby running pups spawn shells
2017-11-10 12:15:25 -08:00
Mark Stemm
e51fbd6569
Let python/mesos health checks spawn shells
2017-11-10 12:15:13 -08:00
Mark Stemm
060bf78ed8
Add conda as a scripting binary for builds
conda == python packaging tool
2017-11-10 12:05:28 -08:00
Mark Stemm
a2a4cbf586
Let endeca spawn shells in containers also
2017-11-09 14:17:38 -08:00
Mark Stemm
b4bd11bf70
Let nsrun spawn shells in containers.
2017-11-09 14:16:52 -08:00
Mark Stemm
d5869599f7
Add additional innocuous command lines.
2017-11-09 14:16:24 -08:00
Mark Stemm
b0bc00224c
Also let terminal shells run innocuous cmdlines
The terminal shell in container rule has always been less permissive
than the other shell rules, mostly because we expect terminal-attached
shells to be less common. However, they might run innocuous commands,
especially from scripting languages like python. So allow the innocuous
commands to run.
2017-11-09 14:13:04 -08:00
Mark Stemm
2f4b39ae6f
Let find spawn shells
2017-11-09 14:12:41 -08:00
Mark Stemm
326fb2998a
Let curl write below the pki db
Seems to do these writes on redhat?
2017-11-09 14:11:36 -08:00
Mark Stemm
e3ef7a2ed4
Be more flexible about perl Makefile.PL
Allow the command line to start with that command.
2017-11-09 14:10:35 -08:00
Mark Stemm
43f7ee00fb
Add an additional ics script ics_status.sh
2017-11-09 14:10:14 -08:00
Mark Stemm
8bcd0e8f05
Add additional cron binaries.
2017-11-09 14:09:36 -08:00
Mark Stemm
85f51cf38c
Let salt-minion read sensitive files.
2017-11-08 13:42:24 -08:00
Mark Stemm
2467766f07
Add addl shell spawn conditions
flock can spawn shells, new allowed shell cmdline.
2017-11-08 13:41:43 -08:00
Mark Stemm
2cbff6ff70
Add addl safe root directories
2017-11-08 13:40:56 -08:00
Mark Stemm
e02135f9f0
Let datadog write its config files
2017-11-08 13:40:36 -08:00
Mark Stemm
c1de3dfe7a
Let ovsdb-server write below /etc/openvswitch
2017-11-08 13:39:20 -08:00
Mark Stemm
27df0ad29b
Add nagios as a monitoring binary
Runs lots of shells
2017-11-08 13:38:07 -08:00
Mark Stemm
e7c2068267
Add addl ruby binary when run by bundle
2017-11-08 13:13:00 -08:00
Mark Stemm
ffed7ef63c
Add additional rpm binaries.
2017-11-08 09:28:45 -08:00
Mark Stemm
fe283dcd76
Add exceptions for /root, / writes
Java running as root as well as oracle.
2017-11-08 09:21:17 -08:00
Mark Stemm
4a0ec07235
Let celeryd spawn shells
Parent process name is strange with leading [ and trailing :, so quote
it.
2017-11-08 08:12:35 -08:00
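As an added illustration (not the rule text from the draios/falco commits listed here), this is how exceptions of the kind these commits describe are written in Falco's rule language: the condition from "Let haproxy installation write its config files" (direct or parent process name starts with update-haproxy- and the file is below /etc/haproxy), the quoted parent name from "Let celeryd spawn shells", and the allow-list from "Also let terminal shells run innocuous cmdlines". The macro, list and rule names, the sample command lines, and the rule skeleton they plug into are assumptions made for the illustration; only spawned_process, container and shell_procs are Falco's own default macros.

```yaml
# Added illustration, not Falco's own rules. Macro/list/rule names and the
# sample command lines are assumed for the example.

# "Let haproxy installation write its config files": the direct or parent
# process name starts with update-haproxy- and the file is below /etc/haproxy.
# Pairing the process check with a path prefix keeps the exception narrow.
- macro: haproxy_writing_conf
  condition: >
    (proc.name startswith update-haproxy- or proc.pname startswith update-haproxy-)
    and fd.name startswith /etc/haproxy

# "Let celeryd spawn shells": the parent name carries a leading [ and a
# trailing :, which the filter parser would otherwise misread, so the value
# is double-quoted inside the condition.
- macro: celeryd_spawning_shell
  condition: proc.pname = "[celeryd:"

# "Also let terminal shells run innocuous cmdlines": exact command lines that
# are tolerated even from a terminal-attached shell. List items containing
# spaces are wrapped as '"..."' so the double quotes survive substitution
# into the condition. Entries here are constructed samples.
- list: innocuous_cmdlines
  items: ['"ls -la"', '"uname -a"']

# Assumed rule skeleton showing where such exceptions attach: each allowance
# is a "not" clause on the detection condition.
- rule: Run shell in container (illustration)
  desc: A shell was spawned in a container, excluding known-benign launchers
  condition: >
    spawned_process and container and shell_procs
    and not proc.cmdline in (innocuous_cmdlines)
    and not celeryd_spawning_shell
  output: >
    Shell spawned in container (user=%user.name %container.info
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: NOTICE
```

Every one of these exceptions keys on a process name, parent name or command line, all of which are chosen by whoever launches the process, so a binary renamed to match update-haproxy- or a parent named "[celeryd:" inherits the allowance. That is inherent to name-based allow-lists in Falco; the practical mitigation is to keep each addition as narrow as the haproxy case above, combining the process check with a file-path or command-line constraint rather than allowing the name alone.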
Mark Stemm
fdebfb5b6c
Add N_scheduler binaries for mesos
I believe these are related to the equivalent of docker exec for mesos
containers, and aren't specifically related to rabbitmq.
2017-11-08 08:05:42 -08:00
Mark Stemm
0b775fa722
Let java running endeca spawn shells
2017-11-07 11:19:24 -08:00
Mark Stemm
33faa911d7
Add addl npm cmdlines.
2017-11-07 11:18:33 -08:00
Mark Stemm
24fb84df60
Let docker start script spawn shells
2017-11-07 11:14:50 -08:00
Mark Stemm
7550683862
Add additional shell spawn programs.
2017-11-07 11:06:13 -08:00
Mark Stemm
5755e79fe9
Let polkit-agent-he(lper) read sensitive files.
2017-11-07 11:06:13 -08:00
Mark Stemm
dfbe450eeb
Let datastax progs spawn shells
Various script-based launch points.
2017-11-07 11:06:13 -08:00
Mark Stemm
0867245b73
Let yum indirectly run user mgmt binaries
They run shells that run the user binaries, at various levels in the
process hierarchy.
2017-11-07 11:06:13 -08:00
Mark Stemm
82377348ce
Add another way to run npm
This one seen on redhat installs
2017-11-07 11:00:43 -08:00
Mark Stemm
fdb2312bcf
Let perl Makefile.PL spawn shells
2017-11-07 11:00:19 -08:00
Mark Stemm
fbb5451fd9
Let python running zookeeper spawn shells
2017-11-07 10:59:40 -08:00
Mark Stemm
83c309a6c0
Let subscription-ma(nager) write to rpm db.
2017-11-07 10:57:10 -08:00
Mark Stemm
6bcf397a17
Let plesk weekly cron job spawn shells
2017-11-07 10:19:42 -08:00
Mark Stemm
9ceb11a7c8
Let update-xmlcatal(og) write below /etc/xml
2017-11-07 10:19:19 -08:00
Mark Stemm
e4443bea8e
Add additional make-like binaries.
2017-11-07 10:18:56 -08:00
Mark Stemm
15e2d0bf7e
Add addl bitnami conditions.
2017-11-07 09:54:09 -08:00
Mark Stemm
480ba4e0f8
Let duply write below /etc/duply
It's a shell script that runs touch so the detection is slightly more
complicated.
2017-11-07 09:43:07 -08:00
Mark Stemm
6aae17600f
Add addl ruby proc for builds.
Adding ruby2.1
2017-11-07 09:42:15 -08:00
Mark Stemm
e9e0177901
Add additional phusion cmdlines.
2017-11-06 15:28:16 -08:00
Mark Stemm
01459fb49a
Let threatstack spawn shells
Either as tsvuln or via node cmdline.
2017-11-06 15:28:16 -08:00
Mark Stemm
d36df62d1e
Add an additional yarn cmdline.
2017-11-06 15:26:03 -08:00
Mark Stemm
36d775100e
Be more tolerant of es curator procs
The command line occasionally ends with a space.
2017-11-03 17:26:37 -07:00