Mark Stemm
1676333d7b
Docs changes for 0.8.0
Also fix the incorrect year for several prior releases.
2017-10-09 16:48:59 -07:00
Mark Stemm
4a8ac8d164
Merge pull request #259 from draios/more-beta-updates
More beta updates
2017-10-09 15:09:09 -07:00
Mark Stemm
e1044629cb
Work around unknown users in containers wrt setuid
Work around https://github.com/draios/sysdig/issues/954, which relates
to not always knowing the proper user name in containers, by not running
the rule when in a container and the user name is "<NA>". This won't
address cases where the uid from inside the container maps to a user
name outside the container that is different than the user inside the
container, but it will help a bit.
2017-10-09 13:15:39 -07:00
Mark Stemm
080305c7a0
Adjust for new severity
Shell in container is now debug level, so adjust test case to match.
2017-10-09 13:05:12 -07:00
Mark Stemm
26d5ea0123
Merge pull request #286 from draios/no-config-when-validate-rules
Add ability to validate rules file
2017-10-09 12:50:56 -07:00
Mark Stemm
53ca4349f9
Add ability to validate rules file
New argument -V validates a single rules file without any verbose
description of the rules and without reading the main falco config file
at all.
2017-10-09 12:02:23 -07:00
Mark Stemm
0fcd01f98d
Let git modify nssdb
Let git-remote-http modify files below the nssdb.
2017-10-09 10:37:33 -07:00
Mark Stemm
1b591dc4f3
Misc build-related fixes
- Let yarn spawn shells
- Add several allowed commandlines
- Let configure spawn shells in containers
2017-10-09 10:36:35 -07:00
Mark Stemm
43b773e9b2
Misc gem/ruby/bundler changes
- Let gem install software.
- Let ruby spawn shells when run by bundle.
2017-10-09 10:34:41 -07:00
Mark Stemm
0d88c3020d
Let qualys perform more actions.
It can have more intermediate shells, is allowed to write to its own
conf file, and can run user management binaries.
2017-10-09 09:20:42 -07:00
Mark Stemm
33a28cc173
Let node running yarn spawn shells.
2017-10-09 09:20:41 -07:00
Mark Stemm
a68d2ad769
Let bundle spawn shells.
2017-10-09 09:20:41 -07:00
Mark Stemm
a921012a6c
Let logdna-agent spawn shells.
2017-10-09 09:20:41 -07:00
Mark Stemm
08afb75009
Add /etc/hrmconfig as a safe directory.
Used by docker swarm http routing mesh.
2017-10-09 09:20:41 -07:00
Mark Stemm
823c105f54
Let systemd-udevd spawn shells
2017-10-09 09:20:41 -07:00
Mark Stemm
bde8d67330
Let psql read sensitive files.
2017-10-09 09:20:41 -07:00
Mark Stemm
9504d420f0
Add more jenkins spawners.
Jenkins spawns shells via script.sh, so allow it.
2017-10-09 09:20:41 -07:00
Mark Stemm
4f5ab79c69
Add xray-rabbitmq shell spawning programs.
They have names {1234}_scheduler and need to be quoted as they start
with digits.
2017-10-09 09:20:41 -07:00
Mark Stemm
6540a856fa
Let adclient write below etc.
2017-10-09 09:20:41 -07:00
Mark Stemm
c3c171c7e5
More centrify changes.
Add crlutil as a program that can modify below etc.
Let centrify programs modify below etc.
Add more info for writes below etc to track etc writers through scripts.
Increase the level of debugging for shells.
2017-10-09 09:20:41 -07:00
Mark Stemm
011cb2f030
Also let mailq setuid.
Similar to showq
2017-10-09 09:20:41 -07:00
Mark Stemm
59ab40d457
Let centrify spawn shells.
This is higher up than other programs.
2017-10-09 09:20:41 -07:00
Mark Stemm
cf5397f701
Change level for sshkit binaries.
It's actually the programs spawned by sshkit scripts that modify files
below /etc.
2017-10-09 09:20:41 -07:00
Mark Stemm
cff8ca428a
The right program was mailq
not smmsp, that was the user.
2017-10-09 09:20:41 -07:00
Mark Stemm
d9cb1e2b27
Let adclient/certutil spawn shells/write below etc
Let adclient/certutil spawn shells and write below etc.
2017-10-09 09:20:41 -07:00
Mark Stemm
96992d7ac3
Add scripts possibly run by sshkit
Some general management scripts, possibly run by sshkit (need to check).
2017-10-09 09:20:41 -07:00
Mark Stemm
a22099c8c3
Let adclient spawn shells.
It's not direct, hence the run_by_adclient macro.
2017-10-09 09:20:41 -07:00
Mark Stemm
0e009fc89a
Let smmsp setuid.
Another sendmail binary.
2017-10-09 09:20:41 -07:00
Mark Stemm
1a41eeada7
Add ability to augment sensitive file reads
Similar to user_known_write_etc_conditions, add the ability to easily
override sensitive file reads in a second rules file.
2017-10-09 09:20:41 -07:00
Mark Stemm
fefb8ba614
Allow puppet to run shells.
Similar model as chef/qualys/etc.
2017-10-09 09:20:41 -07:00
Mark Stemm
2bc9d35d37
Let nfsnobody become themself.
2017-10-09 09:20:41 -07:00
Mark Stemm
09748fcbb3
Allow writes to /etc/motd
These files are relatively innocuous.
2017-10-09 09:20:41 -07:00
Mark Stemm
a0e88417fc
Add more container innocuous cmdlines
Various uname -x variants and ruby version.
2017-10-09 09:20:41 -07:00
Mark Stemm
e44ce9a8d3
Add calico/node as a trusted container.
It generally needs to run privileged.
2017-10-09 09:20:41 -07:00
Mark Stemm
c4c5d2f585
Let chef read sensitive files
Add the macro run_by_chef to the set of exclusions for reading sensitive
files.
2017-10-09 09:20:41 -07:00
Mark Stemm
340ee2ece7
Add general ability to augment write_etc_common
Add a stub macro user_known_write_etc_conditions that allows easy
additions to write_etc_common in a separate rules file.
2017-10-09 09:20:41 -07:00
Mark Stemm
00dd3c47c0
Allow systemd --version as a "user mgmt binary"
systemd --version might be run in some unusual containerized
environments, so exclude it.
2017-10-09 09:20:41 -07:00
Mark Stemm
7c8a85158a
Decrease terminal shell in container to debug
From notice. That way the two main shell-related policies are both at
debug.
2017-10-09 09:20:41 -07:00
Mark Stemm
d0650688d5
Let mysql_ssl_rsa_s spawn shells
Part of mysql ssl key generation.
2017-10-09 09:20:41 -07:00
Mark Stemm
425196f974
Let weave spawn shells.
2017-10-09 09:20:41 -07:00
Mark Stemm
70d6e8de2f
Add more ancestors for tracking.
2017-10-09 09:20:41 -07:00
Mark Stemm
6dfdadf527
Also let runc:[1:CHILD] count as an entrypoint.
Handles cases where we lose system events and have incomplete state.
2017-10-09 09:20:41 -07:00
Mark Stemm
606af16f27
Let updatedb.findut spawn shells.
2017-10-09 09:20:41 -07:00
Mark Stemm
3b5f959de9
Add additional node/edi command lines.
2017-10-09 09:20:41 -07:00
Mark Stemm
a4d3d4d731
Also let docker-runc denote an entrypoint.
2017-10-09 09:20:41 -07:00
Mark Stemm
276ab9139f
Let hddtemp.postins(t) write below etc.
dpkg installation script
2017-10-09 09:20:41 -07:00
Mark Stemm
ee02571889
Add x2go binaries as a list
Moving the first program x2goagent into the list.
2017-10-09 09:20:38 -07:00
Mark Stemm
6aa2373acd
More x-related shell spawners
Add additional x-related shell spawning programs.
2017-10-09 09:20:00 -07:00
Mark Stemm
b0cf038e1d
Another uid to same uid case.
pki-acme.
2017-10-09 09:20:00 -07:00
Mark Stemm
548790c663
Add more run by macros for h2o/Passenger
Add more run_by_xxx macros for h2o/phusion passenger. Handles cases
where the ancestor has a name, but the direct parent is a general
scripting language like ruby/perl/etc.
2017-10-09 09:20:00 -07:00