Mark Stemm
00dd3c47c0
Allow systemd --version as a "user mgmt binary"
systemd --version might be run in some unusual containerized
environments, so exclude it.
2017-10-09 09:20:41 -07:00
Mark Stemm
7c8a85158a
Decrease terminal shell in container to debug
From notice. That way the two main shell-related policies are both at
debug.
2017-10-09 09:20:41 -07:00
Mark Stemm
d0650688d5
Let mysql_ssl_rsa_s spawn shells
Part of mysql ssl key generation.
2017-10-09 09:20:41 -07:00
Mark Stemm
425196f974
Let weave spawn shells.
2017-10-09 09:20:41 -07:00
Mark Stemm
70d6e8de2f
Add more ancestors for tracking.
2017-10-09 09:20:41 -07:00
Mark Stemm
6dfdadf527
Also let runc:[1:CHILD] count as an entrypoint.
Handles cases where we lose system events and have incomplete state.
2017-10-09 09:20:41 -07:00
Mark Stemm
606af16f27
Let updatedb.findut spawn shells.
2017-10-09 09:20:41 -07:00
Mark Stemm
3b5f959de9
Add additional node/edi command lines.
2017-10-09 09:20:41 -07:00
Mark Stemm
a4d3d4d731
Also let docker-runc denote an entrypoint.
2017-10-09 09:20:41 -07:00
Mark Stemm
276ab9139f
Let hddtemp.postins(t) write below etc.
dpkg installation script
2017-10-09 09:20:41 -07:00
Mark Stemm
ee02571889
Add x2go binaries as a list
Moving the first program x2goagent into the list.
2017-10-09 09:20:38 -07:00
Mark Stemm
6aa2373acd
More x-related shell spawners
Add additional x-related shell spawning programs.
2017-10-09 09:20:00 -07:00
Mark Stemm
b0cf038e1d
Another uid to same uid case.
pki-acme.
2017-10-09 09:20:00 -07:00
Mark Stemm
548790c663
Add more run by macros for h2o/Passenger
Add more run_by_xxx macros for h2o/phusion passenger. Handles cases
where the ancestor has a name, but the direct parent is a general
scripting language like ruby/perl/etc.
2017-10-09 09:20:00 -07:00
Mark Stemm
151d1e67c5
Add an additional scripting-running-command combo
Add an additional combination of scripting language like php/python/etc
+ a specific command line to parent_scripting_running_builds.
2017-10-09 09:20:00 -07:00
Mark Stemm
68cca84ba6
Also let tini spawn shells in containers.
2017-10-09 09:20:00 -07:00
Mark Stemm
46f993fa40
Let fluentd write multiple files
Rename fluentd_writing_fluentd_conf to fluentd_writing_conf_files and
add additional files that it can modify below /etc.
2017-10-09 09:20:00 -07:00
Mark Stemm
42167e53cc
Let chef write below etc.
New macro run_by_chef is similar to run_by_qualys in that it looks in
various places in the process hierarchy. Use that macro to allow writes
below etc. Will probably add in more places soon.
2017-10-09 09:20:00 -07:00
Mark Stemm
4e7fcf3f88
Let java running sbt spawn shells
New macro parent_java_running_sbt looks for java running sbt
code (https://github.com/sbt/sbt), and uses that macro to allow shells.
2017-10-09 09:20:00 -07:00
Mark Stemm
64a014c356
Look for qualys at various places in the hierarchy
Qualys seems to run a variety of shell subprocesses, at various
levels. Add a macro run_by_qualys that checks at a few levels without
the cost of a full proc.aname, which traverses the full parent
hierarchy.
2017-10-09 09:20:00 -07:00
Mark Stemm
ac82dd4b54
Let timeout run shells.
2017-10-09 09:20:00 -07:00
Mark Stemm
70e49161b1
Let pkt-agent become itself.
2017-10-09 09:20:00 -07:00
Mark Stemm
1cdacc1494
Add macro to easily augment shell rule
Add a macro user_shell_container_exclusions that allows a second rules
file to easily extend the shell in container rule without overriding
the entire rule.
Also add an exclusion node_running_edi_dynamodb which can be used for
that macro.
2017-10-09 09:20:00 -07:00
Mark Stemm
ca9e1ebfef
Add x2go programs
They can spawn shells in and out of containers.
2017-10-09 09:20:00 -07:00
Mark Stemm
6be38a3237
Add more nomachine binaries.
Also let nomachine binaries write below /etc.
2017-10-09 09:20:00 -07:00
Mark Stemm
bf1f2cb2fd
Let coreos update_engine write below dev.
2017-10-09 09:19:59 -07:00
Mark Stemm
ac70325522
Add more debugging for shells
Used to track down deeper chains of shells for things like ansible, chef.
2017-10-09 09:19:59 -07:00
Mark Stemm
608d4e234f
Let tini spawn shells
https://github.com/krallin/tini
2017-10-09 09:19:59 -07:00
Mark Stemm
d21fb408d4
Let locales.postins write below /etc
locales.postins also writes intermediate files below /etc/, so just let it
write generally.
2017-10-09 09:19:59 -07:00
Mark Stemm
aaa294abd1
Add additional build-like shells
This time node running git commands.
2017-10-09 09:19:59 -07:00
Mark Stemm
8e46db05c6
More specific control of some /etc files
Add more specific controls of files below /etc, allowing specific
combinations of programs and files:
- start-fluentd can write to /etc/fluent/fluent.conf
- locales.postins can write to /etc/locale.gen
2017-10-09 09:19:59 -07:00
Mark Stemm
4efda9cb97
Add nomachine binaries.
Add a list of nomachine binaries and let them spawn shells, setuid, and
access sensitive files.
2017-10-09 09:19:56 -07:00
Mark Stemm
57c1b33562
Let /etc/locale.gen be written
/etc/locale.gen isn't super critical, so let it be written.
2017-10-09 09:18:53 -07:00
Mark Stemm
75a44a67f9
Use pmatch instead of fd.directory
Use pmatch, which compares a file against a set of prefix paths, instead
of fd.directory. This allows the directories in safe_etc_dirs to be a
prefix of a file instead of just the directory containing a file.
2017-10-09 09:18:53 -07:00
Mark Stemm
fbfd540ad2
More user management exclusions.
Exclude lastlog and useradd -D as they don't change anything.
2017-10-09 09:18:53 -07:00
Mark Stemm
e88c9ec8e3
Add more shell spawners.
awslogs, authconfig
2017-10-09 09:18:53 -07:00
Mark Stemm
3202704950
Add more logging on process ancestors.
Try to find the root process that might be spawning shells/reading
sensitive files.
2017-10-09 09:18:53 -07:00
Mark Stemm
689c02666f
Allow innocuous user management commands
Allow innocuous user management command lines like "passwd -S" (show
status for account).
2017-10-09 09:18:53 -07:00
Mark Stemm
12de2e4119
Make safe etc directories a list.
This way it can more easily be modified/added to.
2017-10-09 09:18:53 -07:00
Mark Stemm
cb7dab61e8
Let chef binaries run shells.
2017-10-09 09:18:50 -07:00
Mark Stemm
9791881444
Let mesos-slave, phusion passenger spawn shells
We already covered mesos-agent, the new name for mesos-slave.
2017-10-09 09:18:07 -07:00
Mark Stemm
84b3543cc0
Let logrotate spawn shells in containers.
2017-10-09 09:17:13 -07:00
Mark Stemm
71fee6753b
Let qualys write below /etc
2017-10-09 09:17:13 -07:00
Mark Stemm
7ff2f66437
Let node running npm spawn shells.
New macro parent_node_running_npm looks for node running npm. Currently
only /usr/local/bin/npm, can add additional well-known paths as needed.
2017-10-09 09:17:13 -07:00
Mark Stemm
1f008d6c39
Let needrestart run shells.
https://github.com/liske/needrestart
2017-10-09 09:17:09 -07:00
Mark Stemm
dc44655ec2
Change how we detect entrypoints.
Move entrypoint detection to its own macro. Also consider something the
entrypoint if its parent is runc:[0:PARENT]. There's a race where
runc:[0:PARENT] exits in parallel with the root program being execd, so
the parent might not exist or might have this name.
2017-10-09 09:16:25 -07:00
Mark Stemm
ef9e045a40
Add more ancestors
Add more ancestors for several rules. Sometimes shells spawn the program
reading the sensitive file, etc.
2017-10-09 09:16:25 -07:00
Mark Stemm
0ec46feef2
Make setuid binaries a list
Move the misc binaries that are allowed to setuid from the rule to its
own list. Makes it easier to add to the list.
2017-10-09 09:16:25 -07:00
Mark Stemm
2ebe9e06a8
More build-related changes + exposing more info
Combine parent_php_running_builds and parent_ruby_running_gcc into a
single parent_scripting_running_builds which handles the general case of
some script running some make/compilation related program. Also add some
build-related command line prefixes.
Allow supervisor-related programs to spawn shells and access sensitive
files.
Allow sendmail config binaries to write below etc directly (their
children already could).
Add some directories related to phusion (system-as-a-container).
For a few rules add parent programs in the output so it's easier to
diagnose the context for an event.
Let varnishd spawn shells.
2017-10-09 09:16:25 -07:00
Mark Stemm
33974c6912
More server progs
- add ssmtp.postinst as a mail config program
- allow runsv to write below etc
- allow a2enmod to spawn shells
- add additional shell cmdline
2017-10-09 09:16:25 -07:00