mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-21 11:29:26 +00:00
* Additional rpm writers, root directories
  salt-minion can also touch the rpm database, and some node packages write below /root/.config/configstore.
* Add smbd as a protected shell spawner.
  It's a server-like program.
* Also handle .ash_history, default shell for Alpine Linux
* Add exceptions for veritas
  Let many veritas programs write below /etc/vx. Let one veritas-related perl script read sensitive files.
* Allow postgres to run wal-e
  https://github.com/wal-e/wal-e, archiving program for postgres.
* Let consul (agent) run addl scripts
  Also let consul (agent, but the distinction is in the command line args) run nc in addition to curl. Also rename the macro.
* Let postgres setuid to itself
  Let postgres setuid to itself. Seen by archiving programs like wal-e.
* Also allow consul to run alert check scripts
  "sh -c /bin/consul-alerts watch checks --alert-addr 0.0.0.0:9000 ..."
* Add additional privileged containers.
  Openshift's logging support containers generally run privileged.
* Let addl progs write below /etc/lvm
  Add lvcreate as a program that can write below /etc/lvm and rename the macro to lvprogs_writing_lvm_archive.
* Let glide write below root
  https://glide.sh/, package management for go.
* Let sosreport read sensitive files.
* Let scom server read sensitive files.
  Microsoft System Center Operations Manager (SCOM).
* Let kube-router run privileged.
  https://github.com/cloudnativelabs/kube-router
* Let needrestart_binaries spawn shells
  Was included in prior version of shell rules, adding back.
* Let splunk spawn shells below /opt/splunkforwarder
* Add yum-cron as a rpm binary
* Add a different way to run denyhosts.
  Strange that the program is denyhosts.py but observed in actual environments.
* Let nrpe setuid to nagios.
* Also let postgres run wal-e wrt shells
  Previously added as an exception for db program spawned process, need to add as an exception for run shell untrusted.
* Remove installer shell-related rules
  They aren't used that often and removing them cleans up space for new rules we want to add soon.
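Most of the entries above are exceptions carved out of existing Falco rules: a macro names the trusted program(s), and the rule's condition excludes that macro with `not`. The fragment below is an added illustration of that pattern in Falco rule syntax, written for this page; it is not the project's falco_rules.yaml. Only the macro name lvprogs_writing_lvm_archive and the program lvcreate come from the commit message; the rule name, the output string and the second macro member are placeholders, and the real macro's program list is longer than shown here.

```yaml
# Illustrative Falco rules fragment (not the project's own falco_rules.yaml).
# Shows how a "let program X write below /etc/..." change from the commit
# message is expressed: a macro listing trusted writers, excluded via `not`.

# Macro named in the commit message. lvcreate is the program the commit adds;
# PLACEHOLDER_LVM_PROG stands in for the other members of the real list,
# which are not reproduced here.
- macro: lvprogs_writing_lvm_archive
  condition: (proc.name in (lvcreate, PLACEHOLDER_LVM_PROG) and fd.name startswith /etc/lvm)

# Generic write-below-/etc detection with the LVM exception applied.
# Rule name and output are hypothetical.
- rule: Example Write Below Etc
  desc: >
    An attempt to write to any file below /etc, excluding known LVM tooling
    that legitimately writes its archive and backup files below /etc/lvm.
  condition: >
    evt.type in (open, openat) and evt.dir = < and
    fd.typechar = f and fd.name startswith /etc and
    not lvprogs_writing_lvm_archive
  output: >
    File below /etc opened for writing
    (user=%user.name command=%proc.cmdline file=%fd.name container=%container.info)
  priority: ERROR
  tags: [filesystem, example]
```

The exception is scoped in two ways at once: by process name and by the path prefix the program is expected to touch, so lvcreate writing outside /etc/lvm still alerts. Falco can check a rules file for syntax and unknown fields without running detection via `falco -V <rules-file>`.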