mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-22 12:27:10 +00:00
Several changes to reduce spurious alerts when managing machines via ansible:

- Add ansible_running_python (that is, ansible-spawned python scripts) as scripts that can read sensitive files and write below /etc. Notably this is the user ansible module.
- Also add comments to ansible_running_python suggesting users make it more strict by specifically naming the root directory for ansible scripts.
- Add pypy as a python variant that can run ansible-related scripts.

Also other changes to reduce FPs:

- add apt-add-reposit, apt-auto-remova (truncation intentional), apt-get, apt, apt-key as package management programs, and add package management binaries to the set of shell spawners. The overlapping binaries that were in known_shell_spawn_binaries were removed.
- add passwd_binaries, gpg, insserv, apparmor_parser, update-mime, tzdata.{config,postinst}, systemd-machine, and debconf-show to the set of binaries that can write below /etc.
- Add vsftpd as a program that can read sensitive files.
- Add additional programs (incl. python support programs like pip, pycompile) as ones that can spawn shells.
- Allow privileged containers to spawn shells.
- Break out the set of files below /dev that are written to with O_CREAT into a separate list, and add /dev/random,urandom,console to the list.
- Add python running denyhosts as a program that can write below /etc.
- Also add binaries starting with linux-image- as ones that can spawn shells. These are perl scripts run as a part of installing linux-image-N.N packages.
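The exception pattern the commit describes (a loose ansible_running_python macro, the stricter directory-anchored variant the new comments suggest, and the carve-outs for the write-below-/etc rule), as an added illustrative Falco rules fragment rather than the project's own falco_rules.yaml; every list, macro and rule name other than ansible_running_python, and the ansible temp-directory path in the strict variant, are assumptions.

```yaml
# Illustrative reconstruction of the exception pattern, not Falco's own file.
# Names other than ansible_running_python are assumed.

# python variants ansible modules may be executed under (pypy was added by the commit)
- list: python_binaries
  items: [python, python2, python3, pypy]

# proc.name is the kernel comm field (15 usable characters), which is why
# apt-add-repository and apt-auto-remove appear truncated here.
- list: package_mgmt_binaries
  items: [apt-add-reposit, apt-auto-remova, apt-get, apt, apt-key]

- list: etc_writer_binaries
  items: [gpg, insserv, apparmor_parser, update-mime, systemd-machine, debconf-show]

# Loose match: any python variant whose command line mentions ansible.
# Stricter alternative (assumed path): anchor on the directory ansible uses for
# the module files it copies to the managed host, so that unrelated python
# processes that merely have "ansible" in their arguments are not exempted:
#   condition: (proc.name in (python_binaries) and
#               proc.cmdline contains "/home/ansible/.ansible/tmp/")
- macro: ansible_running_python
  condition: (proc.name in (python_binaries) and proc.cmdline contains ansible)

- macro: python_running_denyhosts
  condition: (proc.name in (python_binaries) and proc.cmdline contains denyhosts)

- macro: open_write_below_etc
  condition: (evt.type in (open, openat) and evt.is_open_write=true and fd.name startswith /etc)

# Trusted writers are carved out so the rule only fires for the remainder.
- macro: write_etc_allowed
  condition: >
    (proc.name in (package_mgmt_binaries) or
     proc.name in (etc_writer_binaries) or
     ansible_running_python or
     python_running_denyhosts)

- rule: Write below etc
  desc: an attempt to write to any file below /etc, excluding known configuration-management tooling
  condition: open_write_below_etc and not write_etc_allowed
  output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
  priority: ERROR
  tags: [filesystem]
```

Every carve-out widens what the rule will not report, so the loose `contains ansible` form trades fewer false positives for a larger blind spot; the directory-anchored variant keeps the exemption tied to how ansible actually stages its modules.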