mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-21 19:44:57 +00:00
* Let supervisor write more generally below /etc
* Let perl+plesk scripts run shells/write below etc
* Allow spaces after some cmdlines
* Add additional shell spawner.
* Add addl package mgmt binaries.
* Add addl cases for java + jenkins
  Addl jar files to consider.
* Add addl jenkins-related cmdlines
  Mostly related to node scripts run by jenkins
* Let python running some mesos tasks spawn shells
  In this case marathon run by python
* Let ucf write below etc
  Only below /etc/gconf for now.
* Let dpkg-reconfigur indirectly write below /etc
  It may run programs that modify files below /etc
* Add files/dirs/prefixes for writes below root
  Build a set of acceptable files/dirs/prefixes for writes below /root. Mostly triggered by apps that run directly as root.
* Add addl shell spawn binaries.
* Also let java + sbt spawn shells in containers
  Not seen only at host level
* Make sure the file below etc is /etc/
  Make sure the file below /etc is really below the directory etc aka /etc/xxx. Otherwise it would match a file /etcfoo.
* Let rancher healthcheck spawn shells
  The name healthcheck is relatively innocuous so also look at the parent process.
* Add addl shell container shell spawn binaries
* Add addl x2go binaries
* Let rabbitq write its config files
* Let rook write below /etc
  toolbox.sh is fairly generic so add a condition based on the image name.
* Let consul-template spawn shells
* Add rook/toolbox as a trusted container
  Their github pages recommend running privileged.
* Add addl mail binary that can setuid
* Let plesk autoinstaller spawn shells
  The name autoinstaller is fairly generic so also look at the parent.
* Let php handlers write its config
* Let addl pkg-* binary write to /etc indirectly
* Add additional shell spawning binaries.
* Add ability to specify user trusted containers
  New macro user_trusted_containers allows a user-provided set of containers that are trusted and are allowed to run privileged.
* If npm runs node, let node spawn shells
* Let python run airflow via a shell.
* Add addl passenger commandlines (for shells)
* Add addl ways datadog can be run
* Let find run shells in containers.
* Add rpmq as an rpm binary
* Let httpd write below /etc/httpd/
* Let awstats/sa-update spawn shells
* Add container entrypoint as a shell
  Some images have an extra shell level for image entrypoints.
* Add an additional jenkins commandline
* Let mysql write its config
* Let openvpn write its config
* Add addl root dirs/files
  Also move /root/.java to be a general prefix.
* Let mysql_upgrade/opkg-cl spawn shells
* Allow login to perform dns lookups
  When run with -h <host> to specify a remote host, some versions of login will do a dns lookup to try to resolve the host.
* Let consul-template write haproxy config.
* Also let mysql indirectly edit its config
  It might spawn a program to edit the config in addition to directly.
* Allow certain sed temp files below /etc/
* Allow debian binaries to indirectly write to /etc
  They may spawn programs like sed, touch, etc to change files below /etc.
* Add additional root file
* Let rancher healthcheck be run more indirectly
  The grandparent as well as parent of healthcheck can be tini.
* Add more cases for haproxy writing config
  Allow more files as well as more scripts to update the config.
* Let vmtoolsd spawn shells on the host
* Add an additional innocuous entrypoint shell
* Let peer-finder (mongodb) spawn shells
* Split application rules to separate file.
  Move the contents of application rules, which have never been enabled by default, to a separate file. It's only installed in the main falco packages.
* Add more build-related command lines
* Let perl running openresty spawn shells
* Let countly write nginx config
* Let confd spawn shells
* Also let aws spawn shells in containers.
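The commit messages above keep tuning one rule shape: alert on a write below /etc unless the writer, its parent, or the target path is on an allow-list, and make sure "below /etc" really means /etc/xxx and not /etcfoo. The following is an added illustration of that matching logic in Python; it is not Falco's own rule engine or rule set, and every process name, parent name and allow-list entry in it is constructed for the example. It goes slightly beyond the messages by also normalising ".." so that /etc/../etcfoo is not mistaken for a file below /etc.

```python
"""Added example (not Falco's code): a toy evaluator for the
"write below /etc" rule shape described in the commit messages.
All policy values and sample events below are constructed."""
from dataclasses import dataclass, field
import posixpath


def is_below(path: str, directory: str) -> bool:
    """True if `path` names something strictly inside `directory`.

    The trailing "/" matters: startswith("/etc") would also match
    "/etcfoo", the false positive the commit message fixes.  normpath
    collapses ".." so "/etc/../etcfoo" is not treated as below /etc.
    """
    path = posixpath.normpath(path)
    d = posixpath.normpath(directory) + "/"
    return path.startswith(d) and len(path) > len(d)


@dataclass
class AllowList:
    files: set = field(default_factory=set)     # exact paths
    dirs: set = field(default_factory=set)      # anything below these
    prefixes: set = field(default_factory=set)  # leading-string match (temp files)

    def permits(self, path: str) -> bool:
        path = posixpath.normpath(path)
        return (path in self.files
                or any(is_below(path, d) for d in self.dirs)
                or any(path.startswith(p) for p in self.prefixes))


@dataclass
class Event:
    proc: str    # process name (comm, truncated to 15 chars by the kernel)
    pproc: str   # parent process name
    path: str    # file being opened
    write: bool  # opened for writing?


# Constructed policy (hypothetical names, modelled on the commit messages).
DIRECT_WRITERS = {"dpkg", "rpm", "httpd"}          # may write below /etc themselves
INDIRECT_TOOLS = {"sed", "touch", "cp"}            # fine only under a trusted parent
PACKAGE_PARENTS = {"dpkg-reconfigur", "apt-get"}   # "dpkg-reconfigure" truncated to 15 chars
ALLOW = AllowList(
    files={"/etc/mtab"},
    dirs={"/etc/httpd"},
    prefixes={"/etc/sed"},   # sed temp files, as the commit message allows
)


def writer_is_trusted(ev: Event) -> bool:
    if ev.proc in DIRECT_WRITERS:
        return True
    # "indirect" writes: a generic tool is trusted only when spawned by a package tool
    return ev.proc in INDIRECT_TOOLS and ev.pproc in PACKAGE_PARENTS


def evaluate(events, sensitive_dir="/etc"):
    """Return the paths that would raise an alert."""
    alerts = []
    for ev in events:
        if not ev.write or not is_below(ev.path, sensitive_dir):
            continue
        if writer_is_trusted(ev) or ALLOW.permits(ev.path):
            continue
        alerts.append(ev.path)
    return alerts


# Constructed sample events.
SAMPLE = [
    Event("dpkg", "apt-get", "/etc/ld.so.cache", True),          # trusted direct writer
    Event("sed", "dpkg-reconfigur", "/etc/default/grub", True),   # trusted indirect writer
    Event("sed", "bash", "/etc/passwd", True),                    # sed from a shell: alert
    Event("python", "cron", "/etcfoo", True),                     # not below /etc
    Event("bash", "sshd", "/etc/../etcfoo", True),                # traversal, still not below /etc
    Event("bash", "sshd", "/etc/cron.d/persist", True),           # alert
    Event("bash", "sshd", "/etc/shadow", False),                  # read only
    Event("nginx", "systemd", "/etc/httpd/conf.d/x.conf", True),  # allow-listed directory
    Event("sed", "bash", "/etc/sedA1b2C3", True),                 # allow-listed prefix
]

if __name__ == "__main__":
    for p in evaluate(SAMPLE):
        print("ALERT write below /etc:", p)
```

Running it reports only /etc/passwd and /etc/cron.d/persist. The three allow-list kinds are deliberately separate: an exact file entry cannot accidentally cover a sibling, a directory entry uses the same trailing-slash test as the rule itself, and only the prefix entries do raw string matching, so the loosest form is limited to the one case (temp-file names) that needs it.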
38 lines
1.1 KiB
CMake
if(NOT DEFINED FALCO_ETC_DIR)
  set(FALCO_ETC_DIR "/etc/falco")
endif()

# One guard covers all three destination names: an embedding project
# that overrides FALCO_RULES_DEST_FILENAME must also define the other two.
if(NOT DEFINED FALCO_RULES_DEST_FILENAME)
  set(FALCO_RULES_DEST_FILENAME "falco_rules.yaml")
  set(FALCO_LOCAL_RULES_DEST_FILENAME "falco_rules.local.yaml")
  set(FALCO_APP_RULES_DEST_FILENAME "application_rules.yaml")
endif()

if(DEFINED FALCO_COMPONENT)
  install(FILES falco_rules.yaml
    COMPONENT "${FALCO_COMPONENT}"
    DESTINATION "${FALCO_ETC_DIR}"
    RENAME "${FALCO_RULES_DEST_FILENAME}")

  install(FILES falco_rules.local.yaml
    COMPONENT "${FALCO_COMPONENT}"
    DESTINATION "${FALCO_ETC_DIR}"
    RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}")

  # Intentionally *not* installing application_rules.yaml. Not needed
  # when falco is embedded in other projects.
else()
  install(FILES falco_rules.yaml
    DESTINATION "${FALCO_ETC_DIR}"
    RENAME "${FALCO_RULES_DEST_FILENAME}")

  install(FILES falco_rules.local.yaml
    DESTINATION "${FALCO_ETC_DIR}"
    RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}")

  install(FILES application_rules.yaml
    DESTINATION "${FALCO_ETC_DIR}"
    RENAME "${FALCO_APP_RULES_DEST_FILENAME}")
endif()