mirror of
https://github.com/falcosecurity/falco.git
synced 2026-01-15 14:55:42 +00:00
* add common fluentd command, let docker modify: Add a common fluentd command, and let docker operations modify bin dir
* Add abrt-action-sav(...) as a rpm program: https://linux.die.net/man/1/abrt-action-save-package-data
* Add etc writers for more ms-on-linux svcs: Microsoft SCX and Azure Network Watcher Agent.
* Let nginx write its own config.
* Let chef-managed gitlab write gitlab config
* Let docker container fsen outside of containers: The docker process can also be outside of a container when doing actions like docker save, etc, so drop the docker requirement.
* Expand the set of haproxy configs: Let the parent process also be haproxy_reload and add an additional directory.
* Add an additional node-related file below /root: For node cli.
* Let adclient read sensitive files: Active Directory Client.
* Let mesos docker executor write shells
* Add additional privileged containers: A few more openshift-related containers and datadog.
* Add a kafka admin command line as allowed shell: In this case, run by cassandra
* Add additional ignored root directories: gradle and crashlytics
* Add back mesos shell spawning binaries back: This list will be limited only to those binaries known to spawn shells. Add mesos-slave/mesos-health-ch.
* Add addl trusted containers: Consul and mesos-slave.
* Add additional config writers for sosreport: Can also write files below /etc/pki/nssdb.
* Expand selinux config progs: Rename macro to selinux_writing_conf and add additional programs.
* Let rtvscand read sensitive files: Symantec av cli program.
* Let nginx-launch write its own certificates: Sometimes directly, sometimes by invoking openssl.
* Add addl haproxy config writers: Also allow the general prefix /etc/haproxy.
* Add additional root files: Mongodb-related.
* Add additional rpm binaries: rpmdb_stat
* Let python running get-pip.py modify binary files: Used as a part of directly running get-pip.py.
* Let centrify scripts read sensitive files: Scripts start with /usr/share/centrifydc
* Let centrify progs write krb info: Specifically, adjoin and addns.
* Let ansible run below /root/.ansible
* Let ms oms-run progs manage users: The parent process is generally omsagent-<version> or scx-<version>.
* Combine & expand omiagent/omsagent macros: Combine the two macros into a single ms_oms_writing_conf and add both direct and parent binaries.
* Let python scripts rltd to ms oms write binaries: Python scripts below /var/lib/waagent.
* Let google accounts daemon modify users: Parent process is google_accounts(_daemon).
* Let update-rc.d modify files below /etc
* Let dhcp binaries write indirectly to etc: This allows them to run programs like sed, cp, etc.
* Add istio as a trusted container.
* Add addl user management progs: Related to post-install steps for systemd/udev.
* Let azure-related scripts write below etc: Directory is /etc/azure, scripts are below /var/lib/waagent.
* Let cockpit write its config: http://www.cockpit-project.org/
* Add openshift's cassandra as a trusted container
* Let ipsec write config: Related to strongswan (https://strongswan.org/).
* Let consul-template write to addl /etc files: It may spawn intermediate shells and write below /etc/ssl.
* Add openvpn-entrypo(int) as an openvpn program: Also allow subdirectories below /etc/openvpn.
* Add additional files/directories below /root
* Add cockpit-session as a sensitive file reader
* Add puppet macro back: Still used in some people's user rules files.
* Rename name= to program=: Some users pointed out that name= was ambiguous, especially when the event includes files being acted upon. Change to program=.
* Also let omiagent run progs that write oms config: It can run things like python scripts.
* Allow writes below /root/.android