Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rule updates 2018 02.v3 #344

Merged
merged 46 commits into from
Apr 3, 2018
Merged

Rule updates 2018 02.v3 #344

merged 46 commits into from
Apr 3, 2018

Conversation

mstemm
Copy link
Contributor

@mstemm mstemm commented Apr 3, 2018

Various rule improvements to address false positives.

chipsysdig and others added 30 commits April 2, 2018 17:04
@chipsysdig @mstemm
add common fluentd command, let docker modify
39c6056 
Add a common fluentd command, and let docker operations modify bin dir
@mstemm
Add abrt-action-sav(...) as a rpm program
f83f1ed 
https://linux.die.net/man/1/abrt-action-save-package-data
@mstemm
Add etc writers for more ms-on-linux svcs
e5c256a 
Microsoft SCX and Azure Network Watcher Agent.
@mstemm
Let nginx write its own config.
7b21c85
@mstemm
Let chef-managed gitlab write gitlab config
3e6f2b0
@mstemm
Let docker container fsen outside of containers
786d732 
The docker process can also be outside of a container when doing actions
like docker save, etc, so drop the docker requirement.
@mstemm
Expand the set of haproxy configs.
50cb9b9 
Let the parent process also be haproxy_reload and add an additional
directory.
@mstemm
Add an additional node-related file below /root
60c1185 
For node cli.
@mstemm
Let adclient read sensitive files
0dd4e8e 
Active Directory Client.
@mstemm
Let mesos docker executor write shells
1f7d796
@mstemm
Add additional privileged containers.
6d74db2 
A few more openshift-related containers and datadog.
@mstemm
Add a kafka admin command line as allowed shell
8a98028 
In this case, run by cassandra
@mstemm
Add additional ignored root directories
6bc4eff 
gradle and crashlytics
@mstemm
Add back mesos shell spawning binaries back
9640e41 
This list will be limited only to those binaries known to spawn
shells. Add mesos-slave/mesos-health-ch.
@mstemm
Add addl trusted containers
cc8eb67 
Consul and mesos-slave.
@mstemm
Add additional config writers for sosreport
7ecdf0d 
Can also write files below /etc/pki/nssdb.
@mstemm
Expand selinux config progs
9eae650 
Rename macro to selinux_writing_conf and add additional programs.
@mstemm
Let rtvscand read sensitive files
2629b32 
Symantec av cli program.
@mstemm
Let nginx-launch write its own certificates
d849f1d 
Sometimes directly, sometimes by invoking openssl.
@mstemm
Add addl haproxy config writers
61fd9d2 
Also allow the general prefix /etc/haproxy.
@mstemm
Add additional root files.
62ed89e 
Mongodb-related.
@mstemm
Add additional rpm binaries
5c4387c 
rpmdb_stat
@mstemm
Let python running get-pip.py modify binary files
5dd5686 
Used as a part of directly running get-pip.py.
@mstemm
Let centrify scripts read sensitive files
4a87652 
Scripts start with /usr/share/centrifydc
@mstemm
Let centrify progs write krb info
7da4abb 
Specifically, adjoin and addns.
@mstemm
Let ansible run below /root/.ansible
381c2be
@mstemm
Let ms oms-run progs manage users
a9138f2 
The parent process is generally omsagent-<version> or scx-<version.
@mstemm
Combine & expand omiagent/omsagent macros
395802b 
Combine the two macros into a single ms_oms_writing_conf and add both
direct and parent binaries.
@mstemm
Let python scripts rltd to ms oms write binaries
fe3f689 
Python scripts below /var/lib/waagent.
@mstemm
Let google accounts daemon modify users
0a181a7 
Parent process is google_accounts(_daemon).
mstemm added 16 commits April 2, 2018 17:04
@mstemm
Let update-rc.d modify files below /etc
3b83d96
@mstemm
Let dhcp binaries write indirectly to etc
2928691 
This allows them to run programs like sed, cp, etc.
@mstemm
Add istio as a trusted container.
65ccf8a
@mstemm
Add addl user management progs
d7a3257 
Related to post-install steps for systemd/udev.
@mstemm
Let azure-related scripts write below etc
fb13fd8 
Directory is /etc/azure, scripts are below /var/lib/waagent.
@mstemm
Let cockpit write its config
8767bfc 
http://www.cockpit-project.org/
@mstemm
Add openshift's cassandra as a trusted container
de74c9b
@mstemm
Let ipsec write config
dfa780d 
Related to strongswan (https://strongswan.org/).
@mstemm
Let consul-template write to addl /etc files
4eec9ca 
It may spawn intermediate shells and write below /etc/ssl.
@mstemm
Add openvpn-entrypo(int) as an openvpn program
94846d0 
Also allow subdirectories below /etc/openvpn.
@mstemm
Add additional files/directories below /root
4ae14fe
@mstemm
Add cockpit-session as a sensitive file reader
9f77893
@mstemm
Add puppet macro back
1af63c4 
Still used in some people's user rules files.
@mstemm
Rename name= to program=
364e64d 
Some users pointed out that name= was ambiguous, especially when the
event includes files being acted upon. Change to program=.
@mstemm
Also let omiagent run progs that write oms config
36f9fbc 
It can run things like python scripts.
@mstemm
Allow writes below /root/.android
74d0490
@mstemm mstemm merged commit 1516fe4 into dev Apr 3, 2018
@mstemm mstemm deleted the rule-updates-2018-02.v3 branch April 3, 2018 01:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
area/rules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mstemm @fntlnz @chipsysdig