Beta rule updates #247

Merged
merged 33 commits into from
Jun 19, 2017

Conversation

mstemm (Contributor) commented Jun 5, 2017

No description provided.

@mstemm force-pushed the beta-rule-updates branch 3 times, most recently from 64de0a5 to 26d2f17 on June 8, 2017 20:15
@mstemm force-pushed the beta-rule-updates branch 2 times, most recently from c586502 to 9495668 on June 15, 2017 01:45
add anacron as a cron program

Split package_management_binaries into two separate lists rpm_binaries
and deb_binaries. unattended-upgr is common to both worlds so it's still
in package_management_binaries.

Also change Write below rpm database to use rpm_binaries instead of its
own list.

Also add 75-system-updat (truncated) as a shell spawner.
mstemm added 12 commits June 19, 2017 10:16
Add rules that allow jenkins to spawn shells, both in containers and
directly on the host.

Also handle jenkins slaves that run /tmp/slave.jar.

Not yet allowing node to run shells itself, although we want to add
something to reduce node-related FPs.

urlgrabber and git-remote both try to access the RHEL nss database,
containing shared certificates. I may change this in a more general way
by changing open_read/open_write to only look for successful opens.

Change the macros open_read/open_write to only trigger on successful
opens (when fd.num > 0). This is a pretty big change to behavior, but
is more intuitive.

This required a small update to the open counts for a couple of unit
tests, but otherwise they still all passed with this change.

sdchecks is a part of the sysdig monitor agent.

Specifically this includes blkid and /etc/blkid/blkid.tab.

They were already allowed to run shells in a container.

Allows userspace programs to write to kernel log.

Also allow gmake/cmake to spawn shells and put them in their own list
make_binaries.

Mesos slaves appear to be in a container due to their cgroup and can run
programs mesos-health-check/mesos-docker-exec to monitor the containers
on the slave, so allow them to run shells.

Add mesos-agent, mesos-logrotate, mesos-fetch as shell spawners both in
and out of containers.

Add gen_resolvconf. (short for gen_resolvconf.py) as a program that can
write to /etc.

Add toybox (used by mesos, part of http://landley.net/toybox/about.html)
as a shell spawner.

Systemd can listen on network ports to launch daemons on demand, so
allow it to perform network activity.

Let docker binaries setuid and add docker-entrypoi (truncation
intentional) to the set of docker binaries.

Change the two cis-related falco rules "File Open by Privileged
Container" and "Sensitive Mount by Container" to be less noisy. We found
in practice that tracking every open still results in too many falco
notifications.

For now, change the rules to only track the initial process start in the
container by looking for vpid=1. This should result in only triggering
when a privileged/sensitive mount container is started. This is slightly
less coverage but is far less noisy.

These are used for sysdig cloud on-premise deployments.

Add gitlab-runner-b (truncated gitlab-runner-build) as a gitlab binary.

Also allow ceph to spawn shells in a container.

For some mesos containers, where the container doesn't have an image and
is just a tarball in a cgroup/namespace, we don't have any image to work
with. In those cases, allow specific command lines.

Allow the user nobody to setuid. This depends on the user nobody being
set up in the first place to have no access, but that should be an ok
assumption.

Add rule somebody_becoming_themself that handles cases of nobody and
www-data trying to setuid to themself. The sysdig filter language
doesn't support template/variable values to allow "user.name=X and
evt.arg.uid=X for a given X", so we have to enumerate the users.

Some CI/CD pipelines build in containers.

Was already in the general list, seen in some customers, so adding to
the in containers list.

Take a pass through the rules making sure each line is < 120 characters.

Change unit tests to reflect the new privileged/sensitive mount
container rules that only detect container launch.
@mstemm mstemm merged commit 38f488b into dev Jun 19, 2017
@mstemm mstemm deleted the beta-rule-updates branch July 11, 2017 20:21
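As an added illustration (not the PR's own diff, and not copied from the project's rules file), here is how three of the changes described in the commit messages above can be expressed in Falco's rule syntax: the open_read/open_write macros matching only successful opens, the somebody_becoming_themself macro enumerating users, and the privileged-container rule keyed on the container's first process (vpid 1). The exact field expressions and the container_started macro name are my approximation of the change.

```yaml
# Added illustration, not the PR's diff: Falco rule fragments approximating
# the behaviour described in the commit messages.

# A failed open() returns a negative fd, so requiring a non-negative fd.num
# restricts the macro to opens that actually succeeded and drops the noise
# from probes that never obtained a handle on the file.
- macro: open_read
  condition: (evt.type=open or evt.type=openat) and evt.is_open_read=true and fd.typechar='f' and fd.num>=0

- macro: open_write
  condition: (evt.type=open or evt.type=openat) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0

# The filter language has no variables, so "the target uid equals the current
# user" is spelled out once per user of interest; extend the list as needed.
- macro: somebody_becoming_themself
  condition: ((user.name=nobody and evt.arg.uid=nobody) or
              (user.name=www-data and evt.arg.uid=www-data))

# Fire once per container launch instead of on every file open: the first
# process in the container's pid namespace has vpid 1, so an execve that
# completes with proc.vpid=1 inside a container marks the start.
# (macro name assumed for this illustration)
- macro: container_started
  condition: evt.type=execve and evt.dir=< and proc.vpid=1 and container.id != host

- rule: File Open by Privileged Container
  desc: Detect the launch of a privileged container (previously every file open by one); the sensitive-mount rule is narrowed the same way
  condition: container_started and container.privileged=true
  output: Privileged container started (user=%user.name command=%proc.cmdline %container.info image=%container.image)
  priority: WARNING
```

The trade-off named in the commit message applies: a process that later opens files inside an already-running privileged container is no longer reported, in exchange for one notification per container start.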