Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rule updates next #293

Merged
merged 90 commits into from
Oct 25, 2017
Merged

Rule updates next #293

merged 90 commits into from
Oct 25, 2017

Conversation

mstemm
Copy link
Contributor

@mstemm mstemm commented Oct 25, 2017

Syncing the next batch of rule updates to dev.

@mstemm
Let luajit spawn shells.
b068452
@mstemm
Start support for db mgmt programs
c25ab63 
Add support for db management programs that tend to spawn
shells. Starting with two lists
mysql_mgmt_binaries/postgres_mgmt_binaries which are combined into
db_mgmt_binaries. db_mgmt_binaries is added to both shell spawning rules
and the individual programs are removed.
@mstemm
Let apache beam spawn shells
e05d379 
The program is "python pipeline.py" but it appears to be related to
https://github.com/apache/beam/blob/master/sdks/python/apache_beam/pipeline.py.
@mstemm
Better support for dovecot
6cd54db 
Allow dovecot to setuid by adding to mail_binaries.

Allow the program auth, when run by dovecot, to spawn shells.
@mstemm
Better support for plesk
b295bfa 
Create a list plesk_binaries and allow them to run shells.

Also let them write to files below /etc/sw/keys.
@mstemm
Let strongswan spawn shells.
2b31a1a 
Specifically the program starter. Using the full command line to be more
specific.
@mstemm
Let proftpd modify files below /etc.
079ca27
@mstemm
Let chef binaries write below /etc
22aa9c9
@mstemm
Let mandb read sensitive files
7d630e0
@mstemm
Let specific phusion passenger binaries run shells
9b4e9ea 
The program is "my_init", which is fairly generic, so capture it by the
full command line.
@mstemm
Make git-remote-http more permissive.
7ebbabb
@mstemm
Let networkmanager modify /etc/resolv.conf
90a5b36 
specifically nm-dispatcher
@mstemm
Let hostid open network connections
4fc1277 
It might perform dns lookups as a part of resolving ip addresses.
@mstemm
Let uwsgi spawn shells
145c487
@mstemm
Add docker-runc-cur as a docker binary.
bb1bb93 
truncated version of docker-runc-current.
@mstemm
Add rule for allowed containers
56823e2 
New rule Launch Disallowed Container triggers when a container is
started that does not match the macro allowed_containers. In the main
falco rules file, this macro never matches, so it never
triggers. However, in a second rules file the macro allowed_containers
could be filled in with the specific images that match.
@mstemm
Also let foreman spawn shells
ff8123b 
Used by Red Hat Sattelite.
@mstemm
Let confluence run shells.
75d5a7b 
Appears as java program, so look for the classpath.
@mstemm
Make allowed_containers macro more foolproof.
809b7aa 
In some cases, the container image might not be known/is NULL, so the
comparison aganst "dummy-not-allowed-container-image" doesn't work.

Replace this with proc.vpid=1, which is in the main rule Launch
Disallowed Continer. Ensures it will only trigger when the
allowed_containers macro is overridden.
@mstemm
Let tomcat spawn shells.
c23ff4b 
It's java so you need to look at the classpath.
@mstemm
Let pip install software.
00ddcf6
@mstemm
Add another yarn command line.
182d70a
@mstemm
Let add-shell write to /etc/shells.tmp
de2432e
@mstemm
Let more plesk binaries setuid.
4e52cf1
@mstemm
Add imap-login as a mail binary.
2eb0103
@mstemm
Fix plesk writing keys macro
29306b6 
Should be testing proc.name, not proc.cmdline.
@mstemm
Let screen read sensitive files.
e9a1657
@mstemm
Add more shell spawners.
2604f9e 
S99qualys-cloud is the init script, cfn-signal is cloudformation.
@mstemm
Exclude nologin from user mgmt programs.
a50b32a
@mstemm
Let programs run by locales.postins write to /etc
daa37d6 
It can run scripts like sed to modify files before writing the final
file.
@mstemm
Add container.image to container-related rules.
18c405d 
Helps in diagnosis.
@mstemm
Add sw-engine-kv as a plesk binary.
a6123e9
@mstemm
Allow sa-update to read sensitive files
b469122 
SpamAssassin updater.
@mstemm
Add additional shell spawners.
d1c827d
@mstemm
Allow sumologic secureFiles to run user mgmt progs
e640ac4 
See https://help.sumologic.com/Send-Data/Installed-Collectors/05Reference-Information-for-Collector-Installation/08Enhanced-File-System-Security-for-Installed-Collectors.
@mstemm
Only consider full mounts of /etc as sensitive
26171da 
A legitimate case is k8s mounting /etc/kubernetes/ssl, which was
matching /etc*. The glob matcher we have isn't a full regex so you can't
exclude strings, only characters.
@mstemm
Let htpasswd write below /etc
d3ccae3 
Part of nginx
@mstemm
Let pam-auth-update read sensitive files
7b99c57
@mstemm
Let hawkular-metric spawn shells.
84e36d9
@mstemm
Generalize jenkins scripts spawning shells
fd68ab7 
Generalize jenkins_script_sh to jenkins_scripts and add additional
cases.
@mstemm
Let php run by assemble spawn shells
244397f 
Better than globally letting php spawn shells.
@mstemm
Add additional setuid binaries.
99d275c
@mstemm
Add additional package mgmt prog
3966187 
rhsmcertd-worke(r), red hat subscription manager
@mstemm
Add additional yarn cmdlines.
4c1f0ff
@mstemm
Let dmeventd write below etc.
9c2b110 
device mapper event daemon.
@mstemm
Let rhsmcertd-worke(r) spawn shells.
ea1af2b
@mstemm
Let node spawn bitnami-related shells.
ee78d96
@mstemm
Add user allowed sensitive mounts
bc54809 
New macro user_sensitive_mount_containers allows a second rules file to
specify containers/images that can perform sensitive mounts.
@mstemm
Add start-stop-daemon as setuid program
f9035d7 
It has -g/-u args to change gid/uid.

Also move some other single setuid programs to the list
known_setuid_binaries.
@mstemm
Add additional shell spawners/cmdlines.
d5277c5
@mstemm
Let python running localstack spawn shells.
ac02fae
@mstemm
Add additional chef binaries.
bcebe72
@mstemm
Let fluentd spawn shells.
91892f0
@mstemm
Don't consider unix_chkpwd to be a user mgmt prog
7f6dfff 
It only checks passwords.
@mstemm
Get setuid for NULL user in container working
b08ea96 
Reorganize the unknown_user_in_container macro to get it working again
in containers. Previously, it was being skipped entirely due to a
problem with handling of unknown users, which get returned as NULL.

The new macro is known_user_in_container, which tests the user.name
against "N/A". It happens that if user.name is NULL, the comparison
fails, so it has the same effect as if the string "N/A" were being
returned. Any valid user name won't match the string "N/A", so known
users will cause the macro to return true.

The setuid rule needs an additional check for not container, so add that.
@mstemm
Add exceptions for Write below root
71a386f 
Add lists of files/directories that are acceptable to write.
@mstemm mstemm merged commit ccea09b into dev Oct 25, 2017
@mstemm mstemm deleted the rule-updates-next branch October 25, 2017 21:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
area/rules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@mstemm @fntlnz