ms_oms_writing_conf macro not working properly #387

Closed
mleneveut opened this issue Jul 6, 2018 · 2 comments

@mleneveut

The macro "ms_oms_writing_conf" doesn't seem to work in my Azure AKS (v1.10.3). It fires errors like this:

07:15:30.756713513: Error File below /etc opened for writing (user= command=StatusReport.sh /opt/microsoft/omsconfig/Scripts/StatusReport.sh D34448EA-363A-42C2-ACE0-ACD6C1514CF1 EndTime parent=sh pcmdline=sh -c /opt/microsoft/omsconfig/Scripts/StatusReport.sh D34448EA-363A-42C2-ACE0-ACD6C1514CF1 EndTime file=/etc/opt/omi/conf/omsconfig/last_statusreport program=StatusReport.sh gparent=omiagent ggparent=omiagent gggparent=omiagent) k8s.pod= container=host k8s.pod= container=host

and like this:

07:11:28.755207452: Error File below /etc opened for writing (user= command=omsagent-5fb677 /opt/microsoft/omsagent/bin/omsagent-5fb67755-d162-42c8-bf39-9aaf03039323 -d /var/opt/microsoft/omsagent/5fb67755-d162-42c8-bf39-9aaf03039323/run/omsagent.pid --no-supervisor -o /var/opt/microsoft/omsagent/5fb67755-d162-42c8-bf39-9aaf03039323/log/omsagent.log -c /etc/opt/microsoft/omsagent/5fb67755-d162-42c8-bf39-9aaf03039323/conf/omsagent.conf parent=omsagent-5fb677 pcmdline=omsagent-5fb677 /opt/microsoft/omsagent/bin/omsagent-5fb67755-d162-42c8-bf39-9aaf03039323 -d /var/opt/microsoft/omsagent/5fb67755-d162-42c8-bf39-9aaf03039323/run/omsagent.pid --no-supervisor -o /var/opt/microsoft/omsagent/5fb67755-d162-42c8-bf39-9aaf03039323/log/omsagent.log -c /etc/opt/microsoft/omsagent/5fb67755-d162-42c8-bf39-9aaf03039323/conf/omsagent.conf file=/etc/opt/microsoft/omsagent/5fb67755-d162-42c8-bf39-9aaf03039323/conf/omsadmin.conf program=omsagent-5fb677 gparent= ggparent= gggparent=) k8s.pod= container=host k8s.pod= container=host

I think that "proc.pname" is not working. I tested with proc.aname[2] instead and it seems to work. Not sure what proc.pname is and why it doesn't get the parent process.

So the macro:

- macro: ms_oms_writing_conf
  condition: >
    ((proc.name in (omiagent,omsagent,in_heartbeat_r*,omsadmin.sh,PerformInventor)
      or proc.pname in (omi.postinst,omsconfig.posti,scx.postinst,omsadmin.sh,omiagent))
     and (fd.name startswith /etc/opt/omi or fd.name startswith /etc/opt/microsoft/omsagent))

could be replaced by:

- macro: ms_oms_writing_conf
  condition: >
    ((proc.name in (omiagent,omsagent,in_heartbeat_r*,omsadmin.sh,PerformInventor)
      or proc.aname[2] in (omi.postinst,omsconfig.posti,scx.postinst,omsadmin.sh,omiagent))
     and (fd.name startswith /etc/opt/omi or fd.name startswith /etc/opt/microsoft/omsagent))
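As an added example (not code from the report or from the Falco rule set), a Python replay of the macro's condition over the two alert lines quoted above: it parses the rule's key=value output into the Falco fields the condition reads (proc.name, proc.pname, proc.aname[N], fd.name) and evaluates both the original form and the proposed proc.aname[2] form. The mapping of parent=/gparent=/ggparent=/gggparent= onto proc.pname and proc.aname[2..4] is inferred from the output shown, and treating the trailing * in in_heartbeat_r* as a prefix wildcard is an assumption of this example.

```python
"""Replay the ms_oms_writing_conf condition over the Falco alert lines quoted in this report."""
import re

# Keys that the rule's output string emits, in order of appearance. Values such as
# command= and pcmdline= contain spaces, so the text is split on " key=" boundaries
# rather than on whitespace.
OUTPUT_KEYS = ("user", "command", "parent", "pcmdline", "file", "program",
               "gparent", "ggparent", "gggparent")
_KEY_RE = re.compile(r"(?:^|\s)(%s)=" % "|".join(OUTPUT_KEYS))

def parse_alert(line):
    """Return the parenthesised key=value section of an alert, keyed by Falco field name."""
    body = line[line.index("(") + 1:line.rindex(")")]
    hits = list(_KEY_RE.finditer(body))
    raw = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        raw[m.group(1)] = body[m.end():end].strip()
    # Mapping assumed from the output format: parent=%proc.pname, gparent=%proc.aname[2], ...
    return {"proc.name": raw.get("program", ""), "proc.pname": raw.get("parent", ""),
            "proc.aname[2]": raw.get("gparent", ""), "proc.aname[3]": raw.get("ggparent", ""),
            "proc.aname[4]": raw.get("gggparent", ""), "fd.name": raw.get("file", "")}

def falco_in(value, names):
    """Falco's `in (...)` membership test. A trailing * is treated as a prefix wildcard
    here (an assumption of this example) so in_heartbeat_r* matches as the rule intends."""
    return any(value.startswith(n[:-1]) if n.endswith("*") else value == n for n in names)

SELF_NAMES = ("omiagent", "omsagent", "in_heartbeat_r*", "omsadmin.sh", "PerformInventor")
ANCESTOR_NAMES = ("omi.postinst", "omsconfig.posti", "scx.postinst", "omsadmin.sh", "omiagent")
CONF_PREFIXES = ("/etc/opt/omi", "/etc/opt/microsoft/omsagent")

def ms_oms_writing_conf(f, ancestor_fields=("proc.pname",)):
    """The macro condition. ancestor_fields selects which ancestor names the second clause
    inspects: ("proc.pname",) is the original macro, ("proc.aname[2]",) the proposed change."""
    trusted = falco_in(f["proc.name"], SELF_NAMES) or any(
        falco_in(f[a], ANCESTOR_NAMES) for a in ancestor_fields)
    return trusted and f["fd.name"].startswith(CONF_PREFIXES)

# Both alert lines are quoted from the report above.
ALERT_STATUSREPORT = "07:15:30.756713513: Error File below /etc opened for writing (user= command=StatusReport.sh /opt/microsoft/omsconfig/Scripts/StatusReport.sh D34448EA-363A-42C2-ACE0-ACD6C1514CF1 EndTime parent=sh pcmdline=sh -c /opt/microsoft/omsconfig/Scripts/StatusReport.sh D34448EA-363A-42C2-ACE0-ACD6C1514CF1 EndTime file=/etc/opt/omi/conf/omsconfig/last_statusreport program=StatusReport.sh gparent=omiagent ggparent=omiagent gggparent=omiagent) k8s.pod= container=host k8s.pod= container=host"
ALERT_OMSAGENT = "07:11:28.755207452: Error File below /etc opened for writing (user= command=omsagent-5fb677 /opt/microsoft/omsagent/bin/omsagent-5fb67755-d162-42c8-bf39-9aaf03039323 -d /var/opt/microsoft/omsagent/5fb67755-d162-42c8-bf39-9aaf03039323/run/omsagent.pid --no-supervisor -o /var/opt/microsoft/omsagent/5fb67755-d162-42c8-bf39-9aaf03039323/log/omsagent.log -c /etc/opt/microsoft/omsagent/5fb67755-d162-42c8-bf39-9aaf03039323/conf/omsagent.conf parent=omsagent-5fb677 pcmdline=omsagent-5fb677 /opt/microsoft/omsagent/bin/omsagent-5fb67755-d162-42c8-bf39-9aaf03039323 -d /var/opt/microsoft/omsagent/5fb67755-d162-42c8-bf39-9aaf03039323/run/omsagent.pid --no-supervisor -o /var/opt/microsoft/omsagent/5fb67755-d162-42c8-bf39-9aaf03039323/log/omsagent.log -c /etc/opt/microsoft/omsagent/5fb67755-d162-42c8-bf39-9aaf03039323/conf/omsagent.conf file=/etc/opt/microsoft/omsagent/5fb67755-d162-42c8-bf39-9aaf03039323/conf/omsadmin.conf program=omsagent-5fb677 gparent= ggparent= gggparent=) k8s.pod= container=host k8s.pod= container=host"

if __name__ == "__main__":
    for line in (ALERT_STATUSREPORT, ALERT_OMSAGENT):
        f = parse_alert(line)
        print(f["proc.name"], "original:", ms_oms_writing_conf(f),
              "aname[2]:", ms_oms_writing_conf(f, ("proc.aname[2]",)))
```

The first alert is suppressed only by the proc.aname[2] form (its parent is sh, its grandparent omiagent); the second matches neither form, because the process name is reported as omsagent-5fb677 and no grandparent is present, so that false positive survives the proposed change.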
@mleneveut mleneveut changed the title ms_oms_writing_conf macro/rule not working properly ms_oms_writing_conf macro not working properly Jul 6, 2018
mstemm added a commit that referenced this issue Jul 13, 2018
In some cases the program spawns intermediate shells, for example:

07:15:30.756713513: Error File below /etc opened for writing (user= command=StatusReport.sh /opt/microsoft/omsconfig/Scripts/StatusReport.sh D34448EA-363A-42C2-ACE0-ACD6C1514CF1 EndTime parent=sh pcmdline=sh -c /opt/microsoft/omsconfig/Scripts/StatusReport.sh D34448EA-363A-42C2-ACE0-ACD6C1514CF1 EndTime file=/etc/opt/omi/conf/omsconfig/last_statusreport program=StatusReport.sh gparent=omiagent ggparent=omiagent gggparent=omiagent) k8s.pod= container=host k8s.pod= container=host

This should fix #387.
@mstemm
Contributor

mstemm commented Jul 13, 2018

proc.pname is the parent process name. (In general, all the filterchecks that can be used in condition fields are documented at https://github.com/draios/sysdig/wiki/Sysdig-User-Guide#filtering)

I think I fixed this in 05dfefd. Could you try it and let me know?

@mleneveut
Author

Working, thanks :)

mstemm added a commit that referenced this issue Jul 24, 2018
* Add dpkg-divert as a debian package mgmt program.

* Add pip3 as a package mgmt program.

* Let ucpagent write config

Since the name is fairly generic (apiserver), require that it runs in a
container with image docker/ucp-agent.

* Let iscsi admin programs write config

* Add parent to some output strings

Will aid in addressing false positives.

* Let update-ca-trust write to pki files

* Add additional root writing programs

- zap: web application security tool
- airflow: apache app for managing data pipelines
- rpm can sometimes write below /root/.rpmdb
- maven can write groovy files

* Expand redis etc files

Additional program redis-launcher.(sh) and path /etc/redis.

* Add additional root directories

/root/workspace could be used by jenkins, /root/oradiag_root could be
used by Oracle 11 SQL*Net.

* Add pam-config as an auth program

* Add additional trusted containers

openshift image inspector, alternate name for datadog agent, docker ucp
agent, gliderlabs logspout.

* Add microdnf as a rpm binary.

https://github.com/rpm-software-management/microdnf

* Let coreos update-ssh-keys write /home/core/.ssh

* Allow additional writes below /etc/iscsi

Allow any path starting with /etc/iscsi.

* Add additional /root write paths

Additional files, with /root/workspace changing from a directory to a
path prefix.

* Add additional openshift trusted container.

* Also allow grandparents for ms_oms_writing_conf

In some cases the program spawns intermediate shells, for example:

07:15:30.756713513: Error File below /etc opened for writing (user= command=StatusReport.sh /opt/microsoft/omsconfig/Scripts/StatusReport.sh D34448EA-363A-42C2-ACE0-ACD6C1514CF1 EndTime parent=sh pcmdline=sh -c /opt/microsoft/omsconfig/Scripts/StatusReport.sh D34448EA-363A-42C2-ACE0-ACD6C1514CF1 EndTime file=/etc/opt/omi/conf/omsconfig/last_statusreport program=StatusReport.sh gparent=omiagent ggparent=omiagent gggparent=omiagent) k8s.pod= container=host k8s.pod= container=host

This should fix #387.