Address rules fps #1028
Merged
Address rules fps #1028
Commits on Jan 31, 2020
-
Add "dsc_host" as a MS OMS program
Sample Falco alert: ``` File below /etc opened for writing (user=<NA> command=dsc_host /opt/dsc/output PerformRequiredConfigurationChecks 1 parent=python pcmdline=python /opt/microsoft/omsconfig/Scripts/PerformRequiredConfigurationChecks.py file=/etc/opt/omi/conf/omsconfig/con... ``` Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
-
Let mcafee write to /etc/cma.d
Sample Falco alert: ``` File below /etc opened for writing (user=root command=macompatsvc self_start parent=macompatsvc pcmdline=macompatsvc self_start file=/etc/cma.d/lpc.conf program=macompatsvc gparent=macompatsvc ggparent=systemd gggparent=<NA> CID1 image=<NA>) ``` Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
-
Let avinetworks supervisor write some ssh cfg
Sample Falco alert: ``` File below /etc opened for writing (user=root command=se_supervisor.p /opt/avi/scripts/se_supervisor.py -d parent=systemd pcmdline=systemd file=/etc/ssh/ssh_monitor_config_10.24.249.200 program=se_supervisor.p gparent=docker-containe ggparent=docker-con... ``` Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Commits on Feb 1, 2020
-
Alow writes to /etc/pki from openshift secrets dir
Sample falco alert: ``` File below /etc opened for writing (user=root command=cp /run/secrets/kubernetes.io/serviceaccount/ca.crt /etc/pki/ca-trust/source/anchors/openshift-ca.crt parent=bash pcmdline=bash -c #!/bin/bash\nset -euo pipefail\n\n# set by the node image\nunset KUB... ``` The exception is conditioned on containers. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
-
Sample Falco alert: ``` File below / or /root opened for writing (user=<NA> command=runc:[1:CHILD] init parent=docker-runc-cur file=/exec.fifo program=runc:[1:CHILD] CID1 image=<NA>) ``` This github issue provides some context: opencontainers/runc#1698 Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
-
Let cilium-cni change namespaces
Sample Falco alert: ``` Namespace change (setns) by unexpected program (user=root command=cilium-cni parent=cilium-cni host CID2 CID1 image=<NA>) ``` Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
-
Sample Falco alert: ``` Shell spawned by untrusted binary (user=git shell=sh parent=puma reactor cmdline=sh -c pgrep -fl "unicorn.* worker\[.*?\]" pcmdline=puma reactor gparent=puma ggparent=runsv aname[4]=ru... ``` https://github.com/puma/puma says it is "A Ruby/Rack web server built for concurrency". Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.