More beta updates #259

Merged
merged 110 commits into from
Oct 9, 2017
Commits
110 commits
5382aa4
More shell spawners
mstemm Jun 26, 2017
414a4aa
Another shell command line.
mstemm Jun 26, 2017
daedcf1
Let hhvm spawn shells.
mstemm Jun 26, 2017
3b486fb
Let npm spawn shells in containers.
mstemm Jun 28, 2017
5d856ef
Let _apt user setuid to itself.
mstemm Jun 28, 2017
e6006e3
Add additional dpkg binary
mstemm Jun 28, 2017
7ac49a2
Also allow sysdig agent to setuid.
mstemm Jun 28, 2017
68d29fc
Add shell management programs.
mstemm Jul 5, 2017
09e1caf
Add mesos-executor as a mesos binary.
mstemm Jul 5, 2017
ee2c668
Add systemd as a program that can write below /etc
mstemm Jul 5, 2017
e2be47e
Allow update-ca-certi(ficates) to write below /etc
mstemm Jul 5, 2017
d96cf4c
Allow programs to write below /etc/logstash
mstemm Jul 5, 2017
c8c0a97
Let Xvfb setuid.
mstemm Jul 5, 2017
02645e7
Be consistent about nested quotes.
mstemm Jul 5, 2017
e1293a7
Add some additional command lines.
mstemm Jul 5, 2017
f6b3068
Let vpn binaries write below /etc.
mstemm Jul 5, 2017
7ae765b
Include container image in shell in container rule
mstemm Jul 5, 2017
61f7388
Add additional command lines.
mstemm Jul 5, 2017
1753d16
Add easy way to add to container shell cmdlines
mstemm Jul 5, 2017
f123313
Let certbot write below etc.
mstemm Jul 5, 2017
1c64586
Allow systemd-sysuser to write below /etc.
mstemm Jul 7, 2017
463ade2
Add 3dt as a mesos program.
mstemm Jul 13, 2017
de3ca31
Allow certbot to spawn shells.
mstemm Jul 13, 2017
1221399
Allow writes below /etc/nginx/conf.d
mstemm Jul 14, 2017
6397c3a
Add additional command line.
mstemm Jul 21, 2017
b208008
Fix parent_python_running_sdchecks
mstemm Jul 26, 2017
d5a107b
More beta updates, almost all shell related:
mstemm Jul 28, 2017
9883656
More shell/build related changes
mstemm Jul 28, 2017
33974c6
More server progs
mstemm Aug 2, 2017
2ebe9e0
More build-related changes + exposing more info
mstemm Aug 2, 2017
0ec46fe
Make setuid binaries a list
mstemm Aug 9, 2017
ef9e045
Add more ancestors
mstemm Aug 9, 2017
dc44655
Change how we detect entrypoints.
mstemm Aug 9, 2017
1f008d6
Let needrestart run shells.
mstemm Aug 11, 2017
7ff2f66
Let node running npm spawn shells.
mstemm Aug 11, 2017
71fee67
Let qualys write below /etc
mstemm Aug 11, 2017
84b3543
Let logrotate spawn shells in containers.
mstemm Aug 11, 2017
9791881
Let mesos-slave, phusion passenger spawn shells
mstemm Aug 16, 2017
cb7dab6
Let chef binaries run shells.
mstemm Aug 22, 2017
12de2e4
Make safe etc directories a list.
mstemm Aug 22, 2017
689c026
Allow innocuous user management commands
mstemm Aug 22, 2017
3202704
Add more logging on process ancestors.
mstemm Aug 22, 2017
e88c9ec
Add more shell spawners.
mstemm Aug 22, 2017
fbfd540
More user management exclusions.
mstemm Aug 22, 2017
75a44a6
Use pmatch instead of fd.directory
mstemm Aug 22, 2017
57c1b33
Let /etc/locale.gen be written
mstemm Aug 23, 2017
4efda9c
Add nomachine binaries.
mstemm Aug 23, 2017
8e46db0
More specific control of some /etc files
mstemm Aug 23, 2017
aaa294a
Add additional build-like shells
mstemm Aug 23, 2017
d21fb40
Let locales.postins write below /etc
mstemm Aug 23, 2017
608d4e2
Let tini spawn shells
mstemm Aug 23, 2017
ac70325
Add more debugging for shells
mstemm Aug 23, 2017
bf1f2cb
Let coreos update_engine write below dev.
mstemm Aug 24, 2017
6be38a3
Add more nomachine binaries.
mstemm Aug 24, 2017
ca9e1eb
Add x2go programs
mstemm Aug 24, 2017
1cdacc1
Add macro to easily augment shell rule
mstemm Aug 24, 2017
70e4916
Let pkt-agent become themself.
mstemm Aug 24, 2017
ac82dd4
Let timeout run shells.
mstemm Aug 24, 2017
64a014c
Look for qualys at various places in the hierarchy
mstemm Aug 24, 2017
4e7fcf3
Let java running sbt spawn shells
mstemm Aug 24, 2017
42167e5
Let chef write below etc.
mstemm Aug 24, 2017
46f993f
Let fluentd write multiple files
mstemm Aug 24, 2017
68cca84
Also let tini spawn shells in containers.
mstemm Aug 24, 2017
151d1e6
Add an additional scripting-running-command combo
mstemm Aug 24, 2017
548790c
Add more run by macros for h2o/Passenger
mstemm Aug 24, 2017
b0cf038
Another uid to same uid case.
mstemm Aug 24, 2017
6aa2373
More x-related shell spawners
mstemm Aug 24, 2017
ee02571
Add x2go binaries as a list
mstemm Aug 25, 2017
276ab91
Let hddtemp.postins(t) write below etc.
mstemm Aug 25, 2017
a4d3d4d
Also let docker-runc denote an entrypoint.
mstemm Aug 25, 2017
3b5f959
Add additional node/edi command lines.
mstemm Aug 25, 2017
606af16
Let updatedb.findut spawn shells.
mstemm Aug 25, 2017
6dfdadf
Also let runc:[1:CHILD] count as an entrypoint.
mstemm Aug 25, 2017
70d6e8d
Add more ancestors for tracking.
mstemm Aug 25, 2017
425196f
Let weave spawn shells.
mstemm Aug 25, 2017
d065068
Let mysql_ssl_rsa_s spawn shells
mstemm Sep 6, 2017
7c8a851
Decrease terminal shell in container to debug
mstemm Sep 14, 2017
00dd3c4
Allow systemd --version as a "user mgmt binary"
mstemm Sep 19, 2017
340ee2e
Add general ability to augment write_etc_common
mstemm Sep 21, 2017
c4c5d2f
Let chef read sensitive files
mstemm Sep 21, 2017
e44ce9a
Add calico/node as a trusted container.
mstemm Sep 21, 2017
a0e8841
Add more container innocuous cmdlines
mstemm Sep 21, 2017
09748fc
Allow writes to /etc/motd
mstemm Sep 21, 2017
2bc9d35
Let nfsnobody become themself.
mstemm Sep 21, 2017
fefb8ba
Allow puppet to run shells.
mstemm Sep 21, 2017
1a41eea
Add ability to augment sensitive file reads
mstemm Sep 21, 2017
0e009fc
Let smmsp setuid.
mstemm Sep 25, 2017
a22099c
Let adclient spawn shells.
mstemm Sep 25, 2017
96992d7
Add scripts possibly run by sshkit
mstemm Sep 25, 2017
d9cb1e2
Let adclient/certutil spawn shells/write below etc
mstemm Sep 25, 2017
cff8ca4
The right program was mailq
mstemm Sep 25, 2017
cf5397f
Change level for sshkit binaries.
mstemm Sep 25, 2017
59ab40d
Let centrify spawn shells.
mstemm Sep 25, 2017
011cb2f
Also let mailq setuid.
mstemm Sep 25, 2017
c3c171c
More centrify changes.
mstemm Sep 25, 2017
6540a85
Let adclient write below etc.
mstemm Sep 25, 2017
4f5ab79
Add xray-rabbitmq shell spawning programs.
mstemm Sep 29, 2017
9504d42
Add more jenkins spawners.
mstemm Sep 29, 2017
bde8d67
Let psql read sensitive files.
mstemm Sep 29, 2017
823c105
Let systemd-udevd spawn shells
mstemm Sep 29, 2017
08afb75
Add /etc/hrmconfig as a safe directory.
mstemm Sep 29, 2017
a921012
Let logdna-agent spawn shells.
mstemm Oct 4, 2017
a68d2ad
Let bundle spawn shells.
mstemm Oct 5, 2017
33a28cc
Let node running yarn spawn shells.
mstemm Oct 5, 2017
0d88c30
Let qualys perform more actions.
mstemm Oct 6, 2017
43b773e
Misc gem/ruby/bundler changes
mstemm Oct 9, 2017
1b591dc
Misc build-related fixes
mstemm Oct 9, 2017
0fcd01f
Let git modify nssdb
mstemm Oct 9, 2017
080305c
Adjust for new severity
mstemm Oct 9, 2017
e104462
Work around unknown users in containers wrt setuid
mstemm Oct 9, 2017