Rule updates next #293

Merged
merged 90 commits into from
Oct 25, 2017
b068452
Let luajit spawn shells.
mstemm Oct 11, 2017
c25ab63
Start support for db mgmt programs
mstemm Oct 11, 2017
e05d379
Let apache beam spawn shells
mstemm Oct 11, 2017
6cd54db
Better support for dovecot
mstemm Oct 11, 2017
b295bfa
Better support for plesk
mstemm Oct 11, 2017
2b31a1a
Let strongswan spawn shells.
mstemm Oct 11, 2017
079ca27
Let proftpd modify files below /etc.
mstemm Oct 11, 2017
22aa9c9
Let chef binaries write below /etc
mstemm Oct 11, 2017
7d630e0
Let mandb read sensitive files
mstemm Oct 11, 2017
9b4e9ea
Let specific phusion passenger binaries run shells
mstemm Oct 11, 2017
7ebbabb
Make git-remote-http more permissive.
mstemm Oct 12, 2017
90a5b36
Let networkmanager modify /etc/resolv.conf
mstemm Oct 13, 2017
4fc1277
Let hostid open network connections
mstemm Oct 13, 2017
145c487
Let uwsgi spawn shells
mstemm Oct 13, 2017
bb1bb93
Add docker-runc-cur as a docker binary.
mstemm Oct 13, 2017
56823e2
Add rule for allowed containers
mstemm Oct 13, 2017
ff8123b
Also let foreman spawn shells
mstemm Oct 16, 2017
75d5a7b
Let confluence run shells.
mstemm Oct 17, 2017
809b7aa
Make allowed_containers macro more foolproof.
mstemm Oct 17, 2017
c23ff4b
Let tomcat spawn shells.
mstemm Oct 17, 2017
00ddcf6
Let pip install software.
mstemm Oct 17, 2017
182d70a
Add another yarn command line.
mstemm Oct 17, 2017
de2432e
Let add-shell write to /etc/shells.tmp
mstemm Oct 17, 2017
4e52cf1
Let more plesk binaries setuid.
mstemm Oct 17, 2017
2eb0103
Add imap-login as a mail binary.
mstemm Oct 17, 2017
29306b6
Fix plesk writing keys macro
mstemm Oct 17, 2017
e9a1657
Let screen read sensitive files.
mstemm Oct 17, 2017
2604f9e
Add more shell spawners.
mstemm Oct 17, 2017
a50b32a
Exclude nologin from user mgmt programs.
mstemm Oct 17, 2017
daa37d6
Let programs run by locales.postins write to /etc
mstemm Oct 17, 2017
99d4ca7
Let install4j java progs spawn shells.
mstemm Oct 17, 2017
8104cec
Let some shell cmds be spawned outside containers
mstemm Oct 17, 2017
3bd8103
Add addl ruby-based passenger spawners
mstemm Oct 17, 2017
c7fa091
Allow bundle ruby cmds to be identified by name
mstemm Oct 17, 2017
afbfe1b
Let nginx spawn shells.
mstemm Oct 17, 2017
2bd09cc
Skip setuid rules for containers.
mstemm Oct 17, 2017
5a209d0
Let PassengerWatchd run shells
mstemm Oct 17, 2017
dbc7826
Add additional foreman shells
mstemm Oct 17, 2017
709d81d
Add additional innocuous command lines.
mstemm Oct 17, 2017
0b49909
Also let cron spawn shells in containers
mstemm Oct 17, 2017
480a1eb
Also let run-parts run cmp/cp for sensitive files
mstemm Oct 18, 2017
d2cd0dc
Let erlexec spawn shells.
mstemm Oct 18, 2017
f43fdaf
Add additional innocuous shell cmdlines.
mstemm Oct 18, 2017
841f94b
Add suexec as a userexec binary.
mstemm Oct 18, 2017
3d73f77
Add imap/mailmng-core as mail binaries.
mstemm Oct 18, 2017
6344215
Let perl spawn shells when run by cpanm
mstemm Oct 18, 2017
cde79ff
Let apache_control_ spawn shells
mstemm Oct 18, 2017
8299675
Let ics_start/stop running java spawn shells
mstemm Oct 18, 2017
17145d8
Let PassengerAgent setuid.
mstemm Oct 18, 2017
0c12507
Let multilog write below /etc if run by supervise
mstemm Oct 18, 2017
5f0d0d5
Let bwrap setuid
mstemm Oct 18, 2017
6bfeb6c
Detect writes below /, /root
mstemm Oct 19, 2017
f8431d3
Don't let shells directly open network connections
mstemm Oct 19, 2017
b6e7215
Add additional sensitive mounts.
mstemm Oct 19, 2017
2be5da9
Let pki-realm write below /etc/pki/realms
mstemm Oct 20, 2017
4539521
Let sgdisk write below dev
mstemm Oct 20, 2017
0fa5315
Let debconf-show read sensitive files.
mstemm Oct 20, 2017
6ec06b8
Additional case for build-related scripts.
mstemm Oct 20, 2017
cc47fa2
Add additional mail binaries.
mstemm Oct 20, 2017
38f8df1
Let ruby running discourse spawn shells.
mstemm Oct 20, 2017
8c0c789
Let beam.smp and paster run shells
mstemm Oct 20, 2017
ecbfa1a
Temporarily undo shells opening net conns update
mstemm Oct 20, 2017
75fdbf4
Make the actual sensitive files a list.
mstemm Oct 20, 2017
370f64b
Print mounts in Launch Sensitive Mount Container
mstemm Oct 23, 2017
18c405d
Add container.image to container-related rules.
mstemm Oct 23, 2017
a6123e9
Add sw-engine-kv as a plesk binary.
mstemm Oct 23, 2017
b469122
Allow sa-update to read sensitive files
mstemm Oct 23, 2017
d1c827d
Add additional shell spawners.
mstemm Oct 23, 2017
e640ac4
Allow sumologic secureFiles to run user mgmt progs
mstemm Oct 23, 2017
26171da
Only consider full mounts of /etc as sensitive
mstemm Oct 23, 2017
d3ccae3
Let htpasswd write below /etc
mstemm Oct 24, 2017
7b99c57
Let pam-auth-update read sensitive files
mstemm Oct 24, 2017
84e36d9
Let hawkular-metric spawn shells.
mstemm Oct 24, 2017
fd68ab7
Generalize jenkins scripts spawning shells
mstemm Oct 24, 2017
244397f
Let php run by assemble spawn shells
mstemm Oct 24, 2017
99d275c
Add additional setuid binaries.
mstemm Oct 24, 2017
3966187
Add additional package mgmt prog
mstemm Oct 24, 2017
4c1f0ff
Add additional yarn cmdlines.
mstemm Oct 24, 2017
9c2b110
Let dmeventd write below etc.
mstemm Oct 24, 2017
ea1af2b
Let rhsmcertd-worke(r) spawn shells.
mstemm Oct 24, 2017
ee78d96
Let node spawn bitnami-related shells.
mstemm Oct 25, 2017
bc54809
Add user allowed sensitive mounts
mstemm Oct 25, 2017
f9035d7
Add start-stop-daemon as setuid program
mstemm Oct 25, 2017
d5277c5
Add additional shell spawners/cmdlines.
mstemm Oct 25, 2017
ac02fae
Let python running localstack spawn shells.
mstemm Oct 25, 2017
bcebe72
Add additional chef binaries.
mstemm Oct 25, 2017
91892f0
Let fluentd spawn shells.
mstemm Oct 25, 2017
7f6dfff
Don't consider unix_chkpwd to be a user mgmt prog
mstemm Oct 25, 2017
b08ea96
Get setuid for NULL user in container working
mstemm Oct 25, 2017
71a386f
Add exceptions for Write below root
mstemm Oct 25, 2017