Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rule updates vdec2 #315

Merged
merged 21 commits into from
Jan 18, 2018
Merged

Rule updates vdec2 #315

merged 21 commits into from
Jan 18, 2018

Conversation

mstemm
Copy link
Contributor

@mstemm mstemm commented Jan 18, 2018

No description provided.

@mstemm
Additional rpm writers, root directories
80f452b 
salt-minion can also touch the rpm database, and some node packages
write below /root/.config/configstore.
@mstemm
Add smbd as a protected shell spawner.
5ae4c31 
It's a server-like program.
@mstemm
Also handle .ash_history
d050b09 
default shell for alpine linux
@mstemm
Add exceptions for veritas
73da281 
Let many veritas programs write below /etc/vx.

Let one veritas-related perl script read sensitive files.
@mstemm
Allow postgres to run wal-e
10a9e34 
https://github.com/wal-e/wal-e, archiving program for postgres.
@mstemm
Let consul (agent) run addl scripts
d708708 
Also let consul (agent, but the distinction is in the command line args)
to run nc in addition to curl. Also rename the macro.
@mstemm
Let postgres setuid to itself
759d348 
Let postgres setuid to itself. Seen by archiving programs like wal-e.
@mstemm
Also allow consul to run alert check scripts
9b77603 
"sh -c /bin/consul-alerts watch checks --alert-addr 0.0.0.0:9000 ..."
@mstemm
Add additional privileged containers.
7e8e7e8 
Openshift's logging support containers generally run privileged.
@mstemm
Let addl progs write below /etc/lvm
ea23498 
Add lvcreate as a program that can write below /etc/lvm and rename the
macro to lvprogs_writing_lvm_archive.
@mstemm
Let glide write below root
8de5d6d 
https://glide.sh/, package management for go.
@mstemm
Let sosreport read sensitive files.
79c4e6b
@mstemm
Let scom server read sensitive files.
052f3ba 
Microsoft System Center Operations Manager (SCOM).
@mstemm
Let kube-router run privileged.
36a9121 
https://github.com/cloudnativelabs/kube-router
@mstemm
Let needrestart_binaries spawns shells
fe7b440 
Was included in prior version of shell rules, adding back.
@mstemm
Let splunk spawn shells below /opt/splunkforwarder
a25433c
@mstemm
Add yum-cron as a rpm binary
f59253e
@mstemm
Add a different way to run denyhosts.
62a29fd 
Strange that the program is denyhosts.py but observed in actual
environments.
@mstemm
Let nrpe setuid to nagios.
aee0da7
@mstemm
Also let postgres run wal-e wrt shells
07e3cf9 
Previously added as an exception for db program spawned process, need to
add as an exception for run shell untrusted.
@mstemm
Remove installer shell-related rules
bb34242 
They aren't used that often and removing them cleans up space for new
rules we want to add soon.
@mstemm mstemm merged commit 1feae90 into dev Jan 18, 2018
@mstemm mstemm deleted the rule-updates-vdec2 branch January 18, 2018 04:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
area/rules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@mstemm @fntlnz