Rule updates 2018 02.v1 #321
Commits on Jan 31, 2018
Add additional allowed files below root.
These are related to node.js apps.
Commit c134497
Commits on Feb 3, 2018
Commit 25b0d9e
Let gugent write to (root) + GuestAgent.log
vRA7 Guest Agent writes to GuestAgent.log with a cwd of root.
Commit d366293
Commit 3cfe8c5
Add additional root files and directories
All seen in legitimate cases.
Commit 1fdbae6
Possibly seen as a part of consul deployments and/or openresty.
Commit cdeb62c
Commits on Feb 9, 2018
Add rule for disallowed ssh connections
New rule "Disallowed SSH Connection" detects ssh connection attempts other than those allowed by the macro allowed_ssh_hosts. The default version of the macro allows any ssh connection, so the rule never triggers by default. The macro could be overridden in a local/user rules file, though.
Commit 48a40c2
Detect contacting NodePort svcs in containers
New rule "Unexpected K8s NodePort Connection" detects attempts to contact K8s NodePort services (i.e. ports >=30000) from within containers. It requires overriding a macro nodeport_containers which specifies a set of containers that are allowed to use these port ranges. By default every container is allowed.
Commit fe82480
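An added example, not part of this pull request: a local/user rules file that overrides the two macros named in the last two commit messages, so that "Disallowed SSH Connection" and "Unexpected K8s NodePort Connection" can actually fire. It assumes Falco's YAML rules syntax and its `fd.sip` and `container.image` fields; the addresses and the image prefix are constructed placeholders.

```yaml
# Local/user rules file, loaded after the default rules file.
# A macro defined here with the same name replaces the default definition,
# and every rule that references the macro picks up the new condition.

# Default behaviour (per the commit message): the macro allows any ssh
# connection, so "Disallowed SSH Connection" never triggers.
# Override: only ssh connections whose server side is one of these hosts
# are allowed. Any other ssh connection now raises the alert, including
# inbound ssh to the monitored host itself, unless its address is listed.
# 192.0.2.10 and 192.0.2.11 are constructed example addresses.
- macro: allowed_ssh_hosts
  condition: (fd.sip="192.0.2.10" or fd.sip="192.0.2.11")

# Default behaviour (per the commit message): every container is allowed to
# contact NodePort services, so "Unexpected K8s NodePort Connection" never
# triggers.
# Override: only containers started from this image may use the NodePort
# range; a connection from any other container raises the alert.
# The registry and image name are constructed placeholders.
- macro: nodeport_containers
  condition: (container.image startswith "registry.example.internal/ingress-proxy")
```

Start with a short allow list and watch the alert volume before widening it; an override that is too broad silently returns both rules to their never-firing default.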