Rule updates 2018 02.v1 #321

Merged
merged 8 commits into from
Feb 20, 2018

Commits on Jan 31, 2018

  1. Add additional allowed files below root.

    These are related to node.js apps.
    mstemm committed Jan 31, 2018
    c134497

Commits on Feb 3, 2018

  1. 25b0d9e
  2. Let gugent write to (root) + GuestAgent.log

    vRA7 Guest Agent writes to GuestAgent.log with a cwd of root.
    mstemm committed Feb 3, 2018
    d366293
  3. 3cfe8c5
  4. Add additional root files and directories

    All seen in legitimate cases.
    mstemm committed Feb 3, 2018
    1fdbae6
  5. Let nginx run aws s3 cp

    Possibly seen as a part of consul deployments and/or openresty.
    mstemm committed Feb 3, 2018
    cdeb62c

Commits on Feb 9, 2018

  1. Add rule for disallowed ssh connections

    New rule "Disallowed SSH Connection" detects ssh connection attempts
    other than those allowed by the macro allowed_ssh_hosts. The default
    version of the macro allows any ssh connection, so the rule never
    triggers by default.
    
    The macro could be overridden in a local/user rules file, though.
    mstemm committed Feb 9, 2018
    48a40c2
  2. Detect contacting NodePort svcs in containers

    New rule "Unexpected K8s NodePort Connection" detects attempts to
    contact K8s NodePort services (i.e. ports >=30000) from within
    containers.
    
    It requires overriding a macro nodeport_containers which specifies a
    set of containers that are allowed to use these port ranges. By default
    every container is allowed.
    mstemm committed Feb 9, 2018
    fe82480
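The two macros named in the commit messages above (allowed_ssh_hosts and nodeport_containers) are meant to be redefined in a local/user rules file that Falco loads after the main rules file, so the later macro definition replaces the permissive default. The override below is an added example, not code from PR #321 or from the Falco project; the bastion addresses, the image name and the exact conditions are constructed assumptions about one deployment, not the upstream defaults.

```yaml
# Hypothetical local/user rules file (e.g. a falco_rules.local.yaml loaded
# after falco_rules.yaml). Macro names come from the PR commit messages;
# the conditions and values below are constructed for this example.

# Restrict "Disallowed SSH Connection": only SSH connections whose client or
# server side is one of these two (constructed) bastion addresses count as
# allowed. Any other SSH connection attempt now triggers the rule.
- macro: allowed_ssh_hosts
  condition: >
    (fd.sip in ("10.0.0.10", "10.0.0.11") or
     fd.cip in ("10.0.0.10", "10.0.0.11"))

# Restrict "Unexpected K8s NodePort Connection": only containers running the
# (constructed) image "myorg/ingress-proxy" may contact NodePort services
# (ports >= 30000). Connections from every other container trigger the rule.
- macro: nodeport_containers
  condition: (container.image startswith "myorg/ingress-proxy")
```

Because the shipped defaults allow everything, both rules stay silent until an override like this narrows the macros; tighten one macro at a time and review the resulting alerts before treating them as actionable.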