New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rule updates 2018 02.v3 #344

Merged
merged 46 commits into from Apr 3, 2018

Conversation

Projects
None yet
2 participants
@mstemm
Contributor

mstemm commented Apr 3, 2018

Various rule improvements to address false positives.

chipsysdig and others added some commits Apr 2, 2018

add common fluentd command, let docker modify
Add a common fluentd command, and let docker operations modify bin dir
Add etc writers for more ms-on-linux svcs
Microsoft SCX and Azure Network Watcher Agent.
Let docker container fsen outside of containers
The docker process can also be outside of a container when doing actions
like docker save, etc, so drop the docker requirement.
Expand the set of haproxy configs.
Let the parent process also be haproxy_reload and add an additional
directory.
Let adclient read sensitive files
Active Directory Client.
Add additional privileged containers.
A few more openshift-related containers and datadog.
Add back mesos shell spawning binaries back
This list will be limited only to those binaries known to spawn
shells. Add mesos-slave/mesos-health-ch.
Add addl trusted containers
Consul and mesos-slave.
Add additional config writers for sosreport
Can also write files below /etc/pki/nssdb.
Expand selinux config progs
Rename macro to selinux_writing_conf and add additional programs.
Let rtvscand read sensitive files
Symantec av cli program.
Let nginx-launch write its own certificates
Sometimes directly, sometimes by invoking openssl.
Add addl haproxy config writers
Also allow the general prefix /etc/haproxy.
Let python running get-pip.py modify binary files
Used as a part of directly running get-pip.py.
Let centrify scripts read sensitive files
Scripts start with /usr/share/centrifydc
Let centrify progs write krb info
Specifically, adjoin and addns.
Let ms oms-run progs manage users
The parent process is generally omsagent-<version> or scx-<version.
Combine & expand omiagent/omsagent macros
Combine the two macros into a single ms_oms_writing_conf and add both
direct and parent binaries.
Let python scripts rltd to ms oms write binaries
Python scripts below /var/lib/waagent.
Let google accounts daemon modify users
Parent process is google_accounts(_daemon).

mstemm added some commits Feb 27, 2018

Let dhcp binaries write indirectly to etc
This allows them to run programs like sed, cp, etc.
Add addl user management progs
Related to post-install steps for systemd/udev.
Let azure-related scripts write below etc
Directory is /etc/azure, scripts are below /var/lib/waagent.
Let consul-template write to addl /etc files
It may spawn intermediate shells and write below /etc/ssl.
Add openvpn-entrypo(int) as an openvpn program
Also allow subdirectories below /etc/openvpn.
Add puppet macro back
Still used in some people's user rules files.
Rename name= to program=
Some users pointed out that name= was ambiguous, especially when the
event includes files being acted upon. Change to program=.
Also let omiagent run progs that write oms config
It can run things like python scripts.

@mstemm mstemm merged commit 1516fe4 into dev Apr 3, 2018

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
Details
continuous-integration/travis-ci/push The Travis CI build passed
Details

@mstemm mstemm deleted the rule-updates-2018-02.v3 branch Apr 3, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment