Rule updates 2018 04.v2 #366

Merged
merged 23 commits into from
Jul 6, 2018

Commits on Jun 12, 2018

  1. Add alternatives as a binary dir writer

    It can set symlinks below binary dirs.
    mstemm committed Jun 12, 2018 · 12a39e3
  2. Let userhelper read sens.files/write below /etc

    Part of usermode package, can be used by oVirt.
    mstemm committed Jun 12, 2018 · f547ee3
  3. Let package mgmt progs urlgrabber pki files

    Some package management programs run urlgrabber-ext-{down} to update pki
    files.
    mstemm committed Jun 12, 2018 · a4aae62
  4. Add additional root directory

    for Jupyter-notebook
    mstemm committed Jun 12, 2018 · 24c7ab2
  5. Let brandbot write to /etc/os-release

    Used on centos
    mstemm committed Jun 12, 2018 · ce96033
  6. Add an additional veritas conf directory.

    Also /etc/opt/VRTS...
    mstemm committed Jun 12, 2018 · 34adeb9
  7. Let appdynamics spawn shells

    Java, so we look at parent cmdline.
    mstemm committed Jun 12, 2018 · d44efaf
  8. Add more ancestors to output

    In an attempt to track down the source of some additional shell
    spawners, add additional parents.
    mstemm committed Jun 12, 2018 · 460cf82
  9. Let chef write below bin dirs/rpm database

    Rename an existing macro chef_running_yum_dump to python_running_chef
    and add additional variants.
    
    Also add chef-client as a package management binary.
    mstemm committed Jun 12, 2018 · 73e0b56
  10. Remove dangling macro.

    No longer in use.
    mstemm committed Jun 12, 2018 · cd12d3d
  11. Add additional volume mgmt progs

    Add pvscan as a volume management program and add an additional
    directory below /etc. Also rename the macro to make it more generic.
    mstemm committed Jun 12, 2018 · f2ccb80
  12. Let openldap write below /etc/openldap

    Only program is run-openldap.sh for now.
    mstemm committed Jun 12, 2018 · 3b55367
  13. Add additional veritas directory

    Also /etc/vom.
    mstemm committed Jun 12, 2018 · 71ea5b9
  14. Let sed write /etc/sedXXXXX files

    These are often seen in install scripts for rpm/deb packages. The test
    only checks for /etc/sed, as we don't have anything like a regex match
    or glob operator.
    mstemm committed Jun 12, 2018 · 966f62b
  15. Let dse (DataStax Search) write to /root

    Only file is /root/tmp__.
    mstemm committed Jun 12, 2018 · c6695bc
  16. Add additional mysql programs and directories

    Add run-mysqld and /etc/my.cnf.d directory.
    mstemm committed Jun 12, 2018 · b167309
  17. 4637997
  18. Let id program open network connections

    Seen using port 111 (sun-rpc, but really user lookups).
    mstemm committed Jun 12, 2018 · 5a8428b
  19. Opt-in rule for protecting tomcat shell spawns

    Some users want to consider any shell spawned by tomcat suspect for
    example, protecting against the famous apache struts attack
    CVE-2017-5638, while others do not.
    
    Split the difference by adding a macro
    possibly_parent_java_running_tomcat, but disabling it by default.
    mstemm committed Jun 12, 2018 · 01f9d72
  20. 29923b3
  21. Add "Write below monitored directory"

    Take the technique used by "Write below binary dir", and make it more
    general, expanding to a list of "monitored directories". This contains
    common directories like /boot, /lib, etc.
    
    It has a small workaround to look for home ssh directories without using
    the glob operator, which has a pending fix in
    draios/sysdig#1153.
    mstemm committed Jun 12, 2018 · 2ad7452
  22. Fix FPs

    Move monitored_dir to after evt type checks and allow mkinitramfs to
    write below /boot
    mstemm committed Jun 12, 2018 · 739e11c
  23. Addl boot writers.

    mstemm committed Jun 12, 2018 · 08a2f98
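The three techniques that recur in commits 14, 19, 21 and 22 (a fixed-prefix match standing in for the missing glob/regex operator, an opt-in macro shipped disabled by default, and keeping the cheap event-type test ahead of the directory comparison with per-program exceptions for known writers) are shown together below in the shape of a Falco rules file. This is an added illustration written for this page, not the rule text from the PR or from the Falco repository; the list, macro and rule names, the directory contents, the exception programs beyond those the commit messages name, and the approximation of "home ssh directory" with startswith/contains are all assumptions, as is the exact default-rules syntax of the period (evt.type/evt.is_open_write, fd.directory, startswith, contains, never_true, %proc.aname[2]).

```yaml
# Added example (not the PR's own rules): how the patterns in this PR fit together.
# Names, directory lists and exception programs are assumed for illustration.

# Assumed set of directories whose contents an attacker modifies for persistence.
- list: monitored_directories
  items: [/boot, /lib, /lib64, /usr/lib, /usr/local/lib, /etc/ssh]

# No glob or regex operator: a per-user ~/.ssh directory is approximated with a
# prefix test plus a substring test rather than /home/*/.ssh (assumed workaround).
- macro: monitored_dir
  condition: >
    (fd.directory in (monitored_directories)
     or (fd.name startswith /home and fd.name contains /.ssh/))

# Cheap event-type checks come first; the directory comparison only runs for
# events that actually open a regular file for writing.
- macro: open_write
  condition: (evt.type=open and evt.is_open_write=true and fd.typechar='f')

# Commit 14's approach: sed's temp files are /etc/sedXXXXXX, so the fixed
# prefix /etc/sed is matched instead of a pattern.
- macro: sed_temporary_file
  condition: (proc.name=sed and fd.name startswith /etc/sed)

# Commit 22 lists mkinitramfs as a legitimate writer below /boot.
- macro: mkinitramfs_writing_boot
  condition: (proc.name=mkinitramfs and fd.directory startswith /boot)

- rule: Write below monitored dir
  desc: an attempt to write to any file below a set of system directories
  condition: >
    open_write and monitored_dir
    and not sed_temporary_file
    and not mkinitramfs_writing_boot
  # Parent and grandparent in the output, in the spirit of commit 8, so the
  # origin of an unexpected writer can be traced from the alert alone.
  output: >
    File below a monitored directory opened for writing
    (user=%user.name command=%proc.cmdline file=%fd.name
     parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2])
  priority: ERROR
  tags: [filesystem]

# Commit 19's opt-in pattern: the macro exists but is short-circuited by
# never_true, so the shipped rule set does not flag tomcat-spawned shells.
- macro: never_true
  condition: (evt.num=0)

- macro: possibly_parent_java_running_tomcat
  condition: (never_true)

# A deployment that wants CVE-2017-5638-style shell spawns flagged redefines
# the macro in a rules file loaded after this one, for example:
# - macro: possibly_parent_java_running_tomcat
#   condition: (proc.pname=java and proc.pcmdline contains tomcat)

- list: shell_binaries
  items: [bash, csh, ksh, sh, tcsh, zsh, dash]

- macro: spawned_process
  condition: (evt.type=execve and evt.dir=<)

- rule: Shell spawned by tomcat (opt-in)
  desc: a shell spawned below a java process whose command line names tomcat
  condition: >
    spawned_process and proc.name in (shell_binaries)
    and possibly_parent_java_running_tomcat
  output: >
    Shell spawned by tomcat (user=%user.name shell=%proc.name
    parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2])
  priority: WARNING
  tags: [process, shell]
```

Two points worth noting when copying this pattern. Exceptions such as sed_temporary_file are deliberately scoped to both the program and the path prefix; an exception on proc.name alone would let any process named sed write anywhere below /etc. And because the opt-in macro is enabled by redefinition rather than by deleting lines from the shipped file, a rules upgrade does not silently re-disable it.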