Rule updates 2018 04.v2 #366
Commits on Jun 12, 2018
Add alternatives as a binary dir writer
It can set symlinks below binary dirs.
Commit 12a39e3
Let userhelper read sens.files/write below /etc
Part of usermode package, can be used by oVirt.
Commit f547ee3
Let package mgmt progs urlgrabber pki files
Some package management programs run urlgrabber-ext-{down} to update pki files.
Commit a4aae62
Commit 24c7ab2
Commit ce96033
Commit 34adeb9
Commit d44efaf
In an attempt to track down the source of some additional shell spawners, add additional parents.
Commit 460cf82
Let chef write below bin dirs/rpm database
Rename an existing macro chef_running_yum_dump to python_running_chef and add additional variants. Also add chef-client as a package management binary.
Commit 73e0b56
Commit cd12d3d
Add additional volume mgmt progs
Add pvscan as a volume management program and add an additional directory below /etc. Also rename the macro to make it more generic.
Commit f2ccb80
Let openldap write below /etc/openldap
Only program is run-openldap.sh for now.
Commit 3b55367
Commit 71ea5b9
Let sed write /etc/sedXXXXX files
These are often seen in install scripts for rpm/deb packages. The test only checks for /etc/sed, as we don't have anything like a regex match or glob operator.
Commit 966f62b
Commit c6695bc
Add additional mysql programs and directories
Add run-mysqld and /etc/my.cnf.d directory.
Commit b167309
Commit 4637997
Let id program open network connections
Seen using port 111 (sun-rpc, but really user lookups).
Commit 5a8428b
Opt-in rule for protecting tomcat shell spawns
Some users want to consider any shell spawned by tomcat suspect (for example, to protect against the famous apache struts attack CVE-2017-5638), while others do not. Split the difference by adding a macro possibly_parent_java_running_tomcat, but disabling it by default.
Commit 01f9d72
Commit 29923b3
Add "Write below monitored directory"
Take the technique used by "Write below binary dir", and make it more general, expanding to a list of "monitored directories". This contains common directories like /boot, /lib, etc. It has a small workaround to look for home ssh directories without using the glob operator, which has a pending fix in draios/sysdig#1153.
Commit 2ad7452
Move monitored_dir to after evt type checks and allow mkinitramfs to write below /boot
Commit 739e11c
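The three rule-writing techniques described in the commit messages above (an opt-in macro shipped disabled, a prefix match in place of a missing glob operator, and a list of monitored directories with a no-glob workaround for per-user ssh directories) are illustrated below in Falco rules syntax. This is an added example and not this PR's diff: the list contents, the /home ssh workaround, the tomcat parent condition and the mkinitramfs exception are assumptions chosen for illustration, and the open_write macro is a self-contained stand-in for the one Falco ships.

```yaml
# Added illustration, not the PR's own rules. Directory list, ssh workaround
# and the tomcat condition are assumptions written to show the technique.

# Opt-in macro: shipped disabled via Falco's built-in never_true macro. A site
# that wants tomcat-spawned shells treated as suspect overrides this macro in
# its local rules file rather than editing the shipped rule.
- macro: possibly_parent_java_running_tomcat
  condition: (never_true)

# Assumed form of a local override enabling the check:
# - macro: possibly_parent_java_running_tomcat
#   condition: (proc.pname = java and proc.pcmdline contains tomcat)

# Prefix match where no glob/regex operator exists: every /etc/sedXXXXXX
# temporary file starts with /etc/sed. The caveat is over-matching, e.g. a
# real file named /etc/sedated also satisfies this condition.
- macro: sed_temporary_file
  condition: (proc.name = sed and fd.name startswith /etc/sed)

# Generalisation of "write below binary dir": a list of directories to watch,
# plus a workaround for ~/.ssh, which cannot be listed because user names are
# not known in advance. startswith + contains stands in for a glob.
- list: monitored_directories
  items: [/boot, /lib, /lib64, /usr/lib, /usr/local/lib, /usr/local/sbin, /usr/local/bin, /root/.ssh]

- macro: monitored_dir
  condition: >
    (fd.directory in (monitored_directories)
     or (fd.name startswith /home/ and fd.name contains /.ssh/))

# Self-contained stand-in for Falco's shipped open_write macro.
- macro: open_write
  condition: (evt.type=open or evt.type=openat) and evt.is_open_write=true and fd.typechar='f'

# Cheap event-type checks come first so the path comparisons in monitored_dir
# only run on write-opens. Exceptions are added as named allowed writers, not
# by loosening the match.
- rule: Write below monitored dir
  desc: an attempt to write to any file below a set of monitored directories
  condition: >
    evt.dir = < and open_write and monitored_dir
    and not sed_temporary_file
    and not (proc.name = mkinitramfs and fd.name startswith /boot)
  output: >
    File below a monitored directory opened for writing (user=%user.name
    command=%proc.cmdline file=%fd.name parent=%proc.pname)
  priority: ERROR
  tags: [filesystem]
```

The ordering inside the rule condition mirrors the "move monitored_dir to after evt type checks" commit: evt.dir and open_write reject most events before any string comparison on fd.name runs. The mkinitramfs exception is scoped to /boot so the allowance does not extend to the other monitored directories.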
Commit 08a2f98