
Rule updates 2019 05.v1 #590

Merged
merged 3 commits into from May 1, 2019

@mstemm
Contributor

commented May 1, 2019

No description provided.

mstemm added some commits May 1, 2019

Fix parentheses for rpm_procs macro

Ensures a preceding not will apply to the whole macro.

Let anything write to /etc/fluent/configs.d

It looks like a lot of scripted programs (shell scripts running cp, sed, arbitrary ruby programs) are run by fluentd to set up config. They're too generic to identify, so just add /etc/fluent/configs.d to safe_etc_dirs, sadly.

Let java setup write to /etc/passwd in containers

/opt/jboss/container/java/run/run-java.sh and /opt/run-java/run-java.sh write to /etc/passwd in a container, probably to add a user. Add an exception for them.
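The precedence problem behind the first commit, shown as an added illustration rather than the Falco project's own rules file: the macro bodies, process names and the rule are constructed stand-ins, and the two `rpm_procs` definitions are a before/after pair, not one file to load as-is.

```yaml
# Constructed illustration (not the Falco project's rules file).
# Falco substitutes macro bodies textually into a rule's condition, and
# "and" binds tighter than "or", so a macro body of the form "X or Y"
# used as "... and not rpm_procs" expands to "... and not X or Y",
# which parses as "(... and not X) or Y".

# BEFORE: no outer parentheses (simplified stand-in for the real macro).
- macro: rpm_procs
  condition: proc.name in (rpm, rpmkey, yum) or proc.pname in (rpm, rpmkey, yum)

- rule: Write below rpm database (broken precedence)
  desc: Writes under /var/lib/rpm by anything other than package tooling
  condition: >
    open_write and fd.name startswith /var/lib/rpm and not rpm_procs
  # Expands to:
  #   (open_write and fd.name startswith /var/lib/rpm and not proc.name in (...))
  #   or proc.pname in (rpm, rpmkey, yum)
  # So the proc.pname half of the exception is inverted: any event from a
  # child of rpm/yum matches the rule, even one that writes nothing, and the
  # case the exception was written for is never excused.
  output: "Rpm database opened for writing (command=%proc.cmdline file=%fd.name)"
  priority: ERROR

# AFTER: the whole body is parenthesised, so "not" negates both clauses.
- macro: rpm_procs
  condition: (proc.name in (rpm, rpmkey, yum) or proc.pname in (rpm, rpmkey, yum))

- rule: Write below rpm database
  desc: Writes under /var/lib/rpm by anything other than package tooling
  condition: >
    open_write and fd.name startswith /var/lib/rpm and not rpm_procs
  # Expands to:
  #   open_write and fd.name startswith /var/lib/rpm
  #   and not (proc.name in (...) or proc.pname in (...))
  # which is the intended meaning: excuse rpm/yum and their children only.
  output: "Rpm database opened for writing (command=%proc.cmdline file=%fd.name)"
  priority: ERROR
```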

@mstemm mstemm requested a review from Kaizhe May 1, 2019

@mfdii

Member

commented May 1, 2019

Could you add a fix for the FPs generated by aws-cni? #588

@@ -1029,6 +1029,13 @@
fd.name startswith "/etc/rancher-dns")
)

- macro: jboss_in_container_writing_passwd
condition: >
((proc.cmdline="run-java.sh /opt/jboss/container/java/run/run-java.sh"
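Review bot: only the opening clause of the new jboss_in_container_writing_passwd condition is visible here (the parenthesised proc.cmdline= comparison), so the rest of the macro cannot be checked from this hunk; make sure the remainder also requires the container and the /etc/passwd target that the macro name promises (for example `container.id != host` and `fd.name=/etc/passwd`), otherwise the exception excuses writes anywhere under /etc for that command line. An exception keyed on an exact proc.cmdline string alone is both brittle (any change in the arguments or their order re-triggers the alert) and weak as a control (the command line is chosen by whoever launches the process, so any process that reproduces that string is excused, not only the JBoss setup script); pairing it with the parent seen in the reported event (proc.pname=java) would narrow it.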


Kaizhe May 1, 2019

Contributor

The proc.cmdline looks strange; is args[1] the absolute path of the exe?


mstemm May 1, 2019

Author Contributor

It does look strange, but the policy event did have that as the full cmdline. Here's an example:

File below /etc opened for writing (user=<NA> command=run-java.sh /opt/jboss/container/java/run/run-java.sh parent=java pcmdline=java -javaagent:/opt/jboss/container/jolokia/jolokia.jar=config=/opt/jboss/container/jolokia/etc/jolokia.properties....

And for reference, the output field of that rule is:

output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])"

Kaizhe approved these changes May 1, 2019

@mstemm mstemm merged commit 0100835 into dev May 1, 2019

5 checks passed: Build (successful), Run tests (all tests passed), Travis CI branch build (passed), Travis CI pull request build (passed), continuous-integration/jenkins/branch (this commit looks good).

@mstemm mstemm deleted the rule-updates-2019-05.v1 branch May 1, 2019

@fntlnz fntlnz added the area/rules label May 15, 2019
