
Rule updates 2019 05.v1 #590

merged 3 commits into from May 1, 2019


4 participants

mstemm commented May 1, 2019

No description provided.

mstemm added some commits May 1, 2019

Fix parentheses for rpm_procs macro

Ensures a preceding not will apply to the whole macro

Let anything write to /etc/fluent/configs.d

It looks like a lot of scripted programs (shell scripts running cp, sed,
arbitrary ruby programs) are run by fluentd to set up config. They're
too generic to identify, so just add /etc/fluent/configs.d to
safe_etc_dirs, sadly.

Let java setup write to /etc/passwd in containers

/opt/jboss/container/java/run/ and /opt/run-java/
write to /etc/passwd in a container, probably to add a user. Add an
exception for them.

@mstemm mstemm requested a review from Kaizhe May 1, 2019


commented May 1, 2019

Could you add a fix for the FPs generated by aws-cni? #588

@@ -1029,6 +1029,13 @@ startswith "/etc/rancher-dns")

- macro: jboss_in_container_writing_passwd
condition: >
((proc.cmdline=" /opt/jboss/container/java/run/"
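Review bot: the exception compares `proc.cmdline` for exact equality with `" /opt/jboss/container/java/run/"`, a value that carries a leading space and a trailing slash, and nothing in the hunk says why; add a comment above the macro stating that this is the literal cmdline recorded in the policy event, otherwise the leading space reads as a typo and a later cleanup will strip it and silently disable the exception. The macro is named `jboss_in_container_writing_passwd`, so the part of the condition not shown in this hunk should also restrict it to container processes rather than any process on the host with that cmdline.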

Kaizhe May 1, 2019


The proc.cmdline looks strange; is args[1] the absolute path of the exe?

mstemm May 1, 2019

Author Contributor

It does look strange, but the policy event did have that as the full cmdline. Here's an example:

File below /etc opened for writing (user=<NA> /opt/jboss/container/java/run/ parent=java pcmdline=java -javaagent:/opt/jboss/container/jolokia/jolokia.jar=config=/opt/jboss/container/jolokia/etc/

And for reference, the output field of that rule is:

output: "File below /etc opened for writing ( command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])"
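The two rule-logic points in this PR, the parenthesisation of `rpm_procs` so that a preceding `not` covers the whole macro, and the exact-match `proc.cmdline` exception discussed in the comments above, can both be checked with a small condition evaluator. The code below is an added example, not Falco's own rule loader: it expands macros by plain text substitution (an assumption made so the precedence problem is visible), supports only `=`, `startswith`, `and`/`or`/`not` and parentheses with quoted values, and the macro bodies and events are constructed for illustration (the stand-in for `jboss_in_container_writing_passwd` is a simplified form of the macro in the hunk, using only the cmdline from the observed event and the parent name `java`).

```python
"""Toy evaluator for Falco-style rule conditions (added example, not Falco code).
Macros are expanded textually, which is the case where missing parentheses
around a macro body change the meaning of 'not macro_name'."""
import re

# One token per alternative: '(' , ')' , "quoted string", field-or-keyword, '='.
TOKEN_RE = re.compile(r'(\()|(\))|"([^"]*)"|([A-Za-z_][\w.\[\]]*)|(=)')


def expand_macros(condition, macros, max_rounds=10):
    """Replace whole-word macro names with their bodies as plain text."""
    for _ in range(max_rounds):
        before = condition
        for name, body in macros.items():
            condition = re.sub(rf"\b{re.escape(name)}\b", lambda _m, b=body: b, condition)
        if condition == before:
            return condition
    raise ValueError("macro expansion did not converge (recursive macro?)")


def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at {text[pos:pos + 20]!r}")
        pos = m.end()
        lparen, rparen, string, word, _eq = m.groups()
        if lparen:
            tokens.append(("lparen", "("))
        elif rparen:
            tokens.append(("rparen", ")"))
        elif string is not None:          # keep leading/trailing spaces inside quotes
            tokens.append(("str", string))
        elif word:
            tokens.append(("word", word))
        else:
            tokens.append(("op", "="))
    return tokens


class Parser:
    """Recursive descent with precedence: or < and < not < atom."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == ("word", "or"):
            self.take()
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() == ("word", "and"):
            self.take()
            left = ("and", left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() == ("word", "not"):
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        kind, val = self.take()
        if kind == "lparen":
            node = self.parse_or()
            if self.take()[0] != "rparen":
                raise ValueError("expected ')'")
            return node
        if kind != "word":
            raise ValueError(f"expected field name, got {val!r}")
        op_kind, op = self.take()
        if (op_kind, op) not in (("op", "="), ("word", "startswith")):
            raise ValueError(f"unsupported operator {op!r} after {val}")
        val_kind, value = self.take()
        if val_kind != "str":
            raise ValueError("comparison value must be a quoted string")
        return ("cmp", op, val, value)


def evaluate(node, event):
    """event: dict of field name -> string value, as a Falco event would expose them."""
    if node[0] == "cmp":
        _, op, field, value = node
        actual = event.get(field, "")
        return actual == value if op == "=" else actual.startswith(value)
    if node[0] == "not":
        return not evaluate(node[1], event)
    if node[0] == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    return evaluate(node[1], event) or evaluate(node[2], event)


def matches(condition, event, macros):
    return evaluate(Parser(tokenize(expand_macros(condition, macros))).parse_or(), event)


MACROS = {
    # Constructed stand-ins: the rpm_procs body before the fix has no enclosing
    # parentheses; the fixed body groups the whole alternation.
    "rpm_procs_unfixed": 'proc.name="rpm" or proc.name="rpmkey"',
    "rpm_procs_fixed": '(proc.name="rpm" or proc.name="rpmkey")',
    # Simplified stand-in for the macro in the hunk; the cmdline is the one
    # observed in the policy event, leading space included.
    "jboss_in_container_writing_passwd":
        '(proc.cmdline=" /opt/jboss/container/java/run/" and proc.pname="java")',
}


def rpm_rule_fires(event, macro_name):
    """Constructed rule: write below /etc by anything that is not an rpm process."""
    return matches(f'fd.name startswith "/etc" and not {macro_name}', event, MACROS)


def jboss_exception_applies(event):
    return matches("jboss_in_container_writing_passwd", event, MACROS)


if __name__ == "__main__":
    rpmkey = {"proc.name": "rpmkey", "fd.name": "/etc/pki/rpm-gpg/x"}
    print(rpm_rule_fires(rpmkey, "rpm_procs_unfixed"))  # True: 'not' binds only to the first term
    print(rpm_rule_fires(rpmkey, "rpm_procs_fixed"))    # False: rpmkey is exempted as intended
    observed = {"proc.cmdline": " /opt/jboss/container/java/run/", "proc.pname": "java"}
    print(jboss_exception_applies(observed))                                                # True
    print(jboss_exception_applies({**observed, "proc.cmdline": "/opt/jboss/container/java/run/"}))  # False
```

The rpmkey case is the one the first commit is about: with the unparenthesised body, `fd.name startswith "/etc" and not rpm_procs` expands to `... and not proc.name="rpm" or proc.name="rpmkey"`, and the `or` term escapes the `not`, so the rule still fires for rpmkey. The last two calls show why the leading space in the jboss exception matters: an exact `=` match only covers the cmdline exactly as the event reported it, so dropping the space while tidying the rule would switch the exception off.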

Kaizhe approved these changes May 1, 2019

@mstemm mstemm merged commit 0100835 into dev May 1, 2019

5 checks passed

Build Build Successful
Run tests All tests passed
Travis CI - Branch Build Passed
Travis CI - Pull Request Build Passed
continuous-integration/jenkins/branch This commit looks good

@mstemm mstemm deleted the rule-updates-2019-05.v1 branch May 1, 2019

@fntlnz fntlnz added the area/rules label May 15, 2019
