Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rule updates 2019 05.v1 #590

Merged
merged 3 commits into from
May 1, 2019
Merged

Rule updates 2019 05.v1 #590

merged 3 commits into from
May 1, 2019

Conversation

mstemm
Copy link
Contributor

@mstemm mstemm commented May 1, 2019

No description provided.

@mstemm
Fix parentheses for rpm_procs macro
761db7f 
Ensures a preceding not will apply to the whole macro
@mstemm
Let anything write to /etc/fluent/configs.d
19dbe6b 
It looks like a lot of scripted programs (shell scripts running cp, sed,
arbitrary ruby programs) are run by fluentd to set up config. They're
too generic to identify, so jut add /etc/fluent/configs.d to
safe_etc_dirs, sadly.
@mstemm
Let java setup write to /etc/passwd in containers
d8bb0e7 
/opt/jboss/container/java/run/run-java.sh and /opt/run-java/run-java.sh
write to /etc/passwd in a contaner, probably to add a user. Add an
exception for them.
@mstemm mstemm requested a review from Kaizhe May 1, 2019 00:34
@mfdii
Copy link
Member

mfdii commented May 1, 2019

Could you add a fix for the FPs generated by aws-cni? #588

Kaizhe
Kaizhe reviewed May 1, 2019
View reviewed changes
rules/falco_rules.yaml
@@ -1029,6 +1029,13 @@
fd.name startswith "/etc/rancher-dns")
)

- macro: jboss_in_container_writing_passwd
condition: >
((proc.cmdline="run-java.sh /opt/jboss/container/java/run/run-java.sh"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the proc.cmdline looks strange, the args[1] is the abs path of the exe?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It does look strange, but the policy event did have that as the full cmdline. Here's an example:

File below /etc opened for writing (user=<NA> command=run-java.sh /opt/jboss/container/java/run/run-java.sh parent=java pcmdline=java -javaagent:/opt/jboss/container/jolokia/jolokia.jar=config=/opt/jboss/container/jolokia/etc/jolokia.properties....

And for reference, the output field of that rule is:

output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])"

@mstemm mstemm merged commit 0100835 into dev May 1, 2019
@mstemm mstemm deleted the rule-updates-2019-05.v1 branch May 1, 2019 17:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Kaizhe Kaizhe Kaizhe approved these changes

Assignees
No one assigned
Labels
area/rules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@mstemm @mfdii @Kaizhe @fntlnz