Several changes to reduce FPs #196

Merged
merged 1 commit into from
Jan 25, 2017

Commits on Jan 24, 2017

  1. Several changes to reduce FPs

    Several changes to reduce spurious alerts when managing machines via
    ansible:
    
     - Add ansible_running_python (that is, ansible-spawned python scripts)
       as scripts that can read sensitive files and write below
       /etc. Notably this is the user ansible module.
     - Also add comments to ansible_running_python suggesting users make it
       more strict by specifically naming the root directory for ansible
       scripts.
     - Add pypy as a python variant that can run ansible-related scripts.
    
    Also other changes to reduce FPs:
    
     - add apt-add-reposit, apt-auto-remova (truncation intentional),
       apt-get, apt, apt-key as package management programs, and add package
       management binaries to the set of shell spawners. The overlapping
       binaries that were in known_shell_spawn_binaries were removed.
     - add passwd_binaries, gpg, insserv, apparmor_parser, update-mime,
       tzdata.{config,postinst}, systemd-machine, and debconf-show to
       the set of binaries that can write below /etc.
     - Add vsftpd as a program that can read sensitive files.
     - Add additional programs (incl. python support programs like pip,
       pycompile) as ones that can spawn shells.
     - Allow privileged containers to spawn shells.
     - Break out the set of files below /dev that are written to with O_CREAT
       into a separate list, and add /dev/random,urandom,console to the list.
     - Add python running denyhosts as a program that can write below /etc.
     - Also add binaries starting with linux-image- as ones that can spawn
       shells. These are perl scripts run as a part of installing
       linux-image-N.N packages.
    mstemm committed Jan 24, 2017
    e0850bf
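
The "truncation intentional" entries in the commit message can be illustrated with a short added example, which is not code from this pull request or from the project. It assumes the rule lists are compared against the kernel's per-task `comm` value, which holds at most 15 bytes; the sample events and the helper names are constructed for illustration.

```python
# Added example (not project code). Assumption: list entries are matched
# against the kernel comm value, limited to 15 bytes (TASK_COMM_LEN is 16,
# including the trailing NUL).
TASK_COMM_MAX = 15


def comm_of(exe_name):
    """Return the process name as it would appear in a 15-byte comm field."""
    return exe_name.encode()[:TASK_COMM_MAX].decode(errors="ignore")


def unreachable_entries(entries):
    """Entries longer than 15 bytes can never equal a reported comm value."""
    return sorted(e for e in entries if len(e.encode()) > TASK_COMM_MAX)


def shell_spawn_alerts(events, allowed_parents):
    """Return events whose parent comm is not in the allowlist."""
    return [e for e in events
            if comm_of(e["parent_exe"]) not in allowed_parents]


# Constructed sample events: a parent program spawning a shell.
EVENTS = [
    {"parent_exe": "apt-add-repository", "child": "sh"},
    {"parent_exe": "apt-auto-removal", "child": "sh"},
    {"parent_exe": "apt-get", "child": "sh"},
    {"parent_exe": "nginx", "child": "sh"},
]

# The same package-management list written with full names and as truncated.
FULL_NAMES = {"apt-add-repository", "apt-auto-removal",
              "apt-get", "apt", "apt-key"}
TRUNCATED = {comm_of(name) for name in FULL_NAMES}

if __name__ == "__main__":
    print("entries that can never match:", unreachable_entries(FULL_NAMES))
    print("alerts with full names:",
          [e["parent_exe"] for e in shell_spawn_alerts(EVENTS, FULL_NAMES)])
    print("alerts with truncated names:",
          [e["parent_exe"] for e in shell_spawn_alerts(EVENTS, TRUNCATED)])
```

A list audit like `unreachable_entries` is a cheap check to run whenever binaries are added to an allowlist keyed on process name.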