Add support for db management programs that tend to spawn
shells. Starting with two lists
mysql_mgmt_binaries/postgres_mgmt_binaries which are combined into
db_mgmt_binaries. db_mgmt_binaries is added to both shell spawning rules
and the individual programs are removed.

The program is "python pipeline.py" but it appears to be related to
https://github.com/apache/beam/blob/master/sdks/python/apache_beam/pipeline.py.

Allow dovecot to setuid by adding to mail_binaries.

Allow the program auth, when run by dovecot, to spawn shells.

Create a list plesk_binaries and allow them to run shells.

Also let them write to files below /etc/sw/keys.

Specifically the program starter. Using the full command line to be more
specific.

The program is "my_init", which is fairly generic, so capture it by the
full command line.

specifically nm-dispatcher

It might perform dns lookups as a part of resolving ip addresses.

truncated version of docker-runc-current.

New rule Launch Disallowed Container triggers when a container is
started that does not match the macro allowed_containers. In the main
falco rules file, this macro never matches, so it never
triggers. However, in a second rules file the macro allowed_containers
could be filled in with the specific images that match.

Used by Red Hat Sattelite.

Appears as java program, so look for the classpath.

In some cases, the container image might not be known/is NULL, so the
comparison aganst "dummy-not-allowed-container-image" doesn't work.

Replace this with proc.vpid=1, which is in the main rule Launch
Disallowed Continer. Ensures it will only trigger when the
allowed_containers macro is overridden.

It's java so you need to look at the classpath.

Should be testing proc.name, not proc.cmdline.

S99qualys-cloud is the init script, cfn-signal is cloudformation.

It can run scripts like sed to modify files before writing the final
file.

Again, searching by classpath.

We had a list known_container_shell_spawn_cmdlines that contained
innocuous commandlines, but it only worked for containers.

Split this list into container-specific and general commandlines, and
add an exception for the general commandlines for the Run Shell
Untrusted rule.

Add a different way to identify ruby run by phusion passenger.

In some cases, bundle runs ruby scripts by direct script
name (foo.rb). Also allow that to spawn shells.

For now, entirely skip the setuid rule for containers. Will add back
once I can find a way to check for unknown users.

Let the direct parent also be scl when the ancestor is tfm-rake,tfm-ruby.

Seen when using things like phusion passenger.

Might be a case of a missing process but might also be legitimate.

Also split list across multiple lines.

java is the direct parent, ics_start/stop are ancestors.

It setuids to nobody.

A container setup utility.

New rule Write below root detects writes either directly below / or
anywhere below /root.

In addition to system binaries, don't let shells directly open network
connections. Bash has /dev/{tcp,udp} which allows direct connections.

Add additional sensitive mounts, including the docker socket, /,
anywhere below /root, or anywhere below /etc.

Appears to be an ansible script.

At some customers, at container create time events are being lost, and
for that reason programs spawned by the shell that perform network
connections are being misattributed to the shell.

Make the actual sensitive files used by the sensitive files macro a list
so it can be easily extended.

Add the full list of mounts to the output of Launch Sensitive Mount
Container, so it's easy to see which sensitive mount was used.

Helps in diagnosis.

SpamAssassin updater.

See https://help.sumologic.com/Send-Data/Installed-Collectors/05Reference-Information-for-Collector-Installation/08Enhanced-File-System-Security-for-Installed-Collectors.

A legitimate case is k8s mounting /etc/kubernetes/ssl, which was
matching /etc*. The glob matcher we have isn't a full regex so you can't
exclude strings, only characters.

Part of nginx

Generalize jenkins_script_sh to jenkins_scripts and add additional
cases.

Better than globally letting php spawn shells.

rhsmcertd-worke(r), red hat subscription manager

device mapper event daemon.

New macro user_sensitive_mount_containers allows a second rules file to
specify containers/images that can perform sensitive mounts.

It has -g/-u args to change gid/uid.

Also move some other single setuid programs to the list
known_setuid_binaries.

It only checks passwords.

Reorganize the unknown_user_in_container macro to get it working again
in containers. Previously, it was being skipped entirely due to a
problem with handling of unknown users, which get returned as NULL.

The new macro is known_user_in_container, which tests the user.name
against "N/A". It happens that if user.name is NULL, the comparison
fails, so it has the same effect as if the string "N/A" were being
returned. Any valid user name won't match the string "N/A", so known
users will cause the macro to return true.

The setuid rule needs an additional check for not container, so add that.

Add lists of files/directories that are acceptable to write.