Rule updates next #293
Commits on Oct 19, 2017

- b068452
- c25ab63: Start support for db mgmt programs
  Add support for db management programs that tend to spawn shells. Starting with two lists mysql_mgmt_binaries/postgres_mgmt_binaries which are combined into db_mgmt_binaries. db_mgmt_binaries is added to both shell spawning rules and the individual programs are removed.
- e05d379: The program is "python pipeline.py" but it appears to be related to https://github.com/apache/beam/blob/master/sdks/python/apache_beam/pipeline.py.
- 6cd54db: Allow dovecot to setuid by adding to mail_binaries. Allow the program auth, when run by dovecot, to spawn shells.
- b295bfa: Create a list plesk_binaries and allow them to run shells. Also let them write to files below /etc/sw/keys.
- 2b31a1a: Specifically the program starter. Using the full command line to be more specific.
- 079ca27
- 22aa9c9
- 7d630e0
- 9b4e9ea: Let specific phusion passenger binaries run shells
  The program is "my_init", which is fairly generic, so capture it by the full command line.
- 7ebbabb
- 90a5b36
- 4fc1277: Let hostid open network connections
  It might perform dns lookups as a part of resolving ip addresses.
- 145c487
- bb1bb93: Add docker-runc-cur as a docker binary.
  Truncated version of docker-runc-current.
- 56823e2: Add rule for allowed containers
  New rule Launch Disallowed Container triggers when a container is started that does not match the macro allowed_containers. In the main falco rules file, this macro never matches, so it never triggers. However, in a second rules file the macro allowed_containers could be filled in with the specific images that match.
- ff8123b
- 75d5a7b: Appears as java program, so look for the classpath.
- 809b7aa: Make allowed_containers macro more foolproof.
  In some cases, the container image might not be known/is NULL, so the comparison against "dummy-not-allowed-container-image" doesn't work. Replace this with proc.vpid=1, which is in the main rule Launch Disallowed Container. Ensures it will only trigger when the allowed_containers macro is overridden.
- c23ff4b: It's java so you need to look at the classpath.
- 00ddcf6
- 182d70a
- de2432e
- 4e52cf1
- 2eb0103
- 29306b6: Should be testing proc.name, not proc.cmdline.
- e9a1657
- 2604f9e: S99qualys-cloud is the init script, cfn-signal is cloudformation.
- a50b32a
- daa37d6: Let programs run by locales.postins write to /etc
  It can run scripts like sed to modify files before writing the final file.
- 99d4ca7
- 8104cec: Let some shell cmds be spawned outside containers
  We had a list known_container_shell_spawn_cmdlines that contained innocuous commandlines, but it only worked for containers. Split this list into container-specific and general commandlines, and add an exception for the general commandlines for the Run Shell Untrusted rule.
- 3bd8103: Add addl ruby-based passenger spawners
  Add a different way to identify ruby run by phusion passenger.
- c7fa091: Allow bundle ruby cmds to be identified by name
  In some cases, bundle runs ruby scripts by direct script name (foo.rb). Also allow that to spawn shells.
- afbfe1b
- 2bd09cc: Skip setuid rules for containers.
  For now, entirely skip the setuid rule for containers. Will add back once I can find a way to check for unknown users.
- 5a209d0
- dbc7826: Let the direct parent also be scl when the ancestor is tfm-rake,tfm-ruby.
- 709d81d
- 0b49909: Also let cron spawn shells in containers
  Seen when using things like phusion passenger.
- 480a1eb: Also let run-parts run cmp/cp for sensitive files
  Might be a case of a missing process but might also be legitimate.
- d2cd0dc
- f43fdaf
- 841f94b
- 3d73f77: Add imap/mailmng-core as mail binaries.
  Also split list across multiple lines.
- 6344215
- cde79ff
- 8299675: Let ics_start/stop running java spawn shells
  java is the direct parent, ics_start/stop are ancestors.
- 17145d8
- 0c12507
- 5f0d0d5
- 6bfeb6c: New rule Write below root detects writes either directly below / or anywhere below /root.
- f8431d3: Don't let shells directly open network connections
  In addition to system binaries, don't let shells directly open network connections. Bash has /dev/{tcp,udp} which allows direct connections.
- b6e7215: Add additional sensitive mounts.
  Add additional sensitive mounts, including the docker socket, /, anywhere below /root, or anywhere below /etc.
Commits on Oct 20, 2017

- 2be5da9: Let pki-realm write below /etc/pki/realms
  Appears to be an ansible script.
- 4539521
- 0fa5315
- 6ec06b8
- cc47fa2
- 38f8df1
- 8c0c789
- ecbfa1a: Temporarily undo shells opening net conns update
  At some customers, at container create time events are being lost, and for that reason programs spawned by the shell that perform network connections are being misattributed to the shell.
- 75fdbf4: Make the actual sensitive files a list.
  Make the actual sensitive files used by the sensitive files macro a list so it can be easily extended.
Commits on Oct 23, 2017

- 370f64b: Print mounts in Launch Sensitive Mount Container
  Add the full list of mounts to the output of Launch Sensitive Mount Container, so it's easy to see which sensitive mount was used.
- 18c405d
- a6123e9
- b469122
- d1c827d
- e640ac4
- 26171da: Only consider full mounts of /etc as sensitive
  A legitimate case is k8s mounting /etc/kubernetes/ssl, which was matching /etc*. The glob matcher we have isn't a full regex so you can't exclude strings, only characters.
Commits on Oct 24, 2017

- d3ccae3
- 7b99c57
- 84e36d9
- fd68ab7: Generalize jenkins scripts spawning shells
  Generalize jenkins_script_sh to jenkins_scripts and add additional cases.
- 244397f: Let php run by assemble spawn shells
  Better than globally letting php spawn shells.
- 99d275c
- 3966187: Add additional package mgmt prog
  rhsmcertd-worke(r), Red Hat subscription manager
- 4c1f0ff
- 9c2b110
- ea1af2b
Commits on Oct 25, 2017

- ee78d96
- bc54809: Add user allowed sensitive mounts
  New macro user_sensitive_mount_containers allows a second rules file to specify containers/images that can perform sensitive mounts.
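
The two override points introduced in this PR (allowed_containers from 56823e2/809b7aa and user_sensitive_mount_containers from bc54809) share one mechanism: the main rules file ships a placeholder macro that keeps the rule silent, and a second rules file loaded afterwards redefines it. The following is an added example of such a second file; it is not code from this PR or from the Falco project. The file name falco_rules.local.yaml, the list name allowed_images and every image name are assumptions constructed for the example; container.image, proc.vpid, startswith and in are Falco's own fields and operators.

```yaml
# Added example: a second Falco rules file (assumed name falco_rules.local.yaml),
# loaded after the main falco_rules.yaml, that fills in the placeholder macros.
# All image names and the list name below are constructed for this example.

# In the main rules file, allowed_containers is just (proc.vpid=1). Because
# Launch Disallowed Container already requires proc.vpid=1, "not allowed_containers"
# can never be true there, so the rule stays silent until this file overrides it.
# After the override, any container whose image is not listed triggers the rule.
- list: allowed_images
  items: [registry.example.internal/app/api, registry.example.internal/app/worker]

- macro: allowed_containers
  condition: >
    (container.image in (allowed_images)
     or container.image startswith "registry.example.internal/base/")

# Images that may legitimately be started with a sensitive mount (the docker
# socket, /, anything below /root, a full mount of /etc). Launch Sensitive Mount
# Container keeps firing for every other image that does so.
- macro: user_sensitive_mount_containers
  condition: (container.image startswith "registry.example.internal/ops/node-agent")
```

A macro redefined in a later-loaded rules file replaces the earlier definition, which is what the commit messages rely on; leave the placeholder in the main file untouched so a deployment that has not been customised stays silent instead of alerting on every container. Keep the override narrow: a prefix match on a private registry path is a reasonable boundary, while a prefix as broad as a whole registry host would admit any image pushed there.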
- f9035d7: Add start-stop-daemon as setuid program
  It has -g/-u args to change gid/uid. Also move some other single setuid programs to the list known_setuid_binaries.
- d5277c5
- ac02fae
- bcebe72
- 91892f0
- 7f6dfff: Don't consider unix_chkpwd to be a user mgmt prog
  It only checks passwords.
- b08ea96: Get setuid for NULL user in container working
  Reorganize the unknown_user_in_container macro to get it working again in containers. Previously, it was being skipped entirely due to a problem with handling of unknown users, which get returned as NULL. The new macro is known_user_in_container, which tests the user.name against "N/A". It happens that if user.name is NULL, the comparison fails, so it has the same effect as if the string "N/A" were being returned. Any valid user name won't match the string "N/A", so known users will cause the macro to return true. The setuid rule needs an additional check for not container, so add that.
- 71a386f: Add exceptions for Write below root
  Add lists of files/directories that are acceptable to write.