adding a few executables in corresponding groups #445

Merged (4 commits), Nov 9, 2018
8 changes: 4 additions & 4 deletions rules/falco_rules.yaml
Expand Up @@ -204,7 +204,7 @@
# A canonical set of processes that run other programs with different
# privileges or as a different user.
- list: userexec_binaries
items: [sudo, su, suexec]
items: [sudo, su, suexec, critical-stack]

- list: known_setuid_binaries
items: [
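Review bot: critical-stack does not obviously fit the definition in the list's own comment, "processes that run other programs with different privileges or as a different user", the way sudo, su and suexec do, and the PR gives no explanation of what it is; every rule that exempts userexec_binaries now also exempts it. Either add a one-line comment stating why it qualifies, or put it in a list named for what it actually is and reference that list only from the rules that need the exception.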
Expand All @@ -220,7 +220,7 @@
items: [blkid, rename_device, update_engine, sgdisk]

- list: hids_binaries
items: [aide]
items: [aide, aide.wrapper, update-aide.con, logcheck, syslog-summary, osqueryd, ossec-syscheckd]

- list: vpn_binaries
items: [openvpn]
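Review bot: `update-aide.con` is 15 characters, the same clipped form as `update-ca-certi`, `locales.postins` and `openshift-launc` later in this file, so it is presumably `update-aide.conf` truncated to the process-name length; a comment saying so would stop a later reader from "fixing" it to the full name, which would never match. Also, this single line is now far longer than its neighbours; the bracketed multi-line layout used for mail_config_binaries in the next hunk would keep it readable.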
Expand All @@ -242,7 +242,7 @@
items: [
update_conf, parse_mc, makemap_hash, newaliases, update_mk, update_tlsm4,
update_db, update_mc, ssmtp.postinst, mailq, postalias, postfix.config.,
postfix.config, postfix-script
postfix.config, postfix-script, postconf
]

- list: sensitive_file_names
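Review bot: mail_config_binaries is referenced through proc.pname as well (see the `not proc.pname in (... mail_config_binaries ...)` context further down), so adding postconf exempts not only postconf's own writes below /etc but any /etc write by a process whose parent is postconf. That is probably acceptable for a Postfix configuration tool, but the commit message should say so, since the list's effect is wider than its name suggests.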
Expand Down Expand Up @@ -852,7 +852,7 @@
gen_resolvconf., update-ca-certi, certbot, runsv,
qualys-cloud-ag, locales.postins, nomachine_binaries,
adclient, certutil, crlutil, pam-auth-update, parallels_insta,
openshift-launc, update-rc.d)
openshift-launc, update-rc.d, ufw, cloud-init)
Contributor:

For ufw, could we limit the scope to both the ufw program as well as the directory to which it writes? With something like this:

- macro: ufw_writing_config
  condition: proc.name=ufw and fd.directory=/etc/ufw

And then add ufw_writing_config to the (long) list of exceptions in write_etc_common.

For cloud-init, it looks like your example involves writing below /root/.ssh, right? In which case you want to add it as an exception to the Write below monitored dir rule instead. Again, ideally the exception would tie together the program as well as the file/directory being written.

I have some other rule updates pending, so if you'd like I can merge this PR and then make those changes in my rule updates branch once I rebase.

Contributor Author:

No problem, good to me. Thanks @mstemm!

and not proc.pname in (sysdigcloud_binaries, mail_config_binaries, hddtemp.postins, sshkit_script_binaries, locales.postins, deb_binaries, dhcp_binaries)
and not fd.name pmatch (safe_etc_dirs)
and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc)
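Review bot: `ufw` and `cloud-init` are added to the bare proc.name exception list of write_etc_common, which ignores every write below /etc by either program rather than only writes to /etc/ufw; a macro that ties proc.name=ufw to fd.directory=/etc/ufw, as the reviewer suggests, keeps the exception exactly as narrow as the behaviour being allowed. cloud-init's writes, per the discussion, land below /root/.ssh, so it does not belong in an /etc exception at all and should instead be excepted from the Write below monitored dir rule, again paired with the directory it writes to.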
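One way to write the scoped exceptions the reviewer describes, as an added illustration rather than code from this PR: the /root/.ssh path comes from the discussion, the macro names are invented, and `append: true` assumes a Falco release that supports appending to an existing macro or rule condition.

```yaml
# Over-broad form (what adding the names to write_etc_common's proc.name list
# amounts to): any write below /etc by a process called ufw or cloud-init is
# ignored, whatever file it touches.
#   and not proc.name in (..., ufw, cloud-init)

# Scoped form: the exception requires both the program name and the directory.
# fd.directory is the directory containing the written file, so only files
# directly under /etc/ufw match; use "fd.name startswith /etc/ufw/" if
# subdirectories must be covered as well.
- macro: ufw_writing_config
  condition: proc.name=ufw and fd.directory=/etc/ufw

# cloud-init writing SSH material below /root/.ssh (path taken from the PR
# discussion; hypothetical macro name).
- macro: cloud_init_writing_ssh
  condition: proc.name=cloud-init and fd.directory=/root/.ssh

# Attach the macros as exceptions. "append: true" adds the text to the existing
# condition instead of replacing it (assumes a Falco version with append support).
- macro: write_etc_common
  condition: and not ufw_writing_config
  append: true

- rule: Write below monitored dir
  condition: and not cloud_init_writing_ssh
  append: true
```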