-
Notifications
You must be signed in to change notification settings - Fork 68
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Add alternatives as a binary dir writer It can set symlinks below binary dirs. * Let userhelper read sens.files/write below /etc Part of usermode package, can be used by oVirt. * Let package mgmt progs urlgrabber pki files Some package management programs run urlgrabber-ext-{down} to update pki files. * Add additional root directory for Jupyter-notebook * Let brandbot write to /etc/os-release Used on centos * Add an additional veritas conf directory. Also /etc/opt/VRTS... * Let appdynamics spawn shells Java, so we look at parent cmdline. * Add more ancestors to output In an attempt to track down the source of some additional shell spawners, add additional parents. * Let chef write below bin dirs/rpm database Rename an existing macro chef_running_yum_dump to python_running_chef and add additional variants. Also add chef-client as a package management binary. * Remove dangling macro. No longer in use. * Add additional volume mgmt progs Add pvscan as a volume management program and add an additional directory below /etc. Also rename the macro to make it more generic. * Let openldap write below /etc/openldap Only program is run-openldap.sh for now. * Add additional veritas directory Also /etc/vom. * Let sed write /etc/sedXXXXX files These are often seen in install scrips for rpm/deb packages. The test only checks for /etc/sed, as we don't have anything like a regex match or glob operator. * Let dse (DataStax Search) write to /root Only file is /root/tmp__. * Add additional mysql programs and directories Add run-mysqld and /etc/my.cnf.d directory. * Let redis write its config below /etc. * Let id program open network connections Seen using port 111 (sun-rpc, but really user lookups). * Opt-in rule for protecting tomcat shell spawns Some users want to consider any shell spawned by tomcat suspect for example, protecting against the famous apache struts attack CVE-2017-5638, while others do not. Split the difference by adding a macro possibly_parent_java_running_tomcat, but disabling it by default. * added ossec-syscheckd to read_sensitive_file_binaries * Add "Write below monitored directory" Take the technique used by "Write below binary dir", and make it more general, expanding to a list of "monitored directories". This contains common directories like /boot, /lib, etc. It has a small workaround to look for home ssh directories without using the glob operator, which has a pending fix in draios/sysdig#1153. * Fix FPs Move monitored_dir to after evt type checks and allow mkinitramfs to write below /boot * Addl boot writers.
- Loading branch information
Showing
1 changed file
with
108 additions
and
19 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters