
Add filesize condition to linux_multi_persist rule #515

Merged (4 commits, Oct 12, 2024)

Conversation

@egibs egibs commented Oct 11, 2024

Follow-up for: wolfi-dev/os#30457

This PR initially added a Gitaly override rule for linux_multi_persist but now adds a filesize < 20MB condition which will automatically ignore larger files (gitaly was ~270-280MB).

@egibs egibs requested a review from tstromberg October 11, 2024 19:35
@tstromberg tstromberg left a comment

Looks good. I also wonder if the original rule should be guarded by a file size. IMHO, any Linux binary over 10-20MB is unlikely to be a persistence dropper.

egibs commented Oct 12, 2024

> Looks good. I also wonder if the original rule should be guarded by a file size. IMHO, any Linux binary over 10-20MB is unlikely to be a persistence dropper.

Good point. I'll rework the PR to add the filesize limit which will make the override moot.

@egibs egibs changed the title from "Add Gitaly override rule" to "Add filesize condition to linux_multi_persist rule" Oct 12, 2024
@@ -14,5 +14,5 @@ rule linux_multi_persist : critical {
$bash_ref6 = "/etc/bashrc"
$bash_ref7 = "/etc/bash"
condition:
($initd or $udev) and $crontab and any of ($bash*)
filesize < 20MB and ($initd or $udev) and $crontab and any of ($bash*)
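Review bot: the new `filesize < 20MB` guard is attacker-controllable and carries no comment explaining the threshold; a dropper that pads itself past 20 MiB (YARA's `MB` suffix is 1024*1024) never reaches the string checks, so the rule trades a false positive on a ~270 MB binary for a trivial bypass. Suggest a one-line comment above `condition:` recording why 20MB was chosen (the review thread floats 10-20MB) and that the guard exists for precision, not evasion resistance. Minor, visible in the same hunk: `$bash_ref7 = "/etc/bash"` is a prefix of `$bash_ref6 = "/etc/bashrc"`, so `any of ($bash*)` is already satisfied by `$bash_ref7` anywhere `$bash_ref6` would match, and `$bash_ref6` adds nothing to the condition.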
Member Author

$ go run cmd/mal/mal.go analyze ./out/gitaly 
🔎 Scanning "./out/gitaly"
out/gitaly [🔥 HIGH]
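The following is an added example, not code from this PR or from the malcontent project: a plain-Python mirror of the `linux_multi_persist` condition shown in the diff, run over constructed inputs so the effect of the `filesize < 20MB` guard is visible both ways (it drops a large Go-binary-sized false positive, and it also drops a dropper that has simply been padded past the threshold). The page only shows `$bash_ref6` and `$bash_ref7`; the byte values used here for `$initd`, `$udev` and `$crontab` are assumed stand-ins, and all sample blobs are constructed.

```python
from typing import Optional

# YARA size suffixes are binary: 20MB in a YARA condition is 20 * 1024 * 1024 bytes.
YARA_MB = 1024 * 1024
MAX_SIZE = 20 * YARA_MB

# ASSUMED stand-ins: the real $initd/$udev/$crontab strings are not on the page.
INITD = b"/etc/init.d"
UDEV = b"/etc/udev/rules.d"
CRONTAB = b"crontab"
# These two are the strings visible in the diff ($bash_ref6, $bash_ref7).
BASH_REFS = [b"/etc/bashrc", b"/etc/bash"]


def linux_multi_persist(data: bytes, max_size: Optional[int] = MAX_SIZE) -> bool:
    """Mirror of: filesize < 20MB and ($initd or $udev) and $crontab and any of ($bash*).

    The size check is evaluated first, as in the rule, so a large file is rejected
    before any string scanning. Passing max_size=None reproduces the pre-PR condition.
    """
    if max_size is not None and len(data) >= max_size:
        return False
    return (
        (INITD in data or UDEV in data)
        and CRONTAB in data
        and any(ref in data for ref in BASH_REFS)
    )


def sample_dropper() -> bytes:
    """Constructed small blob carrying every persistence string the rule looks for."""
    return (
        b"\x7fELF" + b"\0" * 64
        + INITD + b"\0"
        + CRONTAB + b"\0"
        + b"/etc/bashrc" + b"\0"
    )


def pad_to(data: bytes, size: int) -> bytes:
    """Null-pad a blob out to `size` bytes (stand-in for a big binary, or for an evader)."""
    return data + b"\0" * max(0, size - len(data))


def evaluate_samples() -> dict:
    """Run the mirrored condition over the constructed samples and return the verdicts."""
    dropper = sample_dropper()
    # 21 MiB stands in for a large legitimate binary that happens to contain the same
    # strings (gitaly itself was ~270-280 MB); the same bytes also model a dropper
    # that padded itself to slip under the guard, which is the caveat of this change.
    big = pad_to(dropper, 21 * YARA_MB)
    return {
        "small_dropper": linux_multi_persist(dropper),
        "large_binary_with_guard": linux_multi_persist(big),
        "large_binary_without_guard": linux_multi_persist(big, max_size=None),
    }


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name}: {'MATCH' if verdict else 'no match'}")
```

The third verdict is the one the size guard changes: with the guard off, the 21 MiB blob matches exactly as the small dropper does, which is why the override rule became moot once the condition gained the size check, and also why a dropper can opt out of the rule by growing past 20 MiB.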

@egibs egibs merged commit 2587f5c into chainguard-dev:main Oct 12, 2024
6 checks passed
@egibs egibs deleted the gitaly-override branch October 12, 2024 23:18