Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rule updates 2018 04.v2 #366

Merged
merged 23 commits into from
Jul 6, 2018
Merged

Rule updates 2018 04.v2 #366

merged 23 commits into from
Jul 6, 2018

Conversation

mstemm
Copy link
Contributor

@mstemm mstemm commented May 16, 2018

No description provided.

@mstemm mstemm closed this May 22, 2018
@mstemm
Copy link
Contributor Author

mstemm commented May 22, 2018

testing new falco integration

@mstemm mstemm reopened this May 22, 2018
@mstemm mstemm force-pushed the rule-updates-2018-04.v2 branch 2 times, most recently from 0a08c22 to f419af2 Compare May 22, 2018 20:47
mstemm and others added 20 commits June 12, 2018 13:32
@mstemm
Add alternatives as a binary dir writer
12a39e3 
It can set symlinks below binary dirs.
@mstemm
Let userhelper read sens.files/write below /etc
f547ee3 
Part of usermode package, can be used by oVirt.
@mstemm
Let package mgmt progs urlgrabber pki files
a4aae62 
Some package management programs run urlgrabber-ext-{down} to update pki
files.
@mstemm
Add additional root directory
24c7ab2 
for Jupyter-notebook
@mstemm
Let brandbot write to /etc/os-release
ce96033 
Used on centos
@mstemm
Add an additional veritas conf directory.
34adeb9 
Also /etc/opt/VRTS...
@mstemm
Let appdynamics spawn shells
d44efaf 
Java, so we look at parent cmdline.
@mstemm
Add more ancestors to output
460cf82 
In an attempt to track down the source of some additional shell
spawners, add additional parents.
@mstemm
Let chef write below bin dirs/rpm database
73e0b56 
Rename an existing macro chef_running_yum_dump to python_running_chef
and add additional variants.

Also add chef-client as a package management binary.
@mstemm
Remove dangling macro.
cd12d3d 
No longer in use.
@mstemm
Add additional volume mgmt progs
f2ccb80 
Add pvscan as a volume management program and add an additional
directory below /etc. Also rename the macro to make it more generic.
@mstemm
Let openldap write below /etc/openldap
3b55367 
Only program is run-openldap.sh for now.
@mstemm
Add additional veritas directory
71ea5b9 
Also /etc/vom.
@mstemm
Let sed write /etc/sedXXXXX files
966f62b 
These are often seen in install scrips for rpm/deb packages. The test
only checks for /etc/sed, as we don't have anything like a regex match
or glob operator.
@mstemm
Let dse (DataStax Search) write to /root
c6695bc 
Only file is /root/tmp__.
@mstemm
Add additional mysql programs and directories
b167309 
Add run-mysqld and /etc/my.cnf.d directory.
@mstemm
Let redis write its config below /etc.
4637997
@mstemm
Let id program open network connections
5a8428b 
Seen using port 111 (sun-rpc, but really user lookups).
@mstemm
Opt-in rule for protecting tomcat shell spawns
01f9d72 
Some users want to consider any shell spawned by tomcat suspect for
example, protecting against the famous apache struts attack
CVE-2017-5638, while others do not.

Split the difference by adding a macro
possibly_parent_java_running_tomcat, but disabling it by default.
@chipsysdig @mstemm
added ossec-syscheckd to read_sensitive_file_binaries
29923b3
@mstemm mstemm force-pushed the rule-updates-2018-04.v2 branch from 4dcdd1e to 29923b3 Compare June 12, 2018 20:32
mstemm added 3 commits June 12, 2018 13:46
@mstemm
Add "Write below monitored directory"
2ad7452 
Take the technique used by "Write below binary dir", and make it more
general, expanding to a list of "monitored directories". This contains
common directories like /boot, /lib, etc.

It has a small workaround to look for home ssh directories without using
the glob operator, which has a pending fix in
draios/sysdig#1153.
@mstemm
Fix FPs
739e11c 
Move monitored_dir to after evt type checks and allow mkinitramfs to
write below /boot
@mstemm
Addl boot writers.
08a2f98
@mstemm mstemm merged commit c5523d8 into dev Jul 6, 2018
@mstemm mstemm deleted the rule-updates-2018-04.v2 branch July 6, 2018 20:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
area/rules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mstemm @fntlnz @chipsysdig