Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rule updates 2018 02.v2 #326

Merged
merged 26 commits into from
Feb 26, 2018
Merged

Rule updates 2018 02.v2 #326

merged 26 commits into from
Feb 26, 2018

Conversation

mstemm
Copy link
Contributor

@mstemm mstemm commented Feb 20, 2018

No description provided.

Programs are omiagent/omsagent/PerformInventor/in_heartbeat_r* and files
are below /etc/opt/omi and /etc/opt/microsoft/omsagent.
Some cassandra cmdlines are so long the classpath truncates the cmdline
before the actual entry class gets named. In those cases also look for
cassandra-specific config options.
Also add a couple of postgres cluster management programs.
Add parent/grandparent process info.
In some cases, a file below root might be detected but the file itself
has no directory component at all. This might be a bug with dropped
events. Make the test more strict by requiring that the file actually
contains a "/".
Some rules such as reading sensitive files and writing below etc have
many exceptions that depend on the process name. In very busy
environments, system call events might end up being dropped, which
causes the process name to be missing.

In these cases, we'll let the sensitive file read/write below etc to
occur. That's handled by a macro proc_name_exists, which ensures that
proc.name is not "<NA>" (the placeholder when it doesn't exist).
ucf is a general purpose config copying program, so let it generally
write below /etc, as long as it in turn is run by the apt program
"frontend".
Each has specific subdirectories below /etc
Let sed write to additional temporary files (some directory + "sed")
below /etc. All generally related to package installation scripts.
Let rabbitmq spawn limited shells that perform read-only tasks like
reading processes/ifaces.

Let rabbitmqctl generally spawn shells.
Let redis run specific startup/shutdown scripts that trigger at
start/stop. They generally reside below /etc/redis, but just looking for
the names redis-server.{pre,post}-up in the commandline.
https://github.com/saleyn/erlexec, "Execute and control OS processes
from Erlang/OTP."
As a part of these changes, we updated some of the positive trace files
to properly include a process name. These newer trace files have
additional opens, so update the expected event counts to match.
Symantec AV for Linux, sosreport, semodule (selinux), all with their
config files.
Try improving coverage of run shell untrusted by looking for shells
below node processes again. Want to see how many FPs this causes before
fully committing to it.
Generally, we don't want to consider all uses of node as a service wrt
spawned shells. But we might be able to consider node run directly by
docker as a "service". So add that to protected_shell_spawner.
This should handle cases where PM2 manages node apps.
Do a pass over the set of macros/lists, removing most of those that are
no longer referred to by any macro/list. The bulk of the macros/lists
were related to the rule Run Shell Untrusted, which was refactored to
only detect shells run below specific programs. With that change, many
of these exceptions were no longer neeeded.
Add a never_true macro that will never match any event. Useful if you
want to disable a rule/macro/etc.
Add the macro veritas_writing_config to write_below_etc, which was
mistakenly not added before.
The change to generally consider node run directly in a container as a
protected shell spawner was too permissive, causing false
positives. However, there are some deployments that want to track shells
spawned by node as suspect. To address this, create a macro
possibly_node_in_container which defaults to never matching (via the
never_true) macro. In a user rules file, you can override the macro to
remove the never_true clause, reverting to the old behavior.
Some macros/lists are still referred to by some widely used user rules
files, so add them back temporarily.
@mstemm mstemm merged commit 947faca into dev Feb 26, 2018
@mstemm mstemm deleted the rule-updates-2018-02.v2 branch February 26, 2018 18:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants