More beta updates #259
Merged
mstemm force-pushed the more-beta-updates branch from 4da5da0 to 4ffe7be (July 14, 2017 18:00)
mstemm force-pushed the more-beta-updates branch from 3b30644 to c2619bd (September 18, 2017 20:56)
Add additional shell spawning command lines. Allow package management binaries in containers--lots of people seem to do it. Also allow pycompile/py3compile. I need to refactor the shell spawners to more clearly isolate shell spawners that we don't want to occur in a container from ones that can run both inside and outside of a container.
http://hhvm.com/, "open-source virtual machine designed for executing programs written in Hack and PHP."
dpkg-reconfigur(e), not to be confused with dpkg-preconfigu(re)
It was already allowed to change namespaces.
add-shell and remove-shell are programs that remove shells from /etc/shells. They are allowed to write to files below /etc.
It can modify /etc/resolv.conf.
Truncation intentional.
At least for some logstash configs, device files get written to below /etc/logstash instead of elsewhere like /var.
X11 program.
Use single quotes for the outer yaml-level strings, and double quote for the quoted string.
Dangling parentheses intentional.
They will modify things like dns servers, etc.
Include the container image in the "run shell in container" rule output.
Add additional command lines for known shells.
A new (empty) list user_known_container_shell_spawn_binaries allows additional files to add additional programs that are allowed to spawn shells in containers.
Let's encrypt client program.
mesos diagnostics service.
Part of let's encrypt.
The nginx docker hub container will write below that directory at startup.
It was checking the current process instead of the parent, which doesn't work when you've just done an exec.
- Allow several combinations of scripting programs (ruby, python, etc.) to run other build-ish commands.
- Let mysql_install_d(b) spawn shells and access sensitive files.
- Let qualys-cloud-ag(ent) spawn shells
- Add a few additional innocuous commandlines
- Let postfix setuid to itself
- Move qualys-cloud-ag to the monitoring_binaries list
- Add a new list sendmail_config_binaries containing programs that can modify files.
- Make parent_php_running_git a bit more generic for parent_php_running_builds and add some additional sub-commands.
Similar model as chef/qualys/etc.
Similar to user_known_write_etc_conditions, add the ability to easily override sensitive file reads in a second rules file.
Another sendmail binary.
It's not direct, hence the run_by_adclient macro.
Some general management scripts, possibly run by sshkit (need to check).
Let adclient/certutil spawn shells and write below etc.
not smmsp, that was the user.
It's actually the programs spawned by sshkit scripts that modify files below /etc.
This is higher up than other programs.
Similar to showq
Add crlutil as a program that can modify below etc. Let centrify programs modify below etc. Add more info for writes below etc to track etc writers through scripts. Increase the level of debugging for shells.
They have names {1234}_scheduler and need to be quoted as they start with digits.
Jenkins spawns shells via script.sh, so allow it.
Used by docker swarm http routing mesh.
It can have more intermediate shells, is allowed to write to its own conf file, and can run user management binaries.
mstemm force-pushed the more-beta-updates branch from 95776c1 to 0d88c30 (October 9, 2017 16:20)
- Let gem install software.
- Let ruby spawn shells when run by bundle.
- Let yarn spawn shells
- Add several allowed commandlines
- Let configure spawn shells in containers
Let git-remote-http modify files below the nssdb.
Shell in container is now debug level, so adjust test case to match.
Work around draios/sysdig#954, which relates to not always knowing the proper user name in containers, by not running the rule when in a container and the user name is "<NA>". This won't address cases where the uid from inside the container maps to a user name outside the container that is different than the user inside the container, but it will help a bit.
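An added illustration (not code from this PR or from the Falco rules files) of two mechanisms the commits above describe: the empty `user_known_container_shell_spawn_binaries` list that a second rules file can redefine to allow site-specific shell spawners, and the `<NA>` user-name workaround for draios/sysdig#954. Field names (proc.name, proc.pname, container.id, user.name, container.image) are Falco's; the list contents, the rule wording, attaching the workaround to this particular rule, and the second file's name are assumptions.

```yaml
# --- Main rules file (illustrative reconstruction, not the PR's diff) ---

- list: shell_binaries
  items: [bash, csh, ksh, sh, tcsh, zsh, dash]

# Empty by design: a site-specific rules file loaded later redefines it.
- list: user_known_container_shell_spawn_binaries
  items: []

- macro: spawned_process
  condition: evt.type = execve and evt.dir=<

- macro: container
  condition: container.id != host

- macro: shell_procs
  condition: proc.name in (shell_binaries)

# The parent (proc.pname) is checked, not the process itself: right after
# an exec the current process already is the shell.
- macro: parent_allowed_to_spawn_shell_in_container
  condition: proc.pname in (user_known_container_shell_spawn_binaries)

# Workaround for draios/sysdig#954: inside a container the user name may
# come back as "<NA>", so skip the rule rather than alert on an unknown user.
- macro: unknown_container_user
  condition: container and user.name="<NA>"

- rule: Run shell in container
  desc: A shell was spawned by a non-shell program in a container.
  condition: >
    spawned_process and container and shell_procs
    and not parent_allowed_to_spawn_shell_in_container
    and not unknown_container_user
  output: >
    Shell spawned in a container other than entrypoint
    (user=%user.name container=%container.id image=%container.image
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: DEBUG

# --- Second rules file (name assumed: falco_rules.local.yaml), listed after
# --- the main file under rules_file in falco.yaml. A later definition of the
# --- same list name replaces the earlier one, which is why the main list is
# --- left empty. The program name below is a constructed placeholder.
- list: user_known_container_shell_spawn_binaries
  items: [my_build_wrapper]
```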