
adding few executables in corresponding groups #445

Merged
merged 4 commits into from
Nov 9, 2018

Conversation


@juju4 juju4 commented Oct 20, 2018

  • Warning Sensitive file opened for reading by non-trusted program (user=root program=osqueryd command=osqueryd
  • postconf (ubuntu/debian)
  • Error File below /etc opened for writing (user=root command=postconf -e inet_protocols=all parent=postfix.postins pcmdline=postfix.postins -e /var/lib/dpkg/info/postfix.postinst configure file=/etc/postfix/main.cf.tmp program=postconf gparent=frontend ggparent=dpkg gggparent=apt-get)
  • ufw, cloud-init
  • Error File below /etc opened for writing (user=root command=ufw /usr/sbin/ufw disable parent=bash pcmdline=bash file=/etc/ufw/ufw.conf program=ufw gparent=sshd ggparent=sshd gggparent=systemd)
  • Error File below a monitored directory opened for writing (user=root command=cloud-init /usr/bin/cloud-init init file=/root/.ssh/authorized_keys parent=init pcmdline=init gparent=lxd)

Thanks


mstemm commented Nov 7, 2018

Thanks for the updates! A couple of inline comments.

@@ -852,7 +852,7 @@
gen_resolvconf., update-ca-certi, certbot, runsv,
qualys-cloud-ag, locales.postins, nomachine_binaries,
adclient, certutil, crlutil, pam-auth-update, parallels_insta,
openshift-launc, update-rc.d)
openshift-launc, update-rc.d, ufw, cloud-init)
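Review bot: Appending ufw and cloud-init to this proc.name exception list exempts every process carrying either name from the rule for any write below /etc, which is broader than the two events in the PR description support: ufw only touched /etc/ufw/ufw.conf, and the cloud-init event wrote /root/.ssh/authorized_keys, which is not below /etc at all and is reported by the monitored-directory rule rather than this one. Suggest a scoped macro such as `proc.name=ufw and fd.directory=/etc/ufw` referenced from this list instead of the bare name, and handling cloud-init as a similarly scoped exception to the "Write below monitored dir" rule.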
mstemm (Contributor):

For ufw, could we limit the scope to both the ufw program as well as the directory to which it writes? With something like this:

- macro: ufw_writing_config
  condition: proc.name=ufw and fd.directory=/etc/ufw

And then add ufw_writing_config to the (long) list of exceptions in write_etc_common.

For cloud-init, it looks like your example involves writing below /root/.ssh, right? In which case you want to add it as an exception to the Write below monitored dir rule instead. Again, ideally the exception would tie together the program as well as the file/directory being written.

I have some other rule updates pending, so if you'd like I can merge this PR and then make those changes in my rule updates branch once I rebase.
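The two exception styles discussed in the comment above, written out as Falco macros. This is an added example, not code from the PR or from the Falco rules file: `write_etc_common` and the "Write below monitored dir" rule are named on the page, but every other macro name here is made up for illustration, the rule bodies are simplified skeletons rather than Falco's real definitions, and the standard Falco `open_write` macro is assumed to be available.

```yaml
# Added example, not part of the PR or of falco_rules.yaml.
# Assumptions: Falco's standard `open_write` macro exists; all macro/rule
# names except write_etc_common and "Write below monitored dir" are invented.

# Name-only exception (the shape of the change in the diff hunk): any process
# called ufw or cloud-init may write any file below /etc.
- macro: write_etc_common_name_only
  condition: >
    open_write and fd.name startswith /etc
    and not proc.name in (ufw, cloud-init)

# Scoped exception: tie the program to the directory it legitimately owns.
# In the reported event ufw rewrote only /etc/ufw/ufw.conf.
- macro: ufw_writing_config
  condition: proc.name=ufw and fd.directory=/etc/ufw

# cloud-init wrote /root/.ssh/authorized_keys, which is not below /etc, so its
# exception belongs with the monitored-directory rule, again scoped to the path.
- macro: cloud_init_writing_root_ssh
  condition: proc.name=cloud-init and fd.name startswith /root/.ssh

# How the scoped macro plugs into the /etc rule. The condition body is an
# illustrative skeleton of write_etc_common, not its real definition.
- macro: write_etc_common_scoped
  condition: >
    open_write and fd.name startswith /etc
    and not ufw_writing_config

# Skeleton of the monitored-directory rule with the cloud-init exception.
- rule: Write below monitored dir (scoped example)
  desc: Illustrative skeleton; the real rule covers more directories
  condition: >
    evt.dir = < and open_write and fd.name startswith /root/.ssh
    and not cloud_init_writing_root_ssh
  output: >
    File below a monitored directory opened for writing
    (user=%user.name command=%proc.cmdline file=%fd.name parent=%proc.pname)
  priority: ERROR
```

With the scoped macros, a process that merely calls itself `ufw` and writes to /etc/passwd, or a binary named `cloud-init` that appends to /etc/sudoers, still raises the alert; only the program writing into the location it is expected to manage is silenced. That is the difference between the name-only list and the program-plus-directory form the reviewer asks for.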

juju4 (Contributor, Author):

No problem, good to me. Thanks @mstemm!

@mstemm mstemm merged commit b79670a into falcosecurity:dev Nov 9, 2018
@fntlnz fntlnz mentioned this pull request Aug 8, 2019
3 participants