Several changes to reduce FPs #196

Merged
merged 1 commit into from
Jan 25, 2017

Conversation

mstemm (Contributor) commented Jan 24, 2017

Several changes to reduce spurious alerts when managing machines via
ansible:

  • Add ansible_running_python (that is, ansible-spawned python scripts)
    as scripts that can read sensitive files and write below
    /etc. Notably this is the user ansible module.
  • Also add comments to ansible_running_python suggesting users make it
    more strict by specifically naming the root directory for ansible
    scripts.

Also other changes to reduce FPs:

  • add apt-add-reposit, apt-auto-remova (truncation intentional),
    apt-get, apt, apt-key as package management programs, and add package
    management binaries to the set of shell spawners. The overlapping
    binaries that were in known_shell_spawn_binaries were removed.
  • add passwd_binaries, gpg, insserv, apparmor_parser, update-mime,
    tzdata.{config,postinst}, systemd-machine, and debconf-show to
    the set of binaries that can write below /etc.
  • Add vsftpd as a program that can read sensitive files.
  • Add additional programs (incl. python support programs like pip,
    pycompile) as ones that can spawn shells.
  • Allow privileged containers to spawn shells.
  • Break out the set of files below /dev that are written to with O_CREAT
    into a separate list, and add /dev/random,urandom,console to the list.

mstemm force-pushed the improve-ansible-support branch 4 times, most recently from b15465a to 4cb5b42 on January 24, 2017 20:05

Commit message:
Several changes to reduce spurious alerts when managing machines via
ansible:

 - Add ansible_running_python (that is, ansible-spawned python scripts)
   as scripts that can read sensitive files and write below
   /etc. Notably this is the user ansible module.
 - Also add comments to ansible_running_python suggesting users make it
   more strict by specifically naming the root directory for ansible
   scripts.
 - Add pypy as a python variant that can run ansible-related scripts.

Also other changes to reduce FPs:

 - add apt-add-reposit, apt-auto-remova (truncation intentional),
   apt-get, apt, apt-key as package management programs, and add package
   management binaries to the set of shell spawners. The overlapping
   binaries that were in known_shell_spawn_binaries were removed.
 - add passwd_binaries, gpg, insserv, apparmor_parser, update-mime,
   tzdata.{config,postinst}, systemd-machine, and debconf-show to
   the set of binaries that can write below /etc.
 - Add vsftpd as a program that can read sensitive files.
 - Add additional programs (incl. python support programs like pip,
   pycompile) as ones that can spawn shells.
 - Allow privileged containers to spawn shells.
 - Break out the set of files below /dev that are written to with O_CREAT
   into a separate list, and add /dev/random,urandom,console to the list.
 - Add python running denyhosts as a program that can write below /etc.
 - Also add binaries starting with linux-image- as ones that can spawn
   shells. These are perl scripts run as a part of installing
   linux-image-N.N packages.
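The ansible exemption and the "make it stricter" comment that both the description and the commit message refer to, written out as an added illustration in Falco rule syntax. This is not the PR's own diff: the macro, list and rule names, the `/opt/ansible/` path and the short sensitive-file list are assumed for the example; the loose macro is shown next to the narrowed form so the size of the blind spot each one opens is visible.

```yaml
# Added illustration, not the PR's diff. Names and paths below are assumed.

# Broad form: any python or pypy whose command line mentions "ansible" is
# trusted to read sensitive files and write below /etc. Any process that can
# place the string "ansible" in its own argv inherits that trust, so the
# exemption is only as strong as control over who runs python on the host.
- macro: ansible_running_python
  condition: (proc.name in (python, pypy) and proc.cmdline contains ansible)

# Narrowed form (assumed path): pin the exemption to the directory where
# ansible actually stages its modules on this fleet. A stray
# "python evil.py ansible" no longer matches; only scripts under that root do.
# - macro: ansible_running_python
#   condition: >
#     (proc.name in (python, pypy) and proc.cmdline contains /opt/ansible/)

# Constructed sample list; the real rules file carries a longer one.
- list: sensitive_file_names
  items: [/etc/shadow, /etc/sudoers, /etc/pam.conf]

- macro: open_read
  condition: >
    (evt.type in (open, openat) and evt.is_open_read=true and fd.typechar='f')

# vsftpd is one of the readers the PR adds; the other names are assumed.
- list: trusted_sensitive_readers
  items: [vsftpd, sshd, sudo, su]

- rule: Read sensitive file untrusted
  desc: >
    A sensitive file was opened for reading by a program outside the
    allowlist. ansible_running_python is one of the exemptions; keep it as
    narrow as the fleet allows, because every name added here is a file
    read that will never alert.
  condition: >
    open_read and fd.name in (sensitive_file_names)
    and not proc.name in (trusted_sensitive_readers)
    and not ansible_running_python
  output: >
    Sensitive file opened for reading by non-trusted program
    (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name)
  priority: WARNING
```

When loading a fragment like this, confirm the exemption fires only for the intended processes by running the same sensitive-file read once from an ansible task and once from a plain interactive python and checking that only the latter alerts.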