Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rule updates 2018 02.v1 #321

Merged
merged 8 commits into from
Feb 20, 2018
Merged

Rule updates 2018 02.v1 #321

merged 8 commits into from
Feb 20, 2018

Conversation

mstemm
Copy link
Contributor

@mstemm mstemm commented Feb 9, 2018

Changes to reduce false positives as well as handling suggested use cases from customers.

@mattpag could you take a look at the last 2 commits (ssh/nodeport support?)

mstemm added 6 commits January 31, 2018 11:48
@mstemm
Add additional allowed files below root.
c134497 
These are related to node.js apps.
@mstemm
Let yum-config-mana(ger) write to rpm database.
25b0d9e
@mstemm
Let gugent write to (root) + GuestAgent.log
d366293 
vRA7 Guest Agent writes to GuestAgent.log with a cwd of root.
@mstemm
Let cron-start write to pam_env.conf
3cfe8c5
@mstemm
Add additional root files and directories
1fdbae6 
All seen in legitimate cases.
@mstemm
Let nginx run aws s3 cp
cdeb62c 
Possibly seen as a part of consul deployments and/or openresty.
@mstemm mstemm requested a review from mattpag February 9, 2018 00:50
mattpag
mattpag reviewed Feb 9, 2018
View reviewed changes
Copy link
Contributor

@mattpag mattpag left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's an inconsistency between the comment and the implementation for the macro allowed_ssh_hosts: I suppose you want to set it to ssh_port (as the comment says), otherwise the rule will trigger for every non local ssh connection. Or am I missing something?
The rule for detecting nodeport connections looks good.

mstemm added 2 commits February 9, 2018 10:20
@mstemm
Add rule for disallowed ssh connections
48a40c2 
New rule "Disallowed SSH Connection" detects ssh connection attempts
other than those allowed by the macro allowed_ssh_hosts. The default
version of the macro allows any ssh connection, so the rule never
triggers by default.

The macro could be overridden in a local/user rules file, though.
@mstemm
Detect contacting NodePort svcs in containers
fe82480 
New rule "Unexpected K8s NodePort Connection" detects attempts to
contact K8s NodePort services (i.e. ports >=30000) from within
containers.

It requires overridding a macro nodeport_containers which specifies a
set of containers that are allowed to use these port ranges. By default
every container is allowed.
@mstemm mstemm force-pushed the rule-updates-2018-02.v1 branch from 05d048d to fe82480 Compare February 9, 2018 18:20
@mstemm
Copy link
Contributor Author

mstemm commented Feb 9, 2018

yeah, that was a typo on my part. I had changed it for testing, but hadn't changed it back. It's fixed now.

@mstemm mstemm merged commit 414c9a0 into dev Feb 20, 2018
@mstemm mstemm deleted the rule-updates-2018-02.v1 branch February 20, 2018 15:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mattpag mattpag mattpag left review comments

Assignees
No one assigned
Labels
area/rules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mstemm @mattpag @fntlnz