
Invalidate cached approvals in reaction to on-disk changes

Open · mike-myers-tob opened this issue 5 years ago · 1 comment

Why

As a security engineer, I want previously cached approvals to be invalidated when the associated executable files on disk have been changed since the initial cached check so that these processes are subject to validation.

Acceptance Criteria

  • If executables related to a process that was previously approved are changed or updated, invalidate the approval cache so that the process and associated executables are checked again.

mike-myers-tob · Mar 27 '20 06:03

The following events will invalidate the cache when the paths being modified affect binaries/bundles that are being tracked:

  • ES_EVENT_TYPE_NOTIFY_WRITE
  • ES_EVENT_TYPE_NOTIFY_UNLINK
  • ES_EVENT_TYPE_NOTIFY_RENAME
  • ES_EVENT_TYPE_NOTIFY_MMAP (if mapping is not read only)
  • ES_EVENT_TYPE_NOTIFY_LINK
  • ES_EVENT_TYPE_NOTIFY_TRUNCATE
  • ES_EVENT_TYPE_NOTIFY_CREATE
  • ES_EVENT_TYPE_NOTIFY_MOUNT
  • ES_EVENT_TYPE_NOTIFY_UNMOUNT

alessandrogario · Jun 09 '20 14:06
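The invalidation rule described in the comment above, as an added example that is not Sinter's own code. `NotifyEvent` and `FsEvent` are constructed stand-ins for the `ES_EVENT_TYPE_NOTIFY_*` constants and the `es_message_t` fields the logic needs, so the example compiles and runs without the macOS EndpointSecurity framework; `ApprovalCache`, `run_scenario` and all paths are hypothetical. The tracked root of a bundled executable is its `.app` directory, so a write, create or rename anywhere inside the bundle drops the approval, and a mount or unmount of an ancestor directory drops every approval beneath it.

```cpp
#include <cstddef>
#include <string>
#include <unordered_map>
#include <vector>

// Hypothetical stand-ins for the ES_EVENT_TYPE_NOTIFY_* constants listed in the
// comment above; the real values live in <EndpointSecurity/ESTypes.h>.
enum class NotifyEvent { Write, Unlink, Rename, Mmap, Link, Truncate, Create, Mount, Unmount };

// Constructed stand-in for the parts of an es_message_t this logic consumes.
struct FsEvent {
    NotifyEvent type;
    std::string path;       // modified file, or the mount point for Mount/Unmount
    std::string dest_path;  // destination for Rename/Link, empty otherwise
    bool writable;          // Mmap only: true when the mapping is not read-only
};

class ApprovalCache {
public:
    // Record an approval. For an executable inside a bundle pass the .app
    // directory (no trailing slash) as `root`, so that any change inside the
    // bundle, not just to the Mach-O, invalidates the approval.
    void approve(const std::string& exe, const std::string& root = "") {
        entries_[exe] = root.empty() ? exe : root;
    }
    bool is_approved(const std::string& exe) const { return entries_.count(exe) != 0; }
    std::size_t size() const { return entries_.size(); }

    // Drop every approval affected by the event; returns how many were dropped.
    std::size_t on_event(const FsEvent& ev) {
        std::vector<std::string> touched;
        switch (ev.type) {
        case NotifyEvent::Mmap:
            if (!ev.writable) return 0;      // a read-only mapping cannot alter the file
            touched.push_back(ev.path);
            break;
        case NotifyEvent::Rename:
        case NotifyEvent::Link:
            touched.push_back(ev.path);      // source disappears from its old location
            touched.push_back(ev.dest_path); // destination may replace a tracked file
            break;
        default:                             // Write, Unlink, Truncate, Create, Mount, Unmount
            touched.push_back(ev.path);
            break;
        }
        std::size_t removed = 0;
        for (auto it = entries_.begin(); it != entries_.end();) {
            bool hit = false;
            for (const auto& p : touched) {
                if (affects(p, it->second)) { hit = true; break; }
            }
            if (hit) { it = entries_.erase(it); ++removed; } else { ++it; }
        }
        return removed;
    }

private:
    // A modified path affects a tracked root when it is the root, lies inside it
    // (bundle contents), or is one of its ancestors (mount point, renamed parent).
    static bool affects(const std::string& modified, const std::string& root) {
        return modified == root || is_under(modified, root) || is_under(root, modified);
    }
    static bool is_under(const std::string& path, const std::string& dir) {
        return path.size() > dir.size() && path.compare(0, dir.size(), dir) == 0 &&
               path[dir.size()] == '/';
    }
    std::unordered_map<std::string, std::string> entries_;  // exe path -> tracked root
};

// Constructed scenario: returns the number of approvals invalidated by each event.
std::vector<std::size_t> run_scenario() {
    ApprovalCache cache;
    cache.approve("/Applications/Foo.app/Contents/MacOS/Foo", "/Applications/Foo.app");
    cache.approve("/usr/local/bin/tool");
    cache.approve("/Volumes/Ext/bin/tool");
    return {
        cache.on_event({NotifyEvent::Mmap, "/usr/local/bin/tool", "", false}),                       // read-only: 0
        cache.on_event({NotifyEvent::Write, "/Applications/Foo.app/Contents/Info.plist", "", false}), // inside bundle: 1
        cache.on_event({NotifyEvent::Rename, "/tmp/tool", "/usr/local/bin/tool", false}),             // tracked file replaced: 1
        cache.on_event({NotifyEvent::Unmount, "/Volumes/Ext", "", false}),                            // ancestor unmounted: 1
        cache.on_event({NotifyEvent::Write, "/etc/hosts", "", false}),                                // untracked path: 0
    };
}
```

Two caveats a practitioner should keep in mind when wiring this to real events. NOTIFY events are delivered after the operation has already happened, so there is a window between the on-disk change and the cache drop; the cache is therefore a shortcut for, not a replacement of, re-validating the binary on the next exec authorization. For the mmap case the example follows the comment literally and treats any writable mapping as a modification; a stricter variant could additionally require a shared mapping, since a private writable mapping never reaches the file on disk.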