This repository has been archived by the owner on Mar 28, 2023. It is now read-only.

Invalidate cached approvals in reaction to on-disk changes #42

Open
mike-myers-tob opened this issue Mar 27, 2020 · 1 comment
Labels
acceptance enhancement New feature or request

Comments

@mike-myers-tob
Contributor

mike-myers-tob commented Mar 27, 2020

Why

As a security engineer, I want previously cached approvals to be invalidated when the associated executable files on disk have been changed since the initial cached check so that these processes are subject to validation.

Acceptance Criteria

  • If executables related to a process that was previously approved are changed or updated, invalidate the approval cache so that the process and associated executables are checked again.
@mike-myers-tob mike-myers-tob added the enhancement New feature or request label Mar 27, 2020
@mike-myers-tob mike-myers-tob added this to the Version 2.0 milestone Mar 27, 2020
@alessandrogario alessandrogario removed this from the Version 2.0 milestone Jun 8, 2020
@alessandrogario
Member

The following events will invalidate the cache when the paths being modified affect binaries/bundles that are being tracked:

  • ES_EVENT_TYPE_NOTIFY_WRITE
  • ES_EVENT_TYPE_NOTIFY_UNLINK
  • ES_EVENT_TYPE_NOTIFY_RENAME
  • ES_EVENT_TYPE_NOTIFY_MMAP (if mapping is not read only)
  • ES_EVENT_TYPE_NOTIFY_LINK
  • ES_EVENT_TYPE_NOTIFY_TRUNCATE
  • ES_EVENT_TYPE_NOTIFY_CREATE
  • ES_EVENT_TYPE_NOTIFY_MOUNT
  • ES_EVENT_TYPE_NOTIFY_UNMOUNT
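
Added example, not part of either comment above and not the project's code: a sketch of the invalidation decision the event list implies, including the read-only exception for memory mappings and component-wise path matching so that a write inside a tracked bundle, or a rename or unmount of a parent directory, drops the cached approval. The `EV_*` enum, the structs and all function names are hypothetical stand-ins, and the cache contents are constructed sample data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h> /* PROT_READ / PROT_WRITE */

/* Local stand-ins for the ES_EVENT_TYPE_NOTIFY_* events listed above. */
typedef enum { EV_WRITE, EV_UNLINK, EV_RENAME, EV_MMAP, EV_LINK, EV_TRUNCATE,
               EV_CREATE, EV_MOUNT, EV_UNMOUNT, EV_OTHER } ev_type;
typedef struct { ev_type type; const char *path; int prot; } fs_event;
typedef struct { const char *path; bool approved; } cache_entry;

/* True when path a equals b or lies beneath directory b (component-wise). */
static bool is_within(const char *a, const char *b) {
    size_t n = strlen(b);
    while (n > 1 && b[n - 1] == '/') n--;          /* ignore trailing '/' */
    if (n == 1 && b[0] == '/') return a[0] == '/'; /* root covers everything */
    if (strncmp(a, b, n) != 0) return false;
    return a[n] == '\0' || a[n] == '/';            /* "App.app2" != "App.app" */
}

/* Only a mapping that is not read-only counts; other listed events always do. */
static bool event_mutates(const fs_event *ev) {
    if (ev->type == EV_OTHER) return false;
    if (ev->type == EV_MMAP) return (ev->prot & PROT_WRITE) != 0;
    return true;
}

/* Drop approval for each tracked entry the event touches; return the count. */
size_t invalidate(cache_entry *cache, size_t n, const fs_event *ev) {
    size_t dropped = 0;
    if (!event_mutates(ev)) return 0;
    for (size_t i = 0; i < n; i++) {
        /* Hit if the event is inside the tracked bundle, or the tracked path
           sits under the event path (renamed parent, mounted volume). */
        if (cache[i].approved && (is_within(ev->path, cache[i].path) ||
                                  is_within(cache[i].path, ev->path))) {
            cache[i].approved = false;
            dropped++;
        }
    }
    return dropped;
}

/* Apply one event to a fresh, constructed three-entry cache. */
size_t run_sample(ev_type type, const char *path, int prot) {
    cache_entry cache[] = { { "/Applications/Example.app", true },
                            { "/usr/local/bin/tool", true },
                            { "/Volumes/USB/bin/agent", true } };
    fs_event ev = { type, path, prot };
    return invalidate(cache, sizeof cache / sizeof cache[0], &ev);
}
```

Matching in both directions is the conservative choice: an unrelated sibling such as `Example.app2` is left alone, while any change at or above a tracked path forces a re-check.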
