Merge pull request #336 from kubescape/bugfix/false-positives

Fixing exec from malicous source
kubescape · Aug 9, 2024 · 0411dd7 · 0411dd7
2 parents 3274822 + 1c9bfe0
commit 0411dd7
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 7 deletions.
diff --git a/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go b/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go
@@ -21,8 +21,8 @@ const (
 var R1000ExecFromMaliciousSourceDescriptor = RuleDescriptor{
 	ID:          R1000ID,
 	Name:        R1000Name,
-	Description: "Detecting exec calls that are from malicious source like: /dev/shm, /run, /var/run, /proc/self",
-	Priority:    RulePriorityCritical,
+	Description: "Detecting exec calls that are from malicious source like: /dev/shm, /proc/self",
+	Priority:    RulePriorityMed,
 	Tags:        []string{"exec", "signature"},
 	Requirements: &RuleRequirements{
 		EventTypes: []utils.EventType{utils.ExecveEventType},
@@ -61,8 +61,6 @@ func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType utils.EventType
 
 	var maliciousExecPathPrefixes = []string{
 		"/dev/shm",
-		"/run",
-		"/var/run",
 		"/proc/self",
 	}
 

diff --git a/pkg/ruleengine/v1/r1000_exec_from_malicious_source_test.go b/pkg/ruleengine/v1/r1000_exec_from_malicious_source_test.go
@@ -59,21 +59,21 @@ func TestR1000ExecFromMaliciousSource(t *testing.T) {
 		t.Errorf("Expected ruleResult to be nil since exec is not malicious")
 	}
 
-	e.Comm = "/run/run.sh"
+	e.Comm = "/dev/shm/run.sh"
 
 	ruleResult = r.ProcessEvent(utils.ExecveEventType, e, &RuleObjectCacheMock{})
 	if ruleResult == nil {
 		t.Errorf("Expected ruleResult since exec is malicious")
 	}
 
-	e.Comm = "./run/run.sh"
+	e.Comm = "./dev/shm/run.sh"
 
 	ruleResult = r.ProcessEvent(utils.ExecveEventType, e, &RuleObjectCacheMock{})
 	if ruleResult == nil {
 		t.Errorf("Expected ruleResult since exec is malicious")
 	}
 
-	e.Cwd = "/run"
+	e.Cwd = "/dev/shm"
 	e.Comm = "./run.sh"
 
 	ruleResult = r.ProcessEvent(utils.ExecveEventType, e, &RuleObjectCacheMock{})