Merge remote-tracking branch 'remotes/origin/main' into crypto_miner_…

…files

# Conflicts:
#	pkg/ruleengine/v1/factory.go
#	pkg/ruleengine/v1/r0001_unexpected_process_launched.go
#	pkg/ruleengine/v1/r1008_crypto_mining_domain.go

.github/workflows/component-tests.yaml

@@ -43,14 +43,15 @@ jobs:
           Test_01_BasicAlertTest,
           Test_02_AllAlertsFromMaliciousApp,
           Test_03_BasicLoadActivities,
-          Test_04_MemoryLeak,
+          # Test_04_MemoryLeak,
           Test_05_MemoryLeak_10K_Alerts,
           Test_06_KillProcessInTheMiddle,
           Test_07_RuleBindingApplyTest,
           Test_08_ApplicationProfilePatching,
           Test_10_MalwareDetectionTest,
-          # Test_10_DemoTest
-          # Test_11_DuplicationTest
+          Test_11_EndpointTest,
+          Test_12_MergingProfilesTest,
+          Test_13_MergingNetworkNeighborhoodTest,
         ]
     steps:
       - name: Checkout code
@@ -96,7 +97,12 @@ jobs:
       - name: Run test
         run: |
           cd tests && go test -v ./... -run ${{ matrix.test }} --timeout=20m --tags=component
-      # - name: Upload plot images
+      - name: Print storage logs
+        if: always()
+        run: |
+          kubectl logs $(kubectl get pods -n kubescape -o name | grep storage) -n kubescape
+
+      # - name: Upload plot images 
       #   if: always()
       #   uses: actions/upload-artifact@v2
       #   with:

Makefile

@@ -9,7 +9,7 @@ binary:
 	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o $(BINARY_NAME)
 
 docker-build:
-	docker buildx build --platform linux/amd64 -t $(IMAGE):$(TAG) -f $(DOCKERFILE_PATH) .
+	docker buildx build --platform linux/amd64 -t $(IMAGE):$(TAG) -f $(DOCKERFILE_PATH) --load .
 
 docker-push:
 	docker push $(IMAGE):$(TAG)

README.md

@@ -1,15 +1,16 @@
 # NodeAgent
+[![Version](https://img.shields.io/github/v/release/kubescape/node-agent)](https://github.com/kubescape/node-agent/releases)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/kubescape/node-agent/badge)](https://securityscorecards.dev/viewer/?uri=github.com/kubescape/node-agent)
 [![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fkubescape%2Fsniffer.svg?type=shield&issueType=license)](https://app.fossa.com/projects/git%2Bgithub.com%2Fkubescape%2Fsniffer?ref=badge_shield&issueType=license)
+[![Stars](https://img.shields.io/github/stars/kubescape/node-agent?style=social)](https://github.com/kubescape/node-agent/stargazers)
 
-## Prerequisites
-1. [Minikube](https://minikube.sigs.k8s.io/docs/start/)
-Start minikube with the following command:
-```
-minikube start
-```
-2. Linux kernel version 5.4 and above.
+NodeAgent is a component of Kubescape that enables node-level security scanning and monitoring.
+It uses eBPF technology to monitor the system and provides real-time security insights.
 
+## Running Node Agent in Kubernetes
+This is the recommended way to run the Node Agent.
+You can run the Node Agent in a Kubernetes cluster as part of Kubescape by using helm.
+Please refer to the [docs](https://kubescape.io/docs/) for more information.
 
 ## Running the Node Agent
 Make sure to set the `NODE_NAME` environment variable to the name of the node you want to scan.
@@ -23,13 +24,9 @@ Then run the binarty with root privileges:
 sudo ./node-agent
 ```
 
-## Running Node Agent in Kubernetes
-You can run the Node Agent in a Kubernetes cluster as part of Kubescape by using helm.
-Please refer to the [docs](https://kubescape.io/docs/) for more information.
-
-## Limitations:
-1. This feature is using eBPF technology that is implemented only on linux.
-2. the linux kernel version that supported it 5.4 and above.
+## System Requirements
+1. The node agent uses eBPF, so make sure your system supports it.
+2. It uses `CO-RE`, so make sure your kernel version is 5.4 or higher.
 
 
 ## Debugging

clamav/init.sh

@@ -63,7 +63,8 @@ else
 		if [ -S "/tmp/clamd.sock" ]; then
 			unlink "/tmp/clamd.sock"
 		fi
-		clamd --foreground &
+		# Run clamd in the foreground but redirecting output to stdout and stderr to /dev/null
+		clamd --foreground > /dev/null 2>&1 &
 		while [ ! -S "/run/clamav/clamd.sock" ] && [ ! -S "/tmp/clamd.sock" ]; do
 			if [ "${_timeout:=0}" -gt "${CLAMD_STARTUP_TIMEOUT:=1800}" ]; then
 				echo

configuration/config.json

@@ -10,6 +10,7 @@
   "prometheusExporterEnabled": "true",
   "runtimeDetectionEnabled": "true",
   "nodeProfileServiceEnabled": "true",
+  "httpDetectionEnabled": "true",
   "nodeProfileInterval": "1m",
   "seccompServiceEnabled": "true",
   "exporters": {

demo/README.md

@@ -4,7 +4,8 @@ This is a walkthrough of Node Agent Runtime Detection & Response capability, in
 2. Deploy a sample web application and attack it.
 3. Deploy fileless malware.
 4. Deploy a container with malicious image that contains malwares.
-5. See how Node Agent detects the attacks.
+5. Deploy an xmrig container to mine cryptocurrency.
+6. See how Node Agent detects the attacks.
 
 With this demo you will be able to see how Node Agent works and how it can be used to detect and prevent attacks.
 To learn more about Node Agent, see [here](https://kubescape.io/docs/).
@@ -177,6 +178,12 @@ ClamAV is an open source antivirus engine for detecting trojans, viruses, malwar
 
 Please note that Node Agent doesn't scan the images by default, you need to enable it by setting `capabilities.malwareDetection=enable` in the helm chart. See [here](https://kubescape.io/docs/) for more information.
 
+## Attack Cryptocurrency Mining
+Let's deploy an xmrig container to mine cryptocurrency and see how Node Agent detects it.
+```bash
+kubectl apply -f demo/miner/miner-pod.yaml
+```
+You can see in the logs of the node-agent that it detected the xmrig container and raised an alert. 
 
 ## Conclusion
 In this demo we saw how Node Agent can be used to detect and prevent attacks in Kubernetes.

demo/miner/miner-pod.yaml

@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: k8s-miner-deployment
-  namespace: kubescape
+  namespace: default
 spec:
   replicas: 1
   selector:
@@ -18,8 +18,4 @@ spec:
       containers:
       - name: k8s-miner
         image: docker.io/amitschendel/crypto-miner-1
-        imagePullPolicy: IfNotPresent
-        resources:
-          requests:
-            memory: "3Gi"
-            cpu: "3"
+        imagePullPolicy: Always