Merge pull request #375 from kubescape/feature/enrich

Adding arguments enrichment
kubescape · Sep 23, 2024 · cecec08 · cecec08
2 parents 0b4e0c8 + 32e8743
commit cecec08
Show file tree

Hide file tree

Showing 16 changed files with 78 additions and 16 deletions.
diff --git a/pkg/ruleengine/v1/r0001_unexpected_process_launched.go b/pkg/ruleengine/v1/r0001_unexpected_process_launched.go
@@ -116,6 +116,8 @@ func (rule *R0001UnexpectedProcessLaunched) ProcessEvent(eventType utils.EventTy
 			InfectedPID: execEvent.Pid,
 			Arguments: map[string]interface{}{
 				"retval": execEvent.Retval,
+				"exec":   execPath,
+				"args":   strings.Join(execEvent.Args, ","),
 			},
 			FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the exec call \"%s\" to the whitelist in the application profile for the Pod \"%s\". You can use the following command: %s", execPath, execEvent.GetPod(), rule.generatePatchCommand(execEvent, ap)),
 			Severity:       R0001UnexpectedProcessLaunchedRuleDescriptor.Priority,

diff --git a/pkg/ruleengine/v1/r0003_unexpected_system_call.go b/pkg/ruleengine/v1/r0003_unexpected_system_call.go
@@ -92,7 +92,10 @@ func (rule *R0003UnexpectedSystemCall) ProcessEvent(eventType utils.EventType, e
 
 	ruleFailure := GenericRuleFailure{
 		BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
-			AlertName:      rule.Name(),
+			AlertName: rule.Name(),
+			Arguments: map[string]interface{}{
+				"syscall": syscallEvent.SyscallName,
+			},
 			InfectedPID:    syscallEvent.Pid,
 			FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the system call \"%s\" to the whitelist in the application profile for the Pod \"%s\".", syscallEvent.SyscallName, syscallEvent.GetPod()),
 			Severity:       R0003UnexpectedSystemCallRuleDescriptor.Priority,

diff --git a/pkg/ruleengine/v1/r0004_unexpected_capability_used.go b/pkg/ruleengine/v1/r0004_unexpected_capability_used.go
@@ -84,7 +84,11 @@ func (rule *R0004UnexpectedCapabilityUsed) ProcessEvent(eventType utils.EventTyp
 
 	ruleFailure := GenericRuleFailure{
 		BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
-			AlertName:      rule.Name(),
+			AlertName: rule.Name(),
+			Arguments: map[string]interface{}{
+				"syscall":    capEvent.Syscall,
+				"capability": capEvent.CapName,
+			},
 			InfectedPID:    capEvent.Pid,
 			FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the capability use \"%s\" to the whitelist in the application profile for the Pod \"%s\". You can use the following command: %s", capEvent.CapName, capEvent.GetPod(), rule.generatePatchCommand(capEvent, ap)),
 			Severity:       R0004UnexpectedCapabilityUsedRuleDescriptor.Priority,

diff --git a/pkg/ruleengine/v1/r0005_unexpected_domain_request.go b/pkg/ruleengine/v1/r0005_unexpected_domain_request.go
@@ -3,6 +3,7 @@ package ruleengine
 import (
 	"fmt"
 	"slices"
+	"strconv"
 	"strings"
 
 	"github.com/goradd/maps"
@@ -102,7 +103,10 @@ func (rule *R0005UnexpectedDomainRequest) ProcessEvent(eventType utils.EventType
 			AlertName:   rule.Name(),
 			InfectedPID: domainEvent.Pid,
 			Arguments: map[string]interface{}{
-				"domain": domainEvent.DNSName,
+				"domain":    domainEvent.DNSName,
+				"addresses": strings.Join(domainEvent.Addresses, ","),
+				"protocol":  domainEvent.Protocol,
+				"port":      strconv.Itoa(int(domainEvent.DstPort)),
 			},
 			FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the domain %s to the whitelist in the application profile for the Pod %s. You can use the following command: %s",
 				domainEvent.DNSName,

diff --git a/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go b/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go
@@ -119,7 +119,11 @@ func (rule *R0006UnexpectedServiceAccountTokenAccess) ProcessEvent(eventType uti
 
 	ruleFailure := GenericRuleFailure{
 		BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
-			AlertName:      rule.Name(),
+			AlertName: rule.Name(),
+			Arguments: map[string]interface{}{
+				"path":  openEvent.FullPath,
+				"flags": strings.Join(openEvent.Flags, ","),
+			},
 			InfectedPID:    openEvent.Pid,
 			FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the open call \"%s\" to the whitelist in the application profile for the Pod \"%s\". You can use the following command: %s", openEvent.FullPath, openEvent.GetPod(), rule.generatePatchCommand(openEvent, ap)),
 			Severity:       R0006UnexpectedServiceAccountTokenAccessRuleDescriptor.Priority,

diff --git a/pkg/ruleengine/v1/r0007_kubernetes_client_executed.go b/pkg/ruleengine/v1/r0007_kubernetes_client_executed.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"path/filepath"
 	"slices"
+	"strconv"
 	"strings"
 
 	"github.com/kubescape/node-agent/pkg/objectcache"
@@ -97,7 +98,12 @@ func (rule *R0007KubernetesClientExecuted) handleNetworkEvent(event *tracernetwo
 
 	ruleFailure := GenericRuleFailure{
 		BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
-			AlertName:      rule.Name(),
+			AlertName: rule.Name(),
+			Arguments: map[string]interface{}{
+				"dstIP": event.DstEndpoint.Addr,
+				"port":  strconv.Itoa(int(event.Port)),
+				"proto": event.Proto,
+			},
 			InfectedPID:    event.Pid,
 			FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.",
 			Severity:       R0007KubernetesClientExecutedDescriptor.Priority,
@@ -148,7 +154,8 @@ func (rule *R0007KubernetesClientExecuted) handleExecEvent(event *tracerexectype
 				AlertName:   rule.Name(),
 				InfectedPID: event.Pid,
 				Arguments: map[string]interface{}{
-					"hardlink": event.ExePath,
+					"exec": event.ExePath,
+					"args": strings.Join(event.Args, ","),
 				},
 				FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.",
 				Severity:       R0007KubernetesClientExecutedDescriptor.Priority,

diff --git a/pkg/ruleengine/v1/r0008_read_env_variables_procfs.go b/pkg/ruleengine/v1/r0008_read_env_variables_procfs.go
@@ -85,7 +85,11 @@ func (rule *R0008ReadEnvironmentVariablesProcFS) ProcessEvent(eventType utils.Ev
 
 	ruleFailure := GenericRuleFailure{
 		BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
-			AlertName:      rule.Name(),
+			AlertName: rule.Name(),
+			Arguments: map[string]interface{}{
+				"path":  openEvent.FullPath,
+				"flags": strings.Join(openEvent.Flags, ","),
+			},
 			InfectedPID:    openEvent.Pid,
 			FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.",
 			Severity:       R0008ReadEnvironmentVariablesProcFSRuleDescriptor.Priority,

diff --git a/pkg/ruleengine/v1/r0009_ebpf_program_load.go b/pkg/ruleengine/v1/r0009_ebpf_program_load.go
@@ -88,7 +88,10 @@ func (rule *R0009EbpfProgramLoad) ProcessEvent(eventType utils.EventType, event
 		rule.alreadyNotified = true
 		ruleFailure := GenericRuleFailure{
 			BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
-				AlertName:      rule.Name(),
+				AlertName: rule.Name(),
+				Arguments: map[string]interface{}{
+					"syscall": syscallEvent.SyscallName,
+				},
 				InfectedPID:    syscallEvent.Pid,
 				FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule",
 				Severity:       R0009EbpfProgramLoadRuleDescriptor.Priority,

diff --git a/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go b/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go
@@ -117,7 +117,11 @@ func (rule *R0010UnexpectedSensitiveFileAccess) ProcessEvent(eventType utils.Eve
 
 	ruleFailure := GenericRuleFailure{
 		BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
-			AlertName:      rule.Name(),
+			AlertName: rule.Name(),
+			Arguments: map[string]interface{}{
+				"path":  openEvent.FullPath,
+				"flags": strings.Join(openEvent.Flags, ","),
+			},
 			InfectedPID:    openEvent.Pid,
 			FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.",
 			Severity:       R0010UnexpectedSensitiveFileAccessRuleDescriptor.Priority,

diff --git a/pkg/ruleengine/v1/r0011_unexpected_egress_network_traffic.go b/pkg/ruleengine/v1/r0011_unexpected_egress_network_traffic.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net"
 	"slices"
+	"strconv"
 	"strings"
 
 	apitypes "github.com/armosec/armoapi-go/armotypes"
@@ -100,7 +101,7 @@ func (rule *R0011UnexpectedEgressNetworkTraffic) handleNetworkEvent(networkEvent
 				InfectedPID: networkEvent.Pid,
 				Arguments: map[string]interface{}{
 					"ip":    networkEvent.DstEndpoint.Addr,
-					"port":  networkEvent.Port,
+					"port":  strconv.Itoa(int(networkEvent.Port)),
 					"proto": networkEvent.Proto,
 				},
 				FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the IP %s to the whitelist in the application profile for the Pod %s.",

diff --git a/pkg/ruleengine/v1/r1003_malicious_ssh_connection.go b/pkg/ruleengine/v1/r1003_malicious_ssh_connection.go
@@ -169,7 +169,13 @@ func (rule *R1003MaliciousSSHConnection) ProcessEvent(eventType utils.EventType,
 		rule.requests.Set(sshEvent.SrcIP, sshEvent.DstIP)
 		ruleFailure := GenericRuleFailure{
 			BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
-				AlertName:      rule.Name(),
+				AlertName: rule.Name(),
+				Arguments: map[string]interface{}{
+					"srcIP":   sshEvent.SrcIP,
+					"dstIP":   sshEvent.DstIP,
+					"dstPort": sshEvent.DstPort,
+					"srcPort": sshEvent.SrcPort,
+				},
 				InfectedPID:    sshEvent.Pid,
 				FixSuggestions: "If this is a legitimate action, please add the port as a parameter to the binding of this rule",
 				Severity:       R1003MaliciousSSHConnectionRuleDescriptor.Priority,

diff --git a/pkg/ruleengine/v1/r1004_exec_from_mount.go b/pkg/ruleengine/v1/r1004_exec_from_mount.go
@@ -80,7 +80,8 @@ func (rule *R1004ExecFromMount) ProcessEvent(eventType utils.EventType, event ut
 					AlertName:   rule.Name(),
 					InfectedPID: execEvent.Pid,
 					Arguments: map[string]interface{}{
-						"hardlink": execEvent.ExePath,
+						"exec": execEvent.ExePath,
+						"args": strings.Join(execEvent.Args, ","),
 					},
 					FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule",
 					Severity:       R1004ExecFromMountRuleDescriptor.Priority,

diff --git a/pkg/ruleengine/v1/r1009_crypto_mining_port.go b/pkg/ruleengine/v1/r1009_crypto_mining_port.go
@@ -3,6 +3,7 @@ package ruleengine
 import (
 	"fmt"
 	"slices"
+	"strconv"
 
 	"github.com/kubescape/node-agent/pkg/objectcache"
 	"github.com/kubescape/node-agent/pkg/ruleengine"
@@ -96,7 +97,12 @@ func (rule *R1009CryptoMiningRelatedPort) ProcessEvent(eventType utils.EventType
 		if networkEvent.Proto == "TCP" && networkEvent.PktType == "OUTGOING" && slices.Contains(CommonlyUsedCryptoMinersPorts, networkEvent.Port) {
 			ruleFailure := GenericRuleFailure{
 				BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
-					AlertName:      rule.Name(),
+					AlertName: rule.Name(),
+					Arguments: map[string]interface{}{
+						"port":  strconv.Itoa(int(networkEvent.Port)),
+						"proto": networkEvent.Proto,
+						"ip":    networkEvent.DstEndpoint.Addr,
+					},
 					InfectedPID:    networkEvent.Pid,
 					FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.",
 					Severity:       R1009CryptoMiningRelatedPortRuleDescriptor.Priority,

diff --git a/pkg/ruleengine/v1/r1010_symlink_created_over_sensitive_file.go b/pkg/ruleengine/v1/r1010_symlink_created_over_sensitive_file.go
@@ -98,7 +98,11 @@ func (rule *R1010SymlinkCreatedOverSensitiveFile) ProcessEvent(eventType utils.E
 		if strings.HasPrefix(symlinkEvent.OldPath, path) {
 			return &GenericRuleFailure{
 				BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
-					AlertName:      rule.Name(),
+					AlertName: rule.Name(),
+					Arguments: map[string]interface{}{
+						"oldPath": symlinkEvent.OldPath,
+						"newPath": symlinkEvent.NewPath,
+					},
 					InfectedPID:    symlinkEvent.Pid,
 					FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.",
 					Severity:       R1010SymlinkCreatedOverSensitiveFileRuleDescriptor.Priority,

diff --git a/pkg/ruleengine/v1/r1011_ld_preload_hook.go b/pkg/ruleengine/v1/r1011_ld_preload_hook.go
@@ -111,6 +111,7 @@ func (rule *R1011LdPreloadHook) handleExecEvent(execEvent *tracerexectype.Event,
 		ruleFailure := GenericRuleFailure{
 			BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
 				AlertName:      rule.Name(),
+				Arguments:      map[string]interface{}{"envVar": ldHookVar},
 				InfectedPID:    execEvent.Pid,
 				FixSuggestions: fmt.Sprintf("Check the environment variable %s", ldHookVar),
 				Severity:       R1011LdPreloadHookRuleDescriptor.Priority,
@@ -152,7 +153,11 @@ func (rule *R1011LdPreloadHook) handleOpenEvent(openEvent *traceropentype.Event)
 	if openEvent.FullPath == LD_PRELOAD_FILE && (openEvent.FlagsRaw&(int32(os.O_WRONLY)|int32(os.O_RDWR))) != 0 {
 		ruleFailure := GenericRuleFailure{
 			BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
-				AlertName:      rule.Name(),
+				AlertName: rule.Name(),
+				Arguments: map[string]interface{}{
+					"path":  openEvent.FullPath,
+					"flags": strings.Join(openEvent.Flags, ","),
+				},
 				InfectedPID:    openEvent.Pid,
 				FixSuggestions: "Check the file /etc/ld.so.preload",
 				Severity:       R1011LdPreloadHookRuleDescriptor.Priority,

diff --git a/pkg/ruleengine/v1/r1012_hardlink_created_over_sensitive_file.go b/pkg/ruleengine/v1/r1012_hardlink_created_over_sensitive_file.go
@@ -98,7 +98,11 @@ func (rule *R1012HardlinkCreatedOverSensitiveFile) ProcessEvent(eventType utils.
 		if strings.HasPrefix(hardlinkEvent.OldPath, path) {
 			return &GenericRuleFailure{
 				BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
-					AlertName:      rule.Name(),
+					AlertName: rule.Name(),
+					Arguments: map[string]interface{}{
+						"oldPath": hardlinkEvent.OldPath,
+						"newPath": hardlinkEvent.NewPath,
+					},
 					InfectedPID:    hardlinkEvent.Pid,
 					FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.",
 					Severity:       R1012HardlinkCreatedOverSensitiveFileRuleDescriptor.Priority,