diff --git a/pkg/ruleengine/v1/r0001_unexpected_process_launched.go b/pkg/ruleengine/v1/r0001_unexpected_process_launched.go
index 976008c4..31de9124 100644
--- a/pkg/ruleengine/v1/r0001_unexpected_process_launched.go
+++ b/pkg/ruleengine/v1/r0001_unexpected_process_launched.go
@@ -10,8 +10,6 @@ import (
 "github.com/kubescape/node-agent/pkg/ruleengine"
 "github.com/kubescape/node-agent/pkg/utils"
- "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1"
-
 apitypes "github.com/armosec/armoapi-go/armotypes"
 )
@@ -59,21 +57,6 @@ func CreateRuleR0001UnexpectedProcessLaunched() *R0001UnexpectedProcessLaunched
 return &R0001UnexpectedProcessLaunched{enforceArgs: false}
 }
-func (rule *R0001UnexpectedProcessLaunched) generatePatchCommand(event *events.ExecEvent, ap *v1beta1.ApplicationProfile) string {
- argList := "["
- for _, arg := range event.Args {
- argList += "\"" + arg + "\","
- }
- // remove the last comma
- if len(argList) > 1 {
- argList = argList[:len(argList)-1]
- }
- argList += "]"
- baseTemplate := "kubectl patch applicationprofile %s --namespace %s --type merge -p '{\"spec\": {\"containers\": [{\"name\": \"%s\", \"execs\": [{\"path\": \"%s\", \"args\": %s}]}]}}'"
- return fmt.Sprintf(baseTemplate, ap.GetName(), ap.GetNamespace(),
- event.GetContainer(), getExecPathFromEvent(event), argList)
-}
-
 func (rule *R0001UnexpectedProcessLaunched) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objectCache objectcache.ObjectCache) ruleengine.RuleFailure {
 if eventType != utils.ExecveEventType {
 return nil
@@ -118,8 +101,7 @@ func (rule *R0001UnexpectedProcessLaunched) ProcessEvent(eventType utils.EventTy "exec": execPath, "args": execEvent.Args, }, - FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the exec call \"%s\" to the whitelist in the application profile for the Pod \"%s\". You can use the following command: %s", execPath, execEvent.GetPod(), rule.generatePatchCommand(execEvent, ap)), - Severity: R0001UnexpectedProcessLaunchedRuleDescriptor.Priority, + Severity: R0001UnexpectedProcessLaunchedRuleDescriptor.Priority, }, RuntimeProcessDetails: apitypes.ProcessTree{ ProcessTree: apitypes.Process{ diff --git a/pkg/ruleengine/v1/r0002_unexpected_file_access.go b/pkg/ruleengine/v1/r0002_unexpected_file_access.go index 9cb25d28..87ed588d 100644 --- a/pkg/ruleengine/v1/r0002_unexpected_file_access.go +++ b/pkg/ruleengine/v1/r0002_unexpected_file_access.go @@ -12,11 +12,9 @@ import ( "github.com/kubescape/node-agent/pkg/objectcache" apitypes "github.com/armosec/armoapi-go/armotypes" - traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types" "github.com/kubescape/go-logger" "github.com/kubescape/go-logger/helpers" - "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" ) const ( 
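Review bot: The `fmt.Sprintf` removed from this literal may have been the last `fmt` use in r0001 once generatePatchCommand is gone, and no import hunk for `fmt` appears in this file, so the build fails with an unused import unless `fmt` is still referenced further down; the same check applies to r0002 (-162), r0003 (-96), r0004 (-95), r0005 (-107), r0006 (-143), r0011 (-102) and r1011 (-141), and to `logger`/`helpers` in r1010 (-79), whose import block is not touched while r1011's is. I cannot see the rest of these files from the diff, so `go build ./...` is the check to run rather than a certain defect. Separately, `BaseRuntimeAlert.FixSuggestions` is declared outside this diff and now serializes empty for every rule; anything downstream that still renders that field should be told, e.g. in the commit description. ProcessEvent starts and ends outside this hunk.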
@@ -82,19 +80,6 @@ func (rule *R0002UnexpectedFileAccess) SetParameters(parameters map[string]inter
 func (rule *R0002UnexpectedFileAccess) DeleteRule() {
 }
-func (rule *R0002UnexpectedFileAccess) generatePatchCommand(event *traceropentype.Event, ap *v1beta1.ApplicationProfile) string {
- flagList := "["
- for _, arg := range event.Flags {
- flagList += "\"" + arg + "\","
- }
- // remove the last comma
- if len(flagList) > 1 {
- flagList = flagList[:len(flagList)-1]
- }
- baseTemplate := "kubectl patch applicationprofile %s --namespace %s --type merge -p '{\"spec\": {\"containers\": [{\"name\": \"%s\", \"opens\": [{\"path\": \"%s\", \"flags\": %s}]}]}}'"
- return fmt.Sprintf(baseTemplate, ap.GetName(), ap.GetNamespace(), event.GetContainer(), event.FullPath, flagList)
-}
-
 func (rule *R0002UnexpectedFileAccess) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure {
 if eventType != utils.OpenEventType {
 return nil
@@ -162,8 +147,7 @@ func (rule *R0002UnexpectedFileAccess) ProcessEvent(eventType utils.EventType, e
 "flags": openEvent.Flags,
 "path": openEvent.FullPath,
 },
- FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the open call \"%s\" to the whitelist in the application profile for the Pod \"%s\". You can use the following command: %s", openEvent.FullPath, openEvent.GetPod(), rule.generatePatchCommand(&openEvent, ap)),
- Severity: R0002UnexpectedFileAccessRuleDescriptor.Priority,
+ Severity: R0002UnexpectedFileAccessRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
diff --git a/pkg/ruleengine/v1/r0003_unexpected_system_call.go b/pkg/ruleengine/v1/r0003_unexpected_system_call.go
index 952ea758..88668fed 100644
--- a/pkg/ruleengine/v1/r0003_unexpected_system_call.go
+++ b/pkg/ruleengine/v1/r0003_unexpected_system_call.go
@@ -96,9 +96,8 @@ func (rule *R0003UnexpectedSystemCall) ProcessEvent(eventType utils.EventType, e
 Arguments: map[string]interface{}{
 "syscall": syscallEvent.SyscallName,
 },
- InfectedPID: syscallEvent.Pid,
- FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the system call \"%s\" to the whitelist in the application profile for the Pod \"%s\".", syscallEvent.SyscallName, syscallEvent.GetPod()),
- Severity: R0003UnexpectedSystemCallRuleDescriptor.Priority,
+ InfectedPID: syscallEvent.Pid,
+ Severity: R0003UnexpectedSystemCallRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
diff --git a/pkg/ruleengine/v1/r0004_unexpected_capability_used.go b/pkg/ruleengine/v1/r0004_unexpected_capability_used.go
index c4d8e906..53330758 100644
--- a/pkg/ruleengine/v1/r0004_unexpected_capability_used.go
+++ b/pkg/ruleengine/v1/r0004_unexpected_capability_used.go
@@ -10,7 +10,6 @@ import (
 apitypes "github.com/armosec/armoapi-go/armotypes"
 tracercapabilitiestype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/capabilities/types"
- "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1"
 )
 const (
@@ -52,12 +51,6 @@ func (rule *R0004UnexpectedCapabilityUsed) ID() string {
 func (rule *R0004UnexpectedCapabilityUsed) DeleteRule() {
 }
-func (rule *R0004UnexpectedCapabilityUsed) generatePatchCommand(event *tracercapabilitiestype.Event, ap *v1beta1.ApplicationProfile) string {
- baseTemplate := "kubectl patch applicationprofile %s --namespace %s --type merge -p '{\"spec\": {\"containers\": [{\"name\": \"%s\", \"capabilities\": [{\"syscall\": \"%s\", \"caps\": [%s]}]}]}}'"
- return fmt.Sprintf(baseTemplate, ap.GetName(), ap.GetNamespace(),
- event.GetContainer(), event.Syscall, event.CapName)
-}
-
 func (rule *R0004UnexpectedCapabilityUsed) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure {
 if eventType != utils.CapabilitiesEventType {
 return nil
@@ -95,9 +88,8 @@ func (rule *R0004UnexpectedCapabilityUsed) ProcessEvent(eventType utils.EventTyp
 "syscall": capEvent.Syscall,
 "capability": capEvent.CapName,
 },
- InfectedPID: capEvent.Pid,
- FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the capability use \"%s\" to the whitelist in the application profile for the Pod \"%s\". You can use the following command: %s", capEvent.CapName, capEvent.GetPod(), rule.generatePatchCommand(capEvent, ap)),
- Severity: R0004UnexpectedCapabilityUsedRuleDescriptor.Priority,
+ InfectedPID: capEvent.Pid,
+ Severity: R0004UnexpectedCapabilityUsedRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
diff --git a/pkg/ruleengine/v1/r0005_unexpected_domain_request.go b/pkg/ruleengine/v1/r0005_unexpected_domain_request.go
index 7ea82b38..b1cd0168 100644
--- a/pkg/ruleengine/v1/r0005_unexpected_domain_request.go
+++ b/pkg/ruleengine/v1/r0005_unexpected_domain_request.go
@@ -12,7 +12,6 @@ import (
 apitypes "github.com/armosec/armoapi-go/armotypes"
 tracerdnstype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/dns/types"
- "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1"
 )
 const (
@@ -55,12 +54,6 @@ func (rule *R0005UnexpectedDomainRequest) ID() string {
 func (rule *R0005UnexpectedDomainRequest) DeleteRule() {
 }
-func (rule *R0005UnexpectedDomainRequest) generatePatchCommand(event *tracerdnstype.Event, nn *v1beta1.NetworkNeighborhood) string {
- baseTemplate := "kubectl patch networkneighborhood %s --namespace %s --type merge -p '{\"spec\": {\"containers\": [{\"name\": \"%s\", \"dns\": [{\"dnsName\": \"%s\"}]}]}}'"
- return fmt.Sprintf(baseTemplate, nn.GetName(), nn.GetNamespace(),
- event.GetContainer(), event.DNSName)
-}
-
 func (rule *R0005UnexpectedDomainRequest) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure {
 if eventType != utils.DnsEventType {
 return nil
@@ -107,10 +100,6 @@ func (rule *R0005UnexpectedDomainRequest) ProcessEvent(eventType utils.EventType
 "protocol": domainEvent.Protocol,
 "port": domainEvent.DstPort,
 },
- FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the domain %s to the whitelist in the application profile for the Pod %s. You can use the following command: %s",
- domainEvent.DNSName,
- domainEvent.GetPod(),
- rule.generatePatchCommand(domainEvent, nn)),
 Severity: R0005UnexpectedDomainRequestRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
diff --git a/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go b/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go
index d6edb7d0..115bcb58 100644
--- a/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go
+++ b/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go
@@ -143,10 +143,7 @@ func (rule *R0006UnexpectedServiceAccountTokenAccess) ProcessEvent(eventType uti
 "flags": openEvent.Flags,
 },
 InfectedPID: openEvent.Pid,
- FixSuggestions: fmt.Sprintf(
- "If this is a valid behavior, please add the open call to the whitelist in the application profile for the Pod %s",
- openEvent.GetPod()),
- Severity: R0006UnexpectedServiceAccountTokenAccessRuleDescriptor.Priority,
+ Severity: R0006UnexpectedServiceAccountTokenAccessRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
diff --git a/pkg/ruleengine/v1/r0007_kubernetes_client_executed.go b/pkg/ruleengine/v1/r0007_kubernetes_client_executed.go
index faba5f78..f4137a38 100644
--- a/pkg/ruleengine/v1/r0007_kubernetes_client_executed.go
+++ b/pkg/ruleengine/v1/r0007_kubernetes_client_executed.go
@@ -156,8 +156,7 @@ func (rule *R0007KubernetesClientExecuted) handleExecEvent(event *events.ExecEve
 "exec": execPath,
 "args": event.Args,
 },
- FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.",
- Severity: R0007KubernetesClientExecutedDescriptor.Priority,
+ Severity: R0007KubernetesClientExecutedDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
diff --git a/pkg/ruleengine/v1/r0008_read_env_variables_procfs.go b/pkg/ruleengine/v1/r0008_read_env_variables_procfs.go
index f69bfd9e..abc80291 100644
--- a/pkg/ruleengine/v1/r0008_read_env_variables_procfs.go
+++ b/pkg/ruleengine/v1/r0008_read_env_variables_procfs.go
@@ -92,9 +92,8 @@ func (rule *R0008ReadEnvironmentVariablesProcFS) ProcessEvent(eventType utils.Ev
 "path": openEvent.FullPath,
 "flags": openEvent.Flags,
 },
- InfectedPID: openEvent.Pid,
- FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.",
- Severity: R0008ReadEnvironmentVariablesProcFSRuleDescriptor.Priority,
+ InfectedPID: openEvent.Pid,
+ Severity: R0008ReadEnvironmentVariablesProcFSRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
diff --git a/pkg/ruleengine/v1/r0009_ebpf_program_load.go b/pkg/ruleengine/v1/r0009_ebpf_program_load.go
index 9933e93d..6ba899f2 100644
--- a/pkg/ruleengine/v1/r0009_ebpf_program_load.go
+++ b/pkg/ruleengine/v1/r0009_ebpf_program_load.go
@@ -92,9 +92,8 @@ func (rule *R0009EbpfProgramLoad) ProcessEvent(eventType utils.EventType, event
 Arguments: map[string]interface{}{
 "syscall": syscallEvent.SyscallName,
 },
- InfectedPID: syscallEvent.Pid,
- FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule",
- Severity: R0009EbpfProgramLoadRuleDescriptor.Priority,
+ InfectedPID: syscallEvent.Pid,
+ Severity: R0009EbpfProgramLoadRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
diff --git a/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go b/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go
index 6e74dad3..819d9d59 100644
--- a/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go
+++ b/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go
@@ -117,9 +117,8 @@ func (rule *R0010UnexpectedSensitiveFileAccess) ProcessEvent(eventType utils.Eve
 "path": openEvent.FullPath,
 "flags": openEvent.Flags,
 },
- InfectedPID: openEvent.Pid,
- FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.",
- Severity: R0010UnexpectedSensitiveFileAccessRuleDescriptor.Priority,
+ InfectedPID: openEvent.Pid,
+ Severity: R0010UnexpectedSensitiveFileAccessRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
diff --git a/pkg/ruleengine/v1/r0011_unexpected_egress_network_traffic.go b/pkg/ruleengine/v1/r0011_unexpected_egress_network_traffic.go
index 5c50d390..96a52670 100644
--- a/pkg/ruleengine/v1/r0011_unexpected_egress_network_traffic.go
+++ b/pkg/ruleengine/v1/r0011_unexpected_egress_network_traffic.go
@@ -102,10 +102,6 @@ func (rule *R0011UnexpectedEgressNetworkTraffic) handleNetworkEvent(networkEvent
 "port": networkEvent.Port,
 "proto": networkEvent.Proto,
 },
- FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the IP %s to the whitelist in the application profile for the Pod %s.",
- networkEvent.DstEndpoint.Addr,
- networkEvent.GetPod(),
- ),
 Severity: R0011UnexpectedEgressNetworkTrafficRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
diff --git a/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go b/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go
index 037996d0..c3cd4842 100644
--- a/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go
+++ b/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go
@@ -78,8 +78,7 @@ func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType utils.EventType
 Arguments: map[string]interface{}{
 "hardlink": execEvent.ExePath,
 },
- FixSuggestions: "If this is a legitimate action, please add consider removing this workload from the binding of this rule.",
- Severity: R1000ExecFromMaliciousSourceDescriptor.Priority,
+ Severity: R1000ExecFromMaliciousSourceDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
diff --git a/pkg/ruleengine/v1/r1001_exec_binary_not_in_base_image.go b/pkg/ruleengine/v1/r1001_exec_binary_not_in_base_image.go
index 1954fa7c..2c637ad9 100644
--- a/pkg/ruleengine/v1/r1001_exec_binary_not_in_base_image.go
+++ b/pkg/ruleengine/v1/r1001_exec_binary_not_in_base_image.go
@@ -71,10 +71,9 @@ func (rule *R1001ExecBinaryNotInBaseImage) ProcessEvent(eventType utils.EventTyp
 upperLayer := true
 ruleFailure := G
enericRuleFailure{
 BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
- AlertName: rule.Name(),
- InfectedPID: execEvent.Pid,
- FixSuggestions: "If this is an expected behavior it is strongly suggested to include all executables in the container image. If this is not possible you can remove the rule binding to this workload.",
- Severity: R1001ExecBinaryNotInBaseImageRuleDescriptor.Priority,
+ AlertName: rule.Name(),
+ InfectedPID: execEvent.Pid,
+ Severity: R1001ExecBinaryNotInBaseImageRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
diff --git a/pkg/ruleengine/v1/r1002_load_kernel_module.go b/pkg/ruleengine/v1/r1002_load_kernel_module.go
index b74dfda4..f8445c38 100644
--- a/pkg/ruleengine/v1/r1002_load_kernel_module.go
+++ b/pkg/ruleengine/v1/r1002_load_kernel_module.go
@@ -70,10 +70,9 @@ func (rule *R1002LoadKernelModule) ProcessEvent(eventType utils.EventType, event
 rule.alerted = true
 ruleFailure := GenericRuleFailure{
 BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
- AlertName: rule.Name(),
- InfectedPID: syscallEvent.Pid,
- FixSuggestions: "If this is a legitimate action, please add consider removing this workload from the binding of this rule",
- Severity: R1002LoadKernelModuleRuleDescriptor.Priority,
+ AlertName: rule.Name(),
+ InfectedPID: syscallEvent.Pid,
+ Severity: R1002LoadKernelModuleRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
diff --git a/pkg/ruleengine/v1/r1003_malicious_ssh_connection.go b/pkg/ruleengine/v1/r1003_malicious_ssh_connection.go
index 8ea39b0a..2df07d40 100644
--- a/pkg/ruleengine/v1/r1003_malicious_ssh_connection.go
+++ b/pkg/ruleengine/v1/r1003_malicious_ssh_connection.go
@@ -176,9 +176,8 @@ func (rule *R1003MaliciousSSHConnection) ProcessEvent(eventType utils.EventType,
 "dstPort": sshEvent.DstPort,
 "srcPort": sshEvent.SrcPort,
 },
- InfectedPID: sshEvent.Pid,
- FixSuggestions: "If this is a legitimate action, please add the port as a parameter to the binding of this rule",
- Severity: R1003MaliciousSSHConnectionRuleDescriptor.Priority,
+ InfectedPID: sshEvent.Pid,
+ Severity: R1003MaliciousSSHConnectionRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
diff --git a/pkg/ruleengine/v1/r1004_exec_from_mount.go b/pkg/ruleengine/v1/r1004_exec_from_mount.go
index 8f3d9c7f..020b8bfa 100644
--- a/pkg/ruleengine/v1/r1004_exec_from_mount.go
+++ b/pkg/ruleengine/v1/r1004_exec_from_mount.go
@@ -83,8 +83,7 @@ func (rule *R1004ExecFromMount) ProcessEvent(eventType utils.EventType, event ut
 "exec": execEvent.ExePath,
 "args": execEvent.Args,
 },
- FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule",
- Severity: R1004ExecFromMountRuleDescriptor.Priority,
+ Severity: R1004ExecFromMountRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
diff --git a/pkg/ruleengine/v1/r1005_fileless_execution.go b/pkg/ruleengine/v1/r1005_fileless_execution.go
index 132e62d7..a8db0506 100644
--- a/pkg/ruleengine/v1/r1005_fileless_execution.go
+++ b/pkg/ruleengine/v1/r1005_fileless_execution.go
@@ -80,8 +80,7 @@ func (rule *R1005FilelessExecution) handleExecveEvent(execEvent *events.ExecEven
 Arguments: map[string]interface{}{
 "hardlink": execEvent.ExePath,
 },
- FixSuggestions: "If this is a legitimate action, please add consider removing this workload from the binding of this rule.",
- Severity: R1005FilelessExecutionRuleDescriptor.Priority,
+ Severity: R1005FilelessExecutionRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
diff --git a/pkg/ruleengine/v1/r1006_unshare_system_call.go b/pkg/ruleengine/v1/r1006_unshare_system_call.go
index 5440d673..8865dbf9 100644
--- a/pkg/ruleengine/v1/r1006_unshare_system_call.go
+++ b/pkg/ruleengine/v1/r1006_unshare_system_call.go
@@ -72,10 +72,9 @@ func (rule *R1006UnshareSyscall) ProcessEvent(eventType utils.EventType, event u
 rule.alreadyNotified = true
 ruleFailure := GenericRuleFailure{
 BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
- AlertName: rule.Name(),
- InfectedPID: syscallEvent.Pid,
- FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule",
- Severity: R1006UnshareSyscallRuleDescriptor.Priority,
+ AlertName: rule.Name(),
+ InfectedPID: syscallEvent.Pid,
+ Severity: R1006UnshareSyscallRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
diff --git a/pkg/ruleengine/v1/r1007_xmr_crypto_mining.go b/pkg/ruleengine/v1/r1007_xmr_crypto_mining.go
index 4083afd9..ba0499c4 100644
--- a/pkg/ruleengine/v1/r1007_xmr_crypto_mining.go
+++ b/pkg/ruleengine/v1/r1007_xmr_crypto_mining.go
@@ -62,10 +62,9 @@ func (rule *R1007XMRCryptoMining) ProcessEvent(eventType utils.EventType, event
 if randomXEvent, ok := event.(*tracerrandomxtype.Event); ok {
 ruleFailure := GenericRuleFailure{
 BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
- AlertName: rule.Name(),
- InfectedPID: randomXEvent.Pid,
- FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.",
- Severity: R1007XMRCryptoMiningRuleDescriptor.Priority,
+ AlertName: rule.Name(),
+ InfectedPID: randomXEvent.Pid,
+ Severity: R1007XMRCryptoMiningRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
diff --git a/pkg/ruleengine/v1/r1008_crypto_mining_domain.go b/pkg/ruleengine/v1/r1008_crypto_mining_domain.go
index 96cd3941..1bb26441 100644
--- a/pkg/ruleengine/v1/r1008_crypto_mining_domain.go
+++ b/pkg/ruleengine/v1/r1008_crypto_mining_domain.go
@@ -179,10 +179,9 @@ func (rule *R1008CryptoMiningDomainCommunication) ProcessEvent(eventType utils.E
 if slices.Contains(commonlyUsedCryptoMinersDomains, dnsEvent.DNSName) {
 ruleFailure := GenericRuleFailure{
 BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
- AlertName: rule.Name(),
- InfectedPID: dnsEvent.Pid,
- FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.",
- Severity: R1008CryptoMiningDomainCommunicationRuleDescriptor.Priority,
+ AlertName: rule.Name(),
+ InfectedPID: dnsEvent.Pid,
+ Severity: R1008CryptoMiningDomainCommunicationRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
diff --git a/pkg/ruleengine/v1/r1009_crypto_mining_port.go b/pkg/ruleengine/v1/r1009_crypto_mining_port.go
index 072155b2..5e1911b3 100644
--- a/pkg/ruleengine/v1/r1009_crypto_mining_port.go
+++ b/pkg/ruleengine/v1/r1009_crypto_mining_port.go
@@ -102,9 +102,8 @@ func (rule *R1009CryptoMiningRelatedPort) ProcessEvent(eventType utils.EventType
 "proto": networkEvent.Proto,
 "ip": networkEvent.DstEndpoint.Addr,
 },
- InfectedPID: networkEvent.Pid,
- FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.",
- Severity: R1009CryptoMiningRelatedPortRuleDescriptor.Priority,
+ InfectedPID: networkEvent.Pid,
+ Severity: R1009CryptoMiningRelatedPortRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
diff --git a/pkg/ruleengine/v1/r1010_symlink_created_over_sensitive_file.go b/pkg/ruleengine/v1/r1010_symlink_created_over_sensitive_file.go
index 77b426ce..4b820d8c 100644
--- a/pkg/ruleengine/v1/r1010_symlink_created_over_sensitive_file.go
+++ b/pkg/ruleengine/v1/r1010_symlink_created_over_sensitive_file.go
@@ -79,10 +79,7 @@ func (rule *R1010SymlinkCreatedOverSensitiveFile) DeleteRule() {
 }
 func (rule *R1010SymlinkCreatedOverSensitiveFile) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure {
- logger.L().Debug("Processing event", helpers.String("ruleID", rule.ID()), helpers.String("eventType", string(eventType)))
-
 if !rule.EvaluateRule(eventType, event, objCache.K8sObjectCache()) {
- logger.L().Debug("Event does not match rule", helpers.String("ruleID", rule.ID()), helpers.String("eventType", string(eventType)))
 return nil
 }
@@ -102,9 +99,8 @@ func (rule *R1010SymlinkCreatedOverSensitiveFile) ProcessEvent(eventType utils.E
 "oldPath": symlinkEvent.OldPath,
 "newPath": symlinkEvent.NewPath,
 },
- InfectedPID: symlinkEvent.Pid,
- FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.",
- Severity: R1010SymlinkCreatedOverSensitiveFileRuleDescriptor.Priority,
+ InfectedPID: symlinkEvent.Pid,
+ Severity: R1010SymlinkCreatedOverSensitiveFileRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
diff --git a/pkg/ruleengine/v1/r1011_ld_preload_hook.go b/pkg/ruleengine/v1/r1011_ld_preload_hook.go
index 8447e248..cc5f143e 100644
--- a/pkg/ruleengine/v1/r1011_ld_preload_hook.go
+++ b/pkg/ruleengine/v1/r1011_ld_preload_hook.go
@@ -12,8 +12,6 @@ import (
 apitypes "github.com/armosec/armoapi-go/armotypes"
 traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types"
- "github.com/kubescape/go-logger"
- "github.com/kubescape/go-logger/helpers"
 )
 const (
@@ -63,7 +61,6 @@ func (rule *R1011LdPreloadHook) DeleteRule() {
 }
 func (rule *R1011LdPreloadHook) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objectCache objectcache.ObjectCache) ruleengine.RuleFailure {
-
 if !rule.EvaluateRule(eventType, event, objectCache.K8sObjectCache()) {
 return nil
 }
@@ -75,7 +72,6 @@ func (rule *R1011LdPreloadHook) ProcessEvent(eventType utils.EventType, event ut
 }
 if allowed, err := isAllowed(&execEvent.Event.Event, objectCache, execEvent.Comm, R1011ID); err != nil {
- logger.L().Error("failed to check if ld_preload is allowed", helpers.String("ruleID", rule.ID()), helpers.String("error", err.Error()))
 return nil
 } else if allowed {
 return nil
@@ -89,7 +85,6 @@ func (rule *R1011LdPreloadHook) ProcessEvent(eventType utils.EventType, event ut
 }
 if allowed, err := isAllowed(&openEvent.Event.Event, objectCache, openEvent.Comm, R1011ID); err != nil {
- logger.L().Error("failed to check if ld_preload is allowed", helpers.String("ruleID", rule.ID()), helpers.String("error", err.Error()))
 return nil
 } else if allowed {
 return nil
@@ -131,7 +126,6 @@ func (rule *R1011LdPreloadHook) Requirements() ruleengine.RuleSpec {
 func (rule *R1011LdPreloadHook) ruleFailureExecEvent(execEvent *events.ExecEvent) ruleengine.RuleFailure {
 envVars, err := utils.GetProcessEnv(int(execEvent.Pid))
 if err != nil {
- logger.L().Debug("Failed to get process environment variables", helpers.Error(err))
 return nil
 }
@@ -141,11 +135,10 @@ func (rule *R1011LdPreloadHook) ruleFailureExecEvent(execEvent *events.ExecEvent
 ruleFailure := GenericRuleFailure{
 BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
- AlertName: rule.Name(),
- Arguments: map[string]interface{}{"envVar": ldHookVar},
- InfectedPID: execEvent.Pid,
- FixSuggestions: fmt.Sprintf("Check the environment variable %s", ldHookVar),
- Severity: R1011LdPreloadHookRuleDescriptor.Priority,
+ AlertName: rule.Name(),
+ Arguments: map[string]interface{}{"envVar": ldHookVar},
+ InfectedPID: execEvent.Pid,
+ Severity: R1011LdPreloadHookRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
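Review bot: The `isAllowed` error branch now discards `err` and returns nil, so when the allow-list check itself fails the rule emits no alert and leaves no trace — a fail-open path that is invisible to whoever tunes these detections. The same silent drop is in the second `isAllowed` branch (-89) and in the `GetProcessEnv` failures in ruleFailureExecEvent (-131) and shouldAlertExec (-225). If dropping the log is intentional, at least make the fail-open explicit with a comment such as `// isAllowed failed: fail open (no alert); surface via metric or rate-limited log` above `return nil`, or return the error to the caller so the engine can count it rather than mask it. ProcessEvent starts and ends outside this hunk.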
@@ -185,9 +178,8 @@ func (rule *R1011LdPreloadHook) ruleFailureOpenEvent(openEvent *traceropentype.E
 "path": openEvent.FullPath,
 "flags": openEvent.Flags,
 },
- InfectedPID: openEvent.Pid,
- FixSuggestions: "Check the file /etc/ld.so.preload",
- Severity: R1011LdPreloadHookRuleDescriptor.Priority,
+ InfectedPID: openEvent.Pid,
+ Severity: R1011LdPreloadHookRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
@@ -225,7 +217,6 @@ func (rule *R1011LdPreloadHook) shouldAlertExec(execEvent *events.ExecEvent, k8s
 envVars, err := utils.GetProcessEnv(int(execEvent.Pid))
 if err != nil {
- logger.L().Debug("Failed to get process environment variables", helpers.Error(err))
 return false
 }
diff --git a/pkg/ruleengine/v1/r1012_hardlink_created_over_sensitive_file.go b/pkg/ruleengine/v1/r1012_hardlink_created_over_sensitive_file.go
index e361ffcb..add63be4 100644
--- a/pkg/ruleengine/v1/r1012_hardlink_created_over_sensitive_file.go
+++ b/pkg/ruleengine/v1/r1012_hardlink_created_over_sensitive_file.go
@@ -97,9 +97,8 @@ func (rule *R1012HardlinkCreatedOverSensitiveFile) ProcessEvent(eventType utils.
 "oldPath": hardlinkEvent.OldPath,
 "newPath": hardlinkEvent.NewPath,
 },
- InfectedPID: hardlinkEvent.Pid,
- FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.",
- Severity: R1012HardlinkCreatedOverSensitiveFileRuleDescriptor.Priority,
+ InfectedPID: hardlinkEvent.Pid,
+ Severity: R1012HardlinkCreatedOverSensitiveFileRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
diff --git a/pkg/ruleengine/v1/r1015_malicious_ptrace_usage.go b/pkg/ruleengine/v1/r1015_malicious_ptrace_usage.go
index 42c311ea..01b921ce 100644
--- a/pkg/ruleengine/v1/r1015_malicious_ptrace_usage.go
+++ b/pkg/ruleengine/v1/r1015_malicious_ptrace_usage.go
@@ -88,10 +88,9 @@ func (rule *R1015MaliciousPtraceUsage) ProcessEvent(eventType utils.EventType, e
 return &GenericRuleFailure{
 BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
- AlertName: rule.Name(),
- InfectedPID: ptraceEvent.Pid,
- FixSuggestions: "Consider reviewing the application usage of ptrace.",
- Severity: R1015MaliciousPtraceUsageRuleDescriptor.Priority,
+ AlertName: rule.Name(),
+ InfectedPID: ptraceEvent.Pid,
+ Severity: R1015MaliciousPtraceUsageRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{