From 4f7c520ce6381088fd870dd7bc4c80a31fd511c3 Mon Sep 17 00:00:00 2001 From: Amit Schendel Date: Tue, 3 Dec 2024 07:45:16 +0000 Subject: [PATCH 1/2] Removing fix suggestions to save network Signed-off-by: Amit Schendel --- .../v1/r0001_unexpected_process_launched.go | 20 +----------------- .../v1/r0002_unexpected_file_access.go | 17 +-------------- .../v1/r0003_unexpected_system_call.go | 5 ++--- .../v1/r0004_unexpected_capability_used.go | 12 ++--------- .../v1/r0005_unexpected_domain_request.go | 11 ---------- ...unexpected_service_account_token_access.go | 5 +---- .../v1/r0007_kubernetes_client_executed.go | 3 +-- .../v1/r0008_read_env_variables_procfs.go | 5 ++--- pkg/ruleengine/v1/r0009_ebpf_program_load.go | 5 ++--- .../r0010_unexpected_sensitive_file_access.go | 5 ++--- ...r0011_unexpected_egress_network_traffic.go | 4 ---- .../v1/r1000_exec_from_malicious_source.go | 3 +-- .../v1/r1001_exec_binary_not_in_base_image.go | 7 +++---- pkg/ruleengine/v1/r1002_load_kernel_module.go | 7 +++---- .../v1/r1003_malicious_ssh_connection.go | 5 ++--- pkg/ruleengine/v1/r1004_exec_from_mount.go | 3 +-- pkg/ruleengine/v1/r1005_fileless_execution.go | 3 +-- .../v1/r1006_unshare_system_call.go | 7 +++---- pkg/ruleengine/v1/r1007_xmr_crypto_mining.go | 7 +++---- .../v1/r1008_crypto_mining_domain.go | 7 +++---- pkg/ruleengine/v1/r1009_crypto_mining_port.go | 5 ++--- ...010_symlink_created_over_sensitive_file.go | 8 ++----- pkg/ruleengine/v1/r1011_ld_preload_hook.go | 21 ++++++------------- ...12_hardlink_created_over_sensitive_file.go | 8 ++----- .../v1/r1015_malicious_ptrace_usage.go | 7 +++---- 25 files changed, 49 insertions(+), 141 deletions(-) diff --git a/pkg/ruleengine/v1/r0001_unexpected_process_launched.go b/pkg/ruleengine/v1/r0001_unexpected_process_launched.go index 44afacde..9f43dc5a 100644 --- a/pkg/ruleengine/v1/r0001_unexpected_process_launched.go +++ b/pkg/ruleengine/v1/r0001_unexpected_process_launched.go 
@@ -11,8 +11,6 @@ import ( tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" - "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" - apitypes "github.com/armosec/armoapi-go/armotypes" ) @@ -60,21 +58,6 @@ func CreateRuleR0001UnexpectedProcessLaunched() *R0001UnexpectedProcessLaunched return &R0001UnexpectedProcessLaunched{enforceArgs: false} } -func (rule *R0001UnexpectedProcessLaunched) generatePatchCommand(event *tracerexectype.Event, ap *v1beta1.ApplicationProfile) string { - argList := "[" - for _, arg := range event.Args { - argList += "\"" + arg + "\"," - } - // remove the last comma - if len(argList) > 1 { - argList = argList[:len(argList)-1] - } - argList += "]" - baseTemplate := "kubectl patch applicationprofile %s --namespace %s --type merge -p '{\"spec\": {\"containers\": [{\"name\": \"%s\", \"execs\": [{\"path\": \"%s\", \"args\": %s}]}]}}'" - return fmt.Sprintf(baseTemplate, ap.GetName(), ap.GetNamespace(), - event.GetContainer(), getExecPathFromEvent(event), argList) -} - func (rule *R0001UnexpectedProcessLaunched) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objectCache objectcache.ObjectCache) ruleengine.RuleFailure { if eventType != utils.ExecveEventType { return nil @@ -119,8 +102,7 @@ func (rule *R0001UnexpectedProcessLaunched) ProcessEvent(eventType utils.EventTy "exec": execPath, "args": execEvent.Args, }, - FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the exec call \"%s\" to the whitelist in the application profile for the Pod \"%s\". You can use the following command: %s", execPath, execEvent.GetPod(), rule.generatePatchCommand(execEvent, ap)), - Severity: R0001UnexpectedProcessLaunchedRuleDescriptor.Priority, + Severity: R0001UnexpectedProcessLaunchedRuleDescriptor.Priority, }, RuntimeProcessDetails: apitypes.ProcessTree{ ProcessTree: apitypes.Process{ 
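Review bot: The alert built in this hunk now carries no pointer at all to the ApplicationProfile an analyst would amend, even though `ap` was evidently in scope here (it was passed to the removed `generatePatchCommand`) and presumably still is for the profile comparison. If payload size is the motive, a structured reference costs a few bytes and is easier for a backend to act on than the old free text, e.g. `"profile": ap.GetName(),` alongside `"exec"` and `"args"` in `Arguments`. One caveat worth keeping if the kubectl suggestion is ever reintroduced elsewhere: the deleted helper wrapped each `event.Args` element in `"…"` and spliced the result into a single-quoted `-p '{…}'` shell string with no escaping, so an exec argument containing `'` or `"` could break out of the command; any such patch body should be built with `json.Marshal` rather than string concatenation, since exec arguments are attacker-controlled. ProcessEvent begins and ends outside the hunk.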
diff --git a/pkg/ruleengine/v1/r0002_unexpected_file_access.go b/pkg/ruleengine/v1/r0002_unexpected_file_access.go index ca7fd204..75164fe8 100644 --- a/pkg/ruleengine/v1/r0002_unexpected_file_access.go +++ b/pkg/ruleengine/v1/r0002_unexpected_file_access.go @@ -15,7 +15,6 @@ import ( "github.com/kubescape/go-logger" "github.com/kubescape/go-logger/helpers" - "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" ) const ( @@ -81,19 +80,6 @@ func (rule *R0002UnexpectedFileAccess) SetParameters(parameters map[string]inter func (rule *R0002UnexpectedFileAccess) DeleteRule() { } -func (rule *R0002UnexpectedFileAccess) generatePatchCommand(event *traceropentype.Event, ap *v1beta1.ApplicationProfile) string { - flagList := "[" - for _, arg := range event.Flags { - flagList += "\"" + arg + "\"," - } - // remove the last comma - if len(flagList) > 1 { - flagList = flagList[:len(flagList)-1] - } - baseTemplate := "kubectl patch applicationprofile %s --namespace %s --type merge -p '{\"spec\": {\"containers\": [{\"name\": \"%s\", \"opens\": [{\"path\": \"%s\", \"flags\": %s}]}]}}'" - return fmt.Sprintf(baseTemplate, ap.GetName(), ap.GetNamespace(), event.GetContainer(), event.FullPath, flagList) -} - func (rule *R0002UnexpectedFileAccess) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure { if eventType != utils.OpenEventType { return nil 
@@ -159,8 +145,7 @@ func (rule *R0002UnexpectedFileAccess) ProcessEvent(eventType utils.EventType, e "flags": openEvent.Flags, "path": openEvent.FullPath, }, - FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the open call \"%s\" to the whitelist in the application profile for the Pod \"%s\". You can use the following command: %s", openEvent.FullPath, openEvent.GetPod(), rule.generatePatchCommand(openEvent, ap)), - Severity: R0002UnexpectedFileAccessRuleDescriptor.Priority, + Severity: R0002UnexpectedFileAccessRuleDescriptor.Priority, }, RuntimeProcessDetails: apitypes.ProcessTree{ ProcessTree: apitypes.Process{ diff --git a/pkg/ruleengine/v1/r0003_unexpected_system_call.go b/pkg/ruleengine/v1/r0003_unexpected_system_call.go index 952ea758..88668fed 100644 --- a/pkg/ruleengine/v1/r0003_unexpected_system_call.go +++ b/pkg/ruleengine/v1/r0003_unexpected_system_call.go @@ -96,9 +96,8 @@ func (rule *R0003UnexpectedSystemCall) ProcessEvent(eventType utils.EventType, e Arguments: map[string]interface{}{ "syscall": syscallEvent.SyscallName, }, - InfectedPID: syscallEvent.Pid, - FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the system call \"%s\" to the whitelist in the application profile for the Pod \"%s\".", syscallEvent.SyscallName, syscallEvent.GetPod()), - Severity: R0003UnexpectedSystemCallRuleDescriptor.Priority, + InfectedPID: syscallEvent.Pid, + Severity: R0003UnexpectedSystemCallRuleDescriptor.Priority, }, RuntimeProcessDetails: apitypes.ProcessTree{ ProcessTree: apitypes.Process{ diff --git a/pkg/ruleengine/v1/r0004_unexpected_capability_used.go b/pkg/ruleengine/v1/r0004_unexpected_capability_used.go index c4d8e906..53330758 100644 --- a/pkg/ruleengine/v1/r0004_unexpected_capability_used.go +++ b/pkg/ruleengine/v1/r0004_unexpected_capability_used.go 
@@ -10,7 +10,6 @@ import ( apitypes "github.com/armosec/armoapi-go/armotypes" tracercapabilitiestype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/capabilities/types" - "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" ) const ( @@ -52,12 +51,6 @@ func (rule *R0004UnexpectedCapabilityUsed) ID() string { func (rule *R0004UnexpectedCapabilityUsed) DeleteRule() { } -func (rule *R0004UnexpectedCapabilityUsed) generatePatchCommand(event *tracercapabilitiestype.Event, ap *v1beta1.ApplicationProfile) string { - baseTemplate := "kubectl patch applicationprofile %s --namespace %s --type merge -p '{\"spec\": {\"containers\": [{\"name\": \"%s\", \"capabilities\": [{\"syscall\": \"%s\", \"caps\": [%s]}]}]}}'" - return fmt.Sprintf(baseTemplate, ap.GetName(), ap.GetNamespace(), - event.GetContainer(), event.Syscall, event.CapName) -} - func (rule *R0004UnexpectedCapabilityUsed) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure { if eventType != utils.CapabilitiesEventType { return nil @@ -95,9 +88,8 @@ func (rule *R0004UnexpectedCapabilityUsed) ProcessEvent(eventType utils.EventTyp "syscall": capEvent.Syscall, "capability": capEvent.CapName, }, - InfectedPID: capEvent.Pid, - FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the capability use \"%s\" to the whitelist in the application profile for the Pod \"%s\". You can use the following command: %s", capEvent.CapName, capEvent.GetPod(), rule.generatePatchCommand(capEvent, ap)), - Severity: R0004UnexpectedCapabilityUsedRuleDescriptor.Priority, + InfectedPID: capEvent.Pid, + Severity: R0004UnexpectedCapabilityUsedRuleDescriptor.Priority, }, RuntimeProcessDetails: apitypes.ProcessTree{ ProcessTree: apitypes.Process{ diff --git a/pkg/ruleengine/v1/r0005_unexpected_domain_request.go b/pkg/ruleengine/v1/r0005_unexpected_domain_request.go index 7ea82b38..b1cd0168 100644 
--- a/pkg/ruleengine/v1/r0005_unexpected_domain_request.go +++ b/pkg/ruleengine/v1/r0005_unexpected_domain_request.go @@ -12,7 +12,6 @@ import ( apitypes "github.com/armosec/armoapi-go/armotypes" tracerdnstype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/dns/types" - "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" ) const ( @@ -55,12 +54,6 @@ func (rule *R0005UnexpectedDomainRequest) ID() string { func (rule *R0005UnexpectedDomainRequest) DeleteRule() { } -func (rule *R0005UnexpectedDomainRequest) generatePatchCommand(event *tracerdnstype.Event, nn *v1beta1.NetworkNeighborhood) string { - baseTemplate := "kubectl patch networkneighborhood %s --namespace %s --type merge -p '{\"spec\": {\"containers\": [{\"name\": \"%s\", \"dns\": [{\"dnsName\": \"%s\"}]}]}}'" - return fmt.Sprintf(baseTemplate, nn.GetName(), nn.GetNamespace(), - event.GetContainer(), event.DNSName) -} - func (rule *R0005UnexpectedDomainRequest) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure { if eventType != utils.DnsEventType { return nil @@ -107,10 +100,6 @@ func (rule *R0005UnexpectedDomainRequest) ProcessEvent(eventType utils.EventType "protocol": domainEvent.Protocol, "port": domainEvent.DstPort, }, - FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the domain %s to the whitelist in the application profile for the Pod %s. You can use the following command: %s", - domainEvent.DNSName, - domainEvent.GetPod(), - rule.generatePatchCommand(domainEvent, nn)), Severity: R0005UnexpectedDomainRequestRuleDescriptor.Priority, }, RuntimeProcessDetails: apitypes.ProcessTree{ diff --git a/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go b/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go index 71f0a1f8..b5d401fb 100644 --- a/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go 
+++ b/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go @@ -141,10 +141,7 @@ func (rule *R0006UnexpectedServiceAccountTokenAccess) ProcessEvent(eventType uti "flags": openEvent.Flags, }, InfectedPID: openEvent.Pid, - FixSuggestions: fmt.Sprintf( - "If this is a valid behavior, please add the open call to the whitelist in the application profile for the Pod %s", - openEvent.GetPod()), - Severity: R0006UnexpectedServiceAccountTokenAccessRuleDescriptor.Priority, + Severity: R0006UnexpectedServiceAccountTokenAccessRuleDescriptor.Priority, }, RuntimeProcessDetails: apitypes.ProcessTree{ ProcessTree: apitypes.Process{ diff --git a/pkg/ruleengine/v1/r0007_kubernetes_client_executed.go b/pkg/ruleengine/v1/r0007_kubernetes_client_executed.go index bfecb5f8..f99bc64d 100644 --- a/pkg/ruleengine/v1/r0007_kubernetes_client_executed.go +++ b/pkg/ruleengine/v1/r0007_kubernetes_client_executed.go @@ -156,8 +156,7 @@ func (rule *R0007KubernetesClientExecuted) handleExecEvent(event *tracerexectype "exec": execPath, "args": event.Args, }, - FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.", - Severity: R0007KubernetesClientExecutedDescriptor.Priority, + Severity: R0007KubernetesClientExecutedDescriptor.Priority, }, RuntimeProcessDetails: apitypes.ProcessTree{ ProcessTree: apitypes.Process{ diff --git a/pkg/ruleengine/v1/r0008_read_env_variables_procfs.go b/pkg/ruleengine/v1/r0008_read_env_variables_procfs.go index 35f7b736..7a7ebc83 100644 --- a/pkg/ruleengine/v1/r0008_read_env_variables_procfs.go +++ b/pkg/ruleengine/v1/r0008_read_env_variables_procfs.go 
@@ -90,9 +90,8 @@ func (rule *R0008ReadEnvironmentVariablesProcFS) ProcessEvent(eventType utils.Ev "path": openEvent.FullPath, "flags": openEvent.Flags, }, - InfectedPID: openEvent.Pid, - FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.", - Severity: R0008ReadEnvironmentVariablesProcFSRuleDescriptor.Priority, + InfectedPID: openEvent.Pid, + Severity: R0008ReadEnvironmentVariablesProcFSRuleDescriptor.Priority, }, RuntimeProcessDetails: apitypes.ProcessTree{ ProcessTree: apitypes.Process{ diff --git a/pkg/ruleengine/v1/r0009_ebpf_program_load.go b/pkg/ruleengine/v1/r0009_ebpf_program_load.go index 9933e93d..6ba899f2 100644 --- a/pkg/ruleengine/v1/r0009_ebpf_program_load.go +++ b/pkg/ruleengine/v1/r0009_ebpf_program_load.go @@ -92,9 +92,8 @@ func (rule *R0009EbpfProgramLoad) ProcessEvent(eventType utils.EventType, event Arguments: map[string]interface{}{ "syscall": syscallEvent.SyscallName, }, - InfectedPID: syscallEvent.Pid, - FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule", - Severity: R0009EbpfProgramLoadRuleDescriptor.Priority, + InfectedPID: syscallEvent.Pid, + Severity: R0009EbpfProgramLoadRuleDescriptor.Priority, }, RuntimeProcessDetails: apitypes.ProcessTree{ ProcessTree: apitypes.Process{ diff --git a/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go b/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go index 1f512cc9..f811cf8e 100644 --- a/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go +++ b/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go 
@@ -115,9 +115,8 @@ func (rule *R0010UnexpectedSensitiveFileAccess) ProcessEvent(eventType utils.Eve "path": openEvent.FullPath, "flags": openEvent.Flags, }, - InfectedPID: openEvent.Pid, - FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.", - Severity: R0010UnexpectedSensitiveFileAccessRuleDescriptor.Priority, + InfectedPID: openEvent.Pid, + Severity: R0010UnexpectedSensitiveFileAccessRuleDescriptor.Priority, }, RuntimeProcessDetails: apitypes.ProcessTree{ ProcessTree: apitypes.Process{ diff --git a/pkg/ruleengine/v1/r0011_unexpected_egress_network_traffic.go b/pkg/ruleengine/v1/r0011_unexpected_egress_network_traffic.go index 5c50d390..96a52670 100644 --- a/pkg/ruleengine/v1/r0011_unexpected_egress_network_traffic.go +++ b/pkg/ruleengine/v1/r0011_unexpected_egress_network_traffic.go @@ -102,10 +102,6 @@ func (rule *R0011UnexpectedEgressNetworkTraffic) handleNetworkEvent(networkEvent "port": networkEvent.Port, "proto": networkEvent.Proto, }, - FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the IP %s to the whitelist in the application profile for the Pod %s.", - networkEvent.DstEndpoint.Addr, - networkEvent.GetPod(), - ), Severity: R0011UnexpectedEgressNetworkTrafficRuleDescriptor.Priority, }, RuntimeProcessDetails: apitypes.ProcessTree{ diff --git a/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go b/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go index 2be1abf2..61ad8f0b 100644 --- a/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go +++ b/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go 
@@ -78,8 +78,7 @@ func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType utils.EventType
 Arguments: map[string]interface{}{
 "hardlink": execEvent.ExePath,
 },
- FixSuggestions: "If this is a legitimate action, please add consider removing this workload from the binding of this rule.",
- Severity: R1000ExecFromMaliciousSourceDescriptor.Priority,
+ Severity: R1000ExecFromMaliciousSourceDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
diff --git a/pkg/ruleengine/v1/r1001_exec_binary_not_in_base_image.go b/pkg/ruleengine/v1/r1001_exec_binary_not_in_base_image.go
index f9236509..7b5a6af9 100644
--- a/pkg/ruleengine/v1/r1001_exec_binary_not_in_base_image.go
+++ b/pkg/ruleengine/v1/r1001_exec_binary_not_in_base_image.go
@@ -71,10 +71,9 @@ func (rule *R1001ExecBinaryNotInBaseImage) ProcessEvent(eventType utils.EventTyp
 upperLayer := true
 ruleFailure := GenericRuleFailure{
 BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
- AlertName: rule.Name(),
- InfectedPID: execEvent.Pid,
- FixSuggestions: "If this is an expected behavior it is strongly suggested to include all executables in the container image. If this is not possible you can remove the rule binding to this workload.",
- Severity: R1001ExecBinaryNotInBaseImageRuleDescriptor.Priority,
+ AlertName: rule.Name(),
+ InfectedPID: execEvent.Pid,
+ Severity: R1001ExecBinaryNotInBaseImageRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
diff --git a/pkg/ruleengine/v1/r1002_load_kernel_module.go b/pkg/ruleengine/v1/r1002_load_kernel_module.go
index b74dfda4..f8445c38 100644
--- a/pkg/ruleengine/v1/r1002_load_kernel_module.go
+++ b/pkg/ruleengine/v1/r1002_load_kernel_module.go 
@@ -70,10 +70,9 @@ func (rule *R1002LoadKernelModule) ProcessEvent(eventType utils.EventType, event rule.alerted = true ruleFailure := GenericRuleFailure{ BaseRuntimeAlert: apitypes.BaseRuntimeAlert{ - AlertName: rule.Name(), - InfectedPID: syscallEvent.Pid, - FixSuggestions: "If this is a legitimate action, please add consider removing this workload from the binding of this rule", - Severity: R1002LoadKernelModuleRuleDescriptor.Priority, + AlertName: rule.Name(), + InfectedPID: syscallEvent.Pid, + Severity: R1002LoadKernelModuleRuleDescriptor.Priority, }, RuntimeProcessDetails: apitypes.ProcessTree{ ProcessTree: apitypes.Process{ diff --git a/pkg/ruleengine/v1/r1003_malicious_ssh_connection.go b/pkg/ruleengine/v1/r1003_malicious_ssh_connection.go index 8ea39b0a..2df07d40 100644 --- a/pkg/ruleengine/v1/r1003_malicious_ssh_connection.go +++ b/pkg/ruleengine/v1/r1003_malicious_ssh_connection.go @@ -176,9 +176,8 @@ func (rule *R1003MaliciousSSHConnection) ProcessEvent(eventType utils.EventType, "dstPort": sshEvent.DstPort, "srcPort": sshEvent.SrcPort, }, - InfectedPID: sshEvent.Pid, - FixSuggestions: "If this is a legitimate action, please add the port as a parameter to the binding of this rule", - Severity: R1003MaliciousSSHConnectionRuleDescriptor.Priority, + InfectedPID: sshEvent.Pid, + Severity: R1003MaliciousSSHConnectionRuleDescriptor.Priority, }, RuntimeProcessDetails: apitypes.ProcessTree{ ProcessTree: apitypes.Process{ diff --git a/pkg/ruleengine/v1/r1004_exec_from_mount.go b/pkg/ruleengine/v1/r1004_exec_from_mount.go index e266a874..d2f14926 100644 --- a/pkg/ruleengine/v1/r1004_exec_from_mount.go +++ b/pkg/ruleengine/v1/r1004_exec_from_mount.go 
@@ -83,8 +83,7 @@ func (rule *R1004ExecFromMount) ProcessEvent(eventType utils.EventType, event ut
 "exec": execEvent.ExePath,
 "args": execEvent.Args,
 },
- FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule",
- Severity: R1004ExecFromMountRuleDescriptor.Priority,
+ Severity: R1004ExecFromMountRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
diff --git a/pkg/ruleengine/v1/r1005_fileless_execution.go b/pkg/ruleengine/v1/r1005_fileless_execution.go
index d1645caa..7768d2e6 100644
--- a/pkg/ruleengine/v1/r1005_fileless_execution.go
+++ b/pkg/ruleengine/v1/r1005_fileless_execution.go
@@ -80,8 +80,7 @@ func (rule *R1005FilelessExecution) handleExecveEvent(execEvent *tracerexectype.
 Arguments: map[string]interface{}{
 "hardlink": execEvent.ExePath,
 },
- FixSuggestions: "If this is a legitimate action, please add consider removing this workload from the binding of this rule.",
- Severity: R1005FilelessExecutionRuleDescriptor.Priority,
+ Severity: R1005FilelessExecutionRuleDescriptor.Priority,
 },
 RuntimeProcessDetails: apitypes.ProcessTree{
 ProcessTree: apitypes.Process{
diff --git a/pkg/ruleengine/v1/r1006_unshare_system_call.go b/pkg/ruleengine/v1/r1006_unshare_system_call.go
index 5440d673..8865dbf9 100644
--- a/pkg/ruleengine/v1/r1006_unshare_system_call.go
+++ b/pkg/ruleengine/v1/r1006_unshare_system_call.go 
@@ -72,10 +72,9 @@ func (rule *R1006UnshareSyscall) ProcessEvent(eventType utils.EventType, event u rule.alreadyNotified = true ruleFailure := GenericRuleFailure{ BaseRuntimeAlert: apitypes.BaseRuntimeAlert{ - AlertName: rule.Name(), - InfectedPID: syscallEvent.Pid, - FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule", - Severity: R1006UnshareSyscallRuleDescriptor.Priority, + AlertName: rule.Name(), + InfectedPID: syscallEvent.Pid, + Severity: R1006UnshareSyscallRuleDescriptor.Priority, }, RuntimeProcessDetails: apitypes.ProcessTree{ ProcessTree: apitypes.Process{ diff --git a/pkg/ruleengine/v1/r1007_xmr_crypto_mining.go b/pkg/ruleengine/v1/r1007_xmr_crypto_mining.go index 4083afd9..ba0499c4 100644 --- a/pkg/ruleengine/v1/r1007_xmr_crypto_mining.go +++ b/pkg/ruleengine/v1/r1007_xmr_crypto_mining.go @@ -62,10 +62,9 @@ func (rule *R1007XMRCryptoMining) ProcessEvent(eventType utils.EventType, event if randomXEvent, ok := event.(*tracerrandomxtype.Event); ok { ruleFailure := GenericRuleFailure{ BaseRuntimeAlert: apitypes.BaseRuntimeAlert{ - AlertName: rule.Name(), - InfectedPID: randomXEvent.Pid, - FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.", - Severity: R1007XMRCryptoMiningRuleDescriptor.Priority, + AlertName: rule.Name(), + InfectedPID: randomXEvent.Pid, + Severity: R1007XMRCryptoMiningRuleDescriptor.Priority, }, RuntimeProcessDetails: apitypes.ProcessTree{ ProcessTree: apitypes.Process{ diff --git a/pkg/ruleengine/v1/r1008_crypto_mining_domain.go b/pkg/ruleengine/v1/r1008_crypto_mining_domain.go index 96cd3941..1bb26441 100644 --- a/pkg/ruleengine/v1/r1008_crypto_mining_domain.go +++ b/pkg/ruleengine/v1/r1008_crypto_mining_domain.go 
@@ -179,10 +179,9 @@ func (rule *R1008CryptoMiningDomainCommunication) ProcessEvent(eventType utils.E if slices.Contains(commonlyUsedCryptoMinersDomains, dnsEvent.DNSName) { ruleFailure := GenericRuleFailure{ BaseRuntimeAlert: apitypes.BaseRuntimeAlert{ - AlertName: rule.Name(), - InfectedPID: dnsEvent.Pid, - FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.", - Severity: R1008CryptoMiningDomainCommunicationRuleDescriptor.Priority, + AlertName: rule.Name(), + InfectedPID: dnsEvent.Pid, + Severity: R1008CryptoMiningDomainCommunicationRuleDescriptor.Priority, }, RuntimeProcessDetails: apitypes.ProcessTree{ ProcessTree: apitypes.Process{ diff --git a/pkg/ruleengine/v1/r1009_crypto_mining_port.go b/pkg/ruleengine/v1/r1009_crypto_mining_port.go index 072155b2..5e1911b3 100644 --- a/pkg/ruleengine/v1/r1009_crypto_mining_port.go +++ b/pkg/ruleengine/v1/r1009_crypto_mining_port.go @@ -102,9 +102,8 @@ func (rule *R1009CryptoMiningRelatedPort) ProcessEvent(eventType utils.EventType "proto": networkEvent.Proto, "ip": networkEvent.DstEndpoint.Addr, }, - InfectedPID: networkEvent.Pid, - FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.", - Severity: R1009CryptoMiningRelatedPortRuleDescriptor.Priority, + InfectedPID: networkEvent.Pid, + Severity: R1009CryptoMiningRelatedPortRuleDescriptor.Priority, }, RuntimeProcessDetails: apitypes.ProcessTree{ ProcessTree: apitypes.Process{ diff --git a/pkg/ruleengine/v1/r1010_symlink_created_over_sensitive_file.go b/pkg/ruleengine/v1/r1010_symlink_created_over_sensitive_file.go index 0e46234d..06a6ea5a 100644 --- a/pkg/ruleengine/v1/r1010_symlink_created_over_sensitive_file.go +++ b/pkg/ruleengine/v1/r1010_symlink_created_over_sensitive_file.go 
@@ -79,10 +79,7 @@ func (rule *R1010SymlinkCreatedOverSensitiveFile) DeleteRule() { } func (rule *R1010SymlinkCreatedOverSensitiveFile) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure { - logger.L().Debug("Processing event", helpers.String("ruleID", rule.ID()), helpers.String("eventType", string(eventType))) - if !rule.EvaluateRule(eventType, event, objCache.K8sObjectCache()) { - logger.L().Debug("Event does not match rule", helpers.String("ruleID", rule.ID()), helpers.String("eventType", string(eventType))) return nil } @@ -102,9 +99,8 @@ func (rule *R1010SymlinkCreatedOverSensitiveFile) ProcessEvent(eventType utils.E "oldPath": symlinkEvent.OldPath, "newPath": symlinkEvent.NewPath, }, - InfectedPID: symlinkEvent.Pid, - FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.", - Severity: R1010SymlinkCreatedOverSensitiveFileRuleDescriptor.Priority, + InfectedPID: symlinkEvent.Pid, + Severity: R1010SymlinkCreatedOverSensitiveFileRuleDescriptor.Priority, }, RuntimeProcessDetails: apitypes.ProcessTree{ ProcessTree: apitypes.Process{ diff --git a/pkg/ruleengine/v1/r1011_ld_preload_hook.go b/pkg/ruleengine/v1/r1011_ld_preload_hook.go index aba0ff86..596e2261 100644 --- a/pkg/ruleengine/v1/r1011_ld_preload_hook.go +++ b/pkg/ruleengine/v1/r1011_ld_preload_hook.go @@ -12,8 +12,6 @@ import ( apitypes "github.com/armosec/armoapi-go/armotypes" tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types" - "github.com/kubescape/go-logger" - "github.com/kubescape/go-logger/helpers" ) const ( 
@@ -63,7 +61,6 @@ func (rule *R1011LdPreloadHook) DeleteRule() { } func (rule *R1011LdPreloadHook) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objectCache objectcache.ObjectCache) ruleengine.RuleFailure { - if !rule.EvaluateRule(eventType, event, objectCache.K8sObjectCache()) { return nil } @@ -75,7 +72,6 @@ func (rule *R1011LdPreloadHook) ProcessEvent(eventType utils.EventType, event ut } if allowed, err := isAllowed(&execEvent.Event, objectCache, execEvent.Comm, R1011ID); err != nil { - logger.L().Error("failed to check if ld_preload is allowed", helpers.String("ruleID", rule.ID()), helpers.String("error", err.Error())) return nil } else if allowed { return nil @@ -89,7 +85,6 @@ func (rule *R1011LdPreloadHook) ProcessEvent(eventType utils.EventType, event ut } if allowed, err := isAllowed(&openEvent.Event, objectCache, openEvent.Comm, R1011ID); err != nil { - logger.L().Error("failed to check if ld_preload is allowed", helpers.String("ruleID", rule.ID()), helpers.String("error", err.Error())) return nil } else if allowed { return nil @@ -131,7 +126,6 @@ func (rule *R1011LdPreloadHook) Requirements() ruleengine.RuleSpec { func (rule *R1011LdPreloadHook) ruleFailureExecEvent(execEvent *tracerexectype.Event) ruleengine.RuleFailure { envVars, err := utils.GetProcessEnv(int(execEvent.Pid)) if err != nil { - logger.L().Debug("Failed to get process environment variables", helpers.Error(err)) return nil } 
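Review bot: Dropping the `logger.L().Error` call in the `isAllowed` error branch (both the exec and the open path) leaves `return nil` as the only handling, so a failing allow-list lookup now silently suppresses an LD_PRELOAD alert with nothing in the agent log — the rule fails open and nobody can tell. The commit message motivates the change by network cost, but these are local log lines; I'd keep at least the error-level entry, `logger.L().Error("failed to check if ld_preload is allowed", helpers.String("ruleID", rule.ID()), helpers.Error(err))` (which also means the two go-logger imports removed above must stay), or rate-limit it if log volume is the real concern rather than delete it. The same applies to the `utils.GetProcessEnv` failure in `ruleFailureExecEvent`, which now returns nil without a trace when the process environment cannot be read (presumably a process that has already exited); that at least deserves the debug line back. Both enclosing functions continue outside the hunk.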
@@ -141,11 +135,10 @@ func (rule *R1011LdPreloadHook) ruleFailureExecEvent(execEvent *tracerexectype.E ruleFailure := GenericRuleFailure{ BaseRuntimeAlert: apitypes.BaseRuntimeAlert{ - AlertName: rule.Name(), - Arguments: map[string]interface{}{"envVar": ldHookVar}, - InfectedPID: execEvent.Pid, - FixSuggestions: fmt.Sprintf("Check the environment variable %s", ldHookVar), - Severity: R1011LdPreloadHookRuleDescriptor.Priority, + AlertName: rule.Name(), + Arguments: map[string]interface{}{"envVar": ldHookVar}, + InfectedPID: execEvent.Pid, + Severity: R1011LdPreloadHookRuleDescriptor.Priority, }, RuntimeProcessDetails: apitypes.ProcessTree{ ProcessTree: apitypes.Process{ @@ -185,9 +178,8 @@ func (rule *R1011LdPreloadHook) ruleFailureOpenEvent(openEvent *traceropentype.E "path": openEvent.FullPath, "flags": openEvent.Flags, }, - InfectedPID: openEvent.Pid, - FixSuggestions: "Check the file /etc/ld.so.preload", - Severity: R1011LdPreloadHookRuleDescriptor.Priority, + InfectedPID: openEvent.Pid, + Severity: R1011LdPreloadHookRuleDescriptor.Priority, }, RuntimeProcessDetails: apitypes.ProcessTree{ ProcessTree: apitypes.Process{ @@ -225,7 +217,6 @@ func (rule *R1011LdPreloadHook) shouldAlertExec(execEvent *tracerexectype.Event, envVars, err := utils.GetProcessEnv(int(execEvent.Pid)) if err != nil { - logger.L().Debug("Failed to get process environment variables", helpers.Error(err)) return false } diff --git a/pkg/ruleengine/v1/r1012_hardlink_created_over_sensitive_file.go b/pkg/ruleengine/v1/r1012_hardlink_created_over_sensitive_file.go index 25533fc1..38dfa76e 100644 --- a/pkg/ruleengine/v1/r1012_hardlink_created_over_sensitive_file.go +++ b/pkg/ruleengine/v1/r1012_hardlink_created_over_sensitive_file.go 
@@ -78,16 +78,13 @@ func (rule *R1012HardlinkCreatedOverSensitiveFile) DeleteRule() { } func (rule *R1012HardlinkCreatedOverSensitiveFile) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure { - logger.L().Debug("Processing event", helpers.String("ruleID", rule.ID()), helpers.String("eventType", string(eventType))) if !rule.EvaluateRule(eventType, event, objCache.K8sObjectCache()) { - logger.L().Debug("Event does not match rule", helpers.String("ruleID", rule.ID()), helpers.String("eventType", string(eventType))) return nil } hardlinkEvent, _ := event.(*tracerhardlinktype.Event) if allowed, err := isAllowed(&hardlinkEvent.Event, objCache, hardlinkEvent.Comm, R1012ID); err != nil { - logger.L().Error("failed to check if hardlink is allowed", helpers.String("ruleID", rule.ID()), helpers.String("error", err.Error())) return nil } else if allowed { return nil @@ -100,9 +97,8 @@ func (rule *R1012HardlinkCreatedOverSensitiveFile) ProcessEvent(eventType utils. "oldPath": hardlinkEvent.OldPath, "newPath": hardlinkEvent.NewPath, }, - InfectedPID: hardlinkEvent.Pid, - FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.", - Severity: R1012HardlinkCreatedOverSensitiveFileRuleDescriptor.Priority, + InfectedPID: hardlinkEvent.Pid, + Severity: R1012HardlinkCreatedOverSensitiveFileRuleDescriptor.Priority, }, RuntimeProcessDetails: apitypes.ProcessTree{ ProcessTree: apitypes.Process{ diff --git a/pkg/ruleengine/v1/r1015_malicious_ptrace_usage.go b/pkg/ruleengine/v1/r1015_malicious_ptrace_usage.go index 42c311ea..01b921ce 100644 --- a/pkg/ruleengine/v1/r1015_malicious_ptrace_usage.go +++ b/pkg/ruleengine/v1/r1015_malicious_ptrace_usage.go 
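Review bot: The `isAllowed` error branch in ProcessEvent now reaches `return nil` with no log at all, so a lookup failure silently drops a hardlink-over-sensitive-file alert, which is fail-open for a detection rule and invisible to whoever operates the agent. Keep `logger.L().Error("failed to check if hardlink is allowed", helpers.String("ruleID", rule.ID()), helpers.Error(err))` (rate-limited if volume is the worry), or emit the failure anyway and let the consumer decide; silently swallowing it is the one option that hides a broken allow-list. Separately, the unchanged line `hardlinkEvent, _ := event.(*tracerhardlinktype.Event)` discards the assertion result and `&hardlinkEvent.Event` is dereferenced on the very next line; this is presumably safe only because `EvaluateRule` already checked the type, so `hardlinkEvent, ok := event.(*tracerhardlinktype.Event); if !ok { return nil }` would be cheap insurance against a future change there. ProcessEvent continues outside the hunk.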
@@ -88,10 +88,9 @@ func (rule *R1015MaliciousPtraceUsage) ProcessEvent(eventType utils.EventType, e return &GenericRuleFailure{ BaseRuntimeAlert: apitypes.BaseRuntimeAlert{ - AlertName: rule.Name(), - InfectedPID: ptraceEvent.Pid, - FixSuggestions: "Consider reviewing the application usage of ptrace.", - Severity: R1015MaliciousPtraceUsageRuleDescriptor.Priority, + AlertName: rule.Name(), + InfectedPID: ptraceEvent.Pid, + Severity: R1015MaliciousPtraceUsageRuleDescriptor.Priority, }, RuntimeProcessDetails: apitypes.ProcessTree{ ProcessTree: apitypes.Process{
From eedd4bba5a96b0666e4dea04705be40f8c585065 Mon Sep 17 00:00:00 2001
From: Amit Schendel
Date: Tue, 3 Dec 2024 08:26:16 +0000
Subject: [PATCH 2/2] Fixing conflicts
Signed-off-by: Amit Schendel
---
 pkg/ruleengine/v1/r0001_unexpected_process_launched.go | 1 -
 pkg/ruleengine/v1/r0002_unexpected_file_access.go | 1 -
 pkg/ruleengine/v1/r1011_ld_preload_hook.go | 4 ++--
 3 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/pkg/ruleengine/v1/r0001_unexpected_process_launched.go b/pkg/ruleengine/v1/r0001_unexpected_process_launched.go
index 8fb05a3e..31de9124 100644
--- a/pkg/ruleengine/v1/r0001_unexpected_process_launched.go
+++ b/pkg/ruleengine/v1/r0001_unexpected_process_launched.go
@@ -9,7 +9,6 @@ import ( "github.com/kubescape/node-agent/pkg/objectcache" "github.com/kubescape/node-agent/pkg/ruleengine" "github.com/kubescape/node-agent/pkg/utils" - "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" apitypes "github.com/armosec/armoapi-go/armotypes" )
diff --git a/pkg/ruleengine/v1/r0002_unexpected_file_access.go b/pkg/ruleengine/v1/r0002_unexpected_file_access.go
index 286747be..87ed588d 100644
--- a/pkg/ruleengine/v1/r0002_unexpected_file_access.go
+++ b/pkg/ruleengine/v1/r0002_unexpected_file_access.go 
@@ -12,7 +12,6 @@ import ( "github.com/kubescape/node-agent/pkg/objectcache" apitypes "github.com/armosec/armoapi-go/armotypes" - traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types" "github.com/kubescape/go-logger" "github.com/kubescape/go-logger/helpers" diff --git a/pkg/ruleengine/v1/r1011_ld_preload_hook.go b/pkg/ruleengine/v1/r1011_ld_preload_hook.go index 1154af0f..cc5f143e 100644 --- a/pkg/ruleengine/v1/r1011_ld_preload_hook.go +++ b/pkg/ruleengine/v1/r1011_ld_preload_hook.go @@ -71,7 +71,7 @@ func (rule *R1011LdPreloadHook) ProcessEvent(eventType utils.EventType, event ut return nil } - if allowed, err := isAllowed(&execEvent.Event, objectCache, execEvent.Comm, R1011ID); err != nil { + if allowed, err := isAllowed(&execEvent.Event.Event, objectCache, execEvent.Comm, R1011ID); err != nil { return nil } else if allowed { return nil @@ -84,7 +84,7 @@ func (rule *R1011LdPreloadHook) ProcessEvent(eventType utils.EventType, event ut return nil } - if allowed, err := isAllowed(&openEvent.Event, objectCache, openEvent.Comm, R1011ID); err != nil { + if allowed, err := isAllowed(&openEvent.Event.Event, objectCache, openEvent.Comm, R1011ID); err != nil { return nil } else if allowed { return nil
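Review bot: Removing the `traceropentype` import from r0002_unexpected_file_access.go is only safe if no `*traceropentype.Event` reference survives in that file, and nothing in this hunk shows that; the first patch's ProcessEvent still handled `utils.OpenEventType` events, and this conflict fix is against a different base (index `286747be`), so I am inferring the rebase moved the file to the wrapper event type that the `execEvent.Event.Event` / `openEvent.Event.Event` changes in r1011 point at. That inference deserves a `go build ./pkg/ruleengine/...` on the rebased tree in CI rather than trust in the merge, because if the type assertion is still there the package will not compile. In r1011 the double `.Event.Event` is correct for an embedded gadget event but opaque to a reader; a one-line comment above each call, something like `// isAllowed wants the embedded inspektor-gadget event, not the node-agent wrapper` (adjusted to what isAllowed actually takes), would stop the next person from "simplifying" it back. Both enclosing functions continue outside the hunk.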