feat(analyze): enable sigs consuming sigs

Implement the feature that should have worked in analyze in tracee-rules as a (hopefully) last treat before deprecetation. Co-authored-by: Asaf Eitani <[email protected]>
aquasecurity · Oct 22, 2024 · 7320464 · 7320464
1 parent 840b32a
commit 7320464
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 7 deletions.
diff --git a/cmd/tracee-rules/main.go b/cmd/tracee-rules/main.go
@@ -17,6 +17,8 @@ import (
 
 	"github.com/aquasecurity/tracee/pkg/capabilities"
 	"github.com/aquasecurity/tracee/pkg/cmd/flags/server"
+	"github.com/aquasecurity/tracee/pkg/cmd/initialize/sigs"
+	"github.com/aquasecurity/tracee/pkg/events"
 	"github.com/aquasecurity/tracee/pkg/logger"
 	"github.com/aquasecurity/tracee/pkg/signatures/engine"
 	"github.com/aquasecurity/tracee/pkg/signatures/signature"
@@ -59,7 +61,7 @@ func main() {
 				rulesDir = []string{c.String("rules-dir")}
 			}
 
-			sigs, _, err := signature.Find(
+			signatures, _, err := signature.Find(
 				target,
 				c.Bool("rego-partial-eval"),
 				rulesDir,
@@ -70,6 +72,8 @@ func main() {
 				return err
 			}
 
+			_ = sigs.CreateEventsFromSignatures(events.StartSignatureID, signatures)
+
 			// can't drop privileges before this point due to signature.Find(),
 			// orelse we would have to raise capabilities in Find() and it can't
 			// be done in the single binary case (capabilities initialization
@@ -88,7 +92,7 @@ func main() {
 			var loadedSigIDs []string
 			err = capabilities.GetInstance().Specific(
 				func() error {
-					for _, s := range sigs {
+					for _, s := range signatures {
 						m, err := s.GetMetadata()
 						if err != nil {
 							logger.Errorw("Failed to load signature", "error", err)
@@ -105,14 +109,14 @@ func main() {
 			}
 
 			if c.Bool("list-events") {
-				listEvents(os.Stdout, sigs)
+				listEvents(os.Stdout, signatures)
 				return nil
 			}
 
 			logger.Infow("Signatures loaded", "total", len(loadedSigIDs), "signatures", loadedSigIDs)
 
 			if c.Bool("list") {
-				listSigs(os.Stdout, sigs)
+				listSigs(os.Stdout, signatures)
 				return nil
 			}
 
@@ -138,14 +142,15 @@ func main() {
 				c.String("webhook-template"),
 				c.String("webhook-content-type"),
 				c.String("output-template"),
+				inputs.Tracee,
 			)
 			if err != nil {
 				return err
 			}
 
 			config := engine.Config{
 				SignatureBufferSize: c.Uint(signatureBufferFlag),
-				Signatures:          sigs,
+				Signatures:          signatures,
 				DataSources:         []detect.DataSource{},
 			}
 			e, err := engine.NewEngine(config, inputs, output)

diff --git a/cmd/tracee-rules/output.go b/cmd/tracee-rules/output.go
@@ -11,8 +11,10 @@ import (
 	"github.com/Masterminds/sprig/v3"
 
 	"github.com/aquasecurity/tracee/pkg/errfmt"
+	"github.com/aquasecurity/tracee/pkg/events/findings"
 	"github.com/aquasecurity/tracee/pkg/logger"
 	"github.com/aquasecurity/tracee/types/detect"
+	"github.com/aquasecurity/tracee/types/protocol"
 	"github.com/aquasecurity/tracee/types/trace"
 )
 
@@ -39,7 +41,7 @@ func setupTemplate(inputTemplateFile string) (*template.Template, error) {
 	}
 }
 
-func setupOutput(w io.Writer, webhook string, webhookTemplate string, contentType string, outputTemplate string) (chan *detect.Finding, error) {
+func setupOutput(w io.Writer, webhook string, webhookTemplate string, contentType string, outputTemplate string, tracee chan protocol.Event) (chan *detect.Finding, error) {
 	out := make(chan *detect.Finding)
 	var err error
 
@@ -59,6 +61,22 @@ func setupOutput(w io.Writer, webhook string, webhookTemplate string, contentTyp
 		for res := range out {
 			switch res.Event.Payload.(type) {
 			case trace.Event:
+				if tracee != nil {
+					select {
+					case _, ok := <-tracee:
+						if !ok {
+							logger.Debugw("Tracee input channel closed")
+							return
+						}
+					default:
+						e, err := findings.FindingToEvent(res)
+						if err != nil {
+							logger.Errorw("Error converting finding to event for feedback", "error", err)
+							continue
+						}
+						tracee <- e.ToProtocol()
+					}
+				}
 				if err := tOutput.Execute(w, res); err != nil {
 					logger.Errorw("Writing to output: " + err.Error())
 				}

diff --git a/cmd/tracee-rules/output_test.go b/cmd/tracee-rules/output_test.go
@@ -85,7 +85,7 @@ HostName: foobar.local
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			actualOutput := NewSyncBuffer([]byte{})
-			findingCh, err := setupOutput(actualOutput, "", "", "", tc.outputFormat)
+			findingCh, err := setupOutput(actualOutput, "", "", "", tc.outputFormat, nil)
 			require.NoError(t, err, tc.name)
 
 			sm, err := signature.FakeSignature{}.GetMetadata()