From 2c6fe9e5ea8011975ddd80ad38dde553f40b8fd7 Mon Sep 17 00:00:00 2001
From: Yaniv Agman
Date: Wed, 25 Dec 2024 10:50:06 +0200
Subject: [PATCH 1/4] chore(go.mod): bump sig helpers

---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 1ee20a57795d..8155ba50e8de 100644
--- a/go.mod
+++ b/go.mod
@@ -9,7 +9,7 @@ require (
  github.com/Masterminds/sprig/v3 v3.2.3
  github.com/aquasecurity/libbpfgo v0.7.0-libbpf-1.4.0.20240729111821-61d531acf4ca
  github.com/aquasecurity/tracee/api v0.0.0-20241203172838-1f796cb64289
- github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20241127122336-d1a65073b12d
+ github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20241225084355-5b8f456dae7b
  github.com/aquasecurity/tracee/types v0.0.0-20241008181102-d40bc1f81863
  github.com/containerd/containerd v1.7.21
  github.com/docker/docker v26.1.5+incompatible
diff --git a/go.sum b/go.sum
index 89ad8f2a3e30..61d0f531b95c 100644
--- a/go.sum
+++ b/go.sum
@@ -404,8 +404,8 @@ github.com/aquasecurity/libbpfgo v0.7.0-libbpf-1.4.0.20240729111821-61d531acf4ca
 github.com/aquasecurity/libbpfgo v0.7.0-libbpf-1.4.0.20240729111821-61d531acf4ca/go.mod h1:UpO6kTehEgAGGKR2twztBxvzjTiLiV/cb2xmlYb+TfE=
 github.com/aquasecurity/tracee/api v0.0.0-20241203172838-1f796cb64289 h1:mr7+agMcMRwn9vRwc44MaEFTUZnw0pvIbhteyANG38I=
 github.com/aquasecurity/tracee/api v0.0.0-20241203172838-1f796cb64289/go.mod h1:Gn6xVkaBkVe1pOQ0++uuHl+lMMClv0TPY8mCQ6j88aA=
-github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20241127122336-d1a65073b12d h1:DRHCyvgCuLNg8cSKKEhPFMCTFqlqOa9bffOPL6Wx0TI=
-github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20241127122336-d1a65073b12d/go.mod h1:/eGxScU8+vnxYhchZ72Y0lv1HqTSooLvtGCt9x7450I=
+github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20241225084355-5b8f456dae7b h1:eTIrU0vdn49P0LhtEypnSdGgoRzLvNPAGivGHPnCBXg=
+github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20241225084355-5b8f456dae7b/go.mod h1:DL+Q2DxyS7dpJGt4NVj26XbPiE2bjRK4vwqrmImr6Go=
 github.com/aquasecurity/tracee/types v0.0.0-20241008181102-d40bc1f81863 h1:domVTTQICTuCvX+ZW5EjvdUBz8EH7FedBj5lRqwpgf4=
 github.com/aquasecurity/tracee/types v0.0.0-20241008181102-d40bc1f81863/go.mod h1:Jwh9OOuiMHXDoGQY12N9ls5YB+j1FlRcXvFMvh1CmIU=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
From b46a2b6bde588825877ea45ec690a7dc871fe73c Mon Sep 17 00:00:00 2001
From: Yaniv Agman Date: Tue, 24 Dec 2024 14:32:29 +0200 Subject: [PATCH 2/4] Revert "feat(sigs): refactor to use nonparsed arguments" This reverts commit ec478cc6a6b35b70c024f265d47d8d0910f3789a. --- .../signature/golang/anti_debugging.go | 25 ++++++------------- .../signature/golang/code_injection.go | 4 +-- signatures/golang/anti_debugging_ptraceme.go | 7 +++--- .../golang/anti_debugging_ptraceme_test.go | 7 +++--- signatures/golang/aslr_inspection.go | 2 +- signatures/golang/aslr_inspection_test.go | 9 +++---- .../cgroup_notify_on_release_modification.go | 2 +- ...oup_notify_on_release_modification_test.go | 9 +++---- .../cgroup_release_agent_modification.go | 2 +- .../cgroup_release_agent_modification_test.go | 9 +++---- .../golang/core_pattern_modification.go | 2 +- .../golang/core_pattern_modification_test.go | 9 +++---- .../golang/default_loader_modification.go | 2 +- .../default_loader_modification_test.go | 9 +++---- signatures/golang/docker_abuse.go | 2 +- signatures/golang/docker_abuse_test.go | 9 +++---- signatures/golang/dynamic_code_loading.go | 9 +++---- .../golang/dynamic_code_loading_test.go | 6 ++--- .../golang/k8s_service_account_token.go | 2 +- .../golang/k8s_service_account_token_test.go | 11 ++++---- .../kubernetes_certificate_theft_attempt.go | 2 +- ...bernetes_certificate_theft_attempt_test.go | 11 ++++---- signatures/golang/ld_preload.go | 2 +- signatures/golang/ld_preload_test.go | 9 +++---- signatures/golang/proc_kcore_read.go | 2 +- signatures/golang/proc_kcore_read_test.go | 9 +++---- signatures/golang/proc_mem_access.go | 2 +- signatures/golang/proc_mem_access_test.go | 9 +++---- signatures/golang/proc_mem_code_injection.go | 2 +- .../golang/proc_mem_code_injection_test.go | 9 +++---- signatures/golang/ptrace_code_injection.go | 11 ++++---- .../golang/ptrace_code_injection_test.go | 11 ++++---- signatures/golang/rcd_modification.go | 2 +- signatures/golang/rcd_modification_test.go | 13 +++++----- signatures/golang/sched_debug_recon.go 
| 2 +- signatures/golang/sched_debug_recon_test.go | 9 +++---- .../golang/scheduled_task_modification.go | 2 +- .../scheduled_task_modification_test.go | 13 +++++----- signatures/golang/sudoers_modification.go | 2 +- .../golang/sudoers_modification_test.go | 13 +++++----- .../system_request_key_config_modification.go | 2 +- ...em_request_key_config_modification_test.go | 9 +++---- signatures/golang/test_helpers.go | 11 -------- tests/e2e-inst-signatures/e2e-bpf_attach.go | 5 ++-- .../e2e-suspicious_syscall_source.go | 5 ++-- 45 files changed, 129 insertions(+), 175 deletions(-) delete mode 100644 signatures/golang/test_helpers.go diff --git a/pkg/signatures/benchmark/signature/golang/anti_debugging.go b/pkg/signatures/benchmark/signature/golang/anti_debugging.go index b892dd037fca..16b94d8c4f2d 100644 --- a/pkg/signatures/benchmark/signature/golang/anti_debugging.go +++ b/pkg/signatures/benchmark/signature/golang/anti_debugging.go @@ -3,7 +3,6 @@ package golang import ( "fmt" - "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/signatures/helpers" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/protocol" @@ -13,7 +12,6 @@ import ( type antiDebugging struct { cb detect.SignatureHandler metadata detect.SignatureMetadata - logger detect.Logger } func NewAntiDebuggingSignature() (detect.Signature, error) { @@ -32,7 +30,6 @@ func NewAntiDebuggingSignature() (detect.Signature, error) { func (sig *antiDebugging) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback - sig.logger = ctx.Logger return nil } 
@@ -55,30 +52,22 @@ func (sig *antiDebugging) OnEvent(event protocol.Event) error { if ee.EventName != "ptrace" { return nil } - requestArg, err := helpers.GetTraceeIntArgumentByName(ee, "request") + request, err := helpers.GetTraceeArgumentByName(ee, "request", helpers.GetArgOps{DefaultArgs: false}) if err != nil { return err } - - if uint64(requestArg) != parsers.PTRACE_TRACEME.Value() { - return nil + requestString, ok := request.Value.(string) + if !ok { + return fmt.Errorf("failed to cast request's value") } - - var ptraceRequestData string - requestString, err := parsers.ParsePtraceRequestArgument(uint64(requestArg)) - - if err != nil { - ptraceRequestData = fmt.Sprint(requestArg) - sig.logger.Debugw("anti_debugging sig: failed to parse ptrace request argument: %v", err) - } else { - ptraceRequestData = requestString.String() + if requestString != "PTRACE_TRACEME" { + return nil } - sig.cb(&detect.Finding{ SigMetadata: sig.metadata, Event: event, Data: map[string]interface{}{ - "ptrace request": ptraceRequestData, + "ptrace request": requestString, }, }) return nil diff --git a/pkg/signatures/benchmark/signature/golang/code_injection.go b/pkg/signatures/benchmark/signature/golang/code_injection.go index a3e99e644d8d..bdef40babea6 100644 --- a/pkg/signatures/benchmark/signature/golang/code_injection.go +++ b/pkg/signatures/benchmark/signature/golang/code_injection.go @@ -65,11 +65,11 @@ func (sig *codeInjection) OnEvent(event protocol.Event) error { } switch ee.EventName { case "open", "openat": - flags, err := helpers.GetTraceeIntArgumentByName(ee, "flags") + flags, err := helpers.GetTraceeArgumentByName(ee, "flags", helpers.GetArgOps{DefaultArgs: false}) if err != nil { return fmt.Errorf("%v %#v", err, ee) } - if helpers.IsFileWrite(flags) { + if helpers.IsFileWrite(flags.Value.(string)) { pathname, err := helpers.GetTraceeArgumentByName(ee, "pathname", helpers.GetArgOps{DefaultArgs: false}) if err != nil { return err 
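Review bot: The cast-failure branch `return fmt.Errorf("failed to cast request's value")` in the rewritten OnEvent calls fmt.Errorf with no format verbs and discards the one fact a reader of that error needs, the dynamic type that actually arrived; `return fmt.Errorf("unexpected type %T for ptrace request argument", request.Value)` keeps it. The new path also assumes the "request" argument has already been parsed to its string form: if this benchmark signature can ever be fed raw integer arguments, every ptrace event now returns an error where the removed lines compared numerically, so a one-line comment on the helpers.GetTraceeArgumentByName line stating that requirement would be worth adding (the same assumption appears in the anti_debugging_ptraceme.go and dynamic_code_loading.go hunks). The enclosing OnEvent begins before this hunk.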
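Review bot: `helpers.IsFileWrite(flags.Value.(string))` is an unchecked type assertion, so a "flags" argument that is not a string panics inside OnEvent instead of returning an error, while the anti_debugging.go hunk in this same commit checks its cast with `, ok`. Sibling hunks in this series fetch string arguments through helpers.GetTraceeStringArgumentByName, which would give this site the same error path: `flags, err := helpers.GetTraceeStringArgumentByName(ee, "flags")` followed by `if helpers.IsFileWrite(flags) {`. While the error return is touched, `fmt.Errorf("%v %#v", err, ee)` could wrap with `%w` so callers can still inspect the helper's error. The enclosing OnEvent extends past this hunk on both sides.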
diff --git a/signatures/golang/anti_debugging_ptraceme.go b/signatures/golang/anti_debugging_ptraceme.go index 95e80b2b117c..9b2fb22afda8 100644 --- a/signatures/golang/anti_debugging_ptraceme.go +++ b/signatures/golang/anti_debugging_ptraceme.go @@ -3,7 +3,6 @@ package main import ( "fmt" - "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/signatures/helpers" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/protocol" @@ -12,12 +11,12 @@ import ( type AntiDebuggingPtraceme struct { cb detect.SignatureHandler - ptraceTraceMe int + ptraceTraceMe string } func (sig *AntiDebuggingPtraceme) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback - sig.ptraceTraceMe = int(parsers.PTRACE_TRACEME.Value()) + sig.ptraceTraceMe = "PTRACE_TRACEME" return nil } @@ -53,7 +52,7 @@ func (sig *AntiDebuggingPtraceme) OnEvent(event protocol.Event) error { switch eventObj.EventName { case "ptrace": - requestArg, err := helpers.GetTraceeIntArgumentByName(eventObj, "request") + requestArg, err := helpers.GetTraceeStringArgumentByName(eventObj, "request") if err != nil { return err } diff --git a/signatures/golang/anti_debugging_ptraceme_test.go b/signatures/golang/anti_debugging_ptraceme_test.go index 3d82108d65ce..39139edb4e41 100644 --- a/signatures/golang/anti_debugging_ptraceme_test.go +++ b/signatures/golang/anti_debugging_ptraceme_test.go @@ -6,7 +6,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/signatures/signaturestest" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/trace" @@ -30,7 +29,7 @@ func TestAntiDebuggingPtraceme(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "request", }, - Value: interface{}(int64(parsers.PTRACE_TRACEME.Value())), + Value: interface{}("PTRACE_TRACEME"), }, }, }, 
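Review bot: `sig.ptraceTraceMe = "PTRACE_TRACEME"` stores a compile-time constant in a mutable per-instance field that Init has to populate, and the same literal is spelled again in the benchmark signature's hunk and in anti_debugging_ptraceme_test.go, so the copies can drift apart independently. A package-level `const ptraceTraceMe = "PTRACE_TRACEME"` with a short comment noting that it must match the parsed text of the request argument would drop the field and make that coupling explicit. The comparison against the fetched requestArg, and the rest of OnEvent, lie outside this hunk.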
@@ -45,7 +44,7 @@ func TestAntiDebuggingPtraceme(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "request", }, - Value: interface{}(int64(parsers.PTRACE_TRACEME.Value())), + Value: interface{}("PTRACE_TRACEME"), }, }, }.ToProtocol(), @@ -77,7 +76,7 @@ func TestAntiDebuggingPtraceme(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "request", }, - Value: interface{}(int64(parsers.PTRACE_PEEKTEXT.Value())), + Value: interface{}("PTRACE_PEEKTEXT"), }, }, }, diff --git a/signatures/golang/aslr_inspection.go b/signatures/golang/aslr_inspection.go index 87f88989356f..e16855f980a8 100644 --- a/signatures/golang/aslr_inspection.go +++ b/signatures/golang/aslr_inspection.go @@ -57,7 +57,7 @@ func (sig *AslrInspection) OnEvent(event protocol.Event) error { return err } - flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags") + flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags") if err != nil { return err } diff --git a/signatures/golang/aslr_inspection_test.go b/signatures/golang/aslr_inspection_test.go index e8e3b39ed98c..39264499e6a3 100644 --- a/signatures/golang/aslr_inspection_test.go +++ b/signatures/golang/aslr_inspection_test.go @@ -6,7 +6,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/signatures/signaturestest" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/trace" @@ -30,7 +29,7 @@ func TestAslrInspection(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: interface{}(buildFlagArgValue(parsers.O_RDONLY)), + Value: interface{}("O_RDONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -51,7 +50,7 @@ func TestAslrInspection(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: interface{}(buildFlagArgValue(parsers.O_RDONLY)), + Value: interface{}("O_RDONLY"), }, { ArgMeta: trace.ArgMeta{ 
@@ -95,7 +94,7 @@ func TestAslrInspection(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: interface{}(buildFlagArgValue(parsers.O_WRONLY)), + Value: interface{}("O_WRONLY"), }, }, }, @@ -112,7 +111,7 @@ func TestAslrInspection(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: interface{}(buildFlagArgValue(parsers.O_RDONLY)), + Value: interface{}("O_RDONLY"), }, { ArgMeta: trace.ArgMeta{ diff --git a/signatures/golang/cgroup_notify_on_release_modification.go b/signatures/golang/cgroup_notify_on_release_modification.go index ef5057976f04..1f018e0cdd28 100644 --- a/signatures/golang/cgroup_notify_on_release_modification.go +++ b/signatures/golang/cgroup_notify_on_release_modification.go @@ -59,7 +59,7 @@ func (sig *CgroupNotifyOnReleaseModification) OnEvent(event protocol.Event) erro } basename := path.Base(pathname) - flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags") + flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags") if err != nil { return err } diff --git a/signatures/golang/cgroup_notify_on_release_modification_test.go b/signatures/golang/cgroup_notify_on_release_modification_test.go index d6507a3f65ff..661f77b149ad 100644 --- a/signatures/golang/cgroup_notify_on_release_modification_test.go +++ b/signatures/golang/cgroup_notify_on_release_modification_test.go @@ -6,7 +6,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/signatures/signaturestest" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/trace" @@ -36,7 +35,7 @@ func TestCgroupNotifyOnReleaseModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: interface{}(buildFlagArgValue(parsers.O_WRONLY)), + Value: interface{}("O_WRONLY"), }, }, }, 
@@ -57,7 +56,7 @@ func TestCgroupNotifyOnReleaseModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: interface{}(buildFlagArgValue(parsers.O_WRONLY)), + Value: interface{}("O_WRONLY"), }, }, }.ToProtocol(), @@ -95,7 +94,7 @@ func TestCgroupNotifyOnReleaseModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: interface{}(buildFlagArgValue(parsers.O_RDONLY)), + Value: interface{}("O_RDONLY"), }, }, }, @@ -118,7 +117,7 @@ func TestCgroupNotifyOnReleaseModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: interface{}(buildFlagArgValue(parsers.O_WRONLY)), + Value: interface{}("O_WRONLY"), }, }, }, diff --git a/signatures/golang/cgroup_release_agent_modification.go b/signatures/golang/cgroup_release_agent_modification.go index fd9fa537a93e..87685fcf2cad 100644 --- a/signatures/golang/cgroup_release_agent_modification.go +++ b/signatures/golang/cgroup_release_agent_modification.go @@ -56,7 +56,7 @@ func (sig *CgroupReleaseAgentModification) OnEvent(event protocol.Event) error { switch eventObj.EventName { case "security_file_open": - flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags") + flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags") if err != nil { return err } diff --git a/signatures/golang/cgroup_release_agent_modification_test.go b/signatures/golang/cgroup_release_agent_modification_test.go index bce02349d280..262e33a31218 100644 --- a/signatures/golang/cgroup_release_agent_modification_test.go +++ b/signatures/golang/cgroup_release_agent_modification_test.go @@ -6,7 +6,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/signatures/signaturestest" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/trace" 
@@ -36,7 +35,7 @@ func TestCgroupReleaseAgentModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: interface{}(buildFlagArgValue(parsers.O_WRONLY)), + Value: interface{}("O_WRONLY"), }, }, }, @@ -57,7 +56,7 @@ func TestCgroupReleaseAgentModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: interface{}(buildFlagArgValue(parsers.O_WRONLY)), + Value: interface{}("O_WRONLY"), }, }, }.ToProtocol(), @@ -142,7 +141,7 @@ func TestCgroupReleaseAgentModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: interface{}(buildFlagArgValue(parsers.O_RDONLY)), + Value: interface{}("O_RDONLY"), }, }, }, @@ -165,7 +164,7 @@ func TestCgroupReleaseAgentModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: interface{}(buildFlagArgValue(parsers.O_WRONLY)), + Value: interface{}("O_WRONLY"), }, }, }, diff --git a/signatures/golang/core_pattern_modification.go b/signatures/golang/core_pattern_modification.go index 4949ab7c7752..5672a56c5629 100644 --- a/signatures/golang/core_pattern_modification.go +++ b/signatures/golang/core_pattern_modification.go @@ -58,7 +58,7 @@ func (sig *CorePatternModification) OnEvent(event protocol.Event) error { return err } - flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags") + flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags") if err != nil { return err } diff --git a/signatures/golang/core_pattern_modification_test.go b/signatures/golang/core_pattern_modification_test.go index 9c1d26b61808..d2877db9b7e9 100644 --- a/signatures/golang/core_pattern_modification_test.go +++ b/signatures/golang/core_pattern_modification_test.go @@ -6,7 +6,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/signatures/signaturestest" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/trace" 
@@ -36,7 +35,7 @@ func TestCorePatternModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, }, }, @@ -57,7 +56,7 @@ func TestCorePatternModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, }, }.ToProtocol(), @@ -95,7 +94,7 @@ func TestCorePatternModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, }, }, @@ -118,7 +117,7 @@ func TestCorePatternModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, }, }, diff --git a/signatures/golang/default_loader_modification.go b/signatures/golang/default_loader_modification.go index 738953d81fc0..d2a2df58c1e0 100644 --- a/signatures/golang/default_loader_modification.go +++ b/signatures/golang/default_loader_modification.go @@ -59,7 +59,7 @@ func (sig *DefaultLoaderModification) OnEvent(event protocol.Event) error { switch eventObj.EventName { case "security_file_open": - flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags") + flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags") if err != nil { return err } diff --git a/signatures/golang/default_loader_modification_test.go b/signatures/golang/default_loader_modification_test.go index 094b70f8fafb..a33e2300896d 100644 --- a/signatures/golang/default_loader_modification_test.go +++ b/signatures/golang/default_loader_modification_test.go @@ -6,7 +6,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/signatures/signaturestest" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/trace" 
@@ -36,7 +35,7 @@ func TestDefaultLoaderModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, }, }, @@ -57,7 +56,7 @@ func TestDefaultLoaderModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, }, }.ToProtocol(), @@ -142,7 +141,7 @@ func TestDefaultLoaderModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, }, }, @@ -165,7 +164,7 @@ func TestDefaultLoaderModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, }, }, diff --git a/signatures/golang/docker_abuse.go b/signatures/golang/docker_abuse.go index 7d2bfa3b11bd..9671f763c56c 100644 --- a/signatures/golang/docker_abuse.go +++ b/signatures/golang/docker_abuse.go @@ -61,7 +61,7 @@ func (sig *DockerAbuse) OnEvent(event protocol.Event) error { return err } - flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags") + flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags") if err != nil { return err } diff --git a/signatures/golang/docker_abuse_test.go b/signatures/golang/docker_abuse_test.go index 24fde9746bba..5ba66e94b766 100644 --- a/signatures/golang/docker_abuse_test.go +++ b/signatures/golang/docker_abuse_test.go @@ -6,7 +6,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/signatures/signaturestest" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/trace" 
@@ -31,7 +30,7 @@ func TestDockerAbuse(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -53,7 +52,7 @@ func TestDockerAbuse(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -141,7 +140,7 @@ func TestDockerAbuse(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -165,7 +164,7 @@ func TestDockerAbuse(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, { ArgMeta: trace.ArgMeta{ diff --git a/signatures/golang/dynamic_code_loading.go b/signatures/golang/dynamic_code_loading.go index 7e1245cd1513..be148f9b5484 100644 --- a/signatures/golang/dynamic_code_loading.go +++ b/signatures/golang/dynamic_code_loading.go @@ -11,12 +11,12 @@ import ( type DynamicCodeLoading struct { cb detect.SignatureHandler - alertType trace.MemProtAlert + alertText string } func (sig *DynamicCodeLoading) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback - sig.alertType = trace.ProtAlertMprotectWXToX + sig.alertText = "Protection changed from W to E!" return nil } @@ -52,13 +52,12 @@ func (sig *DynamicCodeLoading) OnEvent(event protocol.Event) error { switch eventObj.EventName { case "mem_prot_alert": - alert, err := helpers.GetTraceeUintArgumentByName(eventObj, "alert") + alert, err := helpers.GetTraceeStringArgumentByName(eventObj, "alert") if err != nil { return err } - memProtAlert := trace.MemProtAlert(alert) - if memProtAlert == sig.alertType { + if alert == sig.alertText { metadata, err := sig.GetMetadata() if err != nil { return err 
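Review bot: `if alert == sig.alertText {` keys the detection on the human-readable string "Protection changed from W to E!", so any rewording of that text upstream makes the comparison quietly evaluate false and the signature stops firing with no error or log, where the removed trace.MemProtAlert comparison was checked by the compiler. A comment on the `sig.alertText = ...` assignment in the Init hunk, such as `// Must match the parsed text for trace.ProtAlertMprotectWXToX; a mismatch silently disables this signature.`, records the coupling for the next maintainer; the test in dynamic_code_loading_test.go uses the same literal and so would not catch such drift. The case body and the rest of OnEvent continue past this hunk.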
diff --git a/signatures/golang/dynamic_code_loading_test.go b/signatures/golang/dynamic_code_loading_test.go index 51ab065f5056..b7dec8a46208 100644 --- a/signatures/golang/dynamic_code_loading_test.go +++ b/signatures/golang/dynamic_code_loading_test.go @@ -29,7 +29,7 @@ func TestDynamicCodeLoading(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "alert", }, - Value: uint32(trace.ProtAlertMprotectWXToX), + Value: interface{}("Protection changed from W to E!"), }, }, }, @@ -44,7 +44,7 @@ func TestDynamicCodeLoading(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "alert", }, - Value: uint32(trace.ProtAlertMprotectWXToX), + Value: interface{}("Protection changed from W to E!"), }, }, }.ToProtocol(), @@ -76,7 +76,7 @@ func TestDynamicCodeLoading(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "alert", }, - Value: uint32(trace.ProtAlertMmapWX), + Value: interface{}("Protection changed to Executable!"), }, }, }, diff --git a/signatures/golang/k8s_service_account_token.go b/signatures/golang/k8s_service_account_token.go index 4e861b41629b..d721b3ac83c7 100644 --- a/signatures/golang/k8s_service_account_token.go +++ b/signatures/golang/k8s_service_account_token.go @@ -70,7 +70,7 @@ func (sig *K8SServiceAccountToken) OnEvent(event protocol.Event) error { return err } - flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags") + flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags") if err != nil { return err } diff --git a/signatures/golang/k8s_service_account_token_test.go b/signatures/golang/k8s_service_account_token_test.go index b06accf1c869..57e46a05eb4f 100644 --- a/signatures/golang/k8s_service_account_token_test.go +++ b/signatures/golang/k8s_service_account_token_test.go 
@@ -6,7 +6,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/signatures/signaturestest" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/trace" @@ -31,7 +30,7 @@ func TestK8SServiceAccountToken(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -53,7 +52,7 @@ func TestK8SServiceAccountToken(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -92,7 +91,7 @@ func TestK8SServiceAccountToken(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -116,7 +115,7 @@ func TestK8SServiceAccountToken(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -140,7 +139,7 @@ func TestK8SServiceAccountToken(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, { ArgMeta: trace.ArgMeta{ diff --git a/signatures/golang/kubernetes_certificate_theft_attempt.go b/signatures/golang/kubernetes_certificate_theft_attempt.go index aeb1b7389721..847b5b388c0f 100644 --- a/signatures/golang/kubernetes_certificate_theft_attempt.go +++ b/signatures/golang/kubernetes_certificate_theft_attempt.go @@ -65,7 +65,7 @@ func (sig *KubernetesCertificateTheftAttempt) OnEvent(event protocol.Event) erro } } - flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags") + flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags") if err != nil { return err } 
diff --git a/signatures/golang/kubernetes_certificate_theft_attempt_test.go b/signatures/golang/kubernetes_certificate_theft_attempt_test.go index b5f8b35a1121..852642d768d8 100644 --- a/signatures/golang/kubernetes_certificate_theft_attempt_test.go +++ b/signatures/golang/kubernetes_certificate_theft_attempt_test.go @@ -6,7 +6,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/signatures/signaturestest" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/trace" @@ -31,7 +30,7 @@ func TestKubernetesCertificateTheftAttempt(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -53,7 +52,7 @@ func TestKubernetesCertificateTheftAttempt(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -139,7 +138,7 @@ func TestKubernetesCertificateTheftAttempt(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -163,7 +162,7 @@ func TestKubernetesCertificateTheftAttempt(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -187,7 +186,7 @@ func TestKubernetesCertificateTheftAttempt(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, { ArgMeta: trace.ArgMeta{ diff --git a/signatures/golang/ld_preload.go b/signatures/golang/ld_preload.go index 6ff59e806eb2..181e6ab27dbe 100644 --- a/signatures/golang/ld_preload.go +++ b/signatures/golang/ld_preload.go 
@@ -85,7 +85,7 @@ func (sig *LdPreload) OnEvent(event protocol.Event) error { return err } - flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags") + flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags") if err != nil { return err } diff --git a/signatures/golang/ld_preload_test.go b/signatures/golang/ld_preload_test.go index 42ae921dd3bb..4d884cbf4c51 100644 --- a/signatures/golang/ld_preload_test.go +++ b/signatures/golang/ld_preload_test.go @@ -6,7 +6,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/signatures/signaturestest" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/trace" @@ -30,7 +29,7 @@ func TestLdPreload(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -51,7 +50,7 @@ func TestLdPreload(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -195,7 +194,7 @@ func TestLdPreload(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -218,7 +217,7 @@ func TestLdPreload(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, { ArgMeta: trace.ArgMeta{ diff --git a/signatures/golang/proc_kcore_read.go b/signatures/golang/proc_kcore_read.go index 29400b527f23..7a39d91f0573 100644 --- a/signatures/golang/proc_kcore_read.go +++ b/signatures/golang/proc_kcore_read.go 
@@ -58,7 +58,7 @@ func (sig *ProcKcoreRead) OnEvent(event protocol.Event) error { return err } - flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags") + flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags") if err != nil { return err } diff --git a/signatures/golang/proc_kcore_read_test.go b/signatures/golang/proc_kcore_read_test.go index c6ad61f1ae77..6e05960bb7ec 100644 --- a/signatures/golang/proc_kcore_read_test.go +++ b/signatures/golang/proc_kcore_read_test.go @@ -6,7 +6,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/signatures/signaturestest" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/trace" @@ -30,7 +29,7 @@ func TestProcKcoreRead(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -51,7 +50,7 @@ func TestProcKcoreRead(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -95,7 +94,7 @@ func TestProcKcoreRead(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, }, }, @@ -118,7 +117,7 @@ func TestProcKcoreRead(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, }, }, diff --git a/signatures/golang/proc_mem_access.go b/signatures/golang/proc_mem_access.go index a742ec9e3813..e1f80b911067 100644 --- a/signatures/golang/proc_mem_access.go +++ b/signatures/golang/proc_mem_access.go 
@@ -61,7 +61,7 @@ func (sig *ProcMemAccess) OnEvent(event protocol.Event) error { return err } - flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags") + flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags") if err != nil { return err } diff --git a/signatures/golang/proc_mem_access_test.go b/signatures/golang/proc_mem_access_test.go index 4c262cafd792..1fbd0ee93816 100644 --- a/signatures/golang/proc_mem_access_test.go +++ b/signatures/golang/proc_mem_access_test.go @@ -6,7 +6,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/signatures/signaturestest" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/trace" @@ -30,7 +29,7 @@ func TestProcMemAccess(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -51,7 +50,7 @@ func TestProcMemAccess(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -89,7 +88,7 @@ func TestProcMemAccess(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -112,7 +111,7 @@ func TestProcMemAccess(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, { ArgMeta: trace.ArgMeta{ diff --git a/signatures/golang/proc_mem_code_injection.go b/signatures/golang/proc_mem_code_injection.go index 4e935d36d578..6dc7d84bfb17 100644 --- a/signatures/golang/proc_mem_code_injection.go +++ b/signatures/golang/proc_mem_code_injection.go 
@@ -61,7 +61,7 @@ func (sig *ProcMemCodeInjection) OnEvent(event protocol.Event) error { return err } - flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags") + flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags") if err != nil { return err } diff --git a/signatures/golang/proc_mem_code_injection_test.go b/signatures/golang/proc_mem_code_injection_test.go index 92600803d1b8..90a20c8b8e2f 100644 --- a/signatures/golang/proc_mem_code_injection_test.go +++ b/signatures/golang/proc_mem_code_injection_test.go @@ -6,7 +6,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/signatures/signaturestest" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/trace" @@ -30,7 +29,7 @@ func TestProcMemCodeInjection(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -51,7 +50,7 @@ func TestProcMemCodeInjection(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -89,7 +88,7 @@ func TestProcMemCodeInjection(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -112,7 +111,7 @@ func TestProcMemCodeInjection(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, { ArgMeta: trace.ArgMeta{ diff --git a/signatures/golang/ptrace_code_injection.go b/signatures/golang/ptrace_code_injection.go index b6eb6ceeb1d5..593701d4903b 100644 --- a/signatures/golang/ptrace_code_injection.go +++ b/signatures/golang/ptrace_code_injection.go 
@@ -3,7 +3,6 @@ package main import ( "fmt" - "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/signatures/helpers" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/protocol" @@ -12,14 +11,14 @@ import ( type PtraceCodeInjection struct { cb detect.SignatureHandler - ptracePokeText int - ptracePokeData int + ptracePokeText string + ptracePokeData string } func (sig *PtraceCodeInjection) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback - sig.ptracePokeText = int(parsers.PTRACE_POKETEXT.Value()) - sig.ptracePokeData = int(parsers.PTRACE_POKEDATA.Value()) + sig.ptracePokeText = "PTRACE_POKETEXT" + sig.ptracePokeData = "PTRACE_POKEDATA" return nil } @@ -55,7 +54,7 @@ func (sig *PtraceCodeInjection) OnEvent(event protocol.Event) error { switch eventObj.EventName { case "ptrace": - requestArg, err := helpers.GetTraceeIntArgumentByName(eventObj, "request") + requestArg, err := helpers.GetTraceeStringArgumentByName(eventObj, "request") if err != nil { return err } diff --git a/signatures/golang/ptrace_code_injection_test.go b/signatures/golang/ptrace_code_injection_test.go index 5f1424e25ebb..d882a4365b16 100644 --- a/signatures/golang/ptrace_code_injection_test.go +++ b/signatures/golang/ptrace_code_injection_test.go @@ -6,7 +6,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/signatures/signaturestest" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/trace" @@ -30,7 +29,7 @@ func TestPtraceCodeInjection(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "request", }, - Value: int32(parsers.PTRACE_POKETEXT.Value()), + Value: interface{}("PTRACE_POKETEXT"), }, }, }, 
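Review bot: `ptracePokeText` and `ptracePokeData` are now fixed string literals assigned in Init, so they no longer need to be per-instance fields; package-level constants, `const ptracePokeText = "PTRACE_POKETEXT"` and `const ptracePokeData = "PTRACE_POKEDATA"`, would make the comparison in OnEvent (which continues outside the hunk) read as a constant match and drop the mutable state from the struct. Either way the literals now have to agree byte-for-byte with the spelling the argument parser emits for `request`, where `parsers.PTRACE_POKETEXT.Value()` was tied to the parser by construction, and a mismatch would surface as a silent non-detection rather than an error; a short comment naming that dependency next to the constants would help the next maintainer.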
@@ -45,7 +44,7 @@ func TestPtraceCodeInjection(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "request", }, - Value: int32(parsers.PTRACE_POKETEXT.Value()), + Value: interface{}("PTRACE_POKETEXT"), }, }, }.ToProtocol(), @@ -77,7 +76,7 @@ func TestPtraceCodeInjection(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "request", }, - Value: int32(parsers.PTRACE_POKEDATA.Value()), + Value: interface{}("PTRACE_POKEDATA"), }, }, }, @@ -92,7 +91,7 @@ func TestPtraceCodeInjection(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "request", }, - Value: int32(parsers.PTRACE_POKEDATA.Value()), + Value: interface{}("PTRACE_POKEDATA"), }, }, }.ToProtocol(), @@ -124,7 +123,7 @@ func TestPtraceCodeInjection(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "request", }, - Value: int32(parsers.PTRACE_PEEKTEXT.Value()), + Value: interface{}("PTRACE_PEEKTEXT"), }, }, }, diff --git a/signatures/golang/rcd_modification.go b/signatures/golang/rcd_modification.go index 336338f96986..fa4e0cdba68a 100644 --- a/signatures/golang/rcd_modification.go +++ b/signatures/golang/rcd_modification.go @@ -65,7 +65,7 @@ func (sig *RcdModification) OnEvent(event protocol.Event) error { return err } - flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags") + flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags") if err != nil { return err } diff --git a/signatures/golang/rcd_modification_test.go b/signatures/golang/rcd_modification_test.go index ba1f5131776f..eae82c3fb26f 100644 --- a/signatures/golang/rcd_modification_test.go +++ b/signatures/golang/rcd_modification_test.go @@ -6,7 +6,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/signatures/signaturestest" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/trace" 
@@ -30,7 +29,7 @@ func TestRcdModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -51,7 +50,7 @@ func TestRcdModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -89,7 +88,7 @@ func TestRcdModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -110,7 +109,7 @@ func TestRcdModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -289,7 +288,7 @@ func TestRcdModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -312,7 +311,7 @@ func TestRcdModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, { ArgMeta: trace.ArgMeta{ diff --git a/signatures/golang/sched_debug_recon.go b/signatures/golang/sched_debug_recon.go index 88335f820c50..6c10283fbb44 100644 --- a/signatures/golang/sched_debug_recon.go +++ b/signatures/golang/sched_debug_recon.go @@ -57,7 +57,7 @@ func (sig *SchedDebugRecon) OnEvent(event protocol.Event) error { return err } - flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags") + flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags") if err != nil { return err } diff --git a/signatures/golang/sched_debug_recon_test.go b/signatures/golang/sched_debug_recon_test.go index 8337184f45d2..51db29b0d3eb 100644 --- a/signatures/golang/sched_debug_recon_test.go 
+++ b/signatures/golang/sched_debug_recon_test.go @@ -6,7 +6,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/signatures/signaturestest" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/trace" @@ -30,7 +29,7 @@ func TestSchedDebugRecon(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -51,7 +50,7 @@ func TestSchedDebugRecon(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -89,7 +88,7 @@ func TestSchedDebugRecon(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -112,7 +111,7 @@ func TestSchedDebugRecon(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, { ArgMeta: trace.ArgMeta{ diff --git a/signatures/golang/scheduled_task_modification.go b/signatures/golang/scheduled_task_modification.go index fe52daf8f43e..a7564e78bd04 100644 --- a/signatures/golang/scheduled_task_modification.go +++ b/signatures/golang/scheduled_task_modification.go @@ -65,7 +65,7 @@ func (sig *ScheduledTaskModification) OnEvent(event protocol.Event) error { return err } - flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags") + flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags") if err != nil { return err } diff --git a/signatures/golang/scheduled_task_modification_test.go b/signatures/golang/scheduled_task_modification_test.go index f3b1e8de1880..c25abcb776ce 100644 --- a/signatures/golang/scheduled_task_modification_test.go 
+++ b/signatures/golang/scheduled_task_modification_test.go @@ -6,7 +6,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/signatures/signaturestest" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/trace" @@ -30,7 +29,7 @@ func TestScheduledTaskModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -51,7 +50,7 @@ func TestScheduledTaskModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -89,7 +88,7 @@ func TestScheduledTaskModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -110,7 +109,7 @@ func TestScheduledTaskModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -289,7 +288,7 @@ func TestScheduledTaskModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, { ArgMeta: trace.ArgMeta{ @@ -312,7 +311,7 @@ func TestScheduledTaskModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, { ArgMeta: trace.ArgMeta{ diff --git a/signatures/golang/sudoers_modification.go b/signatures/golang/sudoers_modification.go index 90c4d90a1775..74973699e87b 100644 --- a/signatures/golang/sudoers_modification.go +++ b/signatures/golang/sudoers_modification.go 
@@ -59,7 +59,7 @@ func (sig *SudoersModification) OnEvent(event protocol.Event) error { switch eventObj.EventName { case "security_file_open": - flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags") + flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags") if err != nil { return err } diff --git a/signatures/golang/sudoers_modification_test.go b/signatures/golang/sudoers_modification_test.go index 209749cb06ef..544392eb3d92 100644 --- a/signatures/golang/sudoers_modification_test.go +++ b/signatures/golang/sudoers_modification_test.go @@ -6,7 +6,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/signatures/signaturestest" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/trace" @@ -36,7 +35,7 @@ func TestSudoersModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, }, }, @@ -57,7 +56,7 @@ func TestSudoersModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, }, }.ToProtocol(), @@ -95,7 +94,7 @@ func TestSudoersModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, }, }, @@ -116,7 +115,7 @@ func TestSudoersModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, }, }.ToProtocol(), @@ -248,7 +247,7 @@ func TestSudoersModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, }, }, 
@@ -271,7 +270,7 @@ func TestSudoersModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, }, }, diff --git a/signatures/golang/system_request_key_config_modification.go b/signatures/golang/system_request_key_config_modification.go index e110c02e1305..05d8c531fd03 100644 --- a/signatures/golang/system_request_key_config_modification.go +++ b/signatures/golang/system_request_key_config_modification.go @@ -52,7 +52,7 @@ func (sig *SystemRequestKeyConfigModification) OnEvent(event protocol.Event) err switch eventObj.EventName { case "security_file_open": - flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags") + flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags") if err != nil { return err } diff --git a/signatures/golang/system_request_key_config_modification_test.go b/signatures/golang/system_request_key_config_modification_test.go index 051cdd7d53d4..f906621c3ed4 100644 --- a/signatures/golang/system_request_key_config_modification_test.go +++ b/signatures/golang/system_request_key_config_modification_test.go @@ -6,7 +6,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/signatures/signaturestest" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/trace" @@ -36,7 +35,7 @@ func TestSystemRequestKeyConfigModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, }, }, @@ -57,7 +56,7 @@ func TestSystemRequestKeyConfigModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, }, }.ToProtocol(), 
@@ -95,7 +94,7 @@ func TestSystemRequestKeyConfigModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_RDONLY), + Value: interface{}("O_RDONLY"), }, }, }, @@ -118,7 +117,7 @@ func TestSystemRequestKeyConfigModification(t *testing.T) { ArgMeta: trace.ArgMeta{ Name: "flags", }, - Value: buildFlagArgValue(parsers.O_WRONLY), + Value: interface{}("O_WRONLY"), }, }, }, diff --git a/signatures/golang/test_helpers.go b/signatures/golang/test_helpers.go deleted file mode 100644 index c395fefbedcc..000000000000 --- a/signatures/golang/test_helpers.go +++ /dev/null @@ -1,11 +0,0 @@ -package main - -import "github.com/aquasecurity/tracee/pkg/events/parsers" - -func buildFlagArgValue(flags ...parsers.SystemFunctionArgument) int32 { - var res int32 - for _, flagVal := range flags { - res = res | int32(flagVal.Value()) - } - return res -} diff --git a/tests/e2e-inst-signatures/e2e-bpf_attach.go b/tests/e2e-inst-signatures/e2e-bpf_attach.go index 4eeb87da2a71..a803e78fba2d 100644 --- a/tests/e2e-inst-signatures/e2e-bpf_attach.go +++ b/tests/e2e-inst-signatures/e2e-bpf_attach.go @@ -3,7 +3,6 @@ package main import ( "fmt" - "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/signatures/helpers" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/protocol" @@ -49,14 +48,14 @@ func (sig *e2eBpfAttach) OnEvent(event protocol.Event) error { return err } - attachType, err := helpers.GetTraceeIntArgumentByName(eventObj, "attach_type") + attachType, err := helpers.GetTraceeStringArgumentByName(eventObj, "attach_type") if err != nil { return err } // check expected values from test for detection - if symbolName != "security_file_open" || attachType != int(parsers.BPFProgTypeKprobe) { + if symbolName != "security_file_open" || attachType != "kprobe" { return nil } 
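Review bot: `attachType != "kprobe"` replaces `parsers.BPFProgTypeKprobe` with a bare literal, and because this signature only returns nil on a mismatch, a spelling that differs from what the parser renders for `attach_type` would show up as a silently failing e2e test rather than an error. A named constant with a comment pointing at the parser's rendering, or a comment on this line such as `// must match the parsed attach_type string exactly`, would make the coupling explicit. The same applies to `syscall != "exit"` in e2e-suspicious_syscall_source.go.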
diff --git a/tests/e2e-inst-signatures/e2e-suspicious_syscall_source.go b/tests/e2e-inst-signatures/e2e-suspicious_syscall_source.go index ebd271021f35..7d91adb878fd 100644 --- a/tests/e2e-inst-signatures/e2e-suspicious_syscall_source.go +++ b/tests/e2e-inst-signatures/e2e-suspicious_syscall_source.go @@ -3,7 +3,6 @@ package main import ( "fmt" - "github.com/aquasecurity/tracee/pkg/events" "github.com/aquasecurity/tracee/signatures/helpers" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/protocol" @@ -48,7 +47,7 @@ func (sig *e2eSuspiciousSyscallSource) OnEvent(event protocol.Event) error { switch eventObj.EventName { case "suspicious_syscall_source": - syscall, err := helpers.ArgVal[int32](eventObj.Args, "syscall") + syscall, err := helpers.ArgVal[string](eventObj.Args, "syscall") if err != nil { return err } @@ -59,7 +58,7 @@ func (sig *e2eSuspiciousSyscallSource) OnEvent(event protocol.Event) error { // check expected values from test for detection - if syscall != int32(events.Exit) { + if syscall != "exit" { return nil } From a481d11d2ad3eda1ea9c5a187a8574e0c46e9e33 Mon Sep 17 00:00:00 2001 From: Yaniv Agman Date: Tue, 24 Dec 2024 14:46:44 +0200 Subject: [PATCH 3/4] Add workaround: Revert to using raw argument values in engine stage Introduced a workaround to revert to raw argument values for tracee signatures, maintaining compatibility while further migration is planned. --- pkg/ebpf/signature_engine.go | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/pkg/ebpf/signature_engine.go b/pkg/ebpf/signature_engine.go index 053dc2af684e..7fe3cb7d2a4c 100644 --- a/pkg/ebpf/signature_engine.go +++ b/pkg/ebpf/signature_engine.go 
@@ -82,16 +82,28 @@ func (t *Tracee) engineEvents(ctx context.Context, in <-chan *trace.Event) (<-ch // arguments parsing) can affect engine stage. eventCopy := *event + // if t.config.Output.ParseArguments { + // // shallow clone the event arguments before parsing them (new slice is created), + // // to keep the eventCopy with raw arguments. + // eventCopy.Args = slices.Clone(event.Args) + + // err := t.parseArguments(event) + // if err != nil { + // t.handleError(err) + // return + // } + // } + + // This is a workaround to keep working with parsed arguments in the engine stage. + // Once fully migrated, this should be reverted to the commented code above + eventCopy.Args = slices.Clone(event.Args) + err := t.parseArguments(&eventCopy) + if err != nil { + t.handleError(err) + return + } if t.config.Output.ParseArguments { - // shallow clone the event arguments before parsing them (new slice is created), - // to keep the eventCopy with raw arguments. - eventCopy.Args = slices.Clone(event.Args) - - err := t.parseArguments(event) - if err != nil { - t.handleError(err) - return - } + event.Args = slices.Clone(eventCopy.Args) } // pass the event to the sink stage, if the event is also marked as emit From 0c2a414767e41b19b68c602686c041f8edceeed3 Mon Sep 17 00:00:00 2001 From: Raphael Campos Date: Wed, 18 Dec 2024 06:26:33 -0600 Subject: [PATCH 4/4] chore: add kernel 6.11 and 6.12 in matrix images - Add kernel 6.11 and 6.12, both for x86_64 and aarch64; - Both kernels are based on Ubuntu 24.04 LTS (codename Noble). --- .github/workflows/pr.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index 223097357358..4f7dd9815d09 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml 
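Review bot: The parse error path `t.handleError(err); return` is now reached for every event regardless of `ParseArguments`, and if that `return` leaves the per-event loop (the enclosing engineEvents body starts and ends outside the hunk) a single event with unparsable arguments stops signature evaluation for all later events, where before it only did so when argument parsing was enabled; `continue` after `handleError`, dropping just that event, or falling back to its raw `Args`, is the safer failure mode for a detection pipeline. The commit title says the engine stage reverts to raw argument values while the added comment says it keeps working with parsed ones and the code parses `eventCopy` unconditionally, so one of them should be corrected. The large commented-out block should not be kept as dead code since git history preserves it; replace it with a one-line `// TODO(<tracking-issue>): restore conditional parsing once signatures consume raw arguments`. Parsing now also runs for every event even when output parsing is disabled, which is extra per-event work worth stating in that comment.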
@@ -285,6 +285,10 @@ jobs: ["Noble 6.8 aarch64"]="0f5260685b3ec2293 aarch64" ["Noble 6.10 x86_64"]="0ae23eabda70efc60 x86_64" ["Noble 6.10 aarch64"]="01ce0f71400b5ff38 aarch64" + ["Noble 6.11 x86_64"]="0ce1f88aa63091921 x86_64" + ["Noble 6.11 aarch64"]="0123508488affb578 aarch64" + ["Noble 6.12 x86_64"]="0e38f3caba1b4234d x86_64" + ["Noble 6.12 aarch64"]="0547f429681dc1f2a aarch64" # expand as needed ) for num in 01; do