Feature/identifiers (#587)

* Bumping armoapi-go

Signed-off-by: Amit Schendel <[email protected]>

* Adding identifiers to all rules

Signed-off-by: Amit Schendel <[email protected]>

* Adding filepath.Base for Name field

Signed-off-by: Amit Schendel <[email protected]>

---------

Signed-off-by: Amit Schendel <[email protected]>

Author: amitschendel

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/DmitriyVTitov/size v1.5.0
 	github.com/anchore/syft v1.18.1
 	github.com/aquilax/truncate v1.0.0
-	github.com/armosec/armoapi-go v0.0.596
+	github.com/armosec/armoapi-go v0.0.605
 	github.com/armosec/utils-k8s-go v0.0.30
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cenkalti/backoff/v4 v4.3.0

go.sum

@@ -157,8 +157,8 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj
 github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/armosec/armoapi-go v0.0.596 h1:n8xB6Y/zuzjAqqwc7zJPXxdvn6pqZK94IC6x7nvj1oI=
-github.com/armosec/armoapi-go v0.0.596/go.mod h1:GQQzRuP8OBvbDx7GGwOyw3TCjk5NtK3WbeyfuLoiEts=
+github.com/armosec/armoapi-go v0.0.605 h1:EKvb2tbK0Edno6XaC+LxRecaVCeL6oxrL4Vg6iplocc=
+github.com/armosec/armoapi-go v0.0.605/go.mod h1:GQQzRuP8OBvbDx7GGwOyw3TCjk5NtK3WbeyfuLoiEts=
 github.com/armosec/gojay v1.2.17 h1:VSkLBQzD1c2V+FMtlGFKqWXNsdNvIKygTKJI9ysY8eM=
 github.com/armosec/gojay v1.2.17/go.mod h1:vuvX3DlY0nbVrJ0qCklSS733AWMoQboq3cFyuQW9ybc=
 github.com/armosec/utils-go v0.0.58 h1:g9RnRkxZAmzTfPe2ruMo2OXSYLwVSegQSkSavOfmaIE=

pkg/ruleengine/v1/r0001_unexpected_process_launched.go

@@ -2,10 +2,12 @@ package ruleengine
 
 import (
 	"fmt"
+	"path/filepath"
 	"slices"
 	"strings"
 
 	apitypes "github.com/armosec/armoapi-go/armotypes"
+	"github.com/armosec/armoapi-go/armotypes/common"
 	events "github.com/kubescape/node-agent/pkg/ebpf/events"
 	"github.com/kubescape/node-agent/pkg/objectcache"
 	"github.com/kubescape/node-agent/pkg/ruleengine"
@@ -119,6 +121,16 @@ func (rule *R0001UnexpectedProcessLaunched) CreateRuleFailure(eventType utils.Ev
 				"args":   execEvent.Args,
 			},
 			Severity: R0001UnexpectedProcessLaunchedRuleDescriptor.Priority,
+			Identifiers: &common.Identifiers{
+				Process: &common.ProcessEntity{
+					Name:        execEvent.Comm,
+					CommandLine: fmt.Sprintf("%s %s", execPath, strings.Join(utils.GetExecArgsFromEvent(&execEvent.Event), " ")),
+				},
+				File: &common.FileEntity{
+					Name:      filepath.Base(GetExecFullPathFromEvent(execEvent)),
+					Directory: filepath.Dir(GetExecFullPathFromEvent(execEvent)),
+				},
+			},
 		},
 		RuntimeProcessDetails: apitypes.ProcessTree{
 			ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r0002_unexpected_file_access.go

@@ -2,6 +2,7 @@ package ruleengine
 
 import (
 	"fmt"
+	"path/filepath"
 	"strings"
 
 	"github.com/kubescape/node-agent/pkg/ebpf/events"
@@ -12,6 +13,7 @@ import (
 	"github.com/kubescape/node-agent/pkg/objectcache"
 
 	apitypes "github.com/armosec/armoapi-go/armotypes"
+	"github.com/armosec/armoapi-go/armotypes/common"
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 )
@@ -187,6 +189,15 @@ func (rule *R0002UnexpectedFileAccess) CreateRuleFailure(eventType utils.EventTy
 				"path":  openEventTyped.FullPath,
 			},
 			Severity: R0002UnexpectedFileAccessRuleDescriptor.Priority,
+			Identifiers: &common.Identifiers{
+				Process: &common.ProcessEntity{
+					Name: openEventTyped.Comm,
+				},
+				File: &common.FileEntity{
+					Name:      filepath.Base(openEventTyped.FullPath),
+					Directory: filepath.Dir(openEventTyped.FullPath),
+				},
+			},
 		},
 		RuntimeProcessDetails: apitypes.ProcessTree{
 			ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r0004_unexpected_capability_used.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 
 	apitypes "github.com/armosec/armoapi-go/armotypes"
+	"github.com/armosec/armoapi-go/armotypes/common"
 	"github.com/goradd/maps"
 	tracercapabilitiestype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/capabilities/types"
 	"github.com/kubescape/node-agent/pkg/objectcache"
@@ -108,6 +109,11 @@ func (rule *R0004UnexpectedCapabilityUsed) CreateRuleFailure(eventType utils.Eve
 			},
 			InfectedPID: capEvent.Pid,
 			Severity:    R0004UnexpectedCapabilityUsedRuleDescriptor.Priority,
+			Identifiers: &common.Identifiers{
+				Process: &common.ProcessEntity{
+					Name: capEvent.Comm,
+				},
+			},
 		},
 		RuntimeProcessDetails: apitypes.ProcessTree{
 			ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r0005_unexpected_domain_request.go

@@ -6,6 +6,7 @@ import (
 	"strings"
 
 	apitypes "github.com/armosec/armoapi-go/armotypes"
+	"github.com/armosec/armoapi-go/armotypes/common"
 	"github.com/goradd/maps"
 	tracerdnstype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/dns/types"
 	"github.com/kubescape/node-agent/pkg/objectcache"
@@ -107,6 +108,11 @@ func (rule *R0005UnexpectedDomainRequest) CreateRuleFailure(eventType utils.Even
 	domainEvent, _ := event.(*tracerdnstype.Event)
 	rule.alertedDomains.Set(domainEvent.DNSName, true)
 
+	dstIP := ""
+	if len(domainEvent.Addresses) > 0 {
+		dstIP = domainEvent.Addresses[0]
+	}
+
 	return &GenericRuleFailure{
 		BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
 			UniqueID:    HashStringToMD5(fmt.Sprintf("%s%s", domainEvent.Comm, domainEvent.DNSName)),
@@ -119,6 +125,18 @@ func (rule *R0005UnexpectedDomainRequest) CreateRuleFailure(eventType utils.Even
 				"port":      domainEvent.DstPort,
 			},
 			Severity: R0005UnexpectedDomainRequestRuleDescriptor.Priority,
+			Identifiers: &common.Identifiers{
+				Process: &common.ProcessEntity{
+					Name: domainEvent.Comm,
+				},
+				Dns: &common.DnsEntity{
+					Domain: domainEvent.DNSName,
+				},
+				Network: &common.NetworkEntity{
+					DstIP:    dstIP,
+					Protocol: domainEvent.Protocol,
+				},
+			},
 		},
 		RuntimeProcessDetails: apitypes.ProcessTree{
 			ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go

@@ -6,6 +6,7 @@ import (
 	"strings"
 
 	apitypes "github.com/armosec/armoapi-go/armotypes"
+	"github.com/armosec/armoapi-go/armotypes/common"
 	"github.com/kubescape/node-agent/pkg/ebpf/events"
 	"github.com/kubescape/node-agent/pkg/objectcache"
 	"github.com/kubescape/node-agent/pkg/ruleengine"
@@ -159,6 +160,15 @@ func (rule *R0006UnexpectedServiceAccountTokenAccess) CreateRuleFailure(eventTyp
 			},
 			InfectedPID: openEvent.Pid,
 			Severity:    R0006UnexpectedServiceAccountTokenAccessRuleDescriptor.Priority,
+			Identifiers: &common.Identifiers{
+				Process: &common.ProcessEntity{
+					Name: openEvent.Comm,
+				},
+				File: &common.FileEntity{
+					Name:      filepath.Base(openEvent.FullPath),
+					Directory: filepath.Dir(openEvent.FullPath),
+				},
+			},
 		},
 		RuntimeProcessDetails: apitypes.ProcessTree{
 			ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r0007_kubernetes_client_executed.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	apitypes "github.com/armosec/armoapi-go/armotypes"
+	"github.com/armosec/armoapi-go/armotypes/common"
 	tracernetworktype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/network/types"
 	events "github.com/kubescape/node-agent/pkg/ebpf/events"
 	"github.com/kubescape/node-agent/pkg/objectcache"
@@ -159,6 +160,16 @@ func (rule *R0007KubernetesClientExecuted) CreateRuleFailure(eventType utils.Eve
 					"args": execEvent.Args,
 				},
 				Severity: R0007KubernetesClientExecutedDescriptor.Priority,
+				Identifiers: &common.Identifiers{
+					Process: &common.ProcessEntity{
+						Name:        execEvent.Comm,
+						CommandLine: fmt.Sprintf("%s %s", execPath, strings.Join(utils.GetExecArgsFromEvent(&execEvent.Event), " ")),
+					},
+					File: &common.FileEntity{
+						Name:      filepath.Base(execPath),
+						Directory: filepath.Dir(execPath),
+					},
+				},
 			},
 			RuntimeProcessDetails: apitypes.ProcessTree{
 				ProcessTree: apitypes.Process{
@@ -201,6 +212,16 @@ func (rule *R0007KubernetesClientExecuted) CreateRuleFailure(eventType utils.Eve
 			},
 			InfectedPID: networkEvent.Pid,
 			Severity:    R0007KubernetesClientExecutedDescriptor.Priority,
+			Identifiers: &common.Identifiers{
+				Process: &common.ProcessEntity{
+					Name: networkEvent.Comm,
+				},
+				Network: &common.NetworkEntity{
+					DstIP:    networkEvent.DstEndpoint.Addr,
+					DstPort:  int(networkEvent.Port),
+					Protocol: networkEvent.Proto,
+				},
+			},
 		},
 		RuntimeProcessDetails: apitypes.ProcessTree{
 			ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r0008_read_env_variables_procfs.go

@@ -2,9 +2,11 @@ package ruleengine
 
 import (
 	"fmt"
+	"path/filepath"
 	"strings"
 
 	apitypes "github.com/armosec/armoapi-go/armotypes"
+	"github.com/armosec/armoapi-go/armotypes/common"
 	events "github.com/kubescape/node-agent/pkg/ebpf/events"
 	"github.com/kubescape/node-agent/pkg/objectcache"
 	"github.com/kubescape/node-agent/pkg/ruleengine"
@@ -121,6 +123,15 @@ func (rule *R0008ReadEnvironmentVariablesProcFS) CreateRuleFailure(eventType uti
 			},
 			InfectedPID: openEvent.Pid,
 			Severity:    R0008ReadEnvironmentVariablesProcFSRuleDescriptor.Priority,
+			Identifiers: &common.Identifiers{
+				Process: &common.ProcessEntity{
+					Name: openEvent.Comm,
+				},
+				File: &common.FileEntity{
+					Name:      filepath.Base(openEvent.FullPath),
+					Directory: filepath.Dir(openEvent.FullPath),
+				},
+			},
 		},
 		RuntimeProcessDetails: apitypes.ProcessTree{
 			ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go

@@ -2,6 +2,7 @@ package ruleengine
 
 import (
 	"fmt"
+	"path/filepath"
 
 	events "github.com/kubescape/node-agent/pkg/ebpf/events"
 	"github.com/kubescape/node-agent/pkg/objectcache"
@@ -10,6 +11,7 @@ import (
 	"github.com/kubescape/storage/pkg/registry/file/dynamicpathdetector"
 
 	apitypes "github.com/armosec/armoapi-go/armotypes"
+	"github.com/armosec/armoapi-go/armotypes/common"
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 )
@@ -174,6 +176,15 @@ func (rule *R0010UnexpectedSensitiveFileAccess) CreateRuleFailure(eventType util
 			},
 			InfectedPID: openEvent.Pid,
 			Severity:    R0010UnexpectedSensitiveFileAccessRuleDescriptor.Priority,
+			Identifiers: &common.Identifiers{
+				Process: &common.ProcessEntity{
+					Name: openEvent.Comm,
+				},
+				File: &common.FileEntity{
+					Name:      filepath.Base(openEvent.FullPath),
+					Directory: filepath.Dir(openEvent.FullPath),
+				},
+			},
 		},
 		RuntimeProcessDetails: apitypes.ProcessTree{
 			ProcessTree: apitypes.Process{