feat: enhnace yara scanner (#1774)

openclarity · Jun 13, 2024 · ad6f596 · ad6f596
1 parent dec4c32
commit ad6f596
Show file tree

Hide file tree

Showing 9 changed files with 168 additions and 152 deletions.
diff --git a/api/openapi.yaml b/api/openapi.yaml
@@ -1864,6 +1864,10 @@ components:
           type: array
           items:
             type: string
+        yara_directories_to_scan:
+          type: array
+          items:
+            type: string
 
     RootkitsConfig:
       type: object

diff --git a/api/server/database/gorm/odata.go b/api/server/database/gorm/odata.go
@@ -782,6 +782,12 @@ var schemaMetas = map[string]odatasql.SchemaMeta{
 					FieldType: odatasql.StringFieldType,
 				},
 			},
+			"yara_directories_to_scan": odatasql.FieldMeta{
+				FieldType: odatasql.CollectionFieldType,
+				CollectionItemMeta: &odatasql.FieldMeta{
+					FieldType: odatasql.StringFieldType,
+				},
+			},
 		},
 	},
 	"MisconfigurationsConfig": {

diff --git a/api/server/internal/server/server.gen.go b/api/server/internal/server/server.gen.go
diff --git a/api/types/families.go b/api/types/families.go
@@ -91,6 +91,14 @@ func (c *MalwareConfig) GetScannersList() []string {
 	return []string{"clam", "yara"}
 }
 
+func (c *MalwareConfig) GetYaraDirectoriesToScan() []string {
+	if c != nil && c.YaraDirectoriesToScan != nil && len(*c.YaraDirectoriesToScan) != 0 {
+		return *c.YaraDirectoriesToScan
+	}
+
+	return []string{"/home", "/opt", "/tmp", "/var/log"}
+}
+
 func (c *ExploitsConfig) IsEnabled() bool {
 	return c != nil && c.Enabled != nil && *c.Enabled
 }

diff --git a/api/types/types.gen.go b/api/types/types.gen.go
diff --git a/e2e/config/config.go b/e2e/config/config.go
@@ -88,24 +88,18 @@ func TestSuiteParamsForEnv(t types.EnvironmentType) *TestSuiteParams {
 
 	switch t {
 	case types.EnvironmentTypeAWS, types.EnvironmentTypeGCP:
-		// NOTE(paralta) Disabling the malware families to speed up the test
-		familiesConfig := FullScanFamiliesConfig
-		familiesConfig.Malware.Enabled = to.Ptr(false)
 		return &TestSuiteParams{
 			ServicesReadyTimeout: 10 * time.Minute,
 			ScanTimeout:          20 * time.Minute,
 			Scope:                fmt.Sprintf(scope, "tags"),
-			FamiliesConfig:       familiesConfig,
+			FamiliesConfig:       FullScanFamiliesConfig,
 		}
 	case types.EnvironmentTypeAzure:
-		// NOTE(paralta) Disabling the malware families to speed up the test
-		familiesConfig := FullScanFamiliesConfig
-		familiesConfig.Malware.Enabled = to.Ptr(false)
 		return &TestSuiteParams{
 			ServicesReadyTimeout: 20 * time.Minute,
 			ScanTimeout:          40 * time.Minute,
 			Scope:                fmt.Sprintf(scope, "tags"),
-			FamiliesConfig:       familiesConfig,
+			FamiliesConfig:       FullScanFamiliesConfig,
 		}
 	case types.EnvironmentTypeDocker:
 		return &TestSuiteParams{

diff --git a/orchestrator/watcher/assetscan/families.go b/orchestrator/watcher/assetscan/families.go
@@ -176,8 +176,9 @@ func withMalwareConfig(config *apitypes.MalwareConfig, opts *ScannerConfig) Fami
 					AlternativeFreshclamMirrorURL: opts.AlternativeFreshclamMirrorURL,
 				},
 				Yara: yaraconfig.Config{
-					YaraBinaryPath:  "",
-					CompiledRuleURL: opts.YaraRuleServerAddress,
+					YaraBinaryPath:    "",
+					CompiledRuleURL:   opts.YaraRuleServerAddress,
+					DirectoriesToScan: config.GetYaraDirectoriesToScan(),
 				},
 			},
 		}

diff --git a/scanner/families/malware/yara/config/config.go b/scanner/families/malware/yara/config/config.go
@@ -18,9 +18,10 @@ package config
 import "github.com/openclarity/yara-rule-server/pkg/config"
 
 type Config struct {
-	YaraBinaryPath  string              `yaml:"yara_binary_path" mapstructure:"yara_binary_path"`
-	CompiledRuleURL string              `yaml:"compiled_rule_url" mapstructure:"compiled_rule_url"`
-	RuleSources     []config.RuleSource `yaml:"rule_sources" mapstructure:"rule_sources"`
-	YaracBinaryPath string              `yaml:"yarac_binary_path" mapstructure:"yarac_binary_path"`
-	CacheDir        string              `yaml:"cache_dir" mapstructure:"cache_dir"`
+	YaraBinaryPath    string              `yaml:"yara_binary_path" mapstructure:"yara_binary_path"`
+	CompiledRuleURL   string              `yaml:"compiled_rule_url" mapstructure:"compiled_rule_url"`
+	RuleSources       []config.RuleSource `yaml:"rule_sources" mapstructure:"rule_sources"`
+	YaracBinaryPath   string              `yaml:"yarac_binary_path" mapstructure:"yarac_binary_path"`
+	CacheDir          string              `yaml:"cache_dir" mapstructure:"cache_dir"`
+	DirectoriesToScan []string            `yaml:"directories_to_scan" mapstructure:"directories_to_scan"`
 }
diff --git a/scanner/families/malware/yara/yara.go b/scanner/families/malware/yara/yara.go
@@ -25,12 +25,13 @@ import (
 	"os"
 	"os/exec"
 	"path"
+	"runtime"
+	"strconv"
 	"strings"
 
-	"github.com/sirupsen/logrus"
-
 	ruleServerConfig "github.com/openclarity/yara-rule-server/pkg/config"
 	"github.com/openclarity/yara-rule-server/pkg/rules"
+	"github.com/sirupsen/logrus"
 
 	"github.com/openclarity/vmclarity/scanner/families/malware/common"
 	"github.com/openclarity/vmclarity/scanner/families/malware/yara/config"
@@ -90,10 +91,6 @@ func (s *Scanner) Run(ctx context.Context, sourceType utils.SourceType, userInpu
 		}
 		defer cleanup()
 
-		// Define the yara args to run
-		args := []string{"-C", s.compiledRuleFile, "-r", "-w", "-m", fsPath}
-		s.logger.Infof("Running yara...")
-
 		// Process function that parses each line of yara output
 		var detectedMalware []common.DetectedMalware
 		var parseErrSamples, scanErrSamples []error
@@ -130,13 +127,17 @@ func (s *Scanner) Run(ctx context.Context, sourceType utils.SourceType, userInpu
 			}
 		}
 
-		// Execute the yara command
-		// nolint:gosec
-		yaraCommand := exec.Command(yaraBinaryPath, args...)
-		err = utils.RunCommandAndParseOutputLineByLine(yaraCommand, parserFunc, errCheckFunc)
-		if err != nil {
-			s.sendResults(retResults, fmt.Errorf("failed to run yara command: %w", err))
-			return
+		// Define the yara args to run
+		args := []string{"-C", s.compiledRuleFile, "-r", "-w", "-m", "-p", strconv.Itoa(runtime.NumCPU())}
+		s.logger.Infof("Running yara...")
+
+		for _, d := range s.config.DirectoriesToScan {
+			yaraCommand := exec.CommandContext(ctx, yaraBinaryPath, append(args, fsPath+d)...)
+			err = utils.RunCommandAndParseOutputLineByLine(yaraCommand, parserFunc, errCheckFunc)
+			if err != nil {
+				s.sendResults(retResults, fmt.Errorf("failed to run yara command: %w", err))
+				return
+			}
 		}
 
 		// If the stderr lines / stderr lines + stdout lines is greater than the `errThreshold` the error threshold will be reached.
@@ -201,7 +202,7 @@ func getCompiledRuleFilePath(cfg config.Config, logger *logrus.Entry) (string, e
 		if err != nil {
 			return "", fmt.Errorf("failed to lookup executable %s: %w", cfg.YaracBinaryPath, err)
 		}
-		logger.Debugf("found yara binary at: %s", yaracBinaryPath)
+		logger.Debugf("found yarac binary at: %s", yaracBinaryPath)
 
 		if cacheDir == "" {
 			cacheDir, err = createCacheDir()