From 0080fdb9d1deaad9dc7466fd6b4d1b685b559ac1 Mon Sep 17 00:00:00 2001 From: Simar Date: Wed, 1 Sep 2021 18:53:48 -0700 Subject: [PATCH 1/6] feat: Add flag for prepared events Signed-off-by: Simar --- tracee-rules/benchmark/benchmark_test.go | 36 ++++++-- .../benchmark/signature/wasm/signatures.go | 1 + tracee-rules/engine/engine.go | 36 ++++---- tracee-rules/engine/engine_test.go | 83 ++++++++++++------- tracee-rules/main.go | 6 +- 5 files changed, 109 insertions(+), 53 deletions(-) diff --git a/tracee-rules/benchmark/benchmark_test.go b/tracee-rules/benchmark/benchmark_test.go index 595e01cf37f5..dcac79051bd2 100644 --- a/tracee-rules/benchmark/benchmark_test.go +++ b/tracee-rules/benchmark/benchmark_test.go @@ -53,21 +53,37 @@ func BenchmarkOnEventWithCodeInjectionSignature(b *testing.B) { func BenchmarkEngineWithCodeInjectionSignature(b *testing.B) { benches := []struct { - name string - sigFunc func() (types.Signature, error) + name string + sigFunc func() (types.Signature, error) + preparedEvents bool }{ { name: "rego", sigFunc: rego.NewCodeInjectionSignature, }, + { + name: "rego + prepared events", + sigFunc: rego.NewCodeInjectionSignature, + preparedEvents: true, + }, { name: "golang", sigFunc: golang.NewCodeInjectionSignature, }, + { + name: "golang + prepared events", + sigFunc: golang.NewCodeInjectionSignature, + preparedEvents: true, + }, { name: "wasm", sigFunc: wasm.NewCodeInjectionSignature, }, + { + name: "wasm + prepared events", + sigFunc: wasm.NewCodeInjectionSignature, + preparedEvents: true, + }, } for _, bc := range benches { @@ -87,7 +103,7 @@ func BenchmarkEngineWithCodeInjectionSignature(b *testing.B) { b.StartTimer() // Start rules engine and wait until all events are processed - e.Start(waitForEventsProcessed(inputs.Tracee)) + e.Start(bc.preparedEvents, waitForEventsProcessed(inputs.Tracee)) } }) } @@ -95,13 +111,19 @@ func BenchmarkEngineWithCodeInjectionSignature(b *testing.B) { func BenchmarkEngineWithMultipleSignatures(b *testing.B) { benches := []struct { - name string - sigFuncs []func() (types.Signature, error) + name string + sigFuncs []func() (types.Signature, error) + preparedEvents bool }{ { name: "rego and golang", sigFuncs: []func() (types.Signature, error){rego.NewCodeInjectionSignature, golang.NewCodeInjectionSignature}, }, + { + name: "rego and golang, with prepared events", + sigFuncs: []func() (types.Signature, error){rego.NewCodeInjectionSignature, golang.NewCodeInjectionSignature}, + preparedEvents: true, + }, { name: "wasm and golang", sigFuncs: []func() (types.Signature, error){wasm.NewCodeInjectionSignature, golang.NewCodeInjectionSignature}, @@ -136,7 +158,7 @@ func BenchmarkEngineWithMultipleSignatures(b *testing.B) { b.StartTimer() // Start rules engine and wait until all events are processed - e.Start(waitForEventsProcessed(inputs.Tracee)) + e.Start(bc.preparedEvents, waitForEventsProcessed(inputs.Tracee)) } }) } @@ -196,7 +218,7 @@ func BenchmarkEngineWithNSignatures(b *testing.B) { b.StartTimer() // Start rules engine and wait until all events are processed - e.Start(waitForEventsProcessed(inputs.Tracee)) + e.Start(false, waitForEventsProcessed(inputs.Tracee)) } }) } diff --git a/tracee-rules/benchmark/signature/wasm/signatures.go b/tracee-rules/benchmark/signature/wasm/signatures.go index 2392847a3939..6e9cd75cd445 100644 --- a/tracee-rules/benchmark/signature/wasm/signatures.go +++ b/tracee-rules/benchmark/signature/wasm/signatures.go @@ -10,6 +10,7 @@ import ( "github.com/aquasecurity/tracee/tracee-rules/types" "github.com/open-policy-agent/opa/ast" + _ "github.com/open-policy-agent/opa/features/wasm" "github.com/open-policy-agent/opa/rego" ) diff --git a/tracee-rules/engine/engine.go b/tracee-rules/engine/engine.go index c93228fd228b..77f5343dcffb 100644 --- a/tracee-rules/engine/engine.go +++ b/tracee-rules/engine/engine.go @@ -110,14 +110,14 @@ func signatureStart(signature types.Signature, c chan types.Event, wg *sync.Wait // it runs continuously until stopped by the done channel // once done, it cleans all internal resources, which means the engine is not reusable // note that the input and output channels are created by the consumer and therefore are not closed -func (engine *Engine) Start(done chan bool) { +func (engine *Engine) Start(parsedEvents bool, done chan bool) { defer engine.unloadAllSignatures() engine.signaturesMutex.RLock() for s, c := range engine.signatures { go signatureStart(s, c, &engine.waitGroup) } engine.signaturesMutex.RUnlock() - engine.consumeSources(done) + engine.consumeSources(parsedEvents, done) } func (engine *Engine) unloadAllSignatures() { @@ -149,7 +149,7 @@ func (engine *Engine) checkCompletion() bool { // consumeSources starts consuming the input sources // it runs continuously until stopped by the done channel -func (engine *Engine) consumeSources(done <-chan bool) { +func (engine *Engine) consumeSources(parsedEvents bool, done <-chan bool) { for { select { case event, ok := <-engine.inputs.Tracee: @@ -182,25 +182,18 @@ func (engine *Engine) consumeSources(done <-chan bool) { continue } - pe, err := ToParsedEvent(traceeEvt) - if err != nil { - engine.logger.Printf("error converting tracee event to OPA ast.Value: %v", err) - engine.signaturesMutex.RUnlock() - continue - } - eventOrigin := analyzeEventOrigin(traceeEvt) for _, s := range engine.signaturesIndex[types.SignatureEventSelector{Source: "tracee", Name: traceeEvt.EventName, Origin: eventOrigin}] { - engine.dispatchEvent(s, pe) + engine.dispatchEvent(s, event.(tracee.Event), parsedEvents) } for _, s := range engine.signaturesIndex[types.SignatureEventSelector{Source: "tracee", Name: traceeEvt.EventName, Origin: ALL_EVENT_ORIGINS}] { - engine.dispatchEvent(s, pe) + engine.dispatchEvent(s, event.(tracee.Event), parsedEvents) } for _, s := range engine.signaturesIndex[types.SignatureEventSelector{Source: "tracee", Name: ALL_EVENT_TYPES, Origin: eventOrigin}] { - engine.dispatchEvent(s, pe) + engine.dispatchEvent(s, event.(tracee.Event), parsedEvents) } for _, s := range engine.signaturesIndex[types.SignatureEventSelector{Source: "tracee", Name: ALL_EVENT_TYPES, Origin: ALL_EVENT_ORIGINS}] { - engine.dispatchEvent(s, pe) + engine.dispatchEvent(s, event.(tracee.Event), parsedEvents) } engine.signaturesMutex.RUnlock() } @@ -210,12 +203,21 @@ func (engine *Engine) consumeSources(done <-chan bool) { } } -func (engine *Engine) dispatchEvent(s types.Signature, pe ParsedEvent) { +func (engine *Engine) dispatchEvent(s types.Signature, event tracee.Event, parsedEvent bool) { switch { case strings.Contains(reflect.TypeOf(s).String(), "rego"): - engine.signatures[s] <- pe + if parsedEvent { + pe, err := ToParsedEvent(event) + if err != nil { + engine.logger.Printf("error converting tracee event to OPA ast.Value: %v", err) + return + } + engine.signatures[s] <- pe + } else { + engine.signatures[s] <- event + } default: - engine.signatures[s] <- pe.Event + engine.signatures[s] <- event } } diff --git a/tracee-rules/engine/engine_test.go b/tracee-rules/engine/engine_test.go index 283c36ab391f..f03ab788e414 100644 --- a/tracee-rules/engine/engine_test.go +++ b/tracee-rules/engine/engine_test.go @@ -68,10 +68,11 @@ func TestConsumeSources(t *testing.T) { inputSignature regoFakeSignature expectedNumEvents int expectedError string - expectedEvent ParsedEvent + expectedEvent interface{} + enableParsedEvent bool }{ { - name: "happy path - with one matching selector", + name: "happy path - with one matching selector, parsed event enabled", inputEvent: tracee.Event{ EventName: "test_event", ProcessID: 2, @@ -96,12 +97,42 @@ func TestConsumeSources(t *testing.T) { }, }, expectedNumEvents: 1, - expectedEvent: ParsedEvent{ - Event: tracee.Event{ - ProcessID: 2, ParentProcessID: 1, Args: []external.Argument{{ArgMeta: external.ArgMeta{Name: "pathname", Type: ""}, Value: "/proc/self/mem"}}, - EventName: "test_event", + expectedEvent: tracee.Event{ + ProcessID: 2, ParentProcessID: 1, Args: []external.Argument{{ArgMeta: external.ArgMeta{Name: "pathname", Type: ""}, Value: "/proc/self/mem"}}, + EventName: "test_event", + }, + enableParsedEvent: true, + }, + { + name: "happy path - with one matching selector", + inputEvent: tracee.Event{ + EventName: "test_event", + ProcessID: 2, + ParentProcessID: 1, + Args: []tracee.Argument{ + { + ArgMeta: tracee.ArgMeta{ + Name: "pathname", + }, + Value: "/proc/self/mem", + }, }, }, + inputSignature: regoFakeSignature{ + getSelectedEvents: func() ([]types.SignatureEventSelector, error) { + return []types.SignatureEventSelector{ + { + Name: "test_event", + Source: "tracee", + }, + }, nil + }, + }, + expectedNumEvents: 1, + expectedEvent: tracee.Event{ + ProcessID: 2, ParentProcessID: 1, Args: []external.Argument{{ArgMeta: external.ArgMeta{Name: "pathname", Type: ""}, Value: "/proc/self/mem"}}, + EventName: "test_event", + }, }, { name: "happy path - with no matching event selector", @@ -136,8 +167,8 @@ func TestConsumeSources(t *testing.T) { }, }, expectedNumEvents: 1, - expectedEvent: ParsedEvent{ - Event: tracee.Event{EventName: "execve"}, + expectedEvent: tracee.Event{ + EventName: "execve", }, }, { @@ -153,9 +184,7 @@ func TestConsumeSources(t *testing.T) { }, }, expectedNumEvents: 1, - expectedEvent: ParsedEvent{ - Event: tracee.Event{EventName: "execve"}, - }, + expectedEvent: tracee.Event{EventName: "execve"}, }, { name: "happy path - with one matching selector including event origin from container", @@ -185,11 +214,9 @@ func TestConsumeSources(t *testing.T) { }, }, expectedNumEvents: 1, - expectedEvent: ParsedEvent{ - Event: tracee.Event{ - ProcessID: 2, ParentProcessID: 1, ContainerID: "container ID", Args: []external.Argument{{ArgMeta: external.ArgMeta{Name: "pathname", Type: ""}, Value: "/proc/self/mem"}}, - EventName: "test_event", - }, + expectedEvent: tracee.Event{ + ProcessID: 2, ParentProcessID: 1, ContainerID: "container ID", Args: []external.Argument{{ArgMeta: external.ArgMeta{Name: "pathname", Type: ""}, Value: "/proc/self/mem"}}, + EventName: "test_event", }, }, { @@ -248,11 +275,9 @@ func TestConsumeSources(t *testing.T) { }, }, expectedNumEvents: 1, - expectedEvent: ParsedEvent{ - Event: tracee.Event{ - ProcessID: 2, ParentProcessID: 2, Args: []external.Argument{{ArgMeta: external.ArgMeta{Name: "pathname", Type: ""}, Value: "/proc/self/mem"}}, - EventName: "test_event", - }, + expectedEvent: tracee.Event{ + ProcessID: 2, ParentProcessID: 2, Args: []external.Argument{{ArgMeta: external.ArgMeta{Name: "pathname", Type: ""}, Value: "/proc/self/mem"}}, + EventName: "test_event", }, }, { @@ -323,11 +348,9 @@ func TestConsumeSources(t *testing.T) { }, }, expectedNumEvents: 1, - expectedEvent: ParsedEvent{ - Event: tracee.Event{ - ProcessID: 2, ParentProcessID: 1, Args: []external.Argument{{ArgMeta: external.ArgMeta{Name: "pathname", Type: ""}, Value: "/proc/self/mem"}}, - EventName: "test_event", - }, + expectedEvent: tracee.Event{ + ProcessID: 2, ParentProcessID: 1, Args: []external.Argument{{ArgMeta: external.ArgMeta{Name: "pathname", Type: ""}, Value: "/proc/self/mem"}}, + EventName: "test_event", }, }, } @@ -356,7 +379,11 @@ func TestConsumeSources(t *testing.T) { var gotNumEvents int tc.inputSignature.onEvent = func(event types.Event) error { - assert.Equal(t, tc.expectedEvent.Event, event.(ParsedEvent).Event, tc.name) + if tc.enableParsedEvent { + assert.Equal(t, tc.expectedEvent, event.(ParsedEvent).Event, tc.name) + } else { + assert.Equal(t, tc.expectedEvent, event.(tracee.Event), tc.name) + } gotNumEvents++ return nil } @@ -364,7 +391,7 @@ func TestConsumeSources(t *testing.T) { e, err := NewEngine(sigs, inputs, outputChan, logger) require.NoError(t, err, "constructing engine") go func() { - e.Start(done) + e.Start(tc.enableParsedEvent, done) }() // send a test event diff --git a/tracee-rules/main.go b/tracee-rules/main.go index 92484b7134ce..2727bdbfb544 100644 --- a/tracee-rules/main.go +++ b/tracee-rules/main.go @@ -101,7 +101,7 @@ func main() { if err != nil { return fmt.Errorf("constructing engine: %w", err) } - e.Start(sigHandler()) + e.Start(c.Bool("enable-parsed-events"), sigHandler()) return nil }, Flags: []cli.Flag{ @@ -146,6 +146,10 @@ func main() { Usage: "listening address of the pprof endpoints server", Value: ":7777", }, + &cli.BoolFlag{ + Name: "enable-parsed-events", + Usage: "enables pre parsing of input events to rego prior to evaluation", + }, }, } err := app.Run(os.Args) From ce30e5a87056fdd359c9cee540c35bab9f7cf3ce Mon Sep 17 00:00:00 2001 From: Simar Date: Tue, 7 Sep 2021 14:57:54 -0700 Subject: [PATCH 2/6] fix: Change engine.NewEngine() prototype to accommodate new flag Signed-off-by: Simar --- tracee-rules/benchmark/benchmark_test.go | 12 ++++++------ tracee-rules/engine/engine.go | 18 ++++++++++-------- tracee-rules/engine/engine_test.go | 4 ++-- tracee-rules/main.go | 4 ++-- 4 files changed, 20 insertions(+), 18 deletions(-) diff --git a/tracee-rules/benchmark/benchmark_test.go b/tracee-rules/benchmark/benchmark_test.go index dcac79051bd2..430938e1c6c3 100644 --- a/tracee-rules/benchmark/benchmark_test.go +++ b/tracee-rules/benchmark/benchmark_test.go @@ -98,12 +98,12 @@ func BenchmarkEngineWithCodeInjectionSignature(b *testing.B) { s, err := bc.sigFunc() require.NoError(b, err, bc.name) - e, err := engine.NewEngine([]types.Signature{s}, inputs, output, os.Stderr) + e, err := engine.NewEngine([]types.Signature{s}, inputs, output, os.Stderr, bc.preparedEvents) require.NoError(b, err, "constructing engine") b.StartTimer() // Start rules engine and wait until all events are processed - e.Start(bc.preparedEvents, waitForEventsProcessed(inputs.Tracee)) + e.Start(waitForEventsProcessed(inputs.Tracee)) } }) } @@ -153,12 +153,12 @@ func BenchmarkEngineWithMultipleSignatures(b *testing.B) { inputs := ProduceEventsInMemory(inputEventsCount) output := make(chan types.Finding, inputEventsCount*len(sigs)) - e, err := engine.NewEngine(sigs, inputs, output, os.Stderr) + e, err := engine.NewEngine(sigs, inputs, output, os.Stderr, bc.preparedEvents) require.NoError(b, err, "constructing engine") b.StartTimer() // Start rules engine and wait until all events are processed - e.Start(bc.preparedEvents, waitForEventsProcessed(inputs.Tracee)) + e.Start(waitForEventsProcessed(inputs.Tracee)) } }) } @@ -213,12 +213,12 @@ func BenchmarkEngineWithNSignatures(b *testing.B) { b.StopTimer() inputs := ProduceEventsInMemory(inputEventsCount) output := make(chan types.Finding, inputEventsCount*len(sigs)) - e, err := engine.NewEngine(sigs, inputs, output, os.Stderr) + e, err := engine.NewEngine(sigs, inputs, output, os.Stderr, false) require.NoError(b, err, "constructing engine") b.StartTimer() // Start rules engine and wait until all events are processed - e.Start(false, waitForEventsProcessed(inputs.Tracee)) + e.Start(waitForEventsProcessed(inputs.Tracee)) } }) } diff --git a/tracee-rules/engine/engine.go b/tracee-rules/engine/engine.go index 77f5343dcffb..adb7f0388d41 100644 --- a/tracee-rules/engine/engine.go +++ b/tracee-rules/engine/engine.go @@ -28,6 +28,7 @@ type Engine struct { inputs EventSources output chan types.Finding waitGroup sync.WaitGroup + parsedEvents bool } //EventSources is a bundle of input sources used to configure the Engine @@ -37,7 +38,7 @@ type EventSources struct { // NewEngine creates a new rules-engine with the given arguments // inputs and outputs are given as channels created by the consumer -func NewEngine(sigs []types.Signature, sources EventSources, output chan types.Finding, logWriter io.Writer) (*Engine, error) { +func NewEngine(sigs []types.Signature, sources EventSources, output chan types.Finding, logWriter io.Writer, parsedEvents bool) (*Engine, error) { if sources.Tracee == nil || output == nil || logWriter == nil { return nil, fmt.Errorf("nil input received") } @@ -46,6 +47,7 @@ func NewEngine(sigs []types.Signature, sources EventSources, output chan types.F engine.logger = *log.New(logWriter, "", 0) engine.inputs = sources engine.output = output + engine.parsedEvents = parsedEvents engine.signaturesMutex.Lock() engine.signatures = make(map[types.Signature]chan types.Event) engine.signaturesIndex = make(map[types.SignatureEventSelector][]types.Signature) @@ -110,14 +112,14 @@ func signatureStart(signature types.Signature, c chan types.Event, wg *sync.Wait // it runs continuously until stopped by the done channel // once done, it cleans all internal resources, which means the engine is not reusable // note that the input and output channels are created by the consumer and therefore are not closed -func (engine *Engine) Start(parsedEvents bool, done chan bool) { +func (engine *Engine) Start(done chan bool) { defer engine.unloadAllSignatures() engine.signaturesMutex.RLock() for s, c := range engine.signatures { go signatureStart(s, c, &engine.waitGroup) } engine.signaturesMutex.RUnlock() - engine.consumeSources(parsedEvents, done) + engine.consumeSources(done) } func (engine *Engine) unloadAllSignatures() { @@ -149,7 +151,7 @@ func (engine *Engine) checkCompletion() bool { // consumeSources starts consuming the input sources // it runs continuously until stopped by the done channel -func (engine *Engine) consumeSources(parsedEvents bool, done <-chan bool) { +func (engine *Engine) consumeSources(done <-chan bool) { for { select { case event, ok := <-engine.inputs.Tracee: @@ -184,16 +186,16 @@ func (engine *Engine) consumeSources(parsedEvents bool, done <-chan bool) { eventOrigin := analyzeEventOrigin(traceeEvt) for _, s := range engine.signaturesIndex[types.SignatureEventSelector{Source: "tracee", Name: traceeEvt.EventName, Origin: eventOrigin}] { - engine.dispatchEvent(s, event.(tracee.Event), parsedEvents) + engine.dispatchEvent(s, event.(tracee.Event), engine.parsedEvents) } for _, s := range engine.signaturesIndex[types.SignatureEventSelector{Source: "tracee", Name: traceeEvt.EventName, Origin: ALL_EVENT_ORIGINS}] { - engine.dispatchEvent(s, event.(tracee.Event), parsedEvents) + engine.dispatchEvent(s, event.(tracee.Event), engine.parsedEvents) } for _, s := range engine.signaturesIndex[types.SignatureEventSelector{Source: "tracee", Name: ALL_EVENT_TYPES, Origin: eventOrigin}] { - engine.dispatchEvent(s, event.(tracee.Event), parsedEvents) + engine.dispatchEvent(s, event.(tracee.Event), engine.parsedEvents) } for _, s := range engine.signaturesIndex[types.SignatureEventSelector{Source: "tracee", Name: ALL_EVENT_TYPES, Origin: ALL_EVENT_ORIGINS}] { - engine.dispatchEvent(s, event.(tracee.Event), parsedEvents) + engine.dispatchEvent(s, event.(tracee.Event), engine.parsedEvents) } engine.signaturesMutex.RUnlock() } diff --git a/tracee-rules/engine/engine_test.go b/tracee-rules/engine/engine_test.go index f03ab788e414..9958e0fba953 100644 --- a/tracee-rules/engine/engine_test.go +++ b/tracee-rules/engine/engine_test.go @@ -388,10 +388,10 @@ func TestConsumeSources(t *testing.T) { return nil } - e, err := NewEngine(sigs, inputs, outputChan, logger) + e, err := NewEngine(sigs, inputs, outputChan, logger, tc.enableParsedEvent) require.NoError(t, err, "constructing engine") go func() { - e.Start(tc.enableParsedEvent, done) + e.Start(done) }() // send a test event diff --git a/tracee-rules/main.go b/tracee-rules/main.go index 2727bdbfb544..5edb9ad1aa13 100644 --- a/tracee-rules/main.go +++ b/tracee-rules/main.go @@ -97,11 +97,11 @@ func main() { if err != nil { return err } - e, err := engine.NewEngine(sigs, inputs, output, os.Stderr) + e, err := engine.NewEngine(sigs, inputs, output, os.Stderr, c.Bool("enable-parsed-events")) if err != nil { return fmt.Errorf("constructing engine: %w", err) } - e.Start(c.Bool("enable-parsed-events"), sigHandler()) + e.Start(sigHandler()) return nil }, Flags: []cli.Flag{ From cd8d51e05c0193526763cad53ef76789fe9125ab Mon Sep 17 00:00:00 2001 From: Simar Date: Tue, 7 Sep 2021 15:00:56 -0700 Subject: [PATCH 3/6] fix: Remove unnecessary casts for sending to dispatchEvent() Signed-off-by: Simar --- tracee-rules/engine/engine.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tracee-rules/engine/engine.go b/tracee-rules/engine/engine.go index adb7f0388d41..179091ccf967 100644 --- a/tracee-rules/engine/engine.go +++ b/tracee-rules/engine/engine.go @@ -186,16 +186,16 @@ func (engine *Engine) consumeSources(done <-chan bool) { eventOrigin := analyzeEventOrigin(traceeEvt) for _, s := range engine.signaturesIndex[types.SignatureEventSelector{Source: "tracee", Name: traceeEvt.EventName, Origin: eventOrigin}] { - engine.dispatchEvent(s, event.(tracee.Event), engine.parsedEvents) + engine.dispatchEvent(s, traceeEvt, engine.parsedEvents) } for _, s := range engine.signaturesIndex[types.SignatureEventSelector{Source: "tracee", Name: traceeEvt.EventName, Origin: ALL_EVENT_ORIGINS}] { - engine.dispatchEvent(s, event.(tracee.Event), engine.parsedEvents) + engine.dispatchEvent(s, traceeEvt, engine.parsedEvents) } for _, s := range engine.signaturesIndex[types.SignatureEventSelector{Source: "tracee", Name: ALL_EVENT_TYPES, Origin: eventOrigin}] { - engine.dispatchEvent(s, event.(tracee.Event), engine.parsedEvents) + engine.dispatchEvent(s, traceeEvt, engine.parsedEvents) } for _, s := range engine.signaturesIndex[types.SignatureEventSelector{Source: "tracee", Name: ALL_EVENT_TYPES, Origin: ALL_EVENT_ORIGINS}] { - engine.dispatchEvent(s, event.(tracee.Event), engine.parsedEvents) + engine.dispatchEvent(s, traceeEvt, engine.parsedEvents) } engine.signaturesMutex.RUnlock() } From 7b1146e89b8b71c194ac1185b7cfc2f546962f1c Mon Sep 17 00:00:00 2001 From: Simar Date: Tue, 7 Sep 2021 15:02:45 -0700 Subject: [PATCH 4/6] fix: Prefix "rego" for enable-parsed-events flag Signed-off-by: Simar --- tracee-rules/main.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tracee-rules/main.go b/tracee-rules/main.go index 5edb9ad1aa13..71330664970a 100644 --- a/tracee-rules/main.go +++ b/tracee-rules/main.go @@ -97,7 +97,7 @@ func main() { if err != nil { return err } - e, err := engine.NewEngine(sigs, inputs, output, os.Stderr, c.Bool("enable-parsed-events")) + e, err := engine.NewEngine(sigs, inputs, output, os.Stderr, c.Bool("rego-enable-parsed-events")) if err != nil { return fmt.Errorf("constructing engine: %w", err) } @@ -147,7 +147,7 @@ func main() { Value: ":7777", }, &cli.BoolFlag{ - Name: "enable-parsed-events", + Name: "rego-enable-parsed-events", Usage: "enables pre parsing of input events to rego prior to evaluation", }, }, From b9f37149bf45a504955e1e6f33dae8436ed50f21 Mon Sep 17 00:00:00 2001 From: Simar Date: Tue, 7 Sep 2021 15:14:05 -0700 Subject: [PATCH 5/6] fix: Update tests Signed-off-by: Simar --- tracee-rules/engine/engine_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tracee-rules/engine/engine_test.go b/tracee-rules/engine/engine_test.go index 9958e0fba953..6c0fcbd4e2eb 100644 --- a/tracee-rules/engine/engine_test.go +++ b/tracee-rules/engine/engine_test.go @@ -447,7 +447,7 @@ func TestGetSelectedEvents(t *testing.T) { }, }, } - e, err := NewEngine(sigs, EventSources{Tracee: make(chan types.Event)}, make(chan types.Finding), &bytes.Buffer{}) + e, err := NewEngine(sigs, EventSources{Tracee: make(chan types.Event)}, make(chan types.Finding), &bytes.Buffer{}, false) require.NoError(t, err, "constructing engine") se := e.GetSelectedEvents() expected := []types.SignatureEventSelector{ From 168329c319028f1b0f0c60d4482dc76300797afc Mon Sep 17 00:00:00 2001 From: Simar Date: Tue, 7 Sep 2021 15:41:02 -0700 Subject: [PATCH 6/6] fix: Simplify the function prototype for dispatchEvent Signed-off-by: Simar --- tracee-rules/engine/engine.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tracee-rules/engine/engine.go b/tracee-rules/engine/engine.go index 179091ccf967..2978ac6696c7 100644 --- a/tracee-rules/engine/engine.go +++ b/tracee-rules/engine/engine.go @@ -186,16 +186,16 @@ func (engine *Engine) consumeSources(done <-chan bool) { eventOrigin := analyzeEventOrigin(traceeEvt) for _, s := range engine.signaturesIndex[types.SignatureEventSelector{Source: "tracee", Name: traceeEvt.EventName, Origin: eventOrigin}] { - engine.dispatchEvent(s, traceeEvt, engine.parsedEvents) + engine.dispatchEvent(s, traceeEvt) } for _, s := range engine.signaturesIndex[types.SignatureEventSelector{Source: "tracee", Name: traceeEvt.EventName, Origin: ALL_EVENT_ORIGINS}] { - engine.dispatchEvent(s, traceeEvt, engine.parsedEvents) + engine.dispatchEvent(s, traceeEvt) } for _, s := range engine.signaturesIndex[types.SignatureEventSelector{Source: "tracee", Name: ALL_EVENT_TYPES, Origin: eventOrigin}] { - engine.dispatchEvent(s, traceeEvt, engine.parsedEvents) + engine.dispatchEvent(s, traceeEvt) } for _, s := range engine.signaturesIndex[types.SignatureEventSelector{Source: "tracee", Name: ALL_EVENT_TYPES, Origin: ALL_EVENT_ORIGINS}] { - engine.dispatchEvent(s, traceeEvt, engine.parsedEvents) + engine.dispatchEvent(s, traceeEvt) } engine.signaturesMutex.RUnlock() } @@ -205,10 +205,10 @@ func (engine *Engine) consumeSources(done <-chan bool) { } } -func (engine *Engine) dispatchEvent(s types.Signature, event tracee.Event, parsedEvent bool) { +func (engine *Engine) dispatchEvent(s types.Signature, event tracee.Event) { switch { case strings.Contains(reflect.TypeOf(s).String(), "rego"): - if parsedEvent { + if engine.parsedEvents { pe, err := ToParsedEvent(event) if err != nil { engine.logger.Printf("error converting tracee event to OPA ast.Value: %v", err)