8000 tracee: fix args on signatures events by josedonizetti · Pull Request #2713 · aquasecurity/tracee · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

tracee: fix args on signatures events #2713

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 27, 2023
Merged

tracee: fix args on signatures events #2713

merged 1 commit into from
Feb 27, 2023

Conversation

josedonizetti
Copy link
Contributor
@josedonizetti josedonizetti commented Feb 13, 2023
edited
Loading

1. Explain what the PR does

This PR changes signature events to use finding.Data as arguments instead of the original event arguments.
Also, it fix the filtering based on such arguments for signature events.

This PR is part of epic: #2355

2. Explain how to test it

The simplest way to test is to change an existing signature to include same output data, recompile tracee, and test out the feature, eg:

tracee --trace event=anti_debugging --trace anti_debugging.args.arg1=test

3. Other comments

@josedonizetti josedonizetti self-assigned this Feb 13, 2023
@josedonizetti josedonizetti force-pushed the fix-signature-events-args branch 2 times, most recently from db0f07a to 5c30d6b Compare February 14, 2023 02:19
@josedonizetti josedonizetti marked this pull request as ready for review February 14, 2023 02:33
geyslan
geyslan reviewed Feb 14, 2023
View reviewed changes
rafaeldtinoco
rafaeldtinoco suggested changes Feb 21, 2023
View reviewed changes
Copy link
Contributor
@rafaeldtinoco rafaeldtinoco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs rebase.

@josedonizetti is this still valid ?

With the discussion at #2355 (comment) and the about to be merged (#2752) I wasn't sure (since the the Event type is being changed there to have metadata, as the discussion suggests).

@josedonizetti
Copy link
Contributor Author

@rafaeldtinoco yes, still valid. The Metadata PR will only reflect SignatureMetadata, the user still needs access to finding.Data from a signature detection, which will be passed as arguments, and different than metadata it will be filterable.

@josedonizetti josedonizetti force-pushed the fix-signature-events-args branch 2 times, most recently from c614862 to fd92e85 Compare February 24, 2023 18:06
geyslan
geyslan approved these changes Feb 24, 2023
View reviewed changes
Copy link
Member
@geyslan geyslan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

8000

pkg/ebpf/finding.go
return arguments
}

// TODO: we probably should have internal types instead of using kernel, or golang types
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

pkg/events/events.go
Comment on lines +83 to +92
func (e *Event) IsASignatureEvent() bool {

for _, s := range e.Sets {
if s == "signatures" {
return true
}
}

return false
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't yet being used. Will it be checked in a hot path? If so, could it be a preset boolean flag?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@geyslan This is used to avoid the argument name validation when booting tracee, for example, if you do -t security_open_file.args.pathname!=X, there is a validation to check if the pathaname is a paramenter declared on the event when tracee is starting.

As signature events the parameters are dynamic, we are skipping the validation so we don't fail the boot: https://github.com/aquasecurity/tracee/pull/2713/files#diff-a15ccb695c12a7219d07ca60dd20a3e26df991cb65d2313dcd593b5b5295a55cR104

pkg/ebpf/finding.go
return "float"
case float64:
return "long double"
default: // TODO: how to implement int8, uint8, pointers, slices, and maps
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess that's trivial by using our own internal types.

yanivagman
yanivagman approved these changes Feb 26, 2023
View reviewed changes
Copy link
Collaborator
@yanivagman yanivagman left a comment
8000

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@josedonizetti josedonizetti force-pushed the fix-signature-events-args branch from fd92e85 to 73d4f65 Compare February 27, 2023 11:19
@yanivagman yanivagman merged commit 0906f7d into aquasecurity:main Feb 27, 2023
@josedonizetti josedonizetti deleted the fix-signature-events-args branch February 27, 2023 12:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@NDStrahilevitz NDStrahilevitz NDStrahilevitz left review comments

@geyslan geyslan geyslan approved these changes

@yanivagman yanivagman yanivagman approved these changes

@rafaeldtinoco rafaeldtinoco Awaiting requested review from rafaeldtinoco

Assignees

@josedonizetti josedonizetti

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@josedonizetti @geyslan @rafaeldtinoco @yanivagman @NDStrahilevitz
0