diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 1bec23f..59c3cea 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -31,6 +31,9 @@ jobs:
 - name: Download dependencies
 run: go mod download
+
+ - name: Fix go
+ run: go env -w GOTOOLCHAIN=go1.25.0+auto
 - name: Run tests
 run: go test ./...
diff --git a/README.md b/README.md
index 9583d4e..aff7a3b 100644
--- a/README.md
+++ b/README.md
@@ -26,13 +26,13 @@ spec:
 description: "Description of what the rule detects"
 expressions:
 message: "CEL expression for alert message"
- unique_id: "CEL expression for unique identifier"
- rule_expression:
- - event_type: "event_type_name"
+ uniqueId: "CEL expression for unique identifier"
+ ruleExpression:
+ - eventType: "eventType_name"
 expression: "CEL expression for detection logic"
- profile_dependency: 0 # 0=Required, 1=Optional, 2=NotRequired
+ profileDependency: 0 # 0=Required, 1=Optional, 2=NotRequired
 severity: 1
- support_policy: false
+ supportPolicy: false
 tags:
 - "tag1"
 - "tag2"
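Review bot: The added step writes `GOTOOLCHAIN=go1.25.0+auto` only after `go mod download` has already run, so the download and the later `go test` can end up on different toolchains if the setup step installed an older Go; placing the step before the download, or dropping it in favour of `go-version-file: go.mod` on the setup-go step (outside this hunk), keeps a single toolchain for the whole job. The name `Fix go` also does not say what the step does; `- name: Pin Go toolchain to go.mod` would. With go.mod now declaring `go 1.25.0`, the default `GOTOOLCHAIN=auto` would already fetch that toolchain unless the setup step overrides it with `GOTOOLCHAIN=local`, which cannot be confirmed from this hunk.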
@@ -47,11 +47,11 @@ spec:
 | `id` | string | Unique rule identifier (format: R####) | Yes |
 | `description` | string | Detailed description of the rule | Yes |
 | `expressions.message` | string | CEL expression for alert message | Yes |
-| `expressions.unique_id` | string | CEL expression for unique event ID | Yes |
-| `expressions.rule_expression` | array | Array of detection expressions | Yes |
-| `profile_dependency` | integer | Profile dependency level (0,1,2) | Yes |
+| `expressions.uniqueId` | string | CEL expression for unique event ID | Yes |
+| `expressions.ruleExpression` | array | Array of detection expressions | Yes |
+| `profileDependency` | integer | Profile dependency level (0,1,2) | Yes |
 | `severity` | integer | Rule severity level | Yes |
-| `support_policy` | boolean | Whether rule supported by rule policy | Yes |
+| `supportPolicy` | boolean | Whether rule supported by rule policy | Yes |
 | `tags` | array | Array of tags for categorization | Yes |
 | `state` | object | Rule state | No |
diff --git a/go.mod b/go.mod
index f421fe5..11e0320 100644
--- a/go.mod
+++ b/go.mod
@@ -1,31 +1,30 @@
 module github.com/kubescape/rulelibrary
-go 1.24.0
-
-toolchain go1.24.5
+go 1.25.0
 require (
 github.com/goradd/maps v1.0.0
- github.com/inspektor-gadget/inspektor-gadget v0.41.0
- github.com/kubescape/node-agent v0.2.375-0.20250821110035-45cbc9a5224d
- github.com/kubescape/storage v0.0.200
- github.com/stretchr/testify v1.10.0
+ github.com/inspektor-gadget/inspektor-gadget v0.45.1-0.20251020222545-c91c23581ebf
+ github.com/kubescape/node-agent v0.2.387-0.20251028144632-fead4536b150
+ github.com/kubescape/storage v0.0.221
+ github.com/stretchr/testify v1.11.1
 gopkg.in/yaml.v3 v3.0.1
- k8s.io/api v0.33.3
+ k8s.io/api v0.34.1
 )
 require (
- cel.dev/expr v0.20.0 // indirect
+ cel.dev/expr v0.24.0 // indirect
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
 github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20231105174938-2b5cbb29f3e2 // indirect
+ github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
 github.com/Microsoft/go-winio v0.6.2 // indirect
- github.com/Microsoft/hcsshim v0.12.9 // indirect
+ github.com/Microsoft/hcsshim v0.13.0 // indirect
 github.com/SergJa/jsonhash v0.0.0-20210531165746-fc45f346aa74 // indirect
 github.com/acobaugh/osrelease v0.1.0 // indirect
 github.com/anchore/go-logger v0.0.0-20250318195838-07ae343dd722 // indirect
- github.com/anchore/packageurl-go v0.1.1-0.20241018175412-5c22e6360c4f // indirect
- github.com/anchore/stereoscope v0.0.11 // indirect
- github.com/anchore/syft v1.18.1 // indirect
+ github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115 // indirect
+ github.com/anchore/stereoscope v0.1.9-0.20250826202322-ef061ea78385 // indirect
+ github.com/anchore/syft v1.32.0 // indirect
 github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 github.com/armosec/armoapi-go v0.0.605 // indirect
 github.com/armosec/gojay v1.2.17 // indirect
@@ -34,16 +33,17 @@ require (
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 github.com/becheran/wildmatch-go v1.0.0 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
+ github.com/blang/semver v3.5.1+incompatible // indirect
 github.com/blang/semver/v4 v4.0.0 // indirect
- github.com/bmatcuk/doublestar/v4 v4.7.1 // indirect
+ github.com/bmatcuk/doublestar/v4 v4.9.1 // indirect
 github.com/briandowns/spinner v1.23.2 // indirect
 github.com/cenkalti/backoff/v4 v4.3.0 // indirect
- github.com/cenkalti/backoff/v5 v5.0.2 // indirect
+ github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
 github.com/cilium/cilium v1.16.9 // indirect
- github.com/cilium/ebpf v0.18.0 // indirect
+ github.com/cilium/ebpf v0.19.1-0.20250729164112-d994daa25101 // indirect
 github.com/containerd/cgroups/v3 v3.0.5 // indirect
- github.com/containerd/containerd v1.7.27 // indirect
+ github.com/containerd/containerd v1.7.28 // indirect
 github.com/containerd/containerd/api v1.8.0 // indirect
 github.com/containerd/continuity v0.4.4 // indirect
 github.com/containerd/errdefs v1.0.0 // indirect
@@ -53,32 +53,33 @@ require (
 github.com/containerd/platforms v0.2.1 // indirect
 github.com/containerd/ttrpc v1.2.7 // indirect
 github.com/containerd/typeurl/v2 v2.2.3 // indirect
- github.com/containers/common v0.63.0 // indirect
+ github.com/containers/common v0.64.2 // indirect
 github.com/coreos/go-oidc/v3 v3.14.1 // indirect
- github.com/coreos/go-systemd/v22 v22.5.0 // indirect
+ github.com/coreos/go-systemd/v22 v22.6.0 // indirect
 github.com/crewjam/rfc5424 v0.1.0 // indirect
- github.com/cyphar/filepath-securejoin v0.4.1 // indirect
+ github.com/cyphar/filepath-securejoin v0.5.0 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 github.com/deckarep/golang-set/v2 v2.7.0 // indirect
 github.com/dghubble/trie v0.1.0 // indirect
 github.com/distribution/reference v0.6.0 // indirect
- github.com/docker/cli v28.2.1+incompatible // indirect
- github.com/docker/docker v28.3.3+incompatible // indirect
+ github.com/docker/cli v28.5.1+incompatible // indirect
+ github.com/docker/docker v28.5.1+incompatible // indirect
 github.com/docker/docker-credential-helpers v0.9.3 // indirect
- github.com/docker/go-connections v0.5.0 // indirect
+ github.com/docker/go-connections v0.6.0 // indirect
 github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 github.com/docker/go-units v0.5.0 // indirect
 github.com/dustin/go-humanize v1.0.1 // indirect
- github.com/emicklei/go-restful/v3 v3.12.1 // indirect
+ github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 github.com/facebookincubator/nvdtools v0.1.5 // indirect
 github.com/fatih/color v1.18.0 // indirect
 github.com/felixge/httpsnoop v1.0.4 // indirect
 github.com/francoispqt/gojay v1.2.13 // indirect
 github.com/fsnotify/fsnotify v1.9.0 // indirect
- github.com/fxamacker/cbor/v2 v2.8.0 // indirect
- github.com/gabriel-vasile/mimetype v1.4.7 // indirect
- github.com/github/go-spdx/v2 v2.3.2 // indirect
- github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+ github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+ github.com/gabriel-vasile/mimetype v1.4.9 // indirect
+ github.com/github/go-spdx/v2 v2.3.3 // indirect
+ github.com/go-errors/errors v1.5.1 // indirect
+ github.com/go-jose/go-jose/v4 v4.1.2 // indirect
 github.com/go-logr/logr v1.4.3 // indirect
 github.com/go-logr/stdr v1.2.2 // indirect
 github.com/go-openapi/analysis v0.23.0 // indirect
@@ -91,17 +92,21 @@ require (
 github.com/go-openapi/strfmt v0.23.0 // indirect
 github.com/go-openapi/swag v0.23.1 // indirect
 github.com/go-openapi/validate v0.24.0 // indirect
- github.com/go-viper/mapstructure/v2 v2.3.0 // indirect
+ github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 github.com/godbus/dbus/v5 v5.1.0 // indirect
- github.com/gofrs/flock v0.12.1 // indirect
+ github.com/gofrs/flock v0.13.0 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
+ github.com/gohugoio/hashstructure v0.5.0 // indirect
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
- github.com/google/cel-go v0.23.2 // indirect
- github.com/google/gnostic-models v0.6.9 // indirect
+ github.com/google/btree v1.1.3 // indirect
+ github.com/google/cel-go v0.26.0 // indirect
+ github.com/google/gnostic-models v0.7.0 // indirect
 github.com/google/go-cmp v0.7.0 // indirect
- github.com/google/go-containerregistry v0.20.3 // indirect
+ github.com/google/go-containerregistry v0.20.6 // indirect
+ github.com/google/licensecheck v0.3.1 // indirect
 github.com/google/uuid v1.6.0 // indirect
- github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect
+ github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
+ github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect
 github.com/hashicorp/errwrap v1.1.0 // indirect
 github.com/hashicorp/go-multierror v1.1.1 // indirect
 github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
@@ -113,24 +118,26 @@ require (
 github.com/json-iterator/go v1.1.12 // indirect
 github.com/klauspost/compress v1.18.0 // indirect
 github.com/kubescape/go-logger v0.0.24 // indirect
- github.com/kubescape/k8s-interface v0.0.198 // indirect
+ github.com/kubescape/k8s-interface v0.0.199 // indirect
+ github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 github.com/mackerelio/go-osstat v0.2.5 // indirect
 github.com/mailru/easyjson v0.9.0 // indirect
 github.com/mattn/go-colorable v0.1.14 // indirect
 github.com/mattn/go-isatty v0.0.20 // indirect
 github.com/mitchellh/go-homedir v1.1.0 // indirect
- github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
 github.com/mitchellh/mapstructure v1.5.0 // indirect
 github.com/moby/docker-image-spec v1.3.1 // indirect
 github.com/moby/locker v1.0.1 // indirect
- github.com/moby/moby v28.2.1+incompatible // indirect
+ github.com/moby/moby v28.5.1+incompatible // indirect
 github.com/moby/sys/mountinfo v0.7.2 // indirect
 github.com/moby/sys/sequential v0.6.0 // indirect
 github.com/moby/sys/signal v0.7.0 // indirect
 github.com/moby/sys/user v0.4.0 // indirect
 github.com/moby/sys/userns v0.1.0 // indirect
+ github.com/moby/term v0.5.2 // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
- github.com/modern-go/reflect2 v1.0.2 // indirect
+ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
+ github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 github.com/ncruces/go-strftime v0.1.9 // indirect
 github.com/ncw/directio v1.0.5 // indirect
@@ -141,37 +148,38 @@ require (
 github.com/opencontainers/runtime-spec v1.2.1 // indirect
 github.com/opencontainers/selinux v1.12.0 // indirect
 github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
- github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+ github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+ github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 github.com/petermattis/goid v0.0.0-20241211131331-93ee7e083c43 // indirect
 github.com/picatz/xcel v0.0.0-20250816143731-885b5f678a12 // indirect
 github.com/pierrec/lz4/v4 v4.1.22 // indirect
 github.com/pkg/errors v0.9.1 // indirect
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 github.com/prometheus/alertmanager v0.27.0 // indirect
- github.com/prometheus/client_golang v1.22.0 // indirect
+ github.com/prometheus/client_golang v1.23.2 // indirect
 github.com/prometheus/client_model v0.6.2 // indirect
- github.com/prometheus/common v0.64.0 // indirect
- github.com/prometheus/procfs v0.16.1 // indirect
+ github.com/prometheus/common v0.66.1 // indirect
+ github.com/prometheus/procfs v0.17.0 // indirect
 github.com/puzpuzpuz/xsync/v2 v2.4.1 // indirect
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 github.com/s3rj1k/go-fanotify/fanotify v0.0.0-20240229202106-bca3154da60a // indirect
- github.com/sagikazarmark/locafero v0.7.0 // indirect
+ github.com/sagikazarmark/locafero v0.11.0 // indirect
 github.com/sasha-s/go-deadlock v0.3.5 // indirect
 github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e // indirect
- github.com/seccomp/libseccomp-golang v0.10.0 // indirect
- github.com/sirupsen/logrus v1.9.3 // indirect
- github.com/sourcegraph/conc v0.3.0 // indirect
- github.com/spf13/afero v1.12.0 // indirect
- github.com/spf13/cast v1.7.1 // indirect
- github.com/spf13/cobra v1.9.1 // indirect
- github.com/spf13/pflag v1.0.6 // indirect
- github.com/spf13/viper v1.20.1 // indirect
+ github.com/seccomp/libseccomp-golang v0.11.0 // indirect
+ github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
+ github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
+ github.com/spf13/afero v1.15.0 // indirect
+ github.com/spf13/cast v1.10.0 // indirect
+ github.com/spf13/cobra v1.10.1 // indirect
+ github.com/spf13/pflag v1.0.10 // indirect
+ github.com/spf13/viper v1.21.0 // indirect
 github.com/stoewer/go-strcase v1.3.0 // indirect
 github.com/stripe/stripe-go/v74 v74.30.0 // indirect
 github.com/subosito/gotenv v1.6.0 // indirect
- github.com/sylabs/squashfs v1.0.4 // indirect
+ github.com/sylabs/squashfs v1.0.6 // indirect
 github.com/therootcompany/xz v1.0.1 // indirect
- github.com/ulikunitz/xz v0.5.12 // indirect
+ github.com/ulikunitz/xz v0.5.15 // indirect
 github.com/uptrace/opentelemetry-go-extra/otelutil v0.3.2 // indirect
 github.com/uptrace/opentelemetry-go-extra/otelzap v0.3.2 // indirect
 github.com/uptrace/uptrace-go v1.35.1 // indirect
@@ -180,72 +188,72 @@ require (
 github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651 // indirect
 github.com/wagoodman/go-progress v0.0.0-20230925121702-07e42b3cdba0 // indirect
 github.com/x448/float16 v0.8.4 // indirect
+ github.com/xlab/treeprint v1.2.0 // indirect
 github.com/yl2chen/cidranger v1.0.2 // indirect
 go.mongodb.org/mongo-driver v1.17.1 // indirect
 go.opencensus.io v0.24.0 // indirect
 go.opentelemetry.io/auto/sdk v1.1.0 // indirect
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect
- go.opentelemetry.io/contrib/instrumentation/runtime v0.61.0 // indirect
- go.opentelemetry.io/otel v1.36.0 // indirect
+ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+ go.opentelemetry.io/contrib/instrumentation/runtime v0.63.0 // indirect
+ go.opentelemetry.io/otel v1.38.0 // indirect
 go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.11.0 // indirect
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.35.0 // indirect
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // indirect
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 // indirect
 go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.35.0 // indirect
- go.opentelemetry.io/otel/log v0.12.2 // indirect
- go.opentelemetry.io/otel/metric v1.36.0 // indirect
- go.opentelemetry.io/otel/sdk v1.36.0 // indirect
- go.opentelemetry.io/otel/sdk/log v0.12.2 // indirect
- go.opentelemetry.io/otel/sdk/metric v1.36.0 // indirect
- go.opentelemetry.io/otel/trace v1.36.0 // indirect
- go.opentelemetry.io/proto/otlp v1.6.0 // indirect
+ go.opentelemetry.io/otel/log v0.14.0 // indirect
+ go.opentelemetry.io/otel/metric v1.38.0 // indirect
+ go.opentelemetry.io/otel/sdk v1.38.0 // indirect
+ go.opentelemetry.io/otel/sdk/log v0.14.0 // indirect
+ go.opentelemetry.io/otel/sdk/metric v1.38.0 // indirect
+ go.opentelemetry.io/otel/trace v1.38.0 // indirect
+ go.opentelemetry.io/proto/otlp v1.7.1 // indirect
 go.uber.org/multierr v1.11.0 // indirect
 go.uber.org/zap v1.27.0 // indirect
+ go.yaml.in/yaml/v2 v2.4.2 // indirect
+ go.yaml.in/yaml/v3 v3.0.4 // indirect
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
- golang.org/x/crypto v0.38.0 // indirect
- golang.org/x/exp v0.0.0-20250103183323-7d7fa50e5329 // indirect
- golang.org/x/net v0.40.0 // indirect
+ golang.org/x/crypto v0.43.0 // indirect
+ golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
+ golang.org/x/net v0.46.0 // indirect
 golang.org/x/oauth2 v0.30.0 // indirect
- golang.org/x/sync v0.14.0 // indirect
- golang.org/x/sys v0.33.0 // indirect
- golang.org/x/term v0.32.0 // indirect
- golang.org/x/text v0.25.0 // indirect
- golang.org/x/time v0.11.0 // indirect
+ golang.org/x/sync v0.17.0 // indirect
+ golang.org/x/sys v0.37.0 // indirect
+ golang.org/x/term v0.36.0 // indirect
+ golang.org/x/text v0.30.0 // indirect
+ golang.org/x/time v0.14.0 // indirect
 google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 // indirect
- google.golang.org/grpc v1.72.2 // indirect
- google.golang.org/protobuf v1.36.6 // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 // indirect
+ google.golang.org/grpc v1.76.0 // indirect
+ google.golang.org/protobuf v1.36.10 // indirect
 gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 istio.io/pkg v0.0.0-20231221211216-7635388a563e // indirect
- k8s.io/apiextensions-apiserver v0.33.1 // indirect
- k8s.io/apimachinery v0.33.3 // indirect
- k8s.io/apiserver v0.33.1 // indirect
- k8s.io/client-go v0.33.1 // indirect
- k8s.io/component-base v0.33.1 // indirect
- k8s.io/cri-api v0.33.1 // indirect
+ k8s.io/apiextensions-apiserver v0.34.1 // indirect
+ k8s.io/apimachinery v0.34.1 // indirect
+ k8s.io/apiserver v0.34.1 // indirect
+ k8s.io/cli-runtime v0.34.1 // indirect
+ k8s.io/client-go v0.34.1 // indirect
+ k8s.io/component-base v0.34.1 // indirect
+ k8s.io/cri-api v0.34.1 // indirect
 k8s.io/klog/v2 v2.130.1 // indirect
- k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
- k8s.io/kubelet v0.33.1 // indirect
- k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e // indirect
- modernc.org/libc v1.55.3 // indirect
- modernc.org/mathutil v1.6.0 // indirect
- modernc.org/memory v1.8.0 // indirect
- modernc.org/sqlite v1.34.2 // indirect
+ k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
+ k8s.io/kubelet v0.34.1 // indirect
+ k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
+ modernc.org/libc v1.66.3 // indirect
+ modernc.org/mathutil v1.7.1 // indirect
+ modernc.org/memory v1.11.0 // indirect
+ modernc.org/sqlite v1.38.2 // indirect
 oras.land/oras-go/v2 v2.6.0 // indirect
 sigs.k8s.io/controller-runtime v0.21.0 // indirect
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+ sigs.k8s.io/kustomize/api v0.20.1 // indirect
+ sigs.k8s.io/kustomize/kyaml v0.20.1 // indirect
 sigs.k8s.io/randfill v1.0.0 // indirect
- sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
- sigs.k8s.io/yaml v1.4.0 // indirect
+ sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
+ sigs.k8s.io/yaml v1.6.0 // indirect
 zombiezen.com/go/sqlite v1.4.0 // indirect
 )
-replace github.com/vishvananda/netns => github.com/inspektor-gadget/netns v0.0.5-0.20230524185006-155d84c555d6
-
-replace github.com/mholt/archiver/v3 v3.5.1 => github.com/anchore/archiver/v3 v3.5.2
-
-replace github.com/inspektor-gadget/inspektor-gadget => github.com/amirmalka/inspektor-gadget v0.40.1-0.20250814111737-3a58864c8d86
-
-replace github.com/picatz/xcel => github.com/matthyx/xcel v0.0.0-20250820140400-f8fabef4e2af
+replace github.com/inspektor-gadget/inspektor-gadget => github.com/matthyx/inspektor-gadget v0.0.0-20251028120806-bb895db89083
diff --git a/go.sum b/go.sum
index c24bf79..060687f 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,5 @@
-cel.dev/expr v0.20.0 h1:OunBvVCfvpWlt4dN7zg3FM6TDkzOePe1+foGJ9AXeeI=
-cel.dev/expr v0.20.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw=
+cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY=
+cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.31.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
@@ -49,8 +49,8 @@ cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0Zeo
 cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
-dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
-dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
+dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
 dmitri.shuralyov.com/app/changes v0.0.0-20180602232624-0a106ad413e3/go.mod h1:Yl+fi1br7+Rr3LqpNJf1/uxUdtRUV+Tnj0o93V2B9MU=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 dmitri.shuralyov.com/html/belt v0.0.0-20180602232347-f7d459c86be0/go.mod h1:JLBrvjyP0v+ecvNYvCpyZgu5/xkfAUhi6wJj28eUfSU=
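Review bot: The new `replace` directive at the end of the go.mod hunk points `github.com/inspektor-gadget/inspektor-gadget` at a personal fork, `github.com/matthyx/inspektor-gadget`, at a pseudo-version, while the `require` block in the first go.mod hunk still names the upstream module, and nothing in the file says why the fork is needed or when it can be removed. Every build now trusts code under an individual account instead of the upstream project, so the reason belongs next to the directive, e.g. `// TODO: drop once <UPSTREAM_PR> is merged; fork carries <CHANGE>` with the placeholders filled in, so a later maintainer can verify the fork diff and retire it. Removing the previous forks for netns, archiver and xcel is a good step in the same direction.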
@@ -69,8 +69,8 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/Microsoft/hcsshim v0.12.9 h1:2zJy5KA+l0loz1HzEGqyNnjd3fyZA31ZBCGKacp6lLg=
-github.com/Microsoft/hcsshim v0.12.9/go.mod h1:fJ0gkFAna6ukt0bLdKB8djt4XIJhF/vEPuoIWYVvZ8Y=
+github.com/Microsoft/hcsshim v0.13.0 h1:/BcXOiS6Qi7N9XqUcv27vkIuVOkBEcWstd2pMlWSeaA=
+github.com/Microsoft/hcsshim v0.13.0/go.mod h1:9KWJ/8DgU+QzYGupX4tzMhRQE8h6w90lH6HAaclpEok=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/SergJa/jsonhash v0.0.0-20210531165746-fc45f346aa74 h1:zZX7V5abnOB0VTEFnwYxwbuot0GCZUjQZQpjHKnG1Kk=
 github.com/SergJa/jsonhash v0.0.0-20210531165746-fc45f346aa74/go.mod h1:GE9lvSMBrKhFDkoh660mCThn1v7/jfb1r0Z+DpUX4zQ=
@@ -82,22 +82,20 @@ github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuy
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/amirmalka/inspektor-gadget v0.40.1-0.20250814111737-3a58864c8d86 h1:cLzA/pqfFQdzmI9hnR2W5gMUUMPiP3MXS/bwTFNz6wo=
-github.com/amirmalka/inspektor-gadget v0.40.1-0.20250814111737-3a58864c8d86/go.mod h1:W6tNNRa3QDFdrknnOnavk+HD8FI/XUGY6tY6PSonhAk=
-github.com/anchore/clio v0.0.0-20241115144204-29e89f9fa837 h1:bIG3WsfosZsJ5LMC7PB9J/ekFM3a0j0ZEDvN3ID6GTI=
-github.com/anchore/clio v0.0.0-20241115144204-29e89f9fa837/go.mod h1:tRQVKkjYeejrh9AdM0s1esbwtMU7rdHAHSQWkv4qskE=
+github.com/anchore/clio v0.0.0-20250319180342-2cfe4b0cb716 h1:2sIdYJlQESEnyk3Y0WD2vXWW5eD2iMz9Ev8fj1Z8LNA=
+github.com/anchore/clio v0.0.0-20250319180342-2cfe4b0cb716/go.mod h1:Utb9i4kwiCWvqAIxZaJeMIXFO9uOgQXlvH2BfbfO/zI=
 github.com/anchore/fangs v0.0.0-20250402135612-96e29e45f3fe h1:qv/xxpjF5RdKPqZjx8RM0aBi3HUCAO0DhRBMs2xhY1I=
 github.com/anchore/fangs v0.0.0-20250402135612-96e29e45f3fe/go.mod h1:vrcYMDps9YXwwx2a9AsvipM6Fi5H9//9bymGb8G8BIQ=
 github.com/anchore/go-homedir v0.0.0-20250319154043-c29668562e4d h1:gT69osH9AsdpOfqxbRwtxcNnSZ1zg4aKy2BevO3ZBdc=
 github.com/anchore/go-homedir v0.0.0-20250319154043-c29668562e4d/go.mod h1:PhSnuFYknwPZkOWKB1jXBNToChBA+l0FjwOxtViIc50=
 github.com/anchore/go-logger v0.0.0-20250318195838-07ae343dd722 h1:2SqmFgE7h+Ql4VyBzhjLkRF/3gDrcpUBj8LjvvO6OOM=
 github.com/anchore/go-logger v0.0.0-20250318195838-07ae343dd722/go.mod h1:oFuE8YuTCM+spgMXhePGzk3asS94yO9biUfDzVTFqNw=
-github.com/anchore/packageurl-go v0.1.1-0.20241018175412-5c22e6360c4f h1:dAQPIrQ3a5PBqZeZ+B9NGZsGmodk4NO9OjDIsQmQyQM=
-github.com/anchore/packageurl-go v0.1.1-0.20241018175412-5c22e6360c4f/go.mod h1:KoYIv7tdP5+CC9VGkeZV4/vGCKsY55VvoG+5dadg4YI=
-github.com/anchore/stereoscope v0.0.11 h1:d+dePyWyQzoQehnWOnx/aISW5HW1zLAQKzvaFIpydsU=
-github.com/anchore/stereoscope v0.0.11/go.mod h1:dxQyMHSdvgOCscQd/lInPHeP5xCJsZYxpzvzy8Y804Y=
-github.com/anchore/syft v1.18.1 h1:JZ7CLbeWrWolCZa4f6SJBLJ9qGBLFCzHrFd8c4bsm94=
-github.com/anchore/syft v1.18.1/go.mod h1:ufXPZcjmoTjERaC0HTEW2+chF+fQdryhaQ9arcUO2WQ=
+github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115 h1:ZyRCmiEjnoGJZ1+Ah0ZZ/mKKqNhGcUZBl0s7PTTDzvY=
+github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115/go.mod h1:KoYIv7tdP5+CC9VGkeZV4/vGCKsY55VvoG+5dadg4YI=
+github.com/anchore/stereoscope v0.1.9-0.20250826202322-ef061ea78385 h1:icCqbvAKGZXf29lEi8JmwvHVCBCYkiyZMuSnk+5ajYo=
+github.com/anchore/stereoscope v0.1.9-0.20250826202322-ef061ea78385/go.mod h1:0UCjLz5MdPNiH9F0h2tSNf3yGF6/MnK8ZCPo0YfDQVc=
+github.com/anchore/syft v1.32.0 h1:JcX9W+P/Xjv5DNg3TNBtwiEyZommuTaP16/NC9r0Yfo=
+github.com/anchore/syft v1.32.0/go.mod h1:E6Kd4iBM2ljUOUQvSt7hVK6vBwaHkMXwcvBZmGMSY5o=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
@@ -125,18 +123,20 @@ github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+Ce
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
+github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
+github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
-github.com/bmatcuk/doublestar/v4 v4.7.1 h1:fdDeAqgT47acgwd9bd9HxJRDmc9UAmPpc+2m0CXv75Q=
-github.com/bmatcuk/doublestar/v4 v4.7.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
+github.com/bmatcuk/doublestar/v4 v4.9.1 h1:X8jg9rRZmJd4yRy7ZeNDRnM+T3ZfHv15JiBJ/avrEXE=
+github.com/bmatcuk/doublestar/v4 v4.9.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
 github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g=
 github.com/briandowns/spinner v1.23.2 h1:Zc6ecUnI+YzLmJniCfDNaMbW0Wid1d5+qcTq4L2FW8w=
 github.com/briandowns/spinner v1.23.2/go.mod h1:LaZeM4wm2Ywy6vO571mvhQNRcWfRUnXOs0RcKV0wYKM=
 github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/cenkalti/backoff/v5 v5.0.2 h1:rIfFVxEf1QsI7E1ZHfp/B4DF/6QBAUhmgkxc0H7Zss8=
-github.com/cenkalti/backoff/v5 v5.0.2/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
+github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
+github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
@@ -149,8 +149,8 @@ github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5P
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/cilium/cilium v1.16.9 h1:0XqIanSHGiUULererLG085oRo2vNuD8nfJo90B9bSkA=
 github.com/cilium/cilium v1.16.9/go.mod h1:QGhCRVwVoxVrFk4/L4yIJt/uiRt1vixCNWiXNG+rypE=
-github.com/cilium/ebpf v0.18.0 h1:OsSwqS4y+gQHxaKgg2U/+Fev834kdnsQbtzRnbVC6Gs=
-github.com/cilium/ebpf v0.18.0/go.mod h1:vmsAT73y4lW2b4peE+qcOqw6MxvWQdC+LiU5gd/xyo4=
+github.com/cilium/ebpf v0.19.1-0.20250729164112-d994daa25101 h1:DWbiRLIoIjcHMZ3jXcEYIzMjXPHcSmO6ipjOk+mGDBA=
+github.com/cilium/ebpf v0.19.1-0.20250729164112-d994daa25101/go.mod h1:fLCgMo3l8tZmAdM3B2XqdFzXBpwkcSTroaVqN08OWVY=
 github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag=
 github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
@@ -166,8 +166,8 @@ github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/containerd/cgroups/v3 v3.0.5 h1:44na7Ud+VwyE7LIoJ8JTNQOa549a8543BmzaJHo6Bzo=
 github.com/containerd/cgroups/v3 v3.0.5/go.mod h1:SA5DLYnXO8pTGYiAHXz94qvLQTKfVM5GEVisn4jpins=
-github.com/containerd/containerd v1.7.27 h1:yFyEyojddO3MIGVER2xJLWoCIn+Up4GaHFquP7hsFII=
-github.com/containerd/containerd v1.7.27/go.mod h1:xZmPnl75Vc+BLGt4MIfu6bp+fy03gdHAn9bz+FreFR0=
+github.com/containerd/containerd v1.7.28 h1:Nsgm1AtcmEh4AHAJ4gGlNSaKgXiNccU270Dnf81FQ3c=
+github.com/containerd/containerd v1.7.28/go.mod h1:azUkWcOvHrWvaiUjSQH0fjzuHIwSPg1WL5PshGP4Szs=
 github.com/containerd/containerd/api v1.8.0 h1:hVTNJKR8fMc/2Tiw60ZRijntNMd1U+JVMyTRdsD2bS0=
 github.com/containerd/containerd/api v1.8.0/go.mod h1:dFv4lt6S20wTu/hMcP4350RL87qPWLVa/OHOwmmdnYc=
 github.com/containerd/continuity v0.4.4 h1:/fNVfTJ7wIl/YPMHjf+5H32uFhl63JucB34PlCpMKII=
@@ -186,21 +186,23 @@ github.com/containerd/ttrpc v1.2.7 h1:qIrroQvuOL9HQ1X6KHe2ohc7p+HP/0VE6XPU7elJRq github.com/containerd/ttrpc v1.2.7/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o= github.com/containerd/typeurl/v2 v2.2.3 h1:yNA/94zxWdvYACdYO8zofhrTVuQY73fFU1y++dYSw40= github.com/containerd/typeurl/v2 v2.2.3/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsxGtUBhJxIn7SCk= -github.com/containers/common v0.63.0 h1:ox6vgUYX5TSvt4W+bE36sYBVz/aXMAfRGVAgvknSjBg= -github.com/containers/common v0.63.0/go.mod h1:+3GCotSqNdIqM3sPs152VvW7m5+Mg8Kk+PExT3G9hZw= +github.com/containers/common v0.64.2 h1:1xepE7QwQggUXxmyQ1Dbh6Cn0yd7ktk14sN3McSWf5I= +github.com/containers/common v0.64.2/go.mod h1:o29GfYy4tefUuShm8mOn2AiL5Mpzdio+viHI7n24KJ4= github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk= github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-systemd v0.0.0-20181012123002-c6f51f82210d/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= -github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= -github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= +github.com/coreos/go-systemd/v22 v22.6.0 h1:aGVa/v8B7hpb0TKl0MWoAavPDmHvobFe5R5zn0bCJWo= +github.com/coreos/go-systemd/v22 v22.6.0/go.mod h1:iG+pp635Fo7ZmV/j14KUcmEyWF+0X7Lua8rrTWzYgWU= github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= +github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s= +github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE= github.com/crewjam/rfc5424 v0.1.0 
h1:MSeXJm22oKovLzWj44AHwaItjIMUMugYGkEzfa831H8= github.com/crewjam/rfc5424 v0.1.0/go.mod h1:RCi9M3xHVOeerf6ULZzqv2xOGRO/zYaVUeRyPnBW3gQ= -github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s= -github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI= +github.com/cyphar/filepath-securejoin v0.5.0 h1:hIAhkRBMQ8nIeuVwcAoymp7MY4oherZdAxD+m0u9zaw= +github.com/cyphar/filepath-securejoin v0.5.0/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= 
@@ -212,14 +214,14 @@ github.com/dghubble/trie v0.1.0/go.mod h1:sOmnzfBNH7H92ow2292dDFWNsVQuh/izuD7otC github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1/go.mod h1:+hnT3ywWDTAFrW5aE+u2Sa/wT555ZqwoCS+pk3p6ry4= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v28.2.1+incompatible h1:AYyTcuwvhl9dXdyCiXlOGXiIqSNYzTmaDNpxIISPGsM= -github.com/docker/cli v28.2.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= -github.com/docker/docker v28.3.3+incompatible h1:Dypm25kh4rmk49v1eiVbsAtpAsYURjYkaKubwuBdxEI= -github.com/docker/docker v28.3.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/cli v28.5.1+incompatible h1:ESutzBALAD6qyCLqbQSEf1a/U8Ybms5agw59yGVc+yY= +github.com/docker/cli v28.5.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/docker v28.5.1+incompatible h1:Bm8DchhSD2J6PsFzxC35TZo4TLGR2PdW/E69rU45NhM= +github.com/docker/docker v28.5.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.9.3 h1:gAm/VtF9wgqJMoxzT3Gj5p4AqIjCBS4wrsOh9yRqcz8= github.com/docker/docker-credential-helpers v0.9.3/go.mod h1:x+4Gbw9aGmChi3qTLZj8Dfn0TD20M/fuWy0E5+WDeCo= -github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= -github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc= +github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94= +github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE= github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ+oDZB4KHQFypsfjYlq/C4rfL7D3g8= github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA= github.com/docker/go-units 
v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= @@ -227,8 +229,8 @@ github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDD github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= -github.com/emicklei/go-restful/v3 v3.12.1 h1:PJMDIM/ak7btuL8Ex0iYET9hxM3CI2sjZtzpL63nKAU= -github.com/emicklei/go-restful/v3 v3.12.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU= +github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= 
@@ -250,8 +252,8 @@ github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM= github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU= github.com/fatih/set v0.2.1 h1:nn2CaJyknWE/6txyUDGwysr3G5QC6xWB/PtVjPBbeaA= github.com/fatih/set v0.2.1/go.mod h1:+RKtMCH+favT2+3YecHGxcc0b4KyVWA1QWWJUs4E0CI= -github.com/felixge/fgprof v0.9.4 h1:ocDNwMFlnA0NU0zSB3I52xkO4sFXk80VK9lXjLClu88= -github.com/felixge/fgprof v0.9.4/go.mod h1:yKl+ERSa++RYOs32d8K6WEXCB4uXdLls4ZaZPpayhMM= +github.com/felixge/fgprof v0.9.5 h1:8+vR6yu2vvSKn08urWyEuxx75NWPEvybbkBirEpsbVY= +github.com/felixge/fgprof v0.9.5/go.mod h1:yKl+ERSa++RYOs32d8K6WEXCB4uXdLls4ZaZPpayhMM= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc= 
@@ -263,20 +265,22 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU= github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k= github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= -github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vtxU= -github.com/fxamacker/cbor/v2 v2.8.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= -github.com/gabriel-vasile/mimetype v1.4.7 h1:SKFKl7kD0RiPdbht0s7hFtjl489WcQ1VyPW8ZzUMYCA= -github.com/gabriel-vasile/mimetype v1.4.7/go.mod h1:GDlAgAyIRT27BhFl53XNAFtfjzOkLaF35JdEG0P7LtU= +github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM= +github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= +github.com/gabriel-vasile/mimetype v1.4.9 h1:5k+WDwEsD9eTLL8Tz3L0VnmVh9QxGjRmjBvAG7U/oYY= +github.com/gabriel-vasile/mimetype v1.4.9/go.mod h1:WnSQhFKJuBlRyLiKohA/2DtIlPFAbguNaG7QCHcyGok= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/github/go-spdx/v2 v2.3.2 h1:IfdyNHTqzs4zAJjXdVQfRnxt1XMfycXoHBE2Vsm1bjs= -github.com/github/go-spdx/v2 v2.3.2/go.mod h1:2ZxKsOhvBp+OYBDlsGnUMcchLeo2mrpEBn2L1C+U3IQ= +github.com/github/go-spdx/v2 v2.3.3 h1:QI7evnHWEfWkT54eJwkoV/f3a0xD3gLlnVmT5wQG6LE= +github.com/github/go-spdx/v2 v2.3.3/go.mod h1:2ZxKsOhvBp+OYBDlsGnUMcchLeo2mrpEBn2L1C+U3IQ= github.com/gliderlabs/ssh v0.1.1/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0= github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk= +github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod 
h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE= -github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA= +github.com/go-jose/go-jose/v4 v4.1.2 h1:TK/7NqRQZfgAh+Td8AlsrvtPoUyiHh0LqVvokh+1vHI= +github.com/go-jose/go-jose/v4 v4.1.2/go.mod h1:22cg9HWM1pOlnRiY+9cQYJ9XHmya1bYW8OeDM6Ku6Oo= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= 
@@ -316,17 +320,19 @@ github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1v github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U= github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= -github.com/go-viper/mapstructure/v2 v2.3.0 h1:27XbWsHIqhbdR5TIC911OfYvgSaW93HM+dX7970Q7jk= -github.com/go-viper/mapstructure/v2 v2.3.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= +github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs= +github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/gofrs/flock v0.7.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= -github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E= -github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0= +github.com/gofrs/flock v0.13.0 h1:95JolYOvGMqeH31+FC7D2+uULf6mG61mEZ/A8dRYMzw= +github.com/gofrs/flock v0.13.0/go.mod h1:jxeyy9R1auM5S6JYDBhDt+E2TCo7DkratH4Pgi8P+Z0= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/gohugoio/hashstructure v0.5.0 h1:G2fjSBU36RdwEJBWJ+919ERvOVqAg9tfcYp47K9swqg= +github.com/gohugoio/hashstructure v0.5.0/go.mod h1:Ser0TniXuu/eauYmrwM4o64EBvySxNzITEOLlm4igec= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= 
github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= @@ -366,10 +372,12 @@ github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/cel-go v0.23.2 h1:UdEe3CvQh3Nv+E/j9r1Y//WO0K0cSyD7/y0bzyLIMI4= -github.com/google/cel-go v0.23.2/go.mod h1:52Pb6QsDbC5kvgxvZhiL9QX1oZEkcUF/ZqaPx1J5Wwo= -github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw= -github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw= +github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg= +github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= +github.com/google/cel-go v0.26.0 h1:DPGjXackMpJWH680oGY4lZhYjIameYmR+/6RBdDGmaI= +github.com/google/cel-go v0.26.0/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM= +github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo= +github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 
@@ -382,14 +390,15 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= -github.com/google/go-containerregistry v0.20.3 h1:oNx7IdTI936V8CQRveCjaxOiegWwvM7kqkbXTpyiovI= -github.com/google/go-containerregistry v0.20.3/go.mod h1:w00pIgBRDVUDFM6bq+Qx8lwNWK+cxgCuX1vd3PIBDNI= +github.com/google/go-containerregistry v0.20.6 h1:cvWX87UxxLgaH76b4hIvya6Dzz9qHB31qAwjAohdSTU= +github.com/google/go-containerregistry v0.20.6/go.mod h1:T0x8MuoAoKX/873bkeSfLD2FAkwCDf9/HZgsFJ02E2Y= github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ= github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/licensecheck v0.3.1 h1:QoxgoDkaeC4nFrtGN1jV7IPmDCHFNIVh54e5hSt6sPs= +github.com/google/licensecheck v0.3.1/go.mod h1:ORkR35t/JjW+emNKtfJDII0zlciG9JgbT7SmsohlHmY= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= 
@@ -427,10 +436,12 @@ github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORR github.com/goradd/maps v1.0.0 h1:21HC3xxKFk3p6BdQsELZXg/ByANMVYhCl0Mylzt0R38= github.com/goradd/maps v1.0.0/go.mod h1:O3i5k17BAjHa9h5dzGWWfRJizF03umiBDZsNSqFdbVA= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= +github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/grpc-ecosystem/grpc-gateway v1.5.0/go.mod h1:RSKVYQBd5MCa4OVpNdGskqpgL2+G+NZTnrVHpWWfpdw= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 h1:5ZPtiqj0JL5oKWmcsq4VMaAW5ukBEgSGXEN89zeH1Jo= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs= github.com/hashicorp/consul/api v1.11.0/go.mod h1:XjsvQN+RJGWI2TWy1/kqaE16HrR2J/FWgkYjdZQsX9M= github.com/hashicorp/consul/sdk v0.8.0/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -477,8 +488,6 @@ github.com/iceber/iouring-go v0.0.0-20230403020409-002cfd2e2a90/go.mod h1:LEzdaZ github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/inspektor-gadget/netns v0.0.5-0.20230524185006-155d84c555d6 h1:fQqkJ+WkYfzy6BoUh32fr9uYrXfOGtsfw0skMQkfOic= -github.com/inspektor-gadget/netns v0.0.5-0.20230524185006-155d84c555d6/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM= github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1/go.mod h1:E0B/fFc00Y+Rasa88328GlI/XbtyysCtTHZS8h7IrBU= github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8= github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg= 
@@ -518,14 +527,16 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/kubescape/go-logger v0.0.24 h1:JRNlblY16Ty7hD6MSYNPvWYDxNzVAufsDDX/sZJayL0= github.com/kubescape/go-logger v0.0.24/go.mod h1:sMPVCr3VpW/e+SeMaXig5kClGvmZbDXN8YktUeNU4nY= -github.com/kubescape/k8s-interface v0.0.198 h1:U7PNTyS9ZE9ZkSrLMclLO7Sz4grf/2CLbmpVT6Hc0nU= -github.com/kubescape/k8s-interface v0.0.198/go.mod h1:j9snZbH+RxOaa1yG/bWgTClj90q7To0rGgQepxy4b+k= -github.com/kubescape/node-agent v0.2.375-0.20250821110035-45cbc9a5224d h1:fZvFiCMvPEePqXIOT+ObFhzFpNiHcK3dUk9fUHwKu+s= -github.com/kubescape/node-agent v0.2.375-0.20250821110035-45cbc9a5224d/go.mod h1:H6WzTDUFx17++DhrZ+rvYG3kEUp+0KdFeFQDAnYbDXw= -github.com/kubescape/storage v0.0.200 h1:gLCPiAPxDii03Jo326Ye0qx1cXOAz6KH+A9B0WuL1CE= -github.com/kubescape/storage v0.0.200/go.mod h1:uv4LMQjcTYIn7bgyMFGc0UBZ3gxdl7MNixPSjALP08E= +github.com/kubescape/k8s-interface v0.0.199 h1:D+YBL69q1Dc2idus6jwd/vQcNhRoNZ6tE0m5Miz7TSg= +github.com/kubescape/k8s-interface v0.0.199/go.mod h1:j9snZbH+RxOaa1yG/bWgTClj90q7To0rGgQepxy4b+k= +github.com/kubescape/node-agent v0.2.387-0.20251028144632-fead4536b150 h1:XCb73kikqyISyBejN+FowkJ8L70zxDY9HsjpqWIhbuI= +github.com/kubescape/node-agent v0.2.387-0.20251028144632-fead4536b150/go.mod h1:203YhUZCSXmktqT/AdMcKJW9+KsncvE4Ybp7/GVt4ok= +github.com/kubescape/storage v0.0.221 h1:HLWnNokkKgKo9ka/p797fFQdsbzKxSXT5/RpUWrKWzI= +github.com/kubescape/storage v0.0.221/go.mod h1:L/fF3teor8cUj80TVujqy9E1rKsf+Dox2hZtkS1vjOU= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= +github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod 
h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= github.com/lunixbochs/vtclean v1.0.0/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI= github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc87/1qhoTACD8w= github.com/mackerelio/go-osstat v0.2.5 h1:+MqTbZUhoIt4m8qzkVoXUJg1EuifwlAJSk4Yl2GXh+o= @@ -534,8 +545,8 @@ github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPK github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4= github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU= -github.com/matthyx/xcel v0.0.0-20250820140400-f8fabef4e2af h1:rnyCjEsGq/kiMPFwuvj6o/09wgNXqUAAcft9g/2nJXw= -github.com/matthyx/xcel v0.0.0-20250820140400-f8fabef4e2af/go.mod h1:C07puiFpDU4BthRjPfwHYimZm9P072JH6qWAaqPVyQY= +github.com/matthyx/inspektor-gadget v0.0.0-20251028120806-bb895db89083 h1:WNhY6toOm/NckDM5/kFw9akvQ6Tc+CZxHA0RkfGlHcQ= +github.com/matthyx/inspektor-gadget v0.0.0-20251028120806-bb895db89083/go.mod h1:uIHgsbs5cwGdobCBjKNDWYQ63z7KNp6tWqLF3aiRerI= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= 
@@ -566,8 +577,6 @@ github.com/mitchellh/cli v1.1.0/go.mod h1:xcISNoH86gajksDmfB23e/pu+B+GeFRMYmoHXx github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= -github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4= -github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE= github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.4.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= 
@@ -577,10 +586,12 @@ github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3N github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= -github.com/moby/moby v28.2.1+incompatible h1:UYmHExYP8S0uGKDozhYw7RJ+LpANL51g4fa3qT0Q2GA= -github.com/moby/moby v28.2.1+incompatible/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc= +github.com/moby/moby v28.5.1+incompatible h1:JD8lBdCDBF2oiHWLqIRofPqI8qvkppRjMJ6EnwrhvX0= +github.com/moby/moby v28.5.1+incompatible/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc= github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw= github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs= +github.com/moby/sys/capability v0.4.0 h1:4D4mI6KlNtWMCM1Z/K0i7RV1FkX+DBDHKVJpCndZoHk= +github.com/moby/sys/capability v0.4.0/go.mod h1:4g9IK291rVkms3LKCDOoYlnV8xKwoDTpIrNEE35Wq0I= github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg= github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4= github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU= 
@@ -598,8 +609,11 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8= +github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0= +github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4= github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= 
@@ -627,8 +641,8 @@ github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJw github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M= github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU8lpJfSlR0xww= github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= -github.com/opencontainers/runtime-tools v0.9.1-0.20250303011046-260e151b8552 h1:CkXngT0nixZqQUPDVfwVs3GiuhfTqCMk0V+OoHpxIvA= -github.com/opencontainers/runtime-tools v0.9.1-0.20250303011046-260e151b8552/go.mod h1:T487Kf80NeF2i0OyVXHiylg217e0buz8pQsa0T791RA= +github.com/opencontainers/runtime-tools v0.9.1-0.20250523060157-0ea5ed0382a2 h1:2xZEHOdeQBV6PW8ZtimN863bIOl7OCW/X10K0cnxKeA= +github.com/opencontainers/runtime-tools v0.9.1-0.20250523060157-0ea5ed0382a2/go.mod h1:MXdPzqAA8pHC58USHqNCSjyLnRQ6D+NjbpP+02Z1U/0= github.com/opencontainers/selinux v1.12.0 h1:6n5JV4Cf+4y0KNXW48TLj5DwfXpvWlxXplUkdTrmPb8= github.com/opencontainers/selinux v1.12.0/go.mod h1:BTPX+bjVbWGXw7ZZWUbdENt8w0htPSrlgOOysQaU62U= github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b h1:FfH+VrHHk6Lxt9HdVS0PXzSXFyS2NbZKXv33FYPol0A= 
@@ -639,11 +653,15 @@ github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144T github.com/pborman/indent v1.2.1 h1:lFiviAbISHv3Rf0jcuh489bi06hj98JsVMtIDZQb9yM= github.com/pborman/indent v1.2.1/go.mod h1:FitS+t35kIYtB5xWTZAPhnmrxcciEEOdbyrrpz5K6Vw= github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= -github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M= -github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc= +github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4= +github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY= +github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= +github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/petermattis/goid v0.0.0-20240813172612-4fcff4a6cae7/go.mod h1:pxMtw7cyUw6B2bRH0ZBANSPg+AoSud1I1iyJHI69jH4= github.com/petermattis/goid v0.0.0-20241211131331-93ee7e083c43 h1:ah1dvbqPMN5+ocrg/ZSgZ6k8bOk+kcZQ7fnyx6UvOm4= github.com/petermattis/goid v0.0.0-20241211131331-93ee7e083c43/go.mod h1:pxMtw7cyUw6B2bRH0ZBANSPg+AoSud1I1iyJHI69jH4= +github.com/picatz/xcel v0.0.0-20250816143731-885b5f678a12 h1:RS7RxrC+OtnYpgI0li0NwvpE0cqYewsZGXUb6wAe0oQ= +github.com/picatz/xcel v0.0.0-20250816143731-885b5f678a12/go.mod h1:jxNaYyVlWe+WPV3G45KzlMLvplS3PQdHLUsFePIcaEg= github.com/pierrec/lz4/v4 v4.1.22 h1:cKFw6uJDK+/gfw5BcDL0JL5aBsAFdsIT18eRtLj7VIU= github.com/pierrec/lz4/v4 v4.1.22/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 
@@ -664,8 +682,8 @@ github.com/prometheus/client_golang v0.8.0/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU= -github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q= -github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0= +github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o= +github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= 
@@ -675,42 +693,42 @@ github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvM github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4= -github.com/prometheus/common v0.64.0 h1:pdZeA+g617P7oGv1CzdTzyeShxAGrTBsolKNOLQPGO4= -github.com/prometheus/common v0.64.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8= +github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs= +github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA= github.com/prometheus/procfs v0.0.0-20180725123919-05ee40e3a273/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A= -github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg= -github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is= +github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0= +github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw= github.com/puzpuzpuz/xsync/v2 v2.4.1 h1:aGdE1C/HaR/QC6YAFdtZXi60Df8/qBIrs8PKrzkItcM= github.com/puzpuzpuz/xsync/v2 v2.4.1/go.mod h1:gD2H2krq/w52MfPLE+Uy64TzJDVY7lP2znR9qmR35kU= github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE= github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo= github.com/rogpeppe/fastuuid v1.2.0/go.mod 
h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rogpeppe/go-internal v1.13.2-0.20241226121412-a5dc8ff20d0a h1:w3tdWGKbLGBPtR/8/oO74W6hmz0qE5q0z9aqSAewaaM= -github.com/rogpeppe/go-internal v1.13.2-0.20241226121412-a5dc8ff20d0a/go.mod h1:S8kfXMp+yh77OxPD4fdM6YUknrZpQxLhvxzS4gDHENY= +github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ= +github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/s3rj1k/go-fanotify/fanotify v0.0.0-20240229202106-bca3154da60a h1:4VFls9SuqkqeioVevnaeTXrYKQ7JiEsxqKHfxp+/ovA= github.com/s3rj1k/go-fanotify/fanotify v0.0.0-20240229202106-bca3154da60a/go.mod h1:2zG1g57bc+D6FpNc68gsRXJgkidteqTMhWiiUP3m8UE= github.com/sagikazarmark/crypt v0.3.0/go.mod h1:uD/D+6UF4SrIR1uGEv7bBNkNqLGqUr43MRiaGWX1Nig= -github.com/sagikazarmark/locafero v0.7.0 h1:5MqpDsTGNDhY8sGp0Aowyf0qKsPrhewaLSsFaodPcyo= -github.com/sagikazarmark/locafero v0.7.0/go.mod h1:2za3Cg5rMaTMoG/2Ulr9AwtFaIppKXTRYnozin4aB5k= +github.com/sagikazarmark/locafero v0.11.0 h1:1iurJgmM9G3PA/I+wWYIOw/5SyBtxapeHDcg+AAIFXc= +github.com/sagikazarmark/locafero v0.11.0/go.mod h1:nVIGvgyzw595SUSUE6tvCp3YYTeHs15MvlmU87WwIik= github.com/sasha-s/go-deadlock v0.3.5 h1:tNCOEEDG6tBqrNDOX35j/7hL5FcFViG6awUGROb2NsU= github.com/sasha-s/go-deadlock v0.3.5/go.mod h1:bugP6EGbdGYObIlx7pUZtWqlvo8k9H6vCBBsiChJQ5U= github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e h1:7q6NSFZDeGfvvtIRwBrU/aegEYJYmvev0cHAwo17zZQ= github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e/go.mod 
h1:DkpGd78rljTxKAnTDPFqXSGxvETQnJyuSOQwsHycqfs= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= -github.com/seccomp/libseccomp-golang v0.10.0 h1:aA4bp+/Zzi0BnWZ2F1wgNBs5gTpm+na2rWM6M9YjLpY= -github.com/seccomp/libseccomp-golang v0.10.0/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= +github.com/seccomp/libseccomp-golang v0.11.0 h1:SDkcBRqGLP+sezmMACkxO1EfgbghxIxnRKfd6mHUEis= +github.com/seccomp/libseccomp-golang v0.11.0/go.mod h1:5m1Lk8E9OwgZTTVz4bBOer7JuazaBa+xTkM895tDiWc= github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= -github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8= -github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4= +github.com/sergi/go-diff v1.4.0 h1:n/SP9D5ad1fORl+llWyN+D6qoUETXNZARKjyY2/KVCw= +github.com/sergi/go-diff v1.4.0/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4= github.com/shurcooL/component v0.0.0-20170202220835-f88ec8f54cc4/go.mod h1:XhFIlyj5a1fBNx5aJTbKoIq0mNaPvOagO+HjB3EtxrY= github.com/shurcooL/events v0.0.0-20181021180414-410e4ca65f48/go.mod h1:5u70Mqkb5O5cxEA8nxTsgrgLehJeAw6Oc4Ab1c/P1HM= github.com/shurcooL/github_flavored_markdown v0.0.0-20181002035957-2122de532470/go.mod h1:2dOwnU2uBioM+SGy2aZoq1f/Sd1l9OkAeAUvjSyvgU0= 
@@ -735,30 +753,31 @@ github.com/shurcooL/users v0.0.0-20180125191416-49c67e49c537/go.mod h1:QJTqeLYED github.com/shurcooL/webdavfs v0.0.0-20170829043945-18c3829fa133/go.mod h1:hKmq5kWdCj2z2KEozexVbfEZIWiTjhE0+UjmZgPqehw= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= -github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= -github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af h1:Sp5TG9f7K39yfB+If0vjp97vuT74F72r8hfRpP8jLU0= +github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/sourcegraph/annotate v0.0.0-20160123013949-f4cad6c6324d/go.mod h1:UdhH50NIW0fCiwBSr0co2m7BnFLdv4fQTgdqdJTHFeE= -github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo= -github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0= +github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 h1:+jumHNA0Wrelhe64i8F6HNlS8pkoyMv5sreGx2Ry5Rw= +github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8/go.mod h1:3n1Cwaq1E1/1lhQhtRK2ts/ZwZEhjcQeJQ1RuC6Q/8U= github.com/sourcegraph/syntaxhighlight v0.0.0-20170531221838-bd320f5d308e/go.mod h1:HuIsMU8RRBOtsCgI77wP899iHVBQpCmg4ErYMZB+2IA= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4= github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= -github.com/spf13/afero v1.12.0 h1:UcOPyRBYczmFn6yvphxkn9ZEOY65cpwGKb5mL36mrqs= -github.com/spf13/afero v1.12.0/go.mod h1:ZTlWwG4/ahT8W7T0WQ5uYmjI9duaLQGy3Q2OAl4sk/4= +github.com/spf13/afero v1.15.0 
h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I= +github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg= github.com/spf13/cast v1.4.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cast v1.7.1 h1:cuNEagBQEHWN1FnbGEjCXL2szYEXqfJPbP2HNUaca9Y= -github.com/spf13/cast v1.7.1/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= +github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY= +github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo= github.com/spf13/cobra v1.3.0/go.mod h1:BrRVncBjOJa/eUcVVm9CE+oC6as8k+VYr4NY7WCi9V4= -github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo= -github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0= +github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s= +github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0= github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o= -github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk= +github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.10.0/go.mod h1:SoyBPwAtKDzypXNDFKN5kzH7ppppbGZtls1UpIy5AsM= -github.com/spf13/viper v1.20.1 h1:ZMi+z/lvLyPSCoNtFCpqjy0S4kPbirhpTMwl8BkW9X4= -github.com/spf13/viper v1.20.1/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4= +github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU= +github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY= 
github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs= github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 
@@ -776,23 +795,21 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= -github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= +github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= github.com/stripe/stripe-go/v74 v74.30.0 h1:0Kf0KkeFnY7iRhOwvTerX0Ia1BRw+eV1CVJ51mGYAUY= github.com/stripe/stripe-go/v74 v74.30.0/go.mod h1:f9L6LvaXa35ja7eyvP6GQswoaIPaBRvGAimAO+udbBw= github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8= github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= -github.com/sylabs/squashfs v1.0.4 h1:uFSw7WXv7zjutPvU+JzY0nY494Vw8s4FAf4+7DhoMdI= -github.com/sylabs/squashfs v1.0.4/go.mod h1:PDgf8YmCntvN4d9Y8hBUBDCZL6qZOzOQwRGxnIdbERk= -github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI= -github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= +github.com/sylabs/squashfs v1.0.6 h1:PvJcDzxr+vIm2kH56mEMbaOzvGu79gK7P7IX+R7BDZI= +github.com/sylabs/squashfs v1.0.6/go.mod h1:DlDeUawVXLWAsSRa085Eo0ZenGzAB32JdAUFaB0LZfE= github.com/tarm/serial v0.0.0-20180830185346-98f6abe2eb07/go.mod h1:kDXzergiv9cbyO7IOYJZWg1U88JhDg3PB6klq9Hg2pA= github.com/therootcompany/xz v1.0.1 h1:CmOtsn1CbtmyYiusbfmhmkpAAETj0wBIH6kCYaX+xzw= github.com/therootcompany/xz v1.0.1/go.mod 
h1:3K3UH1yCKgBneZYhuQUvJ9HPD19UEXEI0BWbMn8qNMY= github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM= -github.com/ulikunitz/xz v0.5.12 h1:37Nm15o69RwBkXM0J6A5OlE67RZTfzUxTj8fB3dfcsc= -github.com/ulikunitz/xz v0.5.12/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= +github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY= +github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/uptrace/opentelemetry-go-extra/otelutil v0.3.2 h1:3/aHKUq7qaFMWxyQV0W2ryNgg8x8rVeKVA20KJUkfS0= github.com/uptrace/opentelemetry-go-extra/otelutil v0.3.2/go.mod h1:Zit4b8AQXaXvA68+nzmbyDzqiyFRISyw1JiD5JqUBjw= github.com/uptrace/opentelemetry-go-extra/otelzap v0.3.2 h1:cj/Z6FKTTYBnstI0Lni9PA+k2foounKIPUmj1LBwNiQ= 
@@ -803,12 +820,16 @@ github.com/viant/assertly v0.4.8/go.mod h1:aGifi++jvCrUaklKEKT0BU95igDNaqkvz+49u github.com/viant/toolbox v0.24.0/go.mod h1:OxMCG57V0PXuIP2HNQrtJf2CjqdmbrOx5EkMILuUhzM= github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW6bV0= github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4= +github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY= +github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM= github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651 h1:jIVmlAFIqV3d+DOxazTR9v+zgj8+VYuQBzPgBZvWBHA= github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651/go.mod h1:b26F2tHLqaoRQf8DywqzVaV1MQ9yvjb0OMcNl7Nxu20= github.com/wagoodman/go-progress v0.0.0-20230925121702-07e42b3cdba0 h1:0KGbf+0SMg+UFy4e1A/CPVvXn21f1qtWdeJwxZFoQG8= github.com/wagoodman/go-progress v0.0.0-20230925121702-07e42b3cdba0/go.mod h1:jLXFoL31zFaHKAAyZUh+sxiTDFe1L1ZHrcK2T1itVKA= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= +github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= +github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no= github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM= github.com/yl2chen/cidranger v1.0.2 h1:lbOWZVCG1tCRX4u24kuM1Tb4nHqWkDxwLdoS+SevawU= 
@@ -835,12 +856,12 @@ go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 h1:CV7UdSGJt/Ao6Gp4CXckLxVRRsRgDHoI8XjbL3PDl8s= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0/go.mod h1:FRmFuRJfag1IZ2dPkHnEoSFVgTVPUd2qf5Vi69hLb8I= -go.opentelemetry.io/contrib/instrumentation/runtime v0.61.0 h1:oIZsTHd0YcrvvUCN2AaQqyOcd685NQ+rFmrajveCIhA= -go.opentelemetry.io/contrib/instrumentation/runtime v0.61.0/go.mod h1:X4KSPIvxnY/G5c9UOGXtFoL91t1gmlHpDQzeK5Zc/Bw= -go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg= -go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q= +go.opentelemetry.io/contrib/instrumentation/runtime v0.63.0 h1:PeBoRj6af6xMI7qCupwFvTbbnd49V7n5YpG6pg8iDYQ= +go.opentelemetry.io/contrib/instrumentation/runtime v0.63.0/go.mod h1:ingqBCtMCe8I4vpz/UVzCW6sxoqgZB37nao91mLQ3Bw= +go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8= +go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.11.0 h1:C/Wi2F8wEmbxJ9Kuzw/nhP+Z9XaHYMkyDmXy6yR2cjw= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.11.0/go.mod h1:0Lr9vmGKzadCTgsiBydxr6GEZ8SsZ7Ks53LzjWG5Ar4= go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.35.0 h1:0NIXxOCFx+SKbhCVxwl3ETG8ClLPAa0KuKV6p3yhxP8= 
@@ -851,23 +872,23 @@ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 h1:xJ2qH go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0/go.mod h1:u5BF1xyjstDowA1R5QAO9JHzqK+ublenEW/dyqTjBVk= go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.35.0 h1:T0Ec2E+3YZf5bgTNQVet8iTDW7oIk03tXHq+wkwIDnE= go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.35.0/go.mod h1:30v2gqH+vYGJsesLWFov8u47EpYTcIQcBjKpI6pJThg= -go.opentelemetry.io/otel/log v0.12.2 h1:yob9JVHn2ZY24byZeaXpTVoPS6l+UrrxmxmPKohXTwc= -go.opentelemetry.io/otel/log v0.12.2/go.mod h1:ShIItIxSYxufUMt+1H5a2wbckGli3/iCfuEbVZi/98E= -go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE= -go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs= -go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs= -go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY= -go.opentelemetry.io/otel/sdk/log v0.12.2 h1:yNoETvTByVKi7wHvYS6HMcZrN5hFLD7I++1xIZ/k6W0= -go.opentelemetry.io/otel/sdk/log v0.12.2/go.mod h1:DcpdmUXHJgSqN/dh+XMWa7Vf89u9ap0/AAk/XGLnEzY= +go.opentelemetry.io/otel/log v0.14.0 h1:2rzJ+pOAZ8qmZ3DDHg73NEKzSZkhkGIua9gXtxNGgrM= +go.opentelemetry.io/otel/log v0.14.0/go.mod h1:5jRG92fEAgx0SU/vFPxmJvhIuDU9E1SUnEQrMlJpOno= +go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA= +go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI= +go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E= +go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg= +go.opentelemetry.io/otel/sdk/log v0.14.0 h1:JU/U3O7N6fsAXj0+CXz21Czg532dW2V4gG1HE/e8Zrg= +go.opentelemetry.io/otel/sdk/log v0.14.0/go.mod h1:imQvII+0ZylXfKU7/wtOND8Hn4OpT3YUoIgqJVksUkM= go.opentelemetry.io/otel/sdk/log/logtest v0.0.0-20250604050517-a99f9b56ce46 
h1:GhECNd/Fvz8rgvgsQAH8yUFnj9AeiyVy3a9b8PdgghA= go.opentelemetry.io/otel/sdk/log/logtest v0.0.0-20250604050517-a99f9b56ce46/go.mod h1:FaVwnf8BvLN80gFy4T+wMovR87QQonsHsGFFn0R+jw8= -go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis= -go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4= -go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w= -go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA= +go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM= +go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA= +go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE= +go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= -go.opentelemetry.io/proto/otlp v1.6.0 h1:jQjP+AQyTf+Fe7OKj/MfkDrmK4MNVtw2NpXsf9fefDI= -go.opentelemetry.io/proto/otlp v1.6.0/go.mod h1:cicgGehlFuNdgZkcALOCh3VE6K/u2tAjzlRhDwmVpZc= +go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4= +go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs= go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8= 
@@ -879,6 +900,10 @@ go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN8 go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo= go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= +go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI= +go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU= +go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= +go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= go4.org v0.0.0-20180809161055-417644f6feb5/go.mod h1:MkTOUMDaeVYJUOUsaDXIhWPZYa1yOyC1qaOBpL57BhE= go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M= go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y= 
@@ -895,8 +920,8 @@ golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8= -golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw= +golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04= +golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -907,8 +932,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/exp v0.0.0-20250103183323-7d7fa50e5329 h1:9kj3STMvgqy3YA4VQXBrN7925ICMxD5wzMRcgA30588= -golang.org/x/exp v0.0.0-20250103183323-7d7fa50e5329/go.mod h1:qj5a5QZpwLU2NLQudwIN5koi3beDhSAlJwa67PuM98c= +golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b h1:M2rDM6z3Fhozi9O7NWsxAkg/yqS/lQJ6PmkyIV3YP+o= +golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
@@ -936,8 +961,8 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= -golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU= -golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww= +golang.org/x/mod v0.28.0 h1:gQBtGhjxykdjY9YhZpSlZIsbnaE2+PgjfLWUQTnoZ1U= +golang.org/x/mod v0.28.0/go.mod h1:yfB/L0NOf/kmEbXjzCPOx1iK1fRutOydrCMsqRhEBxI= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -984,8 +1009,8 @@ golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY= -golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds= +golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4= +golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 
@@ -1019,8 +1044,8 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ= -golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= +golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug= +golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -1095,11 +1120,11 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= -golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ= +golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg= -golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ= +golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q= +golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -1109,14 +1134,14 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4= -golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA= +golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k= +golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0= -golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg= +golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI= +golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4= golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181030000716-a0a13e073c7b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -1173,12 +1198,14 @@ golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.31.0 h1:0EedkvKDbh+qistFTd0Bcwe/YLh4vHwWEkiI0toFIBU= -golang.org/x/tools v0.31.0/go.mod h1:naFTU+Cev749tSJRXJlna0T3WxKvb1kWEx15xA4SdmQ= +golang.org/x/tools v0.37.0 h1:DVSRzp7FwePZW356yEAChSdNcQo6Nsp+fex1SUW09lE= +golang.org/x/tools v0.37.0/go.mod h1:MBN5QPQtLMHVdvsbtarmTNukZDdgwdwlO5qGacAzF0w= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= +gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= google.golang.org/api v0.0.0-20180910000450-7ca32eb868bf/go.mod h1:4mhQ8q/RsB7i+udVvVy5NUi08OU8ZlA0gRVgrF7VFY0= google.golang.org/api v0.0.0-20181030000543-1d582fd0359e/go.mod h1:4mhQ8q/RsB7i+udVvVy5NUi08OU8ZlA0gRVgrF7VFY0= google.golang.org/api v0.1.0/go.mod h1:UGEZY7KEX120AnNLIHFMKIo4obdJhkp2tPbaPlQx13Y= 
@@ -1292,10 +1319,10 @@ google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ6 google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 h1:ToEetK57OidYuqD4Q5w+vfEnPvPpuTwedCNVohYJfNk= google.golang.org/genproto v0.0.0-20241118233622-e639e219e697/go.mod h1:JJrvXBWRZaFMxBufik1a4RpFw4HhgVtBBWQeQgUj2cc= -google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237 h1:Kog3KlB4xevJlAcbbbzPfRG0+X9fdoGM+UBRKVz6Wr0= -google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237/go.mod h1:ezi0AVyMKDWy5xAncvjLWH7UcLBB5n7y2fQ8MzjJcto= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 h1:cJfm9zPbe1e873mHJzmQ1nwVEeRDU/T1wXDK2kUSU34= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A= +google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 h1:BIRfGDEjiHRrk0QKZe3Xv2ieMhtgRGeLcZQ0mIVn4EY= +google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5/go.mod h1:j3QtIyytwqGr1JUDtYXwtMXWPKsEa5LtzIFN1Wn5WvE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 h1:eaY8u2EuxbRv7c3NiGK0/NedzVsCcV6hDuU5qPX5EGE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5/go.mod h1:M4/wBTSeyLxupu3W3tJtOgB14jILAS/XWPSSa3TAlJc= google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.16.0/go.mod h1:0JHn/cJsOMiMfNA9+DeHDlAU7KAAB5GDlYFpa9MZMio= google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= 
@@ -1326,8 +1353,8 @@ google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnD google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= -google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8= -google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM= +google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A= +google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= 
@@ -1342,8 +1369,8 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY= -google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY= +google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE= +google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 
@@ -1383,50 +1410,54 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= istio.io/pkg v0.0.0-20231221211216-7635388a563e h1:ZlLVbKDlCzfP0MPbWc6VRcY23d9NdjLxwpPQpDrh3Gc= istio.io/pkg v0.0.0-20231221211216-7635388a563e/go.mod h1:fvmqEdHhZjYYwf6dSiIwvwc7db54kMWVTfsb91KmhzY= -k8s.io/api v0.33.3 h1:SRd5t//hhkI1buzxb288fy2xvjubstenEKL9K51KBI8= -k8s.io/api v0.33.3/go.mod h1:01Y/iLUjNBM3TAvypct7DIj0M0NIZc+PzAHCIo0CYGE= -k8s.io/apiextensions-apiserver v0.33.1 h1:N7ccbSlRN6I2QBcXevB73PixX2dQNIW0ZRuguEE91zI= -k8s.io/apiextensions-apiserver v0.33.1/go.mod h1:uNQ52z1A1Gu75QSa+pFK5bcXc4hq7lpOXbweZgi4dqA= -k8s.io/apimachinery v0.33.3 h1:4ZSrmNa0c/ZpZJhAgRdcsFcZOw1PQU1bALVQ0B3I5LA= -k8s.io/apimachinery v0.33.3/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM= -k8s.io/apiserver v0.33.1 h1:yLgLUPDVC6tHbNcw5uE9mo1T6ELhJj7B0geifra3Qdo= -k8s.io/apiserver v0.33.1/go.mod h1:VMbE4ArWYLO01omz+k8hFjAdYfc3GVAYPrhP2tTKccs= -k8s.io/client-go v0.33.1 h1:ZZV/Ks2g92cyxWkRRnfUDsnhNn28eFpt26aGc8KbXF4= -k8s.io/client-go v0.33.1/go.mod h1:JAsUrl1ArO7uRVFWfcj6kOomSlCv+JpvIsp6usAGefA= -k8s.io/component-base v0.33.1 h1:EoJ0xA+wr77T+G8p6T3l4efT2oNwbqBVKR71E0tBIaI= -k8s.io/component-base v0.33.1/go.mod h1:guT/w/6piyPfTgq7gfvgetyXMIh10zuXA6cRRm3rDuY= -k8s.io/cri-api v0.33.1 h1:CEvLiHZm/uTTp/5qsesU8/OG1a56RPnwMk4Ae73bUvs= -k8s.io/cri-api v0.33.1/go.mod h1:OLQvT45OpIA+tv91ZrpuFIGY+Y2Ho23poS7n115Aocs= +k8s.io/api v0.34.1 h1:jC+153630BMdlFukegoEL8E/yT7aLyQkIVuwhmwDgJM= +k8s.io/api v0.34.1/go.mod h1:SB80FxFtXn5/gwzCoN6QCtPD7Vbu5w2n1S0J5gFfTYk= +k8s.io/apiextensions-apiserver v0.34.1 h1:NNPBva8FNAPt1iSVwIE0FsdrVriRXMsaWFMqJbII2CI= +k8s.io/apiextensions-apiserver v0.34.1/go.mod h1:hP9Rld3zF5Ay2Of3BeEpLAToP+l4s5UlxiHfqRaRcMc= +k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4= +k8s.io/apimachinery v0.34.1/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= 
+k8s.io/apiserver v0.34.1 h1:U3JBGdgANK3dfFcyknWde1G6X1F4bg7PXuvlqt8lITA= +k8s.io/apiserver v0.34.1/go.mod h1:eOOc9nrVqlBI1AFCvVzsob0OxtPZUCPiUJL45JOTBG0= +k8s.io/cli-runtime v0.34.1 h1:btlgAgTrYd4sk8vJTRG6zVtqBKt9ZMDeQZo2PIzbL7M= +k8s.io/cli-runtime v0.34.1/go.mod h1:aVA65c+f0MZiMUPbseU/M9l1Wo2byeaGwUuQEQVVveE= +k8s.io/client-go v0.34.1 h1:ZUPJKgXsnKwVwmKKdPfw4tB58+7/Ik3CrjOEhsiZ7mY= +k8s.io/client-go v0.34.1/go.mod h1:kA8v0FP+tk6sZA0yKLRG67LWjqufAoSHA2xVGKw9Of8= +k8s.io/component-base v0.34.1 h1:v7xFgG+ONhytZNFpIz5/kecwD+sUhVE6HU7qQUiRM4A= +k8s.io/component-base v0.34.1/go.mod h1:mknCpLlTSKHzAQJJnnHVKqjxR7gBeHRv0rPXA7gdtQ0= +k8s.io/cri-api v0.34.1 h1:n2bU++FqqJq0CNjP/5pkOs0nIx7aNpb1Xa053TecQkM= +k8s.io/cri-api v0.34.1/go.mod h1:4qVUjidMg7/Z9YGZpqIDygbkPWkg3mkS1PvOx/kpHTE= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4= -k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8= -k8s.io/kubelet v0.33.1 h1:x4LCw1/iZVWOKA4RoITnuB8gMHnw31HPB3S0EF0EexE= -k8s.io/kubelet v0.33.1/go.mod h1:8WpdC9M95VmsqIdGSQrajXooTfT5otEj8pGWOm+KKfQ= -k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e h1:KqK5c/ghOm8xkHYhlodbp6i6+r+ChV2vuAuVRdFbLro= -k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -modernc.org/cc/v4 v4.21.4 h1:3Be/Rdo1fpr8GrQ7IVw9OHtplU4gWbb+wNgeoBMmGLQ= -modernc.org/cc/v4 v4.21.4/go.mod h1:HM7VJTZbUCR3rV8EYBi9wxnJ0ZBRiGE5OeGXNA0IsLQ= -modernc.org/ccgo/v4 v4.19.2 h1:lwQZgvboKD0jBwdaeVCTouxhxAyN6iawF3STraAal8Y= -modernc.org/ccgo/v4 v4.19.2/go.mod h1:ysS3mxiMV38XGRTTcgo0DQTeTmAO4oCmJl1nX9VFI3s= -modernc.org/fileutil v1.3.0 h1:gQ5SIzK3H9kdfai/5x41oQiKValumqNTDXMvKo62HvE= -modernc.org/fileutil v1.3.0/go.mod h1:XatxS8fZi3pS8/hKG2GH/ArUogfxjpEKs3Ku3aK4JyQ= 
-modernc.org/gc/v2 v2.4.1 h1:9cNzOqPyMJBvrUipmynX0ZohMhcxPtMccYgGOJdOiBw= -modernc.org/gc/v2 v2.4.1/go.mod h1:wzN5dK1AzVGoH6XOzc3YZ+ey/jPgYHLuVckd62P0GYU= -modernc.org/libc v1.55.3 h1:AzcW1mhlPNrRtjS5sS+eW2ISCgSOLLNyFzRh/V3Qj/U= -modernc.org/libc v1.55.3/go.mod h1:qFXepLhz+JjFThQ4kzwzOjA/y/artDeg+pcYnY+Q83w= -modernc.org/mathutil v1.6.0 h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4= -modernc.org/mathutil v1.6.0/go.mod h1:Ui5Q9q1TR2gFm0AQRqQUaBWFLAhQpCwNcuhBOSedWPo= -modernc.org/memory v1.8.0 h1:IqGTL6eFMaDZZhEWwcREgeMXYwmW83LYW8cROZYkg+E= -modernc.org/memory v1.8.0/go.mod h1:XPZ936zp5OMKGWPqbD3JShgd/ZoQ7899TUuQqxY+peU= -modernc.org/opt v0.1.3 h1:3XOZf2yznlhC+ibLltsDGzABUGVx8J6pnFMS3E4dcq4= -modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0= -modernc.org/sortutil v1.2.0 h1:jQiD3PfS2REGJNzNCMMaLSp/wdMNieTbKX920Cqdgqc= -modernc.org/sortutil v1.2.0/go.mod h1:TKU2s7kJMf1AE84OoiGppNHJwvB753OYfNl2WRb++Ss= -modernc.org/sqlite v1.34.2 h1:J9n76TPsfYYkFkZ9Uy1QphILYifiVEwwOT7yP5b++2Y= -modernc.org/sqlite v1.34.2/go.mod h1:dnR723UrTtjKpoHCAMN0Q/gZ9MT4r+iRvIBb9umWFkU= -modernc.org/strutil v1.2.0 h1:agBi9dp1I+eOnxXeiZawM8F4LawKv4NzGWSaLfyeNZA= -modernc.org/strutil v1.2.0/go.mod h1:/mdcBmfOibveCTBxUl5B5l6W+TTH1FXPLHZE6bTosX0= +k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA= +k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts= +k8s.io/kubelet v0.34.1 h1:doAaTA9/Yfzbdq/u/LveZeONp96CwX9giW6b+oHn4m4= +k8s.io/kubelet v0.34.1/go.mod h1:PtV3Ese8iOM19gSooFoQT9iyRisbmJdAPuDImuccbbA= +k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y= +k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +modernc.org/cc/v4 v4.26.2 h1:991HMkLjJzYBIfha6ECZdjrIYz2/1ayr+FL8GN+CNzM= +modernc.org/cc/v4 v4.26.2/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0= 
+modernc.org/ccgo/v4 v4.28.0 h1:rjznn6WWehKq7dG4JtLRKxb52Ecv8OUGah8+Z/SfpNU= +modernc.org/ccgo/v4 v4.28.0/go.mod h1:JygV3+9AV6SmPhDasu4JgquwU81XAKLd3OKTUDNOiKE= +modernc.org/fileutil v1.3.8 h1:qtzNm7ED75pd1C7WgAGcK4edm4fvhtBsEiI/0NQ54YM= +modernc.org/fileutil v1.3.8/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc= +modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI= +modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito= +modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks= +modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI= +modernc.org/libc v1.66.3 h1:cfCbjTUcdsKyyZZfEUKfoHcP3S0Wkvz3jgSzByEWVCQ= +modernc.org/libc v1.66.3/go.mod h1:XD9zO8kt59cANKvHPXpx7yS2ELPheAey0vjIuZOhOU8= +modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU= +modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg= +modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI= +modernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw= +modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8= +modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns= +modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w= +modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE= +modernc.org/sqlite v1.38.2 h1:Aclu7+tgjgcQVShZqim41Bbw9Cho0y/7WzYptXqkEek= +modernc.org/sqlite v1.38.2/go.mod h1:cPTJYSlgg3Sfg046yBShXENNtPrWrDX8bsbAQBzgQ5E= +modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0= +modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A= modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y= modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM= oras.land/oras-go/v2 v2.6.0 h1:X4ELRsiGkrbeox69+9tzTu492FMUu7zJQW6eJU+I2oc= 
@@ -1438,13 +1469,16 @@ sigs.k8s.io/controller-runtime v0.21.0 h1:CYfjpEuicjUecRk+KAeyYh+ouUBn4llGyDYytI sigs.k8s.io/controller-runtime v0.21.0/go.mod h1:OSg14+F65eWqIu4DceX7k/+QRAbTTvxeQSNSOQpukWM= sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE= sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= -sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= +sigs.k8s.io/kustomize/api v0.20.1 h1:iWP1Ydh3/lmldBnH/S5RXgT98vWYMaTUL1ADcr+Sv7I= +sigs.k8s.io/kustomize/api v0.20.1/go.mod h1:t6hUFxO+Ph0VxIk1sKp1WS0dOjbPCtLJ4p8aADLwqjM= +sigs.k8s.io/kustomize/kyaml v0.20.1 h1:PCMnA2mrVbRP3NIB6v9kYCAc38uvFLVs8j/CD567A78= +sigs.k8s.io/kustomize/kyaml v0.20.1/go.mod h1:0EmkQHRUsJxY8Ug9Niig1pUMSCGHxQ5RklbpV/Ri6po= sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= -sigs.k8s.io/structured-merge-diff/v4 v4.7.0 h1:qPeWmscJcXP0snki5IYF79Z8xrl8ETFxgMd7wez1XkI= -sigs.k8s.io/structured-merge-diff/v4 v4.7.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps= -sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= -sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= +sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco= +sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= +sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs= +sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4= sourcegraph.com/sourcegraph/go-diff v0.5.0/go.mod h1:kuch7UrkMzY0X+p9CRK03kfuPQ2zzQcaEFbx8wA8rck= sourcegraph.com/sqs/pbtypes v0.0.0-20180604144634-d3ebe8f20ae4/go.mod h1:ketZ/q3QxT9HOBeFhu6RdvsftgpsbFHBF5Cas6cDKZ0= zombiezen.com/go/sqlite v1.4.0 
h1:N1s3RIljwtp4541Y8rM880qgGIgq3fTD2yks1xftnKU= diff --git a/pkg/rules/r0001-unexpected-process-launched/rule_test.go b/pkg/rules/r0001-unexpected-process-launched/rule_test.go index acc6f38..dda72a2 100644 --- a/pkg/rules/r0001-unexpected-process-launched/rule_test.go +++ b/pkg/rules/r0001-unexpected-process-launched/rule_test.go @@ -12,13 +12,11 @@ import ( "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" "github.com/stretchr/testify/require" - tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1" celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" - utils "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/node-agent/pkg/utils" + "github.com/kubescape/rulelibrary/pkg/common" ) func TestR0001UnexpectedProcessLaunched(t *testing.T) { 
@@ -27,26 +25,15 @@ func TestR0001UnexpectedProcessLaunched(t *testing.T) { t.Fatalf("Failed to load rule: %v", err) } // Create a process exec event - e := &events.ExecEvent{ - Event: tracerexectype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - Pid: 1234, - Comm: "test-process", - Pcomm: "test-process", - ExePath: "/usr/bin/test-process", - Args: []string{"test-process", "arg1"}, - }, + e := &utils.StructEvent{ + Args: []string{"test-process", "arg1"}, + Comm: "test-process", + Container: "test", + ContainerID: "test", + EventType: utils.ExecveEventType, + ExePath: "/usr/bin/test-process", + Pcomm: "test-process", + Pid: 1234, } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -74,8 +61,7 @@ func TestR0001UnexpectedProcessLaunched(t *testing.T) { t.Fatalf("Failed to create CEL engine: %v", err) } enrichedEvent := &events.EnrichedEvent{ - EventType: utils.ExecveEventType, - Event: e, + Event: e, } // Evaluate the rule 
@@ -154,30 +140,18 @@ func BenchmarkEvaluateRuleNative(b *testing.B) { TTL: 1 * time.Microsecond, }, }) - e := &events.ExecEvent{ - Event: tracerexectype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - Pid: 1234, - Comm: "test-process", - Pcomm: "test-process", - ExePath: "/usr/bin/test-process", - Args: []string{"test-process", "arg1"}, - }, + e := &utils.StructEvent{ + Container: "test", + ContainerID: "test", + EventType: utils.ExecveEventType, + Pid: 1234, + Comm: "test-process", + Pcomm: "test-process", + ExePath: "/usr/bin/test-process", + Args: []string{"test-process", "arg1"}, } enrichedEvent := &events.EnrichedEvent{ - EventType: utils.ExecveEventType, - Event: e, + Event: e, } ruleSpec, err := common.LoadRuleFromYAML("unexpected-process-launched.yaml") require.NoError(b, err) diff --git a/pkg/rules/r0001-unexpected-process-launched/unexpected-process-launched.yaml b/pkg/rules/r0001-unexpected-process-launched/unexpected-process-launched.yaml index dd312d6..192b6e3 100644 --- a/pkg/rules/r0001-unexpected-process-launched/unexpected-process-launched.yaml +++ b/pkg/rules/r0001-unexpected-process-launched/unexpected-process-launched.yaml 
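Review bot: The `utils.StructEvent` literal in BenchmarkEvaluateRuleNative orders its fields differently from the fixture in TestR0001UnexpectedProcessLaunched (the earlier hunk in this file), where they are listed alphabetically; the two literals carry identical values, so keeping the same order makes them trivially diffable. Better still, a small helper such as `func newExecEvent() *utils.StructEvent` returning that literal would remove the duplication and make the benchmark exercise exactly the fixture the test does. BenchmarkEvaluateRuleNative continues outside the hunk.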
@@ -7,21 +7,24 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Unexpected process launched"
- enabled: true
- id: "R0001"
- description: "Detects unexpected process launches that are not in the baseline"
- expressions:
- message: "'Unexpected process launched: ' + exec.comm + ' with PID ' + string(exec.pid)"
- unique_id: "exec.comm + '_' + exec.exe_path"
- rule_expression:
- - event_type: "exec"
- expression: "!ap.was_executed(exec.runtime.container_id, parse.get_exec_path(exec.args, exec.comm))"
- profile_dependency: 0
- severity: 1
- support_policy: false
- tags:
- - "anomaly"
- - "process"
- - "exec"
- - "applicationprofile"
+ - name: "Unexpected process launched"
+ enabled: true
+ id: "R0001"
+ description: "Detects unexpected process launches that are not in the baseline"
+ expressions:
+ message: "'Unexpected process launched: ' + event.comm + ' with PID ' + string(event.pid)"
+ uniqueId: "event.comm + '_' + event.exepath"
+ ruleExpression:
+ - eventType: "exec"
+ expression: "!ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm))"
+ profileDependency: 0
+ severity: 1
+ supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0002"
+ mitreTechnique: "T1059"
+ tags:
+ - "anomaly"
+ - "process"
+ - "exec"
+ - "applicationprofile"
diff --git a/pkg/rules/r0002-unexpected-file-access/rule_test.go b/pkg/rules/r0002-unexpected-file-access/rule_test.go
index e3a9022..d1657cc 100644
--- a/pkg/rules/r0002-unexpected-file-access/rule_test.go
+++ b/pkg/rules/r0002-unexpected-file-access/rule_test.go
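Review bot: `uniqueId` references `event.exepath`, the only multi-word field in the renamed expressions that is not camelCased (`event.containerId`, `event.syscallName`, `event.capName` elsewhere in this commit); the Go fixture sets `ExePath`, so if the CEL view exposes it as `exePath` this expression would fail to resolve the first time a unique id is evaluated for R0001. The visible r0001 test hunks do not show `uniqueId` being evaluated, so the test would not catch a wrong field name. If the field really is `exePath`, the fix is `uniqueId: "event.comm + '_' + event.exePath"`, ideally together with a test assertion on the evaluated unique id.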
@@ -11,12 +11,10 @@ import ( "github.com/kubescape/node-agent/pkg/utils" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" - traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1" celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" ) func TestR0002UnexpectedFileAccess(t *testing.T) { @@ -25,26 +23,14 @@ func TestR0002UnexpectedFileAccess(t *testing.T) { t.Fatalf("Failed to load rule: %v", err) } // Create a file access event - e := &events.OpenEvent{ - Event: traceropentype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - Pid: 1234, - Comm: "test", - Path: "/etc/test", - FullPath: "/etc/test", - Flags: []string{"O_RDONLY"}, - }, + e := &utils.StructEvent{ + Comm: "test", + Container: "test", + ContainerID: "test", + EventType: utils.OpenEventType, + Flags: []string{"O_RDONLY"}, + Path: "/etc/test", + Pid: 1234, } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -73,8 +59,7 @@ func TestR0002UnexpectedFileAccess(t *testing.T) { t.Fatalf("Failed to create CEL engine: %v", err) } enrichedEvent := &events.EnrichedEvent{ - EventType: utils.OpenEventType, - Event: e, + Event: e, } ok, err := celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression) diff --git a/pkg/rules/r0002-unexpected-file-access/unexpected-file-access.yaml b/pkg/rules/r0002-unexpected-file-access/unexpected-file-access.yaml index 8952006..6817ea5 100644 
--- a/pkg/rules/r0002-unexpected-file-access/unexpected-file-access.yaml
+++ b/pkg/rules/r0002-unexpected-file-access/unexpected-file-access.yaml
@@ -7,39 +7,42 @@ metadata: app: kubescape spec: rules: - - name: "Files Access Anomalies in container" - enabled: false - id: "R0002" - description: "Detects unexpected file access that is not in the baseline" - expressions: - message: "'Unexpected file access detected: ' + open.comm + ' with PID ' + string(open.pid) + ' to ' + open.full_path" - unique_id: "open.comm + '_' + open.full_path" - rule_expression: - - event_type: "open" - expression: > - (open.full_path.startsWith('/etc/') || - open.full_path.startsWith('/var/log/') || - open.full_path.startsWith('/var/run/') || - open.full_path.startsWith('/run/') || - open.full_path.startsWith('/var/spool/cron/') || - open.full_path.startsWith('/var/www/') || - open.full_path.startsWith('/var/lib/') || - open.full_path.startsWith('/opt/') || - open.full_path.startsWith('/usr/local/') || - open.full_path.startsWith('/app/') || - open.full_path == '/.dockerenv' || - open.full_path == '/proc/self/environ') - && - !(open.full_path.startsWith('/run/secrets/kubernetes.io/serviceaccount') || - open.full_path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') || - open.full_path.startsWith('/tmp')) - && - !ap.was_path_opened(open.runtime.container_id, open.full_path) - profile_dependency: 0 - severity: 1 - support_policy: false - tags: - - "anomaly" - - "file" - - "open" - - "applicationprofile" + - name: "Files Access Anomalies in container" + enabled: false + id: "R0002" + description: "Detects unexpected file access that is not in the baseline" + expressions: + message: "'Unexpected file access detected: ' + event.comm + ' with PID ' + string(event.pid) + ' to ' + event.path" + uniqueId: "event.comm + '_' + event.path" + ruleExpression: + - eventType: "open" + expression: > + (event.path.startsWith('/etc/') || + event.path.startsWith('/var/log/') || + event.path.startsWith('/var/run/') || + event.path.startsWith('/run/') || + event.path.startsWith('/var/spool/cron/') || + event.path.startsWith('/var/www/') || + 
event.path.startsWith('/var/lib/') || + event.path.startsWith('/opt/') || + event.path.startsWith('/usr/local/') || + event.path.startsWith('/app/') || + event.path == '/.dockerenv' || + event.path == '/proc/self/environ') + && + !(event.path.startsWith('/run/secrets/kubernetes.io/serviceaccount') || + event.path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') || + event.path.startsWith('/tmp')) + && + !ap.was_path_opened(event.containerId, event.path) + profileDependency: 0 + severity: 1 + supportPolicy: false + isTriggerAlert: false + mitreTactic: "TA0009" + mitreTechnique: "T1005" + tags: + - "anomaly" + - "file" + - "open" + - "applicationprofile" diff --git a/pkg/rules/r0003-unexpected-system-call/rule_test.go b/pkg/rules/r0003-unexpected-system-call/rule_test.go index af2819c..a48ec81 100644 --- a/pkg/rules/r0003-unexpected-system-call/rule_test.go +++ b/pkg/rules/r0003-unexpected-system-call/rule_test.go @@ -5,16 +5,14 @@ import ( "time" "github.com/goradd/maps" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1" celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" - "github.com/kubescape/node-agent/pkg/rulemanager/types" "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" ) 
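Review bot: Every prefix check and the `!ap.was_path_opened` lookup now read `event.path` in place of `open.full_path`; if `path` is the raw open() argument rather than the resolved absolute path the old field carried, relative or non-canonical paths would match neither the monitored prefixes nor the `/run/secrets/...serviceaccount` and `/tmp` exclusions, and the rule would go quiet for them without any error. The StructEvent definition is not in this diff, so this is worth confirming; if `path` is not normalized upstream, the rule should say which form it expects, e.g. `# event.path must be the resolved absolute path; the prefix checks below assume it` above `expression:`. The r0002 test fixture only exercises `/etc/test`, so it would not reveal the difference.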
@@ -25,22 +23,13 @@ func TestR0003UnexpectedSystemCall(t *testing.T) { } // Create a syscall event - e := &types.SyscallEvent{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, + e := &utils.StructEvent{ Comm: "test", - SyscallName: "test_syscall", + Container: "test", + ContainerID: "test", + EventType: utils.SyscallEventType, Pid: 1234, + Syscall: "test_syscall", } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -69,8 +58,7 @@ func TestR0003UnexpectedSystemCall(t *testing.T) { t.Fatalf("Failed to create CEL engine: %v", err) } enrichedEvent := &events.EnrichedEvent{ - EventType: utils.SyscallEventType, - Event: e, + Event: e, } // Evaluate the rule diff --git a/pkg/rules/r0003-unexpected-system-call/unexpected-system-call.yaml b/pkg/rules/r0003-unexpected-system-call/unexpected-system-call.yaml index 19d9fd8..1c10d71 100644 --- a/pkg/rules/r0003-unexpected-system-call/unexpected-system-call.yaml +++ b/pkg/rules/r0003-unexpected-system-call/unexpected-system-call.yaml 
@@ -7,20 +7,23 @@ metadata: app: kubescape spec: rules: - - name: "Syscalls Anomalies in container" - enabled: true - id: "R0003" - description: "Detects unexpected system calls that are not whitelisted by application profile" - expressions: - message: "'Unexpected system call detected: ' + syscall.syscall_name + ' with PID ' + string(syscall.pid)" - unique_id: "syscall.syscall_name" - rule_expression: - - event_type: "syscall" - expression: "!ap.was_syscall_used(syscall.runtime.container_id, syscall.syscall_name)" - profile_dependency: 0 - severity: 1 - support_policy: false - tags: - - "anomaly" - - "syscall" - - "applicationprofile" + - name: "Syscalls Anomalies in container" + enabled: true + id: "R0003" + description: "Detects unexpected system calls that are not whitelisted by application profile" + expressions: + message: "'Unexpected system call detected: ' + event.syscallName + ' with PID ' + string(event.pid)" + uniqueId: "event.syscallName" + ruleExpression: + - eventType: "syscall" + expression: "!ap.was_syscall_used(event.containerId, event.syscallName)" + profileDependency: 0 + severity: 1 + supportPolicy: false + isTriggerAlert: false + mitreTactic: "TA0002" + mitreTechnique: "T1059" + tags: + - "anomaly" + - "syscall" + - "applicationprofile" diff --git a/pkg/rules/r0004-unexpected-capability-used/rule_test.go b/pkg/rules/r0004-unexpected-capability-used/rule_test.go index b9cecf8..3a6bf0e 100644 --- a/pkg/rules/r0004-unexpected-capability-used/rule_test.go +++ b/pkg/rules/r0004-unexpected-capability-used/rule_test.go @@ -5,8 +5,6 @@ import ( "time" "github.com/goradd/maps" - tracercapabilitiestype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/capabilities/types" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" 
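Review bot: `mitreTactic: "TA0002"` / `mitreTechnique: "T1059"` (Execution / Command and Scripting Interpreter) is attached here to a generic unexpected-syscall anomaly and reused unchanged for the capability rule in unexpected-capability-used.yaml; neither rule detects a scripting interpreter specifically, so the mapping reads like a placeholder and would be misleading in any MITRE-based triage view, whereas the R0002 (T1005) and R0005 (T1071.004) mappings in this commit are specific. If the coarse mapping is intentional, a comment such as `# MITRE mapping is a coarse default for profile-anomaly rules; refine per rule` next to `mitreTactic:` would make that explicit for both files.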
@@ -14,7 +12,7 @@ import ( celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" ) @@ -25,23 +23,14 @@ func TestR0004UnexpectedCapabilityUsed(t *testing.T) { } // Create a capabilities event - e := &tracercapabilitiestype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - Comm: "test", - CapName: "test_cap", - Syscall: "test_syscall", - Pid: 1234, + e := &utils.StructEvent{ + CapName: "test_cap", + Comm: "test", + Container: "test", + ContainerID: "test", + EventType: utils.CapabilitiesEventType, + Pid: 1234, + Syscall: "test_syscall", } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -70,8 +59,7 @@ func TestR0004UnexpectedCapabilityUsed(t *testing.T) { t.Fatalf("Failed to create CEL engine: %v", err) } enrichedEvent := &events.EnrichedEvent{ - EventType: utils.CapabilitiesEventType, - Event: e, + Event: e, } // Evaluate the rule diff --git a/pkg/rules/r0004-unexpected-capability-used/unexpected-capability-used.yaml b/pkg/rules/r0004-unexpected-capability-used/unexpected-capability-used.yaml index 8216d72..c7854c7 100644 --- a/pkg/rules/r0004-unexpected-capability-used/unexpected-capability-used.yaml +++ b/pkg/rules/r0004-unexpected-capability-used/unexpected-capability-used.yaml 
@@ -7,20 +7,23 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Linux Capabilities Anomalies in container"
- enabled: true
- id: "R0004"
- description: "Detects unexpected capabilities that are not whitelisted by application profile"
- expressions:
- message: "'Unexpected capability used: ' + capabilities.cap_name + ' in syscall ' + capabilities.syscall + ' with PID ' + string(capabilities.pid)"
- unique_id: "capabilities.comm + '_' + capabilities.cap_name"
- rule_expression:
- - event_type: "capabilities"
- expression: "!ap.was_capability_used(capabilities.runtime.container_id, capabilities.cap_name)"
- profile_dependency: 0
- severity: 1
- support_policy: false
- tags:
- - "anomaly"
- - "capabilities"
- - "applicationprofile"
+ - name: "Linux Capabilities Anomalies in container"
+ enabled: true
+ id: "R0004"
+ description: "Detects unexpected capabilities that are not whitelisted by application profile"
+ expressions:
+ message: "'Unexpected capability used: ' + event.capName + ' in syscall ' + event.syscallName + ' with PID ' + string(event.pid)"
+ uniqueId: "event.comm + '_' + event.capName"
+ ruleExpression:
+ - eventType: "capabilities"
+ expression: "!ap.was_capability_used(event.containerId, event.capName)"
+ profileDependency: 0
+ severity: 1
+ supportPolicy: false
+ isTriggerAlert: false
+ mitreTactic: "TA0002"
+ mitreTechnique: "T1059"
+ tags:
+ - "anomaly"
+ - "capabilities"
+ - "applicationprofile"
diff --git a/pkg/rules/r0005-unexpected-domain-request/rule_test.go b/pkg/rules/r0005-unexpected-domain-request/rule_test.go
index 1a6d547..43ac177 100644
--- a/pkg/rules/r0005-unexpected-domain-request/rule_test.go
+++ b/pkg/rules/r0005-unexpected-domain-request/rule_test.go
@@ -11,12 +11,10 @@ import ( "github.com/kubescape/node-agent/pkg/utils" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" - tracerdnstype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/dns/types" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1" celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" ) func TestR0005UnexpectedDomainRequest(t *testing.T) { @@ -26,23 +24,14 @@ func TestR0005UnexpectedDomainRequest(t *testing.T) { } // Create a DNS event - e := &tracerdnstype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - Pid: 1234, - Comm: "test-process", - DNSName: "test.com", - Qr: tracerdnstype.DNSPktTypeQuery, + e := &utils.StructEvent{ + Comm: "test-process", + Container: "test", + ContainerID: "test", + DNSName: "test.com", + EventType: utils.DnsEventType, + Pid: 1234, + Qr: utils.DNSPktTypeQuery, } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -70,8 +59,7 @@ func TestR0005UnexpectedDomainRequest(t *testing.T) { t.Fatalf("Failed to create CEL engine: %v", err) } enrichedEvent := &events.EnrichedEvent{ - EventType: utils.DnsEventType, - Event: e, + Event: e, } // Test without profile - should trigger alert @@ -88,7 +76,7 @@ func TestR0005UnexpectedDomainRequest(t *testing.T) { if err != nil { t.Fatalf("Failed to evaluate message: %v", err) } - if message != "Unexpected domain communication: test.com" { + if message != "Unexpected domain communication: test.com from: test" { t.Fatalf("Message evaluation failed, got: %s", message) } 
diff --git a/pkg/rules/r0005-unexpected-domain-request/unexpected-domain-request.yaml b/pkg/rules/r0005-unexpected-domain-request/unexpected-domain-request.yaml
index 57a8bab..7302e0f 100644
--- a/pkg/rules/r0005-unexpected-domain-request/unexpected-domain-request.yaml
+++ b/pkg/rules/r0005-unexpected-domain-request/unexpected-domain-request.yaml
@@ -7,20 +7,23 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "DNS Anomalies in container"
- enabled: true
- id: "R0005"
- description: "Detecting unexpected domain requests that are not whitelisted by application profile."
- expressions:
- message: "'Unexpected domain communication: ' + dns.dns_name"
- unique_id: "dns.comm + '_' + dns.dns_name"
- rule_expression:
- - event_type: "dns"
- expression: "!dns.dns_name.endsWith('.svc.cluster.local.') && !nn.is_domain_in_egress(dns.runtime.container_id, dns.dns_name)"
- profile_dependency: 0
- severity: 1
- support_policy: false
- tags:
- - "dns"
- - "anomaly"
- - "networkprofile"
+ - name: "DNS Anomalies in container"
+ enabled: true
+ id: "R0005"
+ description: "Detecting unexpected domain requests that are not whitelisted by application profile."
+ expressions:
+ message: "'Unexpected domain communication: ' + event.name + ' from: ' + event.containerName"
+ uniqueId: "event.comm + '_' + event.name"
+ ruleExpression:
+ - eventType: "dns"
+ expression: "!event.name.endsWith('.svc.cluster.local.') && !nn.is_domain_in_egress(event.containerId, event.name)"
+ profileDependency: 0
+ severity: 1
+ supportPolicy: false
+ isTriggerAlert: false
+ mitreTactic: "TA0011"
+ mitreTechnique: "T1071.004"
+ tags:
+ - "dns"
+ - "anomaly"
+ - "networkprofile"
diff --git a/pkg/rules/r0006-unexpected-service-account-token-access/rule_test.go b/pkg/rules/r0006-unexpected-service-account-token-access/rule_test.go
index 06f8327..22524a1 100644
--- a/pkg/rules/r0006-unexpected-service-account-token-access/rule_test.go
+++ b/pkg/rules/r0006-unexpected-service-account-token-access/rule_test.go
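Review bot: `event.name` in the message, `uniqueId` and expression is the queried DNS name (the r0005 fixture sets `DNSName: "test.com"`), but unlike `event.capName` or `event.syscallName` in the sibling rules the identifier does not say what it holds, and `name` is easy to misread as a container or pod name now that `event.containerName` sits on the same line. A comment above `expressions:` such as `# event.name is the queried DNS name; event.containerName is the originating container` would prevent that misreading for the next person editing the expression.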
@@ -1,12 +1,11 @@ package r0006_unexpected_service_account_token_access import ( + "strings" "testing" "time" "github.com/goradd/maps" - traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" @@ -19,29 +18,17 @@ import ( ) // createTestEvent creates a test OpenEvent -func createTestEvent(containerName, containerID, path string, flags []string) *events.OpenEvent { - return &events.OpenEvent{ - Event: traceropentype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: containerID, - }, - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: containerName, - }, - }, - }, - }, - Comm: "test-process", - Path: path, - FullPath: path, - Flags: flags, - Pid: 1234, - Uid: 0, - Gid: 0, - }, +func createTestEvent(containerName, containerID, path string, flags []string) *utils.StructEvent { + return &utils.StructEvent{ + Comm: "test-process", + Container: containerName, + ContainerID: containerID, + EventType: utils.OpenEventType, + Flags: flags, + Gid: 0, + Path: path, + Pid: 1234, + Uid: 0, } } @@ -68,7 +55,7 @@ func TestR0006UnexpectedServiceAccountTokenAccess(t *testing.T) { tests := []struct { name string - event *events.OpenEvent + event *utils.StructEvent profile *v1beta1.ApplicationProfile expectTrigger bool description string 
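Review bot: The doc comment `// createTestEvent creates a test OpenEvent` is now stale: the function returns a `*utils.StructEvent` carrying `EventType: utils.OpenEventType`, and `events.OpenEvent` no longer appears in this file. Suggest `// createTestEvent builds an open-event StructEvent fixture for the given container, path and flags.`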
@@ -107,19 +94,19 @@ func TestR0006UnexpectedServiceAccountTokenAccess(t *testing.T) { name: "kubernetes service account token access with matching profile", event: createTestEvent("test", "container123", "/run/secrets/kubernetes.io/serviceaccount/token", []string{"O_RDONLY"}), profile: createTestProfile("test", []v1beta1.OpenCalls{ - {Path: "/run/secrets/kubernetes.io/serviceaccount/namespace", Flags: []string{"O_RDONLY"}}, + {Path: "/run/secrets/kubernetes.io/serviceaccount/token", Flags: []string{"O_RDONLY"}}, }), expectTrigger: false, - description: "Should not trigger when kubernetes service account path is in application profile", + description: "Should not trigger when kubernetes service account token path is in application profile", }, { name: "eks service account token access with matching profile", event: createTestEvent("test", "container123", "/run/secrets/eks.amazonaws.com/serviceaccount/token", []string{"O_RDONLY"}), profile: createTestProfile("test", []v1beta1.OpenCalls{ - {Path: "/run/secrets/eks.amazonaws.com/serviceaccount/ca.crt", Flags: []string{"O_RDONLY"}}, + {Path: "/run/secrets/eks.amazonaws.com/serviceaccount/token", Flags: []string{"O_RDONLY"}}, }), expectTrigger: false, - description: "Should not trigger when EKS service account path is in application profile", + description: "Should not trigger when EKS service account token path is in application profile", }, { name: "service account token access with different profile path", 
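Review bot: The rewritten cases in this hunk only ever put the service-account token path itself into the profile, so no case separates "the profile whitelists the SA token" from "the profile whitelists some other path ending in /token"; the rule expression this commit changes in unexpected-service-account-token-access.yaml now whitelists on the `/token` suffix alone, and that is exactly the distinction worth pinning. A case such as `event: createTestEvent("test", "container123", "/run/secrets/kubernetes.io/serviceaccount/token", []string{"O_RDONLY"})` with `{Path: "/app/config/token", Flags: []string{"O_RDONLY"}}` as the only profile entry documents the intended behaviour either way: if it is expected to trigger, it fails today and shows the gap; if not, the rule description should state that the whitelist is suffix-only. The enclosing test table starts and ends outside the hunk.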
@@ -131,13 +118,13 @@ func TestR0006UnexpectedServiceAccountTokenAccess(t *testing.T) { description: "Should trigger when service account token path is not in application profile", }, { - name: "service account namespace access with matching profile", + name: "service account namespace access (not a token)", event: createTestEvent("test", "container123", "/run/secrets/kubernetes.io/serviceaccount/namespace", []string{"O_RDONLY"}), profile: createTestProfile("test", []v1beta1.OpenCalls{ {Path: "/run/secrets/kubernetes.io/serviceaccount/token", Flags: []string{"O_RDONLY"}}, }), expectTrigger: false, - description: "Should not trigger when service account directory is whitelisted", + description: "Should not trigger for non-token service account paths", }, { name: "similar path but not service account token", @@ -184,8 +171,7 @@ func TestR0006UnexpectedServiceAccountTokenAccess(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.OpenEventType, - Event: tt.event, + Event: tt.event, } // Evaluate the rule @@ -206,7 +192,7 @@ func TestR0006UnexpectedServiceAccountTokenAccess(t *testing.T) { if err != nil { t.Fatalf("Failed to evaluate message: %v", err) } - expectedMessage := "Unexpected access to service account token: " + tt.event.FullPath + " with flags: " + tt.event.Flags[0] + expectedMessage := "Unexpected access to service account token: " + tt.event.Path + " with flags: " + strings.Join(tt.event.Flags, ",") if message != expectedMessage { t.Errorf("Message evaluation failed. Expected: %s, Got: %s", expectedMessage, message) } 
@@ -242,16 +228,16 @@ func TestR0006WithTimestampPaths(t *testing.T) { { name: "kubernetes token access with timestamp", accessPath: "/run/secrets/kubernetes.io/serviceaccount/..2024_11_24_09_06_53.3676909075/token", - profilePath: "/run/secrets/kubernetes.io/serviceaccount/..2024_11_21_04_30_58.850095521/namespace", + profilePath: "/run/secrets/kubernetes.io/serviceaccount/..2024_11_21_04_30_58.850095521/token", expectTrigger: false, - description: "Should not trigger when service account directory is whitelisted despite different timestamps", + description: "Should not trigger when service account token path is in application profile despite different timestamps", }, { name: "eks token access with timestamp", accessPath: "/run/secrets/eks.amazonaws.com/serviceaccount/..2024_11_1111_24_34_58.850095521/token", - profilePath: "/run/secrets/eks.amazonaws.com/serviceaccount/..2024_11_21_04_30_58.850095521/ca.crt", + profilePath: "/run/secrets/eks.amazonaws.com/serviceaccount/..2024_11_21_04_30_58.850095521/token", expectTrigger: false, - description: "Should not trigger when EKS service account directory is whitelisted despite different timestamps", + description: "Should not trigger when EKS service account token path is in application profile despite different timestamps", }, } @@ -292,8 +278,7 @@ func TestR0006WithTimestampPaths(t *testing.T) { // Serialize event and evaluate enrichedEvent := &events.EnrichedEvent{ - EventType: utils.OpenEventType, - Event: event, + Event: event, } triggered, err := celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression) diff --git a/pkg/rules/r0006-unexpected-service-account-token-access/unexpected-service-account-token-access.yaml b/pkg/rules/r0006-unexpected-service-account-token-access/unexpected-service-account-token-access.yaml index 50d16d0..29ebf0f 100644 --- a/pkg/rules/r0006-unexpected-service-account-token-access/unexpected-service-account-token-access.yaml 
+++ b/pkg/rules/r0006-unexpected-service-account-token-access/unexpected-service-account-token-access.yaml 
@@ -7,28 +7,28 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Unexpected service account token access"
- enabled: true
- id: "R0006"
- description: "Detecting unexpected access to service account token."
- expressions:
- message: "'Unexpected access to service account token: ' + open.full_path + ' with flags: ' + open.flags.join(',')"
- unique_id: "open.comm"
- rule_expression:
- - event_type: "open"
- expression: >
- ((open.full_path.startsWith('/run/secrets/kubernetes.io/serviceaccount') && open.full_path.endsWith('/token')) ||
- (open.full_path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') && open.full_path.endsWith('/token')) ||
- (open.full_path.startsWith('/run/secrets/eks.amazonaws.com/serviceaccount') && open.full_path.endsWith('/token')) ||
- (open.full_path.startsWith('/var/run/secrets/eks.amazonaws.com/serviceaccount') && open.full_path.endsWith('/token'))) &&
- !ap.was_path_opened_with_prefix(open.runtime.container_id, '/run/secrets/kubernetes.io/serviceaccount') &&
- !ap.was_path_opened_with_prefix(open.runtime.container_id, '/var/run/secrets/kubernetes.io/serviceaccount') &&
- !ap.was_path_opened_with_prefix(open.runtime.container_id, '/run/secrets/eks.amazonaws.com/serviceaccount') &&
- !ap.was_path_opened_with_prefix(open.runtime.container_id, '/var/run/secrets/eks.amazonaws.com/serviceaccount')
- profile_dependency: 1
- severity: 5
- support_policy: false
- tags:
- - "anomaly"
- - "serviceaccount"
- - "applicationprofile"
+ - name: "Unexpected service account token access"
+ enabled: true
+ id: "R0006"
+ description: "Detecting unexpected access to service account token."
+ expressions:
+ message: "'Unexpected access to service account token: ' + event.path + ' with flags: ' + event.flags.join(',')"
+ uniqueId: "event.comm"
+ ruleExpression:
+ - eventType: "open"
+ expression: >
+ ((event.path.startsWith('/run/secrets/kubernetes.io/serviceaccount') && event.path.endsWith('/token')) ||
+ (event.path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') && event.path.endsWith('/token')) ||
+ (event.path.startsWith('/run/secrets/eks.amazonaws.com/serviceaccount') && event.path.endsWith('/token')) ||
+ (event.path.startsWith('/var/run/secrets/eks.amazonaws.com/serviceaccount') && event.path.endsWith('/token'))) &&
+ !ap.was_path_opened_with_suffix(event.containerId, '/token')
+ profileDependency: 0
+ severity: 5
+ supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0006"
+ mitreTechnique: "T1528"
+ tags:
+ - "anomaly"
+ - "serviceaccount"
+ - "applicationprofile"
diff --git a/pkg/rules/r0007-kubernetes-client-executed/kubernetes-client-executed.yaml b/pkg/rules/r0007-kubernetes-client-executed/kubernetes-client-executed.yaml
index 3599dc5..698b7ef 100644
--- a/pkg/rules/r0007-kubernetes-client-executed/kubernetes-client-executed.yaml
+++ b/pkg/rules/r0007-kubernetes-client-executed/kubernetes-client-executed.yaml
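Review bot: The new whitelist check `!ap.was_path_opened_with_suffix(event.containerId, '/token')` is scoped by suffix only, so any profile entry ending in `/token` (an application's own config or cache file, for instance) suppresses alerts on reads of the service-account token — a broader blind spot than the four prefix checks it replaces, whose own problem (any file under the serviceaccount directory, such as `namespace`, whitelisting the token) is what the rule_test.go changes in this commit work around. Scoping the whitelist to the four serviceaccount prefixes and the `/token` suffix together, through a helper that takes both if the `ap` library has none, would close both gaps; failing that, the description should say that a whitelisted `/token` path anywhere disables the rule. `profileDependency` also moves from 1 to 0 (Optional to Required per the README table in this commit), which the description does not mention; if Required means the rule is not evaluated for a container without a profile, that silences this rule during the learning period and is worth confirming and documenting.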
@@ -7,23 +7,26 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Workload uses Kubernetes API unexpectedly"
- enabled: true
- id: "R0007"
- description: "Detecting execution of kubernetes client"
- expressions:
- message: "event_type == 'exec' ? 'Kubernetes client (' + exec.comm + ') was executed with PID ' + string(exec.pid) : 'Network connection to Kubernetes API server from container ' + network.k8s.container_name"
- unique_id: "event_type == 'exec' ? 'exec_' + exec.comm : 'network_' + network.dst_endpoint.addr"
- rule_expression:
- - event_type: "exec"
- expression: "(exec.comm == 'kubectl' || exec.exe_path.endsWith('/kubectl')) && !ap.was_executed(exec.runtime.container_id, parse.get_exec_path(exec.args, exec.comm))"
- - event_type: "network"
- expression: "network.pkt_type == 'OUTGOING' && k8s.is_api_server_address(network.dst_endpoint.addr) && !nn.was_address_in_egress(network.runtime.container_id, network.dst_endpoint.addr)"
- profile_dependency: 0
- severity: 5 # Medium
- support_policy: false
- tags:
- - "exec"
- - "network"
- - "anomaly"
- - "applicationprofile"
+ - name: "Workload uses Kubernetes API unexpectedly"
+ enabled: true
+ id: "R0007"
+ description: "Detecting execution of kubernetes client"
+ expressions:
+ message: "eventType == 'exec' ? 'Kubernetes client (' + event.comm + ') was executed with PID ' + string(event.pid) : 'Network connection to Kubernetes API server from container ' + event.containerName"
+ uniqueId: "eventType == 'exec' ? 'exec_' + event.comm : 'network_' + event.dstAddr"
+ ruleExpression:
+ - eventType: "exec"
+ expression: "(event.comm == 'kubectl' || event.exepath.endsWith('/kubectl')) && !ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm))"
+ - eventType: "network"
+ expression: "event.pktType == 'OUTGOING' && k8s.is_api_server_address(event.dstAddr) && !nn.was_address_in_egress(event.containerId, event.dstAddr)"
+ profileDependency: 0
+ severity: 5 # Medium
+ supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0008"
+ mitreTechnique: "T1210"
+ tags:
+ - "exec"
+ - "network"
+ - "anomaly"
+ - "applicationprofile"
diff --git a/pkg/rules/r0007-kubernetes-client-executed/rule_test.go b/pkg/rules/r0007-kubernetes-client-executed/rule_test.go
index 616e7d1..957d4b9 100644
--- a/pkg/rules/r0007-kubernetes-client-executed/rule_test.go
+++ b/pkg/rules/r0007-kubernetes-client-executed/rule_test.go
@@ -11,13 +11,11 @@ import (
 "github.com/kubescape/node-agent/pkg/utils"
 "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1"
- tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types"
- tracernetworktype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/network/types"
 eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types"
 objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1"
 celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel"
 "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache"
- common "github.com/kubescape/rulelibrary/pkg/common"
+ "github.com/kubescape/rulelibrary/pkg/common"
 )
 func TestR0007KubernetesClientExecuted(t *testing.T) {
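Review bot: The new `mitreTactic: "TA0008"` / `mitreTechnique: "T1210"` pairing (Lateral Movement / Exploitation of Remote Services) is an odd fit for what this rule observes — a kubectl execution or a direct connection to the API server from a workload — since no exploitation is detected; T1609 (Container Administration Command, under Execution) describes kubectl invocation more directly, and which mapping is right depends on how these fields are consumed downstream, which the hunk does not show. A comment recording the reasoning, e.g. `# MITRE: API-server use from inside a workload is classified as lateral movement`, would stop the next reader from re-deriving it. Separately, `event.exepath` is all lower-case where every other attribute in these rules is camelCase (`containerId`, `dstAddr`, `pktType`); R1000 uses the same spelling, so it is presumably the engine's field name, but it is worth a glance since a mistyped attribute would fail at evaluation rather than at load.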
@@ -27,26 +25,15 @@ func TestR0007KubernetesClientExecuted(t *testing.T) { } // Create a kubectl exec event - e := &events.ExecEvent{ - Event: tracerexectype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - Pid: 1234, - Comm: "kubectl", - Pcomm: "test-process", - ExePath: "/usr/bin/kubectl", - Args: []string{"kubectl", "get", "pods"}, - }, + e := &utils.StructEvent{ + Args: []string{"kubectl", "get", "pods"}, + Comm: "kubectl", + Container: "test", + ContainerID: "test", + EventType: utils.ExecveEventType, + ExePath: "/usr/bin/kubectl", + Pcomm: "test-process", + Pid: 1234, } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -74,8 +61,7 @@ func TestR0007KubernetesClientExecuted(t *testing.T) { t.Fatalf("Failed to create CEL engine: %v", err) } enrichedEvent := &events.EnrichedEvent{ - EventType: utils.ExecveEventType, - Event: e, + Event: e, } // Test without profile - should trigger alert @@ -134,8 +120,8 @@ func TestR0007KubernetesClientExecuted(t *testing.T) { } // Test with non-kubectl process (should not trigger) - e.Event.Comm = "nginx" - e.Event.ExePath = "/usr/bin/nginx" + e.Comm = "nginx" + e.ExePath = "/usr/bin/nginx" ok, err = celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression) if err != nil { 
@@ -152,24 +138,15 @@ func TestR0007KubernetesClientExecutedNetwork(t *testing.T) { t.Fatalf("Failed to load rule: %v", err) } - e := &tracernetworktype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - PktType: "OUTGOING", + e := &utils.StructEvent{ + Container: "test", + ContainerID: "test", DstEndpoint: eventtypes.L3Endpoint{ Addr: "1.1.1.1", }, - Port: 80, + DstPort: 80, + EventType: utils.NetworkEventType, + PktType: "OUTGOING", } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -199,8 +176,7 @@ func TestR0007KubernetesClientExecutedNetwork(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.NetworkEventType, - Event: e, + Event: e, } // Sleep for 1 millisecond to make sure the cache is expired diff --git a/pkg/rules/r0008-read-environment-variables-procfs/read-environment-variables-procfs.yaml b/pkg/rules/r0008-read-environment-variables-procfs/read-environment-variables-procfs.yaml index cb1a0a0..74de3ce 100644 --- a/pkg/rules/r0008-read-environment-variables-procfs/read-environment-variables-procfs.yaml +++ b/pkg/rules/r0008-read-environment-variables-procfs/read-environment-variables-procfs.yaml 
@@ -7,24 +7,27 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Read Environment Variables from procfs"
- enabled: true
- id: "R0008"
- description: "Detecting reading environment variables from procfs."
- expressions:
- message: "'Reading environment variables from procfs: ' + open.full_path + ' by process ' + open.comm"
- unique_id: "open.comm"
- rule_expression:
- - event_type: "open"
- expression: >
- open.full_path.startsWith('/proc/') &&
- open.full_path.endsWith('/environ') &&
- !ap.was_path_opened_with_suffix(open.runtime.container_id, '/environ')
- profile_dependency: 0 # Required
- severity: 5 # Medium
- support_policy: false
- tags:
- - "anomaly"
- - "procfs"
- - "environment"
- - "applicationprofile"
+ - name: "Read Environment Variables from procfs"
+ enabled: true
+ id: "R0008"
+ description: "Detecting reading environment variables from procfs."
+ expressions:
+ message: "'Reading environment variables from procfs: ' + event.path + ' by process ' + event.comm"
+ uniqueId: "event.comm + '_' + event.path"
+ ruleExpression:
+ - eventType: "open"
+ expression: >
+ event.path.startsWith('/proc/') &&
+ event.path.endsWith('/environ') &&
+ !ap.was_path_opened_with_suffix(event.containerId, '/environ')
+ profileDependency: 0 # Required
+ severity: 5 # Medium
+ supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0006"
+ mitreTechnique: "T1552.001"
+ tags:
+ - "anomaly"
+ - "procfs"
+ - "environment"
+ - "applicationprofile"
diff --git a/pkg/rules/r0008-read-environment-variables-procfs/rule_test.go b/pkg/rules/r0008-read-environment-variables-procfs/rule_test.go
index 897ffba..c478fe2 100644
--- a/pkg/rules/r0008-read-environment-variables-procfs/rule_test.go
+++ b/pkg/rules/r0008-read-environment-variables-procfs/rule_test.go
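Review bot: `uniqueId` changes from `event.comm` to `event.comm + '_' + event.path`, and because the matched paths are of the form `/proc/<pid>/environ` the target PID becomes part of the identifier, so one process walking procfs yields a distinct ID — and, if uniqueId drives alert deduplication, a distinct alert — for every PID it reads instead of one per process. If per-PID granularity is intended, a note on the line, e.g. `# path contains the target PID, so each /proc/<pid>/environ read gets its own id`, makes that explicit; otherwise a PID-independent key (the comm plus the literal `/environ` suffix) keeps the old dedup behaviour while still separating processes. The README table in this commit describes the field only as "CEL expression for unique event ID", so the dedup semantics are inferred rather than visible here.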
@@ -5,8 +5,6 @@ import ( "time" "github.com/goradd/maps" - traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" @@ -20,29 +18,17 @@ import ( ) // createTestEvent creates a test OpenEvent -func createTestEvent(containerName, containerID, path string, flags []string) *events.OpenEvent { - return &events.OpenEvent{ - Event: traceropentype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: containerID, - }, - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: containerName, - }, - }, - }, - }, - Comm: "test-process", - Path: path, - FullPath: path, - Flags: flags, - Pid: 1234, - Uid: 0, - Gid: 0, - }, +func createTestEvent(containerName, containerID, path string, flags []string) *utils.StructEvent { + return &utils.StructEvent{ + Comm: "test-process", + Container: containerName, + ContainerID: containerID, + EventType: utils.OpenEventType, + Flags: flags, + Gid: 0, + Path: path, + Pid: 1234, + Uid: 0, } } @@ -69,7 +55,7 @@ func TestR0008ReadEnvironmentVariablesProcFS(t *testing.T) { tests := []struct { name string - event *events.OpenEvent + event *utils.StructEvent profile *v1beta1.ApplicationProfile expectTrigger bool description string @@ -178,8 +164,7 @@ func TestR0008ReadEnvironmentVariablesProcFS(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.OpenEventType, - Event: tt.event, + Event: tt.event, } // Evaluate the rule 
@@ -200,7 +185,7 @@ func TestR0008ReadEnvironmentVariablesProcFS(t *testing.T) { if err != nil { t.Fatalf("Failed to evaluate message: %v", err) } - expectedMessage := "Reading environment variables from procfs: " + tt.event.FullPath + " by process " + tt.event.Comm + expectedMessage := "Reading environment variables from procfs: " + tt.event.Path + " by process " + tt.event.Comm if message != expectedMessage { t.Errorf("Message evaluation failed. Expected: %s, Got: %s", expectedMessage, message) } @@ -210,7 +195,7 @@ func TestR0008ReadEnvironmentVariablesProcFS(t *testing.T) { if err != nil { t.Fatalf("Failed to evaluate unique ID: %v", err) } - expectedUniqueID := tt.event.Comm + expectedUniqueID := tt.event.Comm + "_" + tt.event.Path if uniqueID != expectedUniqueID { t.Errorf("Unique ID evaluation failed. Expected: %s, Got: %s", expectedUniqueID, uniqueID) } @@ -309,8 +294,7 @@ func TestR0008VariousProcFSPaths(t *testing.T) { // Serialize event and evaluate enrichedEvent := &events.EnrichedEvent{ - EventType: utils.OpenEventType, - Event: event, + Event: event, } triggered, err := celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression) diff --git a/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml b/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml index e772463..4b24def 100644 --- a/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml +++ b/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml 
@@ -7,20 +7,23 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "eBPF Program Load"
- enabled: true
- id: "R0009"
- description: "Detecting eBPF program load."
- expressions:
- message: "'bpf system call executed in ' + syscall.k8s.container_name"
- unique_id: "syscall.comm + '_' + syscall.syscall_name"
- rule_expression:
- - event_type: "syscall"
- expression: "syscall.syscall_name == 'bpf' && !ap.was_syscall_used(syscall.runtime.container_id, syscall.syscall_name)"
- profile_dependency: 1
- severity: 5
- support_policy: false
- tags:
- - "syscall"
- - "ebpf"
- - "applicationprofile"
+ - name: "eBPF Program Load"
+ enabled: true
+ id: "R0009"
+ description: "Detecting eBPF program load."
+ expressions:
+ message: "'bpf program load system call (bpf) was called by process (' + event.comm + ') with command (BPF_PROG_LOAD)'"
+ uniqueId: "event.comm + '_' + 'bpf' + '_' + string(event.cmd)"
+ ruleExpression:
+ - eventType: "bpf"
+ expression: "event.cmd == uint(5) && !ap.was_syscall_used(event.containerId, 'bpf')"
+ profileDependency: 1
+ severity: 5
+ supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0005"
+ mitreTechnique: "T1218"
+ tags:
+ - "bpf"
+ - "ebpf"
+ - "applicationprofile"
diff --git a/pkg/rules/r0009-ebpf-program-load/rule_test.go b/pkg/rules/r0009-ebpf-program-load/rule_test.go
index 10bfe22..a47435b 100644
--- a/pkg/rules/r0009-ebpf-program-load/rule_test.go
+++ b/pkg/rules/r0009-ebpf-program-load/rule_test.go
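Review bot: The expression `event.cmd == uint(5)` relies on a bare magic number; 5 is BPF_PROG_LOAD in the Linux bpf(2) command enumeration, which a reader can only infer from the "(BPF_PROG_LOAD)" text baked into the message string. A YAML comment on the expression line, `# 5 == BPF_PROG_LOAD (enum bpf_cmd); other bpf commands are intentionally ignored`, documents both the constant and the narrowing from "any bpf syscall" to program loads. The `string(event.cmd)` suffix in `uniqueId` is always `"5"` while the expression holds, so it adds no discrimination beyond the literal `'bpf'` already in the key; keeping it is harmless but worth knowing when reading alert IDs.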
@@ -5,16 +5,14 @@ import ( "time" "github.com/goradd/maps" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1" celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" - "github.com/kubescape/node-agent/pkg/rulemanager/types" "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" ) @@ -25,22 +23,14 @@ func TestR0009EbpfProgramLoad(t *testing.T) { } // Create a syscall event with bpf syscall - e := &types.SyscallEvent{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - Pid: 1234, + e := &utils.StructEvent{ Comm: "test-process", - SyscallName: "bpf", + Container: "test", + ContainerID: "test", + EventType: utils.BpfEventType, + Pid: 1234, + Syscall: "bpf", + Cmd: 5, } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -70,8 +60,7 @@ func TestR0009EbpfProgramLoad(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.SyscallEventType, - Event: e, + Event: e, } // Test without profile - should trigger alert @@ -88,7 +77,7 @@ func TestR0009EbpfProgramLoad(t *testing.T) { if err != nil { t.Fatalf("Failed to evaluate message: %v", err) } - if message != "bpf system call executed in test" { + if message != "bpf program load system call (bpf) was called by process (test-process) with command (BPF_PROG_LOAD)" { t.Fatalf("Message evaluation failed, got: %s", message) } 
@@ -97,7 +86,7 @@ func TestR0009EbpfProgramLoad(t *testing.T) { if err != nil { t.Fatalf("Failed to evaluate unique id: %v", err) } - if uniqueId != "test-process_bpf" { + if uniqueId != "test-process_bpf_5" { t.Fatalf("Unique id evaluation failed, got: %s", uniqueId) } @@ -125,7 +114,7 @@ func TestR0009EbpfProgramLoad(t *testing.T) { } // Test with non-bpf syscall (should not trigger) - e.SyscallName = "open" + e.Syscall = "open" ok, err = celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression) if err != nil { diff --git a/pkg/rules/r0010-unexpected-sensitive-file-access/rule_test.go b/pkg/rules/r0010-unexpected-sensitive-file-access/rule_test.go index 1c28176..c715be1 100644 --- a/pkg/rules/r0010-unexpected-sensitive-file-access/rule_test.go +++ b/pkg/rules/r0010-unexpected-sensitive-file-access/rule_test.go @@ -11,12 +11,10 @@ import ( "github.com/kubescape/node-agent/pkg/utils" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" - traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1" celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" ) func TestR0010UnexpectedSensitiveFileAccess(t *testing.T) { 
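Review bot: The negative case in the `@@ -125,7 +114,7 @@` hunk sets `e.Syscall = "open"` but leaves `Cmd: 5` in place, while the rule expression this commit introduces (`event.cmd == uint(5) && !ap.was_syscall_used(event.containerId, 'bpf')`) never reads the syscall name, so the change does not by itself make the expression false and the case no longer tests what its comment says ("non-bpf syscall (should not trigger)"); whether the assertion passes then depends on state set up earlier in the test, which is outside the hunk. Changing the command instead, `e.Cmd = 0 // BPF_MAP_CREATE, not a program load`, exercises the condition the rule actually checks. The assertion that follows the `EvaluateRule` call is also outside the hunk.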
@@ -26,26 +24,14 @@ func TestR0010UnexpectedSensitiveFileAccess(t *testing.T) { } // Create a file access event to sensitive file - e := &events.OpenEvent{ - Event: traceropentype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - Pid: 1234, - Comm: "test-process", - Path: "/etc/shadow", - FullPath: "/etc/shadow", - Flags: []string{"O_RDONLY"}, - }, + e := &utils.StructEvent{ + Comm: "test-process", + Container: "test", + ContainerID: "test", + EventType: utils.OpenEventType, + Flags: []string{"O_RDONLY"}, + Path: "/etc/shadow", + Pid: 1234, } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -75,8 +61,7 @@ func TestR0010UnexpectedSensitiveFileAccess(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.OpenEventType, - Event: e, + Event: e, } // Test without profile - should trigger alert for sensitive file @@ -135,8 +120,7 @@ func TestR0010UnexpectedSensitiveFileAccess(t *testing.T) { } // Test with non-sensitive file (should not trigger) - e.Event.Path = "/tmp/test.txt" - e.Event.FullPath = "/tmp/test.txt" + e.Path = "/tmp/test.txt" ok, err = celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression) if err != nil { diff --git a/pkg/rules/r0010-unexpected-sensitive-file-access/unexpected-sensitive-file-access.yaml b/pkg/rules/r0010-unexpected-sensitive-file-access/unexpected-sensitive-file-access.yaml index bbdd917..6945e50 100644 --- a/pkg/rules/r0010-unexpected-sensitive-file-access/unexpected-sensitive-file-access.yaml +++ b/pkg/rules/r0010-unexpected-sensitive-file-access/unexpected-sensitive-file-access.yaml 
@@ -7,20 +7,23 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Unexpected Sensitive File Access"
- enabled: true
- id: "R0010"
- description: "Detecting access to sensitive files."
- expressions:
- message: "'Unexpected sensitive file access: ' + open.full_path + ' by process ' + open.comm"
- unique_id: "open.comm + '_' + open.full_path"
- rule_expression:
- - event_type: "open"
- expression: "open.full_path.startsWith('/etc/shadow') && !ap.was_path_opened(open.runtime.container_id, open.full_path)"
- profile_dependency: 1
- severity: 5
- support_policy: false
- tags:
- - "files"
- - "anomaly"
- - "applicationprofile"
+ - name: "Unexpected Sensitive File Access"
+ enabled: true
+ id: "R0010"
+ description: "Detecting access to sensitive files."
+ expressions:
+ message: "'Unexpected sensitive file access: ' + event.path + ' by process ' + event.comm"
+ uniqueId: "event.comm + '_' + event.path"
+ ruleExpression:
+ - eventType: "open"
+ expression: "event.path.startsWith('/etc/shadow') && !ap.was_path_opened(event.containerId, event.path)"
+ profileDependency: 1
+ severity: 5
+ supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0006"
+ mitreTechnique: "T1005"
+ tags:
+ - "files"
+ - "anomaly"
+ - "applicationprofile"
diff --git a/pkg/rules/r0011-unexpected-egress-network-traffic/rule_test.go b/pkg/rules/r0011-unexpected-egress-network-traffic/rule_test.go
index 5b6243c..4e232f4 100644
--- a/pkg/rules/r0011-unexpected-egress-network-traffic/rule_test.go
+++ b/pkg/rules/r0011-unexpected-egress-network-traffic/rule_test.go
@@ -5,7 +5,6 @@ import (
 "time"
 "github.com/goradd/maps"
- tracernetworktype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/network/types"
 eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types"
 "github.com/kubescape/node-agent/pkg/config"
 "github.com/kubescape/node-agent/pkg/ebpf/events"
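Review bot: `mitreTactic: "TA0006"` (Credential Access) is paired with `mitreTechnique: "T1005"`, which is Data from Local System under Collection (TA0009), so the two new fields contradict each other. For a read of `/etc/shadow` — the only path the expression matches — the Credential Access technique is T1003.008 (OS Credential Dumping: /etc/passwd and /etc/shadow), so `mitreTechnique: "T1003.008"` keeps the tactic consistent; if the rule is meant to grow beyond shadow, as the generic "sensitive files" description suggests, the tactic should move to `"TA0009"` with T1005 instead. Either way the pair should agree before downstream consumers start grouping alerts by it.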
@@ -14,7 +13,7 @@ import ( celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" ) @@ -25,27 +24,18 @@ func TestR0011UnexpectedEgressNetworkTraffic(t *testing.T) { } // Create a network event for outgoing traffic to external IP - e := &tracernetworktype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - PktType: "OUTGOING", + e := &utils.StructEvent{ + Comm: "curl", + Container: "test", + ContainerID: "test", DstEndpoint: eventtypes.L3Endpoint{ Addr: "1.1.1.1", // External IP }, - Port: 80, - Proto: "TCP", - Comm: "curl", - Pid: 1234, + DstPort: 80, + EventType: utils.NetworkEventType, + Pid: 1234, + PktType: "OUTGOING", + Proto: "TCP", } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -75,8 +65,7 @@ func TestR0011UnexpectedEgressNetworkTraffic(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.NetworkEventType, - Event: e, + Event: e, } // Test without network neighborhood - should trigger alert @@ -172,7 +161,7 @@ func TestR0011UnexpectedEgressNetworkTraffic(t *testing.T) { // Test with different port and protocol e.DstEndpoint.Addr = "3.3.3.3" // External IP - e.Port = 443 + e.DstPort = 443 e.Proto = "TCP" ok, err = celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression) 
@@ -185,7 +174,7 @@ func TestR0011UnexpectedEgressNetworkTraffic(t *testing.T) { // Test with UDP protocol e.Proto = "UDP" - e.Port = 53 + e.DstPort = 53 ok, err = celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression) if err != nil { diff --git a/pkg/rules/r0011-unexpected-egress-network-traffic/unexpected-egress-network-traffic.yaml b/pkg/rules/r0011-unexpected-egress-network-traffic/unexpected-egress-network-traffic.yaml index bb1408f..c808959 100644 --- a/pkg/rules/r0011-unexpected-egress-network-traffic/unexpected-egress-network-traffic.yaml +++ b/pkg/rules/r0011-unexpected-egress-network-traffic/unexpected-egress-network-traffic.yaml 
@@ -7,21 +7,24 @@ metadata: app: kubescape spec: rules: - - name: "Unexpected Egress Network Traffic" - enabled: false - id: "R0011" - description: "Detecting unexpected egress network traffic that is not whitelisted by application profile." - expressions: - message: "'Unexpected egress network communication to: ' + network.dst_endpoint.addr + ':' + string(dyn(network.port)) + ' using ' + network.proto + ' from: ' + network.k8s.container_name" - unique_id: "network.dst_endpoint.addr + '_' + string(dyn(network.port)) + '_' + network.proto" - rule_expression: - - event_type: "network" - expression: "network.pkt_type == 'OUTGOING' && !net.is_private_ip(network.dst_endpoint.addr) && !nn.was_address_in_egress(network.runtime.container_id, network.dst_endpoint.addr)" - profile_dependency: 0 - severity: 5 # Medium - support_policy: false - tags: - - "whitelisted" - - "network" - - "anomaly" - - "networkprofile" + - name: "Unexpected Egress Network Traffic" + enabled: false + id: "R0011" + description: "Detecting unexpected egress network traffic that is not whitelisted by application profile." + expressions: + message: "'Unexpected egress network communication to: ' + event.dstAddr + ':' + string(event.dstPort) + ' using ' + event.proto + ' from: ' + event.containerName" + uniqueId: "event.dstAddr + '_' + string(event.dstPort) + '_' + event.proto" + ruleExpression: + - eventType: "network" + expression: "event.pktType == 'OUTGOING' && !net.is_private_ip(event.dstAddr) && !nn.was_address_in_egress(event.containerId, event.dstAddr)" + profileDependency: 0 + severity: 5 # Medium + supportPolicy: false + isTriggerAlert: false + mitreTactic: "TA0010" + mitreTechnique: "T1041" + tags: + - "whitelisted" + - "network" + - "anomaly" + - "networkprofile" diff --git a/pkg/rules/r1000-exec-from-malicious-source/exec-from-malicious-source.yaml b/pkg/rules/r1000-exec-from-malicious-source/exec-from-malicious-source.yaml index b14f716..e7be6e4 100644 
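Review bot: The rewritten `message` and `uniqueId` lines convert the port with `string(event.dstPort)`, while the R1003 rule later in this same commit keeps `string(dyn(event.dstPort))`; the two rules should agree on whether the port field needs the `dyn` wrapper, otherwise a change in the event schema will break one rule and not the other. If the typed conversion is intended everywhere, R1003 should be brought in line; if not, these lines should read `string(dyn(event.dstPort))`. `isTriggerAlert: false` is also the only such value in the commit — presumably deliberate given `enabled: false`, but a short comment on that line would save the next reader the question.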
--- a/pkg/rules/r1000-exec-from-malicious-source/exec-from-malicious-source.yaml +++ b/pkg/rules/r1000-exec-from-malicious-source/exec-from-malicious-source.yaml @@ -7,23 +7,26 @@ metadata: app: kubescape spec: rules: - - name: "Process executed from malicious source" - enabled: true - id: "R1000" - description: "Detecting exec calls that are from malicious source like: /dev/shm" - expressions: - message: "'Execution from malicious source: ' + exec.exe_path + ' in directory ' + exec.cwd" - unique_id: "exec.comm + '_' + exec.exe_path + '_' + exec.pcomm" - rule_expression: - - event_type: "exec" - expression: > - (exec.exe_path == '/dev/shm' || exec.exe_path.startsWith('/dev/shm/')) || - (exec.cwd == '/dev/shm' || exec.cwd.startsWith('/dev/shm/') || - (parse.get_exec_path(exec.args, exec.comm).startsWith('/dev/shm/'))) - profile_dependency: 2 - severity: 8 - support_policy: false - tags: - - "exec" - - "signature" - - "malicious" + - name: "Process executed from malicious source" + enabled: true + id: "R1000" + description: "Detecting exec calls that are from malicious source like: /dev/shm" + expressions: + message: "'Execution from malicious source: ' + event.exepath + ' in directory ' + event.cwd" + uniqueId: "event.comm + '_' + event.exepath + '_' + event.pcomm" + ruleExpression: + - eventType: "exec" + expression: > + (event.exepath == '/dev/shm' || event.exepath.startsWith('/dev/shm/')) || + (event.cwd == '/dev/shm' || event.cwd.startsWith('/dev/shm/') || + (parse.get_exec_path(event.args, event.comm).startsWith('/dev/shm/'))) + profileDependency: 2 + severity: 8 + supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0002" + mitreTechnique: "T1059" + tags: + - "exec" + - "signature" + - "malicious" diff --git a/pkg/rules/r1000-exec-from-malicious-source/rule_test.go b/pkg/rules/r1000-exec-from-malicious-source/rule_test.go index 0a40028..c7a70c0 100644 --- a/pkg/rules/r1000-exec-from-malicious-source/rule_test.go 
+++ b/pkg/rules/r1000-exec-from-malicious-source/rule_test.go @@ -5,8 +5,6 @@ import ( "time" "github.com/goradd/maps" - tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" @@ -18,31 +16,20 @@ import ( ) // createTestExecEvent creates a test ExecEvent -func createTestExecEvent(containerName, containerID, comm, exePath, cwd string, args []string) *events.ExecEvent { - return &events.ExecEvent{ - Event: tracerexectype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: containerID, - }, - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: containerName, - }, - }, - }, - }, - Comm: comm, - ExePath: exePath, - Cwd: cwd, - Args: args, - Pid: 1234, - Ppid: 123, - Pcomm: "parent-process", - Uid: 0, - Gid: 0, - }, +func createTestExecEvent(containerName, containerID, comm, exePath, cwd string, args []string) *utils.StructEvent { + return &utils.StructEvent{ + Args: args, + Comm: comm, + Container: containerName, + ContainerID: containerID, + Cwd: cwd, + EventType: utils.ExecveEventType, + ExePath: exePath, + Gid: 0, + Pcomm: "parent-process", + Pid: 1234, + Ppid: 123, + Uid: 0, } } @@ -55,7 +42,7 @@ func TestR1000ExecFromMaliciousSource(t *testing.T) { tests := []struct { name string - event *events.ExecEvent + event *utils.StructEvent expectTrigger bool description string }{ @@ -151,8 +138,7 @@ func TestR1000ExecFromMaliciousSource(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.ExecveEventType, - Event: tt.event, + Event: tt.event, } // Evaluate the rule 
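Review bot: The doc comment left as context above `createTestExecEvent` still says it "creates a test ExecEvent", but the helper now returns `*utils.StructEvent`; it should read `// createTestExecEvent builds a *utils.StructEvent describing an execve for the test table.` The same stale comment sits above the R1001 helper in the hunk two files below.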
@@ -290,8 +276,7 @@ func TestR1000MaliciousPathVariants(t *testing.T) { // Serialize event and evaluate enrichedEvent := &events.EnrichedEvent{ - EventType: utils.ExecveEventType, - Event: event, + Event: event, } triggered, err := celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression) diff --git a/pkg/rules/r1001-exec-binary-not-in-base-image/exec-binary-not-in-base-image.yaml b/pkg/rules/r1001-exec-binary-not-in-base-image/exec-binary-not-in-base-image.yaml index 7540bb9..0671460 100644 --- a/pkg/rules/r1001-exec-binary-not-in-base-image/exec-binary-not-in-base-image.yaml +++ b/pkg/rules/r1001-exec-binary-not-in-base-image/exec-binary-not-in-base-image.yaml 
@@ -7,25 +7,28 @@ metadata: app: kubescape spec: rules: - - name: "Drifted process executed" - enabled: true - id: "R1001" - description: "Detecting exec calls of binaries that are not included in the base image" - expressions: - message: "'Process (' + exec.comm + ') was executed and is not part of the image'" - unique_id: "exec.comm + '_' + exec.exe_path + '_' + exec.pcomm" - rule_expression: - - event_type: "exec" - expression: > - (exec.upper_layer == true || - exec.pupper_layer == true) && - !ap.was_executed(exec.runtime.container_id, parse.get_exec_path(exec.args, exec.comm)) - profile_dependency: 1 - severity: 8 - support_policy: false - tags: - - "exec" - - "malicious" - - "binary" - - "base image" - - "applicationprofile" + - name: "Drifted process executed" + enabled: true + id: "R1001" + description: "Detecting exec calls of binaries that are not included in the base image" + expressions: + message: "'Process (' + event.comm + ') was executed and is not part of the image'" + uniqueId: "event.comm + '_' + event.exepath + '_' + event.pcomm" + ruleExpression: + - eventType: "exec" + expression: > + (event.upperlayer == true || + event.pupperlayer == true) && + !ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm)) + profileDependency: 1 + severity: 8 + supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0005" + mitreTechnique: "T1036" + tags: + - "exec" + - "malicious" + - "binary" + - "base image" + - "applicationprofile" diff --git a/pkg/rules/r1001-exec-binary-not-in-base-image/rule_test.go b/pkg/rules/r1001-exec-binary-not-in-base-image/rule_test.go index 672bb31..a6df67c 100644 --- a/pkg/rules/r1001-exec-binary-not-in-base-image/rule_test.go +++ b/pkg/rules/r1001-exec-binary-not-in-base-image/rule_test.go 
@@ -5,8 +5,6 @@ import ( "time" "github.com/goradd/maps" - tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" @@ -19,33 +17,22 @@ import ( ) // createTestExecEvent creates a test ExecEvent -func createTestExecEvent(containerName, containerID, comm, exePath, cwd string, args []string, upperLayer, pupperLayer bool) *events.ExecEvent { - return &events.ExecEvent{ - Event: tracerexectype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: containerID, - }, - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: containerName, - }, - }, - }, - }, - Comm: comm, - ExePath: exePath, - Cwd: cwd, - Args: args, - Pid: 1234, - Ppid: 123, - Pcomm: "parent-process", - Uid: 0, - Gid: 0, - UpperLayer: upperLayer, - PupperLayer: pupperLayer, - }, +func createTestExecEvent(containerName, containerID, comm, exePath, cwd string, args []string, upperLayer, pupperLayer bool) *utils.StructEvent { + return &utils.StructEvent{ + Args: args, + Comm: comm, + Container: containerName, + ContainerID: containerID, + Cwd: cwd, + EventType: utils.ExecveEventType, + ExePath: exePath, + Gid: 0, + Pcomm: "parent-process", + Pid: 1234, + Ppid: 123, + PupperLayer: pupperLayer, + Uid: 0, + UpperLayer: upperLayer, } } @@ -72,7 +59,7 @@ func TestR1001ExecBinaryNotInBaseImage(t *testing.T) { tests := []struct { name string - event *events.ExecEvent + event *utils.StructEvent profile *v1beta1.ApplicationProfile expectTrigger bool description string 
@@ -155,7 +142,7 @@ func TestR1001ExecBinaryNotInBaseImage(t *testing.T) { ContainerInfos: map[objectcache.ContainerType][]objectcache.ContainerInfo{ objectcache.Container: { { - Name: tt.event.Event.K8s.BasicK8sMetadata.ContainerName, + Name: tt.event.Container, }, }, }, @@ -179,8 +166,7 @@ func TestR1001ExecBinaryNotInBaseImage(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.ExecveEventType, - Event: tt.event, + Event: tt.event, } // Evaluate the rule @@ -278,7 +264,7 @@ func TestR1001UpperLayerVariants(t *testing.T) { ContainerInfos: map[objectcache.ContainerType][]objectcache.ContainerInfo{ objectcache.Container: { { - Name: event.Event.K8s.BasicK8sMetadata.ContainerName, + Name: event.Container, }, }, }, @@ -297,8 +283,7 @@ func TestR1001UpperLayerVariants(t *testing.T) { // Serialize event and evaluate enrichedEvent := &events.EnrichedEvent{ - EventType: utils.ExecveEventType, - Event: event, + Event: event, } triggered, err := celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression) diff --git a/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml b/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml index 12ca408..09c18e2 100644 --- a/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml +++ b/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml 
@@ -7,23 +7,24 @@ metadata: app: kubescape spec: rules: - - name: "Process tries to load a kernel module" - enabled: true - id: "R1002" - description: "Detecting Kernel Module Load." - expressions: - message: "'Kernel module load syscall (' + syscall.syscall_name + ') was called'" - unique_id: "syscall.syscall_name" - rule_expression: - - event_type: "syscall" - expression: > - syscall.syscall_name == 'init_module' || - syscall.syscall_name == 'finit_module' - profile_dependency: 2 - severity: 10 - support_policy: false - tags: - - "syscall" - - "kernel" - - "module" - - "load" + - name: "Process tries to load a kernel module" + enabled: true + id: "R1002" + description: "Detecting Kernel Module Load." + expressions: + message: "'Kernel module (' + event.module + ') loading attempt with syscall (' + event.syscallName + ') was called by process (' + event.comm + ')'" + uniqueId: "event.comm + '_' + event.syscallName + '_' + event.module" + ruleExpression: + - eventType: "kmod" + expression: "event.syscallName == 'init_module' || event.syscallName == 'finit_module'" + profileDependency: 2 + severity: 10 + supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0005" + mitreTechnique: "T1547.006" + tags: + - "kmod" + - "kernel" + - "module" + - "load" diff --git a/pkg/rules/r1002-kernel-module-load/rule_test.go b/pkg/rules/r1002-kernel-module-load/rule_test.go index ee7a864..964d128 100644 --- a/pkg/rules/r1002-kernel-module-load/rule_test.go +++ b/pkg/rules/r1002-kernel-module-load/rule_test.go 
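Review bot: `mitreTactic: "TA0005"` (Defense Evasion) does not match `mitreTechnique: "T1547.006"` (Kernel Modules and Extensions), which ATT&CK places under Persistence and Privilege Escalation; one of the two fields should change, for example `mitreTactic: "TA0003"` — worth confirming against the ATT&CK matrix before merging. The switch from `eventType: "syscall"` to `eventType: "kmod"` and the new `event.module` field are only exercised by the test table in this commit; I cannot see the engine side here, so I am assuming `kmod` is a registered event type.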
@@ -11,31 +11,20 @@ import ( objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1" celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" - "github.com/kubescape/node-agent/pkg/rulemanager/types" "github.com/kubescape/node-agent/pkg/utils" "github.com/kubescape/rulelibrary/pkg/common" - - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" ) // createTestSyscallEvent creates a test SyscallEvent -func createTestSyscallEvent(containerName, containerID, comm, syscallName string, pid uint32) *types.SyscallEvent { - return &types.SyscallEvent{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: containerName, - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: containerID, - }, - }, - }, +func createTestKmodEvent(containerName, containerID, comm, syscallName, module string, pid uint32) *utils.StructEvent { + return &utils.StructEvent{ Comm: comm, - SyscallName: syscallName, + Container: containerName, + ContainerID: containerID, + EventType: utils.KmodEventType, Pid: pid, + Syscall: syscallName, + Module: module, } } 
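Review bot: The comment `// createTestSyscallEvent creates a test SyscallEvent` was kept as context while the function under it was renamed to `createTestKmodEvent` and now returns `*utils.StructEvent`; it should read `// createTestKmodEvent builds a *utils.StructEvent for a kernel-module syscall carrying the given module name.` Go doc comments are expected to begin with the function's own name, so the stale name will also be flagged by doc-comment linters.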
@@ -48,31 +37,31 @@ func TestR1002KernelModuleLoad(t *testing.T) { tests := []struct { name string - event *types.SyscallEvent + event *utils.StructEvent expectTrigger bool description string }{ { name: "init_module syscall", - event: createTestSyscallEvent("test", "container123", "test-process", "init_module", uint32(1234)), + event: createTestKmodEvent("test", "container123", "test-process", "init_module", "module1", uint32(1234)), expectTrigger: true, description: "Should trigger for init_module syscall", }, { name: "finit_module syscall", - event: createTestSyscallEvent("test", "container123", "test-process", "finit_module", uint32(1234)), + event: createTestKmodEvent("test", "container123", "test-process", "finit_module", "module2", uint32(1234)), expectTrigger: true, description: "Should trigger for finit_module syscall", }, { name: "other syscall", - event: createTestSyscallEvent("test", "container123", "test-process", "open", uint32(1234)), + event: createTestKmodEvent("test", "container123", "test-process", "open", "module3", uint32(1234)), expectTrigger: false, description: "Should not trigger for non-kernel-module syscall", }, { name: "other syscall name", - event: createTestSyscallEvent("test", "container123", "test-process", "read", uint32(1234)), + event: createTestKmodEvent("test", "container123", "test-process", "read", "module4", uint32(1234)), expectTrigger: false, description: "Should not trigger for non-kernel-module syscall", }, @@ -89,7 +78,7 @@ func TestR1002KernelModuleLoad(t *testing.T) { ContainerInfos: map[objectcache.ContainerType][]objectcache.ContainerInfo{ objectcache.Container: { { - Name: tt.event.Event.K8s.BasicK8sMetadata.ContainerName, + //Name: tt.event.Event.K8s.BasicK8sMetadata.ContainerName, }, }, }, @@ -108,8 +97,7 @@ func TestR1002KernelModuleLoad(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.SyscallEventType, - Event: tt.event, + Event: tt.event, } // Evaluate the rule 
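Review bot: In the `@@ -89,7 +78,7 @@` hunk the mock's container entry was commented out (`//Name: tt.event.Event.K8s.BasicK8sMetadata.ContainerName,`) instead of being migrated, so `RuleObjectCacheMock` now holds a `ContainerInfo` with an empty name that no longer matches the event's container. The R1001 test in this same commit does the migration with `Name: tt.event.Container,`; this line should do the same and the commented-out line should be dropped. The test probably still passes because R1002 has `profileDependency: 2`, which hides the mismatch rather than proving the mock is wired correctly.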
@@ -130,7 +118,7 @@ func TestR1002KernelModuleLoad(t *testing.T) { if err != nil { t.Fatalf("Failed to evaluate message: %v", err) } - expectedMessage := "Kernel module load syscall (" + tt.event.SyscallName + ") was called" + expectedMessage := "Kernel module (" + tt.event.Module + ") loading attempt with syscall (" + tt.event.Syscall + ") was called by process (" + tt.event.Comm + ")" if message != expectedMessage { t.Errorf("Message evaluation failed. Expected: %s, Got: %s", expectedMessage, message) } @@ -140,7 +128,7 @@ func TestR1002KernelModuleLoad(t *testing.T) { if err != nil { t.Fatalf("Failed to evaluate unique ID: %v", err) } - expectedUniqueID := tt.event.SyscallName + expectedUniqueID := tt.event.Comm + "_" + tt.event.Syscall + "_" + tt.event.Module if uniqueID != expectedUniqueID { t.Errorf("Unique ID evaluation failed. Expected: %s, Got: %s", expectedUniqueID, uniqueID) } diff --git a/pkg/rules/r1003-malicious-ssh-connection/malicious-ssh-connection.yaml b/pkg/rules/r1003-malicious-ssh-connection/malicious-ssh-connection.yaml index 370e769..178a005 100644 --- a/pkg/rules/r1003-malicious-ssh-connection/malicious-ssh-connection.yaml +++ b/pkg/rules/r1003-malicious-ssh-connection/malicious-ssh-connection.yaml 
@@ -7,22 +7,25 @@ metadata: app: kubescape spec: rules: - - name: "Disallowed ssh connection" - enabled: false - id: "R1003" - description: "Detecting ssh connection to disallowed port" - expressions: - message: "'Malicious SSH connection attempt to ' + ssh.dst_ip + ':' + string(dyn(ssh.dst_port))" - unique_id: "ssh.comm + '_' + ssh.dst_ip + '_' + string(dyn(ssh.dst_port))" - rule_expression: - - event_type: "ssh" - expression: "dyn(ssh.src_port) >= 32768 && dyn(ssh.src_port) <= 60999 && !(dyn(ssh.dst_port) in [22, 2022]) && !nn.was_address_in_egress(ssh.runtime.container_id, ssh.dst_ip)" - profile_dependency: 1 - severity: 5 - support_policy: false - tags: - - "ssh" - - "connection" - - "port" - - "malicious" - - "networkprofile" + - name: "Disallowed ssh connection" + enabled: false + id: "R1003" + description: "Detecting ssh connection to disallowed port" + expressions: + message: "'Malicious SSH connection attempt to ' + event.dstIp + ':' + string(dyn(event.dstPort))" + uniqueId: "event.comm + '_' + event.dstIp + '_' + string(dyn(event.dstPort))" + ruleExpression: + - eventType: "ssh" + expression: "dyn(event.srcPort) >= 32768 && dyn(event.srcPort) <= 60999 && !(dyn(event.dstPort) in [22, 2022]) && !nn.was_address_in_egress(event.containerId, event.dstIp)" + profileDependency: 1 + severity: 5 + supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0008" + mitreTechnique: "T1021.001" + tags: + - "ssh" + - "connection" + - "port" + - "malicious" + - "networkprofile" diff --git a/pkg/rules/r1003-malicious-ssh-connection/rule_test.go b/pkg/rules/r1003-malicious-ssh-connection/rule_test.go index 71e04ee..66bfa96 100644 --- a/pkg/rules/r1003-malicious-ssh-connection/rule_test.go +++ b/pkg/rules/r1003-malicious-ssh-connection/rule_test.go 
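Review bot: `mitreTechnique: "T1021.001"` is the Remote Desktop Protocol sub-technique of Remote Services; the SSH sub-technique is T1021.004, so for a rule named "Disallowed ssh connection" this line should read `mitreTechnique: "T1021.004"` — please confirm against the ATT&CK matrix. Separately, the rule is `enabled: false` but `isTriggerAlert: true`, whereas R0011, the other disabled rule in this commit, sets it to `false`; if the combination is meaningful a one-line comment on the `isTriggerAlert` line would make that explicit.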
@@ -5,16 +5,14 @@ import ( "time" "github.com/goradd/maps" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" - tracersshtype "github.com/kubescape/node-agent/pkg/ebpf/gadgets/ssh/types" "github.com/kubescape/node-agent/pkg/objectcache" objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1" celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" ) @@ -26,30 +24,20 @@ func TestR1003MaliciousSSHConnection(t *testing.T) { } // Create a mock SSH event for outgoing connection to disallowed port - e := &tracersshtype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - PodName: "test-pod", - Namespace: "test-namespace", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test-container", - ContainerName: "test", - }, - }, - }, - SrcIP: "192.168.1.100", - DstIP: "1.1.1.1", - SrcPort: 33333, // Ephemeral port - DstPort: 1234, // Disallowed port - Comm: "ssh", - Pid: 1234, - Uid: 1000, - Gid: 1000, + e := &utils.StructEvent{ + Comm: "ssh", + Container: "test", + ContainerID: "test-container", + DstIP: "1.1.1.1", + DstPort: 1234, // Disallowed port + EventType: utils.SSHEventType, + Gid: 1000, + Namespace: "test-namespace", + Pid: 1234, + Pod: "test-pod", + SrcIP: "192.168.1.100", + SrcPort: 33333, // Ephemeral port + Uid: 1000, } objCache := &objectcachev1.RuleObjectCacheMock{ 
@@ -79,8 +67,7 @@ func TestR1003MaliciousSSHConnection(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.SSHEventType, - Event: e, + Event: e, } // Test without network neighborhood - should trigger alert for disallowed port diff --git a/pkg/rules/r1004-exec-from-mount/exec-from-mount.yaml b/pkg/rules/r1004-exec-from-mount/exec-from-mount.yaml index f5261ef..2bb9477 100644 --- a/pkg/rules/r1004-exec-from-mount/exec-from-mount.yaml +++ b/pkg/rules/r1004-exec-from-mount/exec-from-mount.yaml 
@@ -7,20 +7,23 @@ metadata: app: kubescape spec: rules: - - name: "Process executed from mount" - enabled: true - id: "R1004" - description: "Detecting exec calls from mounted paths." - expressions: - message: "'Process (' + exec.comm + ') was executed from a mounted path'" - unique_id: "exec.comm + '_' + exec.exe_path" - rule_expression: - - event_type: "exec" - expression: "!ap.was_executed(exec.runtime.container_id, parse.get_exec_path(exec.args, exec.comm)) && k8s.get_container_mount_paths(exec.k8s.namespace, exec.k8s.pod_name, exec.k8s.container_name).exists(mount, exec.exe_path.startsWith(mount) || parse.get_exec_path(exec.args, exec.comm).startsWith(mount))" - profile_dependency: 1 - severity: 5 - support_policy: false - tags: - - "exec" - - "mount" - - "applicationprofile" + - name: "Process executed from mount" + enabled: true + id: "R1004" + description: "Detecting exec calls from mounted paths." + expressions: + message: "'Process (' + event.comm + ') was executed from a mounted path'" + uniqueId: "event.comm" + ruleExpression: + - eventType: "exec" + expression: "!ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm)) && k8s.get_container_mount_paths(event.namespace, event.podName, event.containerName).exists(mount, event.exepath.startsWith(mount) || parse.get_exec_path(event.args, event.comm).startsWith(mount))" + profileDependency: 1 + severity: 5 + supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0002" + mitreTechnique: "T1059" + tags: + - "exec" + - "mount" + - "applicationprofile" diff --git a/pkg/rules/r1004-exec-from-mount/rule_test.go b/pkg/rules/r1004-exec-from-mount/rule_test.go index 9d9e391..49b077d 100644 --- a/pkg/rules/r1004-exec-from-mount/rule_test.go +++ b/pkg/rules/r1004-exec-from-mount/rule_test.go 
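Review bot: `uniqueId` was narrowed from `exec.comm + '_' + exec.exe_path` to `event.comm` alone, and the test in the next file was updated to expect `/var/test1/test`, so this looks deliberate — but it means two different binaries sharing a comm and executed from different mounts now produce the same unique id, and any dedup or suppression keyed on it will collapse them into one alert. If that is not the intent, `uniqueId: "event.comm + '_' + event.exepath"` keeps parity with R1000, R1001 and R1005, which still include the exe path. Either way the reason belongs in a comment next to the field.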
@@ -5,8 +5,6 @@ import ( "time" "github.com/goradd/maps" - tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" @@ -14,7 +12,7 @@ import ( celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" corev1 "k8s.io/api/core/v1" ) @@ -26,30 +24,18 @@ func TestR1004ExecFromMount(t *testing.T) { } // Create a mock exec event - e := &events.ExecEvent{ - Event: tracerexectype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - PodName: "test-pod", - Namespace: "test-namespace", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test-container", - ContainerName: "test", - }, - }, - }, - Comm: "/var/test1/test", - ExePath: "/var/test1/test", - Args: []string{"/var/test1/test", "arg1"}, - Pid: 1234, - Uid: 1000, - Gid: 1000, - }, + e := &utils.StructEvent{ + Args: []string{"/var/test1/test", "arg1"}, + Comm: "/var/test1/test", + Container: "test", + ContainerID: "test-container", + EventType: utils.ExecveEventType, + ExePath: "/var/test1/test", + Gid: 1000, + Namespace: "test-namespace", + Pid: 1234, + Pod: "test-pod", + Uid: 1000, } objCache := &objectcachev1.RuleObjectCacheMock{ 
@@ -118,8 +104,7 @@ func TestR1004ExecFromMount(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.ExecveEventType, - Event: e, + Event: e, } // Test without application profile - should trigger alert for exec from mounted path @@ -146,7 +131,7 @@ func TestR1004ExecFromMount(t *testing.T) { if err != nil { t.Fatalf("Failed to evaluate unique id: %v", err) } - if uniqueId != "/var/test1/test_/var/test1/test" { + if uniqueId != "/var/test1/test" { t.Fatalf("Unique id evaluation failed, got: %s", uniqueId) } diff --git a/pkg/rules/r1005-fileless-execution/fileless-execution.yaml b/pkg/rules/r1005-fileless-execution/fileless-execution.yaml index 367c09f..6c45d49 100644 --- a/pkg/rules/r1005-fileless-execution/fileless-execution.yaml +++ b/pkg/rules/r1005-fileless-execution/fileless-execution.yaml 
@@ -7,20 +7,23 @@ metadata: app: kubescape spec: rules: - - name: "Fileless execution detected" - enabled: true - id: "R1005" - description: "Detecting Fileless Execution" - expressions: - message: "'Fileless execution detected: exec call \"' + exec.comm + '\" is from a malicious source'" - unique_id: "exec.comm + '_' + exec.exe_path + '_' + exec.pcomm" - rule_expression: - - event_type: "exec" - expression: "exec.exe_path.contains('memfd') || exec.exe_path.startsWith('/proc/self/fd') || exec.exe_path.matches('/proc/[0-9]+/fd/[0-9]+')" - profile_dependency: 2 - severity: 8 - support_policy: false - tags: - - "fileless" - - "execution" - - "malicious" + - name: "Fileless execution detected" + enabled: true + id: "R1005" + description: "Detecting Fileless Execution" + expressions: + message: '''Fileless execution detected: exec call "'' + event.comm + ''" is from a malicious source''' + uniqueId: "event.comm + '_' + event.exepath + '_' + event.pcomm" + ruleExpression: + - eventType: "exec" + expression: "event.exepath.contains('memfd') || event.exepath.startsWith('/proc/self/fd') || event.exepath.matches('/proc/[0-9]+/fd/[0-9]+')" + profileDependency: 2 + severity: 8 + supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0005" + mitreTechnique: "T1055" + tags: + - "fileless" + - "execution" + - "malicious" diff --git a/pkg/rules/r1005-fileless-execution/rule_test.go b/pkg/rules/r1005-fileless-execution/rule_test.go index 7cf027b..caf29e8 100644 --- a/pkg/rules/r1005-fileless-execution/rule_test.go +++ b/pkg/rules/r1005-fileless-execution/rule_test.go @@ -5,8 +5,6 @@ import ( "time" "github.com/goradd/maps" - tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" 
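Review bot: The `message` line switched from a double-quoted YAML scalar with `\"` escapes to a single-quoted scalar with doubled `''` quotes; it yields the same CEL string but is hard to read and easy to break on the next edit, and every other rule in this commit keeps the double-quoted form. Suggest `message: "'Fileless execution detected: exec call \"' + event.comm + '\" is from a malicious source'"`, matching the original formatting.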
@@ -14,7 +12,7 @@ import ( celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" ) func TestR1005FilelessExecution(t *testing.T) { @@ -24,31 +22,19 @@ func TestR1005FilelessExecution(t *testing.T) { } // Create a mock exec event for fileless execution via memfd - e := &events.ExecEvent{ - Event: tracerexectype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - PodName: "test-pod", - Namespace: "test-namespace", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test-container", - ContainerName: "test", - }, - }, - }, - Comm: "/memfd:test", - ExePath: "/memfd:test", - Pcomm: "/memfd:test", - Args: []string{"/memfd:test", "arg1"}, - Pid: 1234, - Uid: 1000, - Gid: 1000, - }, + e := &utils.StructEvent{ + Args: []string{"/memfd:test", "arg1"}, + Comm: "/memfd:test", + Container: "test", + ContainerID: "test-container", + EventType: utils.ExecveEventType, + ExePath: "/memfd:test", + Gid: 1000, + Namespace: "test-namespace", + Pcomm: "/memfd:test", + Pid: 1234, + Pod: "test-pod", + Uid: 1000, } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -78,8 +64,7 @@ func TestR1005FilelessExecution(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.ExecveEventType, - Event: e, + Event: e, } // Test with memfd execution - should trigger alert diff --git a/pkg/rules/r1006-unshare-syscall/rule_test.go b/pkg/rules/r1006-unshare-syscall/rule_test.go index ecf7521..e820efb 100644 --- a/pkg/rules/r1006-unshare-syscall/rule_test.go +++ b/pkg/rules/r1006-unshare-syscall/rule_test.go 
@@ -5,16 +5,14 @@ import ( "time" "github.com/goradd/maps" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1" celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" - "github.com/kubescape/node-agent/pkg/rulemanager/types" "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" ) @@ -25,22 +23,13 @@ func TestR1006UnshareSyscall(t *testing.T) { } // Create a syscall event for unshare - e := &types.SyscallEvent{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - Comm: "test", - SyscallName: "unshare", + e := &utils.StructEvent{ + Comm: "test-process", + Container: "test", + ContainerID: "test", + EventType: utils.UnshareEventType, Pid: 1234, + Syscall: "unshare", } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -70,8 +59,7 @@ func TestR1006UnshareSyscall(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.SyscallEventType, - Event: e, + Event: e, } // Evaluate the rule @@ -88,7 +76,7 @@ func TestR1006UnshareSyscall(t *testing.T) { if err != nil { t.Fatalf("Failed to evaluate message: %v", err) } - if message != "Unshare system call detected: unshare with PID 1234" { + if message != "Unshare system call (unshare) was called by process (test-process)" { t.Fatalf("Message evaluation failed: %s", message) } 
@@ -97,7 +85,7 @@ func TestR1006UnshareSyscall(t *testing.T) { if err != nil { t.Fatalf("Failed to evaluate unique id: %v", err) } - if uniqueId != "unshare" { + if uniqueId != "test-process_unshare" { t.Fatalf("Unique id evaluation failed: %s", uniqueId) } @@ -125,7 +113,7 @@ func TestR1006UnshareSyscall(t *testing.T) { } // Test with different syscall - should not trigger - e.SyscallName = "open" + e.Syscall = "open" ok, err = celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression) if err != nil { diff --git a/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml b/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml index 0162840..ef35b93 100644 --- a/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml +++ b/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml 
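Review bot: The `// Test with different syscall - should not trigger` case at the end of this hunk sets `e.Syscall = "open"`, but the rewritten R1006 expression (`event.pcomm != 'runc' && !ap.was_syscall_used(event.containerId, 'unshare')`) no longer reads the syscall name, so the assignment cannot change the outcome and the case no longer exercises a negative path. A negative case that matches the new rule is `e.Pcomm = "runc"`, or a different `EventType` if the engine is expected to filter on `eventType: "unshare"`. The assertion that follows is outside the hunk, so I could not see what it expects.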
@@ -7,22 +7,25 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Process tries to escape container"
- enabled: true
- id: "R1006"
- description: "Detecting Unshare System Call usage, which can be used to escape container."
- expressions:
- message: "'Unshare system call detected: ' + syscall.syscall_name + ' with PID ' + string(syscall.pid)"
- unique_id: "syscall.syscall_name"
- rule_expression:
- - event_type: "syscall"
- expression: "syscall.syscall_name == 'unshare' && !ap.was_syscall_used(syscall.runtime.container_id, syscall.syscall_name)"
- profile_dependency: 2
- severity: 5
- support_policy: false
- tags:
- - "syscall"
- - "escape"
- - "unshare"
- - "anomaly"
- - "applicationprofile"
+ - name: "Process tries to escape container"
+ enabled: true
+ id: "R1006"
+ description: "Detecting Unshare System Call usage, which can be used to escape container."
+ expressions:
+ message: "'Unshare system call (unshare) was called by process (' + event.comm + ')'"
+ uniqueId: "event.comm + '_' + 'unshare'"
+ ruleExpression:
+ - eventType: "unshare"
+ expression: "event.pcomm != 'runc' && !ap.was_syscall_used(event.containerId, 'unshare')"
+ profileDependency: 2
+ severity: 5
+ supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0004"
+ mitreTechnique: "T1611"
+ tags:
+ - "unshare"
+ - "escape"
+ - "unshare"
+ - "anomaly"
+ - "applicationprofile"
diff --git a/pkg/rules/r1007-xmr-crypto-mining/rule_test.go b/pkg/rules/r1007-xmr-crypto-mining/rule_test.go
index 1ec4a70..aa9d62b 100644
--- a/pkg/rules/r1007-xmr-crypto-mining/rule_test.go
+++ b/pkg/rules/r1007-xmr-crypto-mining/rule_test.go
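Review bot: `event.pcomm != 'runc'` turns a process name into an allow-list, and comm is chosen by the process itself (the executable's basename, or prctl(PR_SET_NAME)), so a payload that execs from a parent named `runc` bypasses the rule entirely; the previous expression had no such exclusion. If the intent is only to suppress the runtime's own namespace setup, say so above the expression, e.g. `# runc calls unshare while building the container's namespaces; comm is spoofable, so this is a noise filter, not a boundary`, and rely on `ap.was_syscall_used` as the real gate. Separately, the new tags list repeats `"unshare"` twice and silently drops the previous `"syscall"` tag; the second entry should probably be `- "syscall"`.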
@@ -5,16 +5,14 @@ import ( "time" "github.com/goradd/maps" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" - tracerrandomxtype "github.com/kubescape/node-agent/pkg/ebpf/gadgets/randomx/types" "github.com/kubescape/node-agent/pkg/objectcache" objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1" celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" ) func TestR1007XMRCryptoMining(t *testing.T) { @@ -24,29 +22,19 @@ func TestR1007XMRCryptoMining(t *testing.T) { } // Create a RandomX event for crypto mining detection - e := &tracerrandomxtype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - PodName: "test-pod", - Namespace: "test-namespace", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test-container", - ContainerName: "test", - }, - }, - }, - Comm: "xmrig", - ExePath: "/usr/bin/xmrig", - Pid: 1234, - Uid: 1000, - Gid: 1000, - PPid: 1, - UpperLayer: true, + e := &utils.StructEvent{ + Comm: "xmrig", + Container: "test", + ContainerID: "test-container", + EventType: utils.RandomXEventType, + ExePath: "/usr/bin/xmrig", + Gid: 1000, + Namespace: "test-namespace", + Pid: 1234, + Pod: "test-pod", + Ppid: 1, + Uid: 1000, + UpperLayer: true, } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -76,8 +64,7 @@ func TestR1007XMRCryptoMining(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.RandomXEventType, - Event: e, + Event: e, } // Test with RandomX event - should trigger alert 
diff --git a/pkg/rules/r1007-xmr-crypto-mining/xmr-crypto-mining.yaml b/pkg/rules/r1007-xmr-crypto-mining/xmr-crypto-mining.yaml
index deb7fa4..0e5af29 100644
--- a/pkg/rules/r1007-xmr-crypto-mining/xmr-crypto-mining.yaml
+++ b/pkg/rules/r1007-xmr-crypto-mining/xmr-crypto-mining.yaml
@@ -7,20 +7,23 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Crypto miner launched"
- enabled: true
- id: "R1007"
- description: "Detecting XMR Crypto Miners by randomx algorithm usage."
- expressions:
- message: "'XMR Crypto Miner process: (' + randomx.exe_path + ') executed'"
- unique_id: "randomx.exe_path + '_' + randomx.comm"
- rule_expression:
- - event_type: "randomx"
- expression: "true"
- profile_dependency: 2
- severity: 10
- support_policy: false
- tags:
- - "crypto"
- - "miners"
- - "malicious"
+ - name: "Crypto miner launched"
+ enabled: true
+ id: "R1007"
+ description: "Detecting XMR Crypto Miners by randomx algorithm usage."
+ expressions:
+ message: "'XMR Crypto Miner process: (' + event.exepath + ') executed'"
+ uniqueId: "event.exepath + '_' + event.comm"
+ ruleExpression:
+ - eventType: "randomx"
+ expression: "true"
+ profileDependency: 2
+ severity: 10
+ supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0040"
+ mitreTechnique: "T1496"
+ tags:
+ - "crypto"
+ - "miners"
+ - "malicious"
diff --git a/pkg/rules/r1008-crypto-mining-domain-communication/crypto-mining-domain-communication.yaml b/pkg/rules/r1008-crypto-mining-domain-communication/crypto-mining-domain-communication.yaml
index a0fb8a6..bb59f36 100644
--- a/pkg/rules/r1008-crypto-mining-domain-communication/crypto-mining-domain-communication.yaml
+++ b/pkg/rules/r1008-crypto-mining-domain-communication/crypto-mining-domain-communication.yaml
@@ -7,22 +7,25 @@ metadata: app: kubescape spec: rules: - - name: "Crypto Mining Domain Communication" - enabled: true - id: "R1008" - description: "Detecting Crypto miners communication by domain" - expressions: - message: "'Communication with a known crypto mining domain: ' + dns.dns_name" - unique_id: "dns.dns_name + '_' + dns.comm" - rule_expression: - - event_type: "dns" - expression: "dns.dns_name in ['2cryptocalc.com.', '2miners.com.', 'antpool.com.', 'asia1.ethpool.org.', 'bohemianpool.com.', 'botbox.dev.', 'btm.antpool.com.', 'c3pool.com.', 'c4pool.org.', 'ca.minexmr.com.', 'cn.stratum.slushpool.com.', 'dash.antpool.com.', 'data.miningpoolstats.stream.', 'de.minexmr.com.', 'eth-ar.dwarfpool.com.', 'eth-asia.dwarfpool.com.', 'eth-asia1.nanopool.org.', 'eth-au.dwarfpool.com.', 'eth-au1.nanopool.org.', 'eth-br.dwarfpool.com.', 'eth-cn.dwarfpool.com.', 'eth-cn2.dwarfpool.com.', 'eth-eu.dwarfpool.com.', 'eth-eu1.nanopool.org.', 'eth-eu2.nanopool.org.', 'eth-hk.dwarfpool.com.', 'eth-jp1.nanopool.org.', 'eth-ru.dwarfpool.com.', 'eth-ru2.dwarfpool.com.', 'eth-sg.dwarfpool.com.', 'eth-us-east1.nanopool.org.', 'eth-us-west1.nanopool.org.', 'eth-us.dwarfpool.com.', 'eth-us2.dwarfpool.com.', 'eth.antpool.com.', 'eu.stratum.slushpool.com.', 'eu1.ethermine.org.', 'eu1.ethpool.org.', 'fastpool.xyz.', 'fr.minexmr.com.', 'kriptokyng.com.', 'mine.moneropool.com.', 'mine.xmrpool.net.', 'miningmadness.com.', 'monero.cedric-crispin.com.', 'monero.crypto-pool.fr.', 'monero.fairhash.org.', 'monero.hashvault.pro.', 'monero.herominers.com.', 'monerod.org.', 'monerohash.com.', 'moneroocean.stream.', 'monerop.com.', 'multi-pools.com.', 'p2pool.io.', 'pool.kryptex.com.', 'pool.minexmr.com.', 'pool.monero.hashvault.pro.', 'pool.rplant.xyz.', 'pool.supportxmr.com.', 'pool.xmr.pt.', 'prohashing.com.', 'rx.unmineable.com.', 'sg.minexmr.com.', 'sg.stratum.slushpool.com.', 'skypool.org.', 'solo-xmr.2miners.com.', 'ss.antpool.com.', 'stratum-btm.antpool.com.', 'stratum-dash.antpool.com.', 
'stratum-eth.antpool.com.', 'stratum-ltc.antpool.com.', 'stratum-xmc.antpool.com.', 'stratum-zec.antpool.com.', 'stratum.antpool.com.', 'supportxmr.com.', 'trustpool.cc.', 'us-east.stratum.slushpool.com.', 'us1.ethermine.org.', 'us1.ethpool.org.', 'us2.ethermine.org.', 'us2.ethpool.org.', 'web.xmrpool.eu.', 'www.domajorpool.com.', 'www.dxpool.com.', 'www.mining-dutch.nl.', 'xmc.antpool.com.', 'xmr-asia1.nanopool.org.', 'xmr-au1.nanopool.org.', 'xmr-eu1.nanopool.org.', 'xmr-eu2.nanopool.org.', 'xmr-jp1.nanopool.org.', 'xmr-us-east1.nanopool.org.', 'xmr-us-west1.nanopool.org.', 'xmr.2miners.com.', 'xmr.crypto-pool.fr.', 'xmr.gntl.uk.', 'xmr.nanopool.org.', 'xmr.pool-pay.com.', 'xmr.pool.minergate.com.', 'xmr.solopool.org.', 'xmr.volt-mine.com.', 'xmr.zeropool.io.', 'zec.antpool.com.', 'zergpool.com.', 'auto.c3pool.org.', 'us.monero.herominers.com.']" - profile_dependency: 2 - severity: 10 - support_policy: false - tags: - - "network" - - "crypto" - - "miners" - - "malicious" - - "dns" + - name: "Crypto Mining Domain Communication" + enabled: true + id: "R1008" + description: "Detecting Crypto miners communication by domain" + expressions: + message: "'Communication with a known crypto mining domain: ' + event.name" + uniqueId: "event.name + '_' + event.comm" + ruleExpression: + - eventType: "dns" + expression: "event.name in ['2cryptocalc.com.', '2miners.com.', 'antpool.com.', 'asia1.ethpool.org.', 'bohemianpool.com.', 'botbox.dev.', 'btm.antpool.com.', 'c3pool.com.', 'c4pool.org.', 'ca.minexmr.com.', 'cn.stratum.slushpool.com.', 'dash.antpool.com.', 'data.miningpoolstats.stream.', 'de.minexmr.com.', 'eth-ar.dwarfpool.com.', 'eth-asia.dwarfpool.com.', 'eth-asia1.nanopool.org.', 'eth-au.dwarfpool.com.', 'eth-au1.nanopool.org.', 'eth-br.dwarfpool.com.', 'eth-cn.dwarfpool.com.', 'eth-cn2.dwarfpool.com.', 'eth-eu.dwarfpool.com.', 'eth-eu1.nanopool.org.', 'eth-eu2.nanopool.org.', 'eth-hk.dwarfpool.com.', 'eth-jp1.nanopool.org.', 'eth-ru.dwarfpool.com.', 
'eth-ru2.dwarfpool.com.', 'eth-sg.dwarfpool.com.', 'eth-us-east1.nanopool.org.', 'eth-us-west1.nanopool.org.', 'eth-us.dwarfpool.com.', 'eth-us2.dwarfpool.com.', 'eth.antpool.com.', 'eu.stratum.slushpool.com.', 'eu1.ethermine.org.', 'eu1.ethpool.org.', 'fastpool.xyz.', 'fr.minexmr.com.', 'kriptokyng.com.', 'mine.moneropool.com.', 'mine.xmrpool.net.', 'miningmadness.com.', 'monero.cedric-crispin.com.', 'monero.crypto-pool.fr.', 'monero.fairhash.org.', 'monero.hashvault.pro.', 'monero.herominers.com.', 'monerod.org.', 'monerohash.com.', 'moneroocean.stream.', 'monerop.com.', 'multi-pools.com.', 'p2pool.io.', 'pool.kryptex.com.', 'pool.minexmr.com.', 'pool.monero.hashvault.pro.', 'pool.rplant.xyz.', 'pool.supportxmr.com.', 'pool.xmr.pt.', 'prohashing.com.', 'rx.unmineable.com.', 'sg.minexmr.com.', 'sg.stratum.slushpool.com.', 'skypool.org.', 'solo-xmr.2miners.com.', 'ss.antpool.com.', 'stratum-btm.antpool.com.', 'stratum-dash.antpool.com.', 'stratum-eth.antpool.com.', 'stratum-ltc.antpool.com.', 'stratum-xmc.antpool.com.', 'stratum-zec.antpool.com.', 'stratum.antpool.com.', 'supportxmr.com.', 'trustpool.cc.', 'us-east.stratum.slushpool.com.', 'us1.ethermine.org.', 'us1.ethpool.org.', 'us2.ethermine.org.', 'us2.ethpool.org.', 'web.xmrpool.eu.', 'www.domajorpool.com.', 'www.dxpool.com.', 'www.mining-dutch.nl.', 'xmc.antpool.com.', 'xmr-asia1.nanopool.org.', 'xmr-au1.nanopool.org.', 'xmr-eu1.nanopool.org.', 'xmr-eu2.nanopool.org.', 'xmr-jp1.nanopool.org.', 'xmr-us-east1.nanopool.org.', 'xmr-us-west1.nanopool.org.', 'xmr.2miners.com.', 'xmr.crypto-pool.fr.', 'xmr.gntl.uk.', 'xmr.nanopool.org.', 'xmr.pool-pay.com.', 'xmr.pool.minergate.com.', 'xmr.solopool.org.', 'xmr.volt-mine.com.', 'xmr.zeropool.io.', 'zec.antpool.com.', 'zergpool.com.', 'auto.c3pool.org.', 'us.monero.herominers.com.']" + profileDependency: 2 + severity: 10 + supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0011" + mitreTechnique: "T1071.004" + tags: + - "network" + - "crypto" + - "miners" 
+ - "malicious" + - "dns" diff --git a/pkg/rules/r1008-crypto-mining-domain-communication/rule_test.go b/pkg/rules/r1008-crypto-mining-domain-communication/rule_test.go index 7ec6c62..94e844d 100644 --- a/pkg/rules/r1008-crypto-mining-domain-communication/rule_test.go +++ b/pkg/rules/r1008-crypto-mining-domain-communication/rule_test.go @@ -5,8 +5,6 @@ import ( "time" "github.com/goradd/maps" - tracerdnstype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/dns/types" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" @@ -14,7 +12,7 @@ import ( celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" ) func TestR1008CryptoMiningDomainCommunication(t *testing.T) { 
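Review bot: `event.name in [...]` is an exact, case-sensitive compare, while DNS names are case-insensitive and resolvers (and attackers) freely mix case, so a query for `XMR.GNTL.UK.` slips past every entry; unless the DNS tracer already lower-cases names, normalise first: `expression: "event.name.lowerAscii() in [...]"`. The list also matches only the listed FQDNs, so any other host under a pool's apex (a new region under `nanopool.org.`, say) is missed; a suffix match on the apex domains would be more robust for the families that are fully enumerated here. A 100+-entry inline list is hard to review for drift, so a YAML comment above it recording the list's source and date would help the next maintainer.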
@@ -24,31 +22,21 @@ func TestR1008CryptoMiningDomainCommunication(t *testing.T) { } // Create a DNS event for crypto mining domain communication - e := &tracerdnstype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - PodName: "test-pod", - Namespace: "test-namespace", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test-container", - ContainerName: "test", - }, - }, - }, - DNSName: "xmr.gntl.uk.", - Comm: "xmrig", - Exepath: "/usr/bin/xmrig", - Pid: 1234, - Uid: 1000, - Gid: 1000, - Ppid: 1, - Pcomm: "bash", - Cwd: "/tmp", + e := &utils.StructEvent{ + Comm: "xmrig", + Container: "test", + ContainerID: "test-container", + Cwd: "/tmp", + DNSName: "xmr.gntl.uk.", + EventType: utils.DnsEventType, + ExePath: "/usr/bin/xmrig", + Gid: 1000, + Namespace: "test-namespace", + Pcomm: "bash", + Pid: 1234, + Pod: "test-pod", + Ppid: 1, + Uid: 1000, } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -78,8 +66,7 @@ func TestR1008CryptoMiningDomainCommunication(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.DnsEventType, - Event: e, + Event: e, } // Test with crypto mining domain - should trigger alert diff --git a/pkg/rules/r1009-crypto-mining-related-port/crypto-mining-related-port.yaml b/pkg/rules/r1009-crypto-mining-related-port/crypto-mining-related-port.yaml index b3c4540..5a14e2c 100644 --- a/pkg/rules/r1009-crypto-mining-related-port/crypto-mining-related-port.yaml +++ b/pkg/rules/r1009-crypto-mining-related-port/crypto-mining-related-port.yaml 
@@ -7,22 +7,25 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Crypto Mining Related Port Communication"
- enabled: true
- id: "R1009"
- description: "Detecting Crypto Miners by suspicious port usage."
- expressions:
- message: "'Detected crypto mining related port communication on port ' + string(dyn(network.port)) + ' to ' + network.dst_endpoint.addr + ' with protocol ' + network.proto"
- unique_id: "network.comm + '_' + string(dyn(network.port))"
- rule_expression:
- - event_type: "network"
- expression: "network.proto == 'TCP' && network.pkt_type == 'OUTGOING' && dyn(network.port) in [3333, 45700] && !nn.was_address_in_egress(network.runtime.container_id, network.dst_endpoint.addr)"
- profile_dependency: 1
- severity: 3
- support_policy: false
- tags:
- - "network"
- - "crypto"
- - "miners"
- - "malicious"
- - "networkprofile"
+ - name: "Crypto Mining Related Port Communication"
+ enabled: true
+ id: "R1009"
+ description: "Detecting Crypto Miners by suspicious port usage."
+ expressions:
+ message: "'Detected crypto mining related port communication on port ' + string(event.dstPort) + ' to ' + event.dstAddr + ' with protocol ' + event.proto"
+ uniqueId: "event.comm + '_' + string(event.dstPort)"
+ ruleExpression:
+ - eventType: "network"
+ expression: "event.proto == 'TCP' && event.pktType == 'OUTGOING' && event.dstPort in [3333, 45700] && !nn.was_address_in_egress(event.containerId, event.dstAddr)"
+ profileDependency: 1
+ severity: 3
+ supportPolicy: false
+ isTriggerAlert: false
+ mitreTactic: "TA0011"
+ mitreTechnique: "T1071"
+ tags:
+ - "network"
+ - "crypto"
+ - "miners"
+ - "malicious"
+ - "networkprofile"
diff --git a/pkg/rules/r1009-crypto-mining-related-port/rule_test.go b/pkg/rules/r1009-crypto-mining-related-port/rule_test.go
index d636718..b3bfd0b 100644
--- a/pkg/rules/r1009-crypto-mining-related-port/rule_test.go
+++ b/pkg/rules/r1009-crypto-mining-related-port/rule_test.go
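Review bot: `isTriggerAlert: false` is the only `false` among the rules in this diff and nothing in the file says why; if it is deliberate (a low-severity, port-only heuristic meant to enrich rather than page), record it in a YAML comment such as `# port-only heuristic: record, do not alert` so it is not "fixed" to true later. Also, if `uniqueId` feeds de-duplication, `event.comm + '_' + string(event.dstPort)` collapses connections from the same comm to different pool addresses into one id; including the destination keeps them distinct: `uniqueId: "event.comm + '_' + event.dstAddr + '_' + string(event.dstPort)"`.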
@@ -5,7 +5,6 @@ import ( "time" "github.com/goradd/maps" - tracernetworktype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/network/types" eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" @@ -14,7 +13,7 @@ import ( celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" ) @@ -25,32 +24,22 @@ func TestR1009CryptoMiningRelatedPort(t *testing.T) { } // Create a network event for crypto mining port communication - e := &tracernetworktype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - PodName: "test-pod", - Namespace: "test-namespace", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test-container", - ContainerName: "test", - }, - }, - }, - Proto: "TCP", - PktType: "OUTGOING", - Port: 3333, - Comm: "xmrig", - Pid: 1234, - Uid: 1000, - Gid: 1000, + e := &utils.StructEvent{ + Comm: "xmrig", + Container: "test", + ContainerID: "test-container", DstEndpoint: eventtypes.L3Endpoint{ Addr: "1.1.1.1", }, + DstPort: 3333, + EventType: utils.NetworkEventType, + Gid: 1000, + Namespace: "test-namespace", + Pid: 1234, + PktType: "OUTGOING", + Pod: "test-pod", + Proto: "TCP", + Uid: 1000, } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -80,8 +69,7 @@ func TestR1009CryptoMiningRelatedPort(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.NetworkEventType, - Event: e, + Event: e, } // Test with crypto mining port - should trigger alert 
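Review bot: The destination address is still supplied through the nested `DstEndpoint: eventtypes.L3Endpoint{Addr: ...}` while every other field of the new `utils.StructEvent` literal is flat, and crypto-mining-related-port.yaml reads `event.dstAddr`; the `nn.was_address_in_egress` check in the rule therefore only works if the engine maps `DstEndpoint.Addr` to `dstAddr`, which this hunk cannot show. Confirm that mapping, and if StructEvent has a flat address field prefer it here so the fixture mirrors what the rule reads; otherwise a one-line comment on the literal, e.g. `// exposed to CEL as event.dstAddr`, would save the next reader the lookup. TestR1009CryptoMiningRelatedPort continues outside the hunk.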
@@ -113,7 +101,7 @@ func TestR1009CryptoMiningRelatedPort(t *testing.T) { } // Test with different crypto mining port - e.Port = 45700 + e.DstPort = 45700 e.Comm = "xmr-stak" e.DstEndpoint.Addr = "2.2.2.2" @@ -126,7 +114,7 @@ func TestR1009CryptoMiningRelatedPort(t *testing.T) { } // Test with non-crypto mining port - should not trigger - e.Port = 80 + e.DstPort = 80 e.Comm = "curl" e.DstEndpoint.Addr = "3.3.3.3" @@ -139,7 +127,7 @@ func TestR1009CryptoMiningRelatedPort(t *testing.T) { } // Test with UDP protocol - should not trigger - e.Port = 3333 + e.DstPort = 3333 e.Proto = "UDP" e.Comm = "xmrig" @@ -165,7 +153,7 @@ func TestR1009CryptoMiningRelatedPort(t *testing.T) { // Test with whitelisted address in network neighborhood e.PktType = "OUTGOING" - e.Port = 3333 + e.DstPort = 3333 e.DstEndpoint.Addr = "4.4.4.4" // Sleep for 1 millisecond to make sure the cache is expired diff --git a/pkg/rules/r1010-symlink-created-over-sensitive-file/rule_test.go b/pkg/rules/r1010-symlink-created-over-sensitive-file/rule_test.go index 139801e..54d32c6 100644 --- a/pkg/rules/r1010-symlink-created-over-sensitive-file/rule_test.go +++ b/pkg/rules/r1010-symlink-created-over-sensitive-file/rule_test.go @@ -5,16 +5,14 @@ import ( "time" "github.com/goradd/maps" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" - tracersymlinktype "github.com/kubescape/node-agent/pkg/ebpf/gadgets/symlink/types" "github.com/kubescape/node-agent/pkg/objectcache" objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1" celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" ) 
@@ -25,22 +23,13 @@ func TestR1010SymlinkCreatedOverSensitiveFile(t *testing.T) { } // Create a symlink event - e := &tracersymlinktype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - Comm: "test", - OldPath: "/etc/shadow", - NewPath: "/etc/abc", + e := &utils.StructEvent{ + Comm: "test", + Container: "test", + ContainerID: "test", + EventType: utils.SymlinkEventType, + NewPath: "/etc/abc", + OldPath: "/etc/shadow", } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -71,8 +60,7 @@ func TestR1010SymlinkCreatedOverSensitiveFile(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.SymlinkEventType, - Event: e, + Event: e, } // Evaluate the rule diff --git a/pkg/rules/r1010-symlink-created-over-sensitive-file/symlink-created-over-sensitive-file.yaml b/pkg/rules/r1010-symlink-created-over-sensitive-file/symlink-created-over-sensitive-file.yaml index 36896f0..910c8e9 100644 --- a/pkg/rules/r1010-symlink-created-over-sensitive-file/symlink-created-over-sensitive-file.yaml +++ b/pkg/rules/r1010-symlink-created-over-sensitive-file/symlink-created-over-sensitive-file.yaml 
@@ -7,20 +7,23 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Soft link created over sensitive file"
- enabled: true
- id: "R1010"
- description: "Detects symlink creation over sensitive files"
- expressions:
- message: "'Symlink created over sensitive file: ' + symlink.old_path + ' -> ' + symlink.new_path"
- unique_id: "symlink.comm + '_' + symlink.old_path"
- rule_expression:
- - event_type: "symlink"
- expression: "(symlink.old_path.startsWith('/etc/shadow') || symlink.old_path.startsWith('/etc/sudoers')) && !ap.was_path_opened(symlink.runtime.container_id, symlink.old_path)"
- profile_dependency: 1
- severity: 5
- support_policy: true
- tags:
- - "anomaly"
- - "symlink"
- - "applicationprofile"
+ - name: "Soft link created over sensitive file"
+ enabled: true
+ id: "R1010"
+ description: "Detects symlink creation over sensitive files"
+ expressions:
+ message: "'Symlink created over sensitive file: ' + event.oldPath + ' -> ' + event.newPath"
+ uniqueId: "event.comm + '_' + event.oldPath"
+ ruleExpression:
+ - eventType: "symlink"
+ expression: "(event.oldPath.startsWith('/etc/shadow') || event.oldPath.startsWith('/etc/sudoers')) && !ap.was_path_opened(event.containerId, event.oldPath)"
+ profileDependency: 1
+ severity: 5
+ supportPolicy: true
+ isTriggerAlert: true
+ mitreTactic: "TA0006"
+ mitreTechnique: "T1005"
+ tags:
+ - "anomaly"
+ - "symlink"
+ - "applicationprofile"
diff --git a/pkg/rules/r1011-ld-preload-hook/ld-preload-hook.yaml b/pkg/rules/r1011-ld-preload-hook/ld-preload-hook.yaml
index fc0b790..8d8cd58 100644
--- a/pkg/rules/r1011-ld-preload-hook/ld-preload-hook.yaml
+++ b/pkg/rules/r1011-ld-preload-hook/ld-preload-hook.yaml
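Review bot: The new ATT&CK pairing is internally inconsistent: `mitreTactic: "TA0006"` is Credential Access, but `mitreTechnique: "T1005"` (Data from Local System) sits under Collection (TA0009). For a symlink planted over `/etc/shadow` the matching pair is TA0006 with `mitreTechnique: "T1003.008"` (OS Credential Dumping: /etc/passwd and /etc/shadow); if T1005 is what you want, change the tactic to TA0009 so tooling that joins on the pair does not mis-file the alert. `/etc/sudoers` is a privilege-escalation target rather than a credential store, so any single tactic only approximates this rule; a short YAML comment saying which target drove the choice would help.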
@@ -7,22 +7,25 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "ld_preload hooks technique detected"
- enabled: false
- id: "R1011"
- description: "Detecting ld_preload hook techniques."
- expressions:
- message: "event_type == 'exec' ? 'Process (' + exec.comm + ') is using a dynamic linker hook: ' + process.get_ld_hook_var(exec.pid) : 'The dynamic linker configuration file (' + open.full_path + ') was modified by process (' + open.comm + ')'"
- unique_id: "event_type == 'exec' ? 'exec_' + exec.comm : 'open_' + open.full_path"
- rule_expression:
- - event_type: "exec"
- expression: "exec.comm != 'java' && exec.k8s.container_name != 'matlab' && process.get_ld_hook_var(exec.pid) != ''"
- - event_type: "open"
- expression: "open.full_path == '/etc/ld.so.preload' && has(open.flags_raw) && open.flags_raw != 0"
- profile_dependency: 1
- severity: 5
- support_policy: true
- tags:
- - "exec"
- - "malicious"
- - "applicationprofile"
+ - name: "ld_preload hooks technique detected"
+ enabled: false
+ id: "R1011"
+ description: "Detecting ld_preload hook techniques."
+ expressions:
+ message: "eventType == 'exec' ? 'Process (' + event.comm + ') is using a dynamic linker hook: ' + process.get_ld_hook_var(event.pid) : 'The dynamic linker configuration file (' + event.path + ') was modified by process (' + event.comm + ')'"
+ uniqueId: "eventType == 'exec' ? 'exec_' + event.comm : 'open_' + event.path"
+ ruleExpression:
+ - eventType: "exec"
+ expression: "event.comm != 'java' && event.containerName != 'matlab' && process.get_ld_hook_var(event.pid) != ''"
+ - eventType: "open"
+ expression: "event.path == '/etc/ld.so.preload' && has(event.flagsRaw) && event.flagsRaw != 0"
+ profileDependency: 1
+ severity: 5
+ supportPolicy: true
+ isTriggerAlert: true
+ mitreTactic: "TA0005"
+ mitreTechnique: "T1574.006"
+ tags:
+ - "exec"
+ - "malicious"
+ - "applicationprofile"
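Review bot: The open branch, `has(event.flagsRaw) && event.flagsRaw != 0`, treats any flag bit as a write: O_RDONLY is 0, but O_CLOEXEC (0x80000) is not, so read-only opens from Go (`os.Open`) and Python 3 (`open()`), and the dynamic loader's own read of `/etc/ld.so.preload` at exec time if the tracer reports it, all trip this rule. Test the access mode rather than the whole word; CEL has no bitwise operators, so `event.flagsRaw % 4 != 0` (O_ACCMODE is 3) selects O_WRONLY/O_RDWR and leaves read-only opens alone, or use a decoded flags field if the engine exposes one. The exec branch's `event.comm != 'java' && event.containerName != 'matlab'` is an allow-list on attacker-chosen names (comm is the binary's basename), which deserves a comment marking it as noise suppression rather than a boundary, and the field should be checked against what the engine actually exposes since the test in this commit sets `Container`, not `ContainerName`.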
diff --git a/pkg/rules/r1011-ld-preload-hook/rule_test.go b/pkg/rules/r1011-ld-preload-hook/rule_test.go index 1f802ec..f5457b7 100644 --- a/pkg/rules/r1011-ld-preload-hook/rule_test.go +++ b/pkg/rules/r1011-ld-preload-hook/rule_test.go @@ -5,18 +5,15 @@ import ( "time" "github.com/goradd/maps" - tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" - traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" - events "github.com/kubescape/node-agent/pkg/ebpf/events" + "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1" "github.com/kubescape/node-agent/pkg/rulemanager" celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" ) 
@@ -52,32 +49,20 @@ func TestR1011LdPreloadHook(t *testing.T) { } // Test open event with ld.so.preload file opened with write flag - SHOULD TRIGGER - openEvent := &events.OpenEvent{ - Event: traceropentype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - Namespace: "default", - PodName: "test-pod", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - Comm: "test", - FullPath: "/etc/ld.so.preload", - FlagsRaw: 1, // Write flag - }, + openEvent := &utils.StructEvent{ + Comm: "test", + Container: "test", + ContainerID: "test", + EventType: utils.OpenEventType, + FlagsRaw: 1, // Write flag + Namespace: "default", + Path: "/etc/ld.so.preload", + Pod: "test-pod", } // Serialize open event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.OpenEventType, - Event: openEvent, + Event: openEvent, } // Evaluate the rule for open event - should trigger for write access to ld.so.preload @@ -101,7 +86,7 @@ func TestR1011LdPreloadHook(t *testing.T) { } // Test with different file - SHOULD NOT TRIGGER - openEvent.FullPath = "/etc/passwd" + openEvent.Path = "/etc/passwd" openEvent.FlagsRaw = 1 ok, err = celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression) 
@@ -113,30 +98,18 @@ func TestR1011LdPreloadHook(t *testing.T) { } // Test exec events - just verify expression compiles and returns false (can't mock PID) - execEvent := &events.ExecEvent{ - Event: tracerexectype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - Namespace: "default", - PodName: "test-pod", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - Comm: "java", - Pid: 1234, - }, + execEvent := &utils.StructEvent{ + Comm: "java", + Container: "test", + ContainerID: "test", + EventType: utils.ExecveEventType, + Namespace: "default", + Pid: 1234, + Pod: "test-pod", } enrichedEvent2 := &events.EnrichedEvent{ - EventType: utils.ExecveEventType, - Event: execEvent, + Event: execEvent, } // For exec events, just verify the expression compiles and returns false @@ -152,7 +125,7 @@ func TestR1011LdPreloadHook(t *testing.T) { // Test exec event with matlab container - should not trigger due to container check execEvent.Comm = "test-process" - execEvent.Event.CommonData.K8s.BasicK8sMetadata.ContainerName = "matlab" + execEvent.Container = "matlab" ok, err = celEngine.EvaluateRule(enrichedEvent2, ruleSpec.Rules[0].Expressions.RuleExpression) if err != nil { @@ -180,7 +153,7 @@ func TestR1011LdPreloadHook(t *testing.T) { // Test policy validation with whitelisted process openEvent.Comm = "test" - openEvent.FullPath = "/etc/ld.so.preload" + openEvent.Path = "/etc/ld.so.preload" openEvent.FlagsRaw = 1 v := rulemanager.NewRulePolicyValidator(objCache) diff --git a/pkg/rules/r1012-hardlink-created-over-sensitive-file/hardlink-created-over-sensitive-file.yaml b/pkg/rules/r1012-hardlink-created-over-sensitive-file/hardlink-created-over-sensitive-file.yaml index e831bea..e83b0ad 100644 --- a/pkg/rules/r1012-hardlink-created-over-sensitive-file/hardlink-created-over-sensitive-file.yaml 
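Review bot: The "matlab container" case cannot fail: with `Comm` set to `test-process` the exec branch still ends in `process.get_ld_hook_var(1234) != ''`, which the comment above this hunk says cannot be mocked and returns false, so the assertion passes whether or not the `event.containerName` exclusion works, and whether or not `Container` is even the field the engine exposes as `containerName`. Either say so in a comment, e.g. `// cannot separate the container exclusion from the unmockable PID lookup; compile-check only`, or make the exclusion observable by stubbing the process library so the lookup returns a non-empty value. TestR1011LdPreloadHook continues outside the hunk.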
+++ b/pkg/rules/r1012-hardlink-created-over-sensitive-file/hardlink-created-over-sensitive-file.yaml
@@ -7,20 +7,23 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Hard link created over sensitive file"
- enabled: true
- id: "R1012"
- description: "Detecting hardlink creation over sensitive files."
- expressions:
- message: "'Hardlink created over sensitive file: ' + hardlink.old_path + ' - ' + hardlink.new_path"
- unique_id: "hardlink.comm + '_' + hardlink.old_path"
- rule_expression:
- - event_type: "hardlink"
- expression: "(hardlink.old_path.startsWith('/etc/shadow') || hardlink.old_path.startsWith('/etc/sudoers')) && !ap.was_path_opened(hardlink.runtime.container_id, hardlink.old_path)"
- profile_dependency: 1
- severity: 5
- support_policy: true
- tags:
- - "files"
- - "malicious"
- - "applicationprofile"
+ - name: "Hard link created over sensitive file"
+ enabled: true
+ id: "R1012"
+ description: "Detecting hardlink creation over sensitive files."
+ expressions:
+ message: "'Hardlink created over sensitive file: ' + event.oldPath + ' - ' + event.newPath"
+ uniqueId: "event.comm + '_' + event.oldPath"
+ ruleExpression:
+ - eventType: "hardlink"
+ expression: "(event.oldPath.startsWith('/etc/shadow') || event.oldPath.startsWith('/etc/sudoers')) && !ap.was_path_opened(event.containerId, event.oldPath)"
+ profileDependency: 1
+ severity: 5
+ supportPolicy: true
+ isTriggerAlert: true
+ mitreTactic: "TA0006"
+ mitreTechnique: "T1005"
+ tags:
+ - "files"
+ - "malicious"
+ - "applicationprofile"
diff --git a/pkg/rules/r1012-hardlink-created-over-sensitive-file/rule_test.go b/pkg/rules/r1012-hardlink-created-over-sensitive-file/rule_test.go
index 9ae7388..7d28371 100644
--- a/pkg/rules/r1012-hardlink-created-over-sensitive-file/rule_test.go
+++ b/pkg/rules/r1012-hardlink-created-over-sensitive-file/rule_test.go
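Review bot: `mitreTactic: "TA0006"` (Credential Access) and `mitreTechnique: "T1005"` (Data from Local System, a Collection technique under TA0009) do not belong to each other, so consumers that validate or join on the tactic/technique pair will reject or mis-file this alert. A hard link over `/etc/shadow` is better described as TA0006 with `mitreTechnique: "T1003.008"` (OS Credential Dumping: /etc/passwd and /etc/shadow); if T1005 is intended, set the tactic to TA0009 instead. Whatever is chosen should match the symlink rule R1010, which encodes the same target files.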
@@ -5,17 +5,15 @@ import (
 "time"
 "github.com/goradd/maps"
- eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types"
 "github.com/kubescape/node-agent/pkg/config"
 "github.com/kubescape/node-agent/pkg/ebpf/events"
- tracerhardlinktype "github.com/kubescape/node-agent/pkg/ebpf/gadgets/hardlink/types"
 "github.com/kubescape/node-agent/pkg/objectcache"
 objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1"
 "github.com/kubescape/node-agent/pkg/rulemanager"
 celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel"
 "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache"
 "github.com/kubescape/node-agent/pkg/utils"
- common "github.com/kubescape/rulelibrary/pkg/common"
+ "github.com/kubescape/rulelibrary/pkg/common"
 "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1"
 )
@@ -26,22 +24,13 @@ func TestR1012HardlinkCreatedOverSensitiveFile(t *testing.T) {
 }
 // Create a hardlink event
- e := &tracerhardlinktype.Event{
- Event: eventtypes.Event{
- CommonData: eventtypes.CommonData{
- K8s: eventtypes.K8sMetadata{
- BasicK8sMetadata: eventtypes.BasicK8sMetadata{
- ContainerName: "test",
- },
- },
- Runtime: eventtypes.BasicRuntimeMetadata{
- ContainerID: "test",
- },
- },
- },
- Comm: "test",
- OldPath: "test",
- NewPath: "test",
+ e := &utils.StructEvent{
+ Comm: "test",
+ Container: "test",
+ ContainerID: "test",
+ EventType: utils.HardlinkEventType,
+ NewPath: "test",
+ OldPath: "test",
 }
 objCache := &objectcachev1.RuleObjectCacheMock{
@@ -71,8 +60,7 @@ func TestR1012HardlinkCreatedOverSensitiveFile(t *testing.T) {
 // Serialize event
 enrichedEvent := &events.EnrichedEvent{
- EventType: utils.HardlinkEventType,
- Event: e,
+ Event: e,
 }
 // Evaluate the rule - should not trigger for non-sensitive file
diff --git a/pkg/rules/r1015-malicious-ptrace-usage/malicious-ptrace-usage.yaml b/pkg/rules/r1015-malicious-ptrace-usage/malicious-ptrace-usage.yaml
index f204a4e..bdf200e 100644
--- a/pkg/rules/r1015-malicious-ptrace-usage/malicious-ptrace-usage.yaml
+++ b/pkg/rules/r1015-malicious-ptrace-usage/malicious-ptrace-usage.yaml
@@ -7,19 +7,22 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Malicious Ptrace Usage"
- enabled: true
- id: "R1015"
- description: "Detecting potentially malicious ptrace usage."
- expressions:
- message: "'Malicious ptrace usage detected from: ' + ptrace.comm"
- unique_id: "ptrace.exe_path + '_' + ptrace.comm"
- rule_expression:
- - event_type: "ptrace"
- expression: "true"
- profile_dependency: 2
- severity: 5
- support_policy: false
- tags:
- - "process"
- - "malicious"
+ - name: "Malicious Ptrace Usage"
+ enabled: true
+ id: "R1015"
+ description: "Detecting potentially malicious ptrace usage."
+ expressions:
+ message: "'Malicious ptrace usage detected from: ' + event.comm"
+ uniqueId: "event.exepath + '_' + event.comm"
+ ruleExpression:
+ - eventType: "ptrace"
+ expression: "true"
+ profileDependency: 2
+ severity: 5
+ supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0005"
+ mitreTechnique: "T1622"
+ tags:
+ - "process"
+ - "malicious"
diff --git a/pkg/rules/r1015-malicious-ptrace-usage/rule_test.go b/pkg/rules/r1015-malicious-ptrace-usage/rule_test.go
index cb94062..c3bc345 100644
--- a/pkg/rules/r1015-malicious-ptrace-usage/rule_test.go
+++ b/pkg/rules/r1015-malicious-ptrace-usage/rule_test.go
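Review bot: `expression: "true"` now sits next to `isTriggerAlert: true`, so every ptrace event that reaches this rule becomes an alert, yet the YAML says nothing about where the request-type discrimination happens; the Go test on this page feeds `PTRACE_SETREGS`, `PTRACE_POKETEXT` and `PTRACE_POKEDATA`, which suggests the tracer pre-filters, but a reader of the rule alone cannot tell. A trailing comment would settle it: `expression: "true" # no per-request filtering here; the ptrace tracer is expected to emit only the request types considered suspicious`. Separately, `event.exepath` in `uniqueId` is the one multi-word field on the new side that is not camelCased (compare `containerId`, `oldPath`, `syscallName` elsewhere in this commit) while the Go test populates `ExePath`; confirm that `exepath` is the name the CEL environment actually exposes, since a mismatch would break the uniqueId expression for every ptrace alert.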
@@ -5,16 +5,14 @@ import (
 "time"
 "github.com/goradd/maps"
- eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types"
 "github.com/kubescape/node-agent/pkg/config"
 "github.com/kubescape/node-agent/pkg/ebpf/events"
- tracerptracetype "github.com/kubescape/node-agent/pkg/ebpf/gadgets/ptrace/tracer/types"
 "github.com/kubescape/node-agent/pkg/objectcache"
 objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1"
 celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel"
 "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache"
 "github.com/kubescape/node-agent/pkg/utils"
- common "github.com/kubescape/rulelibrary/pkg/common"
+ "github.com/kubescape/rulelibrary/pkg/common"
 )
 const (
@@ -31,26 +29,17 @@ func TestR1015MaliciousPtraceUsage(t *testing.T) {
 }
 // Create a ptrace event
- e := &tracerptracetype.Event{
- Event: eventtypes.Event{
- CommonData: eventtypes.CommonData{
- K8s: eventtypes.K8sMetadata{
- BasicK8sMetadata: eventtypes.BasicK8sMetadata{
- ContainerName: "test",
- },
- },
- Runtime: eventtypes.BasicRuntimeMetadata{
- ContainerID: "test",
- },
- },
- },
- Comm: "malicious_process",
- Pid: 1234,
- PPid: 5678,
- Uid: 1000,
- Gid: 1000,
- ExePath: "/path/to/malicious_process",
- Request: PTRACE_SETREGS, // Malicious ptrace request
+ e := &utils.StructEvent{
+ Comm: "malicious_process",
+ Container: "test",
+ ContainerID: "test",
+ EventType: utils.PtraceEventType,
+ ExePath: "/path/to/malicious_process",
+ Gid: 1000,
+ Pid: 1234,
+ Ppid: 5678,
+ PtraceRequest: PTRACE_SETREGS, // Malicious ptrace request
+ Uid: 1000,
 }
 objCache := &objectcachev1.RuleObjectCacheMock{
@@ -80,8 +69,7 @@ func TestR1015MaliciousPtraceUsage(t *testing.T) {
 // Serialize event
 enrichedEvent := &events.EnrichedEvent{
- EventType: utils.PtraceEventType,
- Event: e,
+ Event: e,
 }
 // Evaluate the rule - should always return true for ptrace events
@@ -114,7 +102,7 @@ func TestR1015MaliciousPtraceUsage(t *testing.T) {
 }
 // Test with different ptrace request
- e.Request = PTRACE_POKETEXT
+ e.PtraceRequest = PTRACE_POKETEXT
 ok, err = celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression)
 if err != nil {
@@ -126,7 +114,7 @@ func TestR1015MaliciousPtraceUsage(t *testing.T) {
 // Test with different process
 e.Comm = "processA"
- e.Request = PTRACE_POKEDATA
+ e.PtraceRequest = PTRACE_POKEDATA
 ok, err = celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression)
 if err != nil {
diff --git a/pkg/rules/r1030-unexpected-io_uring-operation/rule_test.go b/pkg/rules/r1030-unexpected-io_uring-operation/rule_test.go
index d4920b4..969c4c9 100644
--- a/pkg/rules/r1030-unexpected-io_uring-operation/rule_test.go
+++ b/pkg/rules/r1030-unexpected-io_uring-operation/rule_test.go
@@ -5,10 +5,8 @@ import (
 "time"
 "github.com/goradd/maps"
- eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types"
 "github.com/kubescape/node-agent/pkg/config"
 "github.com/kubescape/node-agent/pkg/ebpf/events"
- traceriouringtype "github.com/kubescape/node-agent/pkg/ebpf/gadgets/iouring/tracer/types"
 "github.com/kubescape/node-agent/pkg/objectcache"
 objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1"
 "github.com/kubescape/node-agent/pkg/rulemanager"
@@ -26,24 +24,15 @@ func TestR1030UnexpectedIouringOperation(t *testing.T) {
 }
 // Create an io_uring event
- e := &traceriouringtype.Event{
- Event: eventtypes.Event{
- CommonData: eventtypes.CommonData{
- K8s: eventtypes.K8sMetadata{
- BasicK8sMetadata: eventtypes.BasicK8sMetadata{
- ContainerName: "test",
- },
- },
- Runtime: eventtypes.BasicRuntimeMetadata{
- ContainerID: "test",
- },
- },
- },
- Identifier: "test-process",
- Opcode: 1, // IORING_OP_NOP
- Flags: 0x0,
- UserData: 123,
- Comm: "test-process",
+ e := &utils.StructEvent{
+ Comm: "test-process",
+ Container: "test",
+ ContainerID: "test",
+ EventType: utils.IoUringEventType,
+ FlagsRaw: 0x0,
+ Identifier: "test-process",
+ Opcode: 1, // IORING_OP_NOP
+ UserData: 123,
 }
 objCache := &objectcachev1.RuleObjectCacheMock{
@@ -73,8 +62,7 @@ func TestR1030UnexpectedIouringOperation(t *testing.T) {
 // Serialize event
 enrichedEvent := &events.EnrichedEvent{
- EventType: utils.IoUringEventType,
- Event: e,
+ Event: e,
 }
 // Evaluate the rule - should always return true for io_uring events
diff --git a/pkg/rules/r1030-unexpected-io_uring-operation/unexpected-io_uring-operation.yaml b/pkg/rules/r1030-unexpected-io_uring-operation/unexpected-io_uring-operation.yaml
index 853ca18..b5e4638 100644
--- a/pkg/rules/r1030-unexpected-io_uring-operation/unexpected-io_uring-operation.yaml
+++ b/pkg/rules/r1030-unexpected-io_uring-operation/unexpected-io_uring-operation.yaml
@@ -7,20 +7,23 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Unexpected io_uring Operation Detected"
- enabled: true
- id: "R1030"
- description: "Detects io_uring operations that were not recorded during the initial observation period, indicating potential unauthorized activity."
- expressions:
- message: "'Unexpected io_uring operation detected: (opcode=' + string(iouring.opcode) + ') flags=0x' + (has(iouring.flags) ? string(iouring.flags) : '0') + ' in ' + iouring.comm + '.'"
- unique_id: "string(iouring.opcode) + '_' + iouring.comm"
- rule_expression:
- - event_type: "iouring"
- expression: "true"
- profile_dependency: 0
- severity: 5
- support_policy: true
- tags:
- - "syscalls"
- - "io_uring"
- - "applicationprofile"
+ - name: "Unexpected io_uring Operation Detected"
+ enabled: true
+ id: "R1030"
+ description: "Detects io_uring operations that were not recorded during the initial observation period, indicating potential unauthorized activity."
+ expressions:
+ message: "'Unexpected io_uring operation detected: (opcode=' + string(event.opcode) + ') flags=0x' + (has(event.flagsRaw) ? string(event.flagsRaw) : '0') + ' in ' + event.comm + '.'"
+ uniqueId: "string(event.opcode) + '_' + event.comm"
+ ruleExpression:
+ - eventType: "iouring"
+ expression: "true"
+ profileDependency: 0
+ severity: 5
+ supportPolicy: true
+ isTriggerAlert: true
+ mitreTactic: "TA0002"
+ mitreTechnique: "T1218"
+ tags:
+ - "syscalls"
+ - "io_uring"
+ - "applicationprofile"
diff --git a/rules-crd.yaml b/rules-crd.yaml
index d07e340..57c2a21 100644
--- a/rules-crd.yaml
+++ b/rules-crd.yaml
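Review bot: The new `message` line prints `flags=0x` followed by `string(event.flagsRaw)`, and CEL's `string()` on an integer renders it in decimal, so a raw flags value of 16 surfaces to the analyst as `0x16`; the old side had the same shape, but the field was renamed here and the alert text is now the thing being triaged, so this is the moment to fix it. Unless the engine exposes a hex formatter, drop the prefix: `message: "'Unexpected io_uring operation detected: (opcode=' + string(event.opcode) + ') flags=' + (has(event.flagsRaw) ? string(event.flagsRaw) : '0') + ' in ' + event.comm + '.'"`. The added `mitreTactic: "TA0002"` / `mitreTechnique: "T1218"` pair is also inconsistent: T1218 (System Binary Proxy Execution) is a Defense Evasion technique under TA0005, not Execution, and the R1030 copy in rules-crd.yaml (in the hunk that runs past the end of this page) carries the same pair.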
@@ -9,501 +9,574 @@ metadata: app: kubescape spec: rules: - - name: "Unexpected process launched" - enabled: true - id: "R0001" - description: "Detects unexpected process launches that are not in the baseline" - expressions: - message: "'Unexpected process launched: ' + exec.comm + ' with PID ' + string(exec.pid)" - unique_id: "exec.comm + '_' + exec.exe_path" - rule_expression: - - event_type: "exec" - expression: "!ap.was_executed(exec.runtime.container_id, parse.get_exec_path(exec.args, exec.comm))" - profile_dependency: 0 - severity: 1 - support_policy: false - tags: - - "anomaly" - - "process" - - "exec" - - "applicationprofile" - - name: "Files Access Anomalies in container" - enabled: false - id: "R0002" - description: "Detects unexpected file access that is not in the baseline" - expressions: - message: "'Unexpected file access detected: ' + open.comm + ' with PID ' + string(open.pid) + ' to ' + open.full_path" - unique_id: "open.comm + '_' + open.full_path" - rule_expression: - - event_type: "open" - expression: > - (open.full_path.startsWith('/etc/') || - open.full_path.startsWith('/var/log/') || - open.full_path.startsWith('/var/run/') || - open.full_path.startsWith('/run/') || - open.full_path.startsWith('/var/spool/cron/') || - open.full_path.startsWith('/var/www/') || - open.full_path.startsWith('/var/lib/') || - open.full_path.startsWith('/opt/') || - open.full_path.startsWith('/usr/local/') || - open.full_path.startsWith('/app/') || - open.full_path == '/.dockerenv' || - open.full_path == '/proc/self/environ') - && - !(open.full_path.startsWith('/run/secrets/kubernetes.io/serviceaccount') || - open.full_path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') || - open.full_path.startsWith('/tmp')) - && - !ap.was_path_opened(open.runtime.container_id, open.full_path) - profile_dependency: 0 - severity: 1 - support_policy: false - tags: - - "anomaly" - - "file" - - "open" - - "applicationprofile" - - name: "Syscalls Anomalies in container" - 
enabled: true - id: "R0003" - description: "Detects unexpected system calls that are not whitelisted by application profile" - expressions: - message: "'Unexpected system call detected: ' + syscall.syscall_name + ' with PID ' + string(syscall.pid)" - unique_id: "syscall.syscall_name" - rule_expression: - - event_type: "syscall" - expression: "!ap.was_syscall_used(syscall.runtime.container_id, syscall.syscall_name)" - profile_dependency: 0 - severity: 1 - support_policy: false - tags: - - "anomaly" - - "syscall" - - "applicationprofile" - - name: "Linux Capabilities Anomalies in container" - enabled: true - id: "R0004" - description: "Detects unexpected capabilities that are not whitelisted by application profile" - expressions: - message: "'Unexpected capability used: ' + capabilities.cap_name + ' in syscall ' + capabilities.syscall + ' with PID ' + string(capabilities.pid)" - unique_id: "capabilities.comm + '_' + capabilities.cap_name" - rule_expression: - - event_type: "capabilities" - expression: "!ap.was_capability_used(capabilities.runtime.container_id, capabilities.cap_name)" - profile_dependency: 0 - severity: 1 - support_policy: false - tags: - - "anomaly" - - "capabilities" - - "applicationprofile" - - name: "DNS Anomalies in container" - enabled: true - id: "R0005" - description: "Detecting unexpected domain requests that are not whitelisted by application profile." - expressions: - message: "'Unexpected domain communication: ' + dns.dns_name" - unique_id: "dns.comm + '_' + dns.dns_name" - rule_expression: - - event_type: "dns" - expression: "!dns.dns_name.endsWith('.svc.cluster.local.') && !nn.is_domain_in_egress(dns.runtime.container_id, dns.dns_name)" - profile_dependency: 0 - severity: 1 - support_policy: false - tags: - - "dns" - - "anomaly" - - "networkprofile" - - name: "Unexpected service account token access" - enabled: true - id: "R0006" - description: "Detecting unexpected access to service account token." 
- expressions: - message: "'Unexpected access to service account token: ' + open.full_path + ' with flags: ' + open.flags.join(',')" - unique_id: "open.comm" - rule_expression: - - event_type: "open" - expression: > - ((open.full_path.startsWith('/run/secrets/kubernetes.io/serviceaccount') && open.full_path.endsWith('/token')) || - (open.full_path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') && open.full_path.endsWith('/token')) || - (open.full_path.startsWith('/run/secrets/eks.amazonaws.com/serviceaccount') && open.full_path.endsWith('/token')) || - (open.full_path.startsWith('/var/run/secrets/eks.amazonaws.com/serviceaccount') && open.full_path.endsWith('/token'))) && - !ap.was_path_opened_with_prefix(open.runtime.container_id, '/run/secrets/kubernetes.io/serviceaccount') && - !ap.was_path_opened_with_prefix(open.runtime.container_id, '/var/run/secrets/kubernetes.io/serviceaccount') && - !ap.was_path_opened_with_prefix(open.runtime.container_id, '/run/secrets/eks.amazonaws.com/serviceaccount') && - !ap.was_path_opened_with_prefix(open.runtime.container_id, '/var/run/secrets/eks.amazonaws.com/serviceaccount') - profile_dependency: 1 - severity: 5 - support_policy: false - tags: - - "anomaly" - - "serviceaccount" - - "applicationprofile" - - name: "Workload uses Kubernetes API unexpectedly" - enabled: true - id: "R0007" - description: "Detecting execution of kubernetes client" - expressions: - message: "event_type == 'exec' ? 'Kubernetes client (' + exec.comm + ') was executed with PID ' + string(exec.pid) : 'Network connection to Kubernetes API server from container ' + network.k8s.container_name" - unique_id: "event_type == 'exec' ? 
'exec_' + exec.comm : 'network_' + network.dst_endpoint.addr" - rule_expression: - - event_type: "exec" - expression: "(exec.comm == 'kubectl' || exec.exe_path.endsWith('/kubectl')) && !ap.was_executed(exec.runtime.container_id, parse.get_exec_path(exec.args, exec.comm))" - - event_type: "network" - expression: "network.pkt_type == 'OUTGOING' && k8s.is_api_server_address(network.dst_endpoint.addr) && !nn.was_address_in_egress(network.runtime.container_id, network.dst_endpoint.addr)" - profile_dependency: 0 - severity: 5 # Medium - support_policy: false - tags: - - "exec" - - "network" - - "anomaly" - - "applicationprofile" - - name: "Read Environment Variables from procfs" - enabled: true - id: "R0008" - description: "Detecting reading environment variables from procfs." - expressions: - message: "'Reading environment variables from procfs: ' + open.full_path + ' by process ' + open.comm" - unique_id: "open.comm" - rule_expression: - - event_type: "open" - expression: > - open.full_path.startsWith('/proc/') && - open.full_path.endsWith('/environ') && - !ap.was_path_opened_with_suffix(open.runtime.container_id, '/environ') - profile_dependency: 0 # Required - severity: 5 # Medium - support_policy: false - tags: - - "anomaly" - - "procfs" - - "environment" - - "applicationprofile" - - name: "eBPF Program Load" - enabled: true - id: "R0009" - description: "Detecting eBPF program load." - expressions: - message: "'bpf system call executed in ' + syscall.k8s.container_name" - unique_id: "syscall.comm + '_' + syscall.syscall_name" - rule_expression: - - event_type: "syscall" - expression: "syscall.syscall_name == 'bpf' && !ap.was_syscall_used(syscall.runtime.container_id, syscall.syscall_name)" - profile_dependency: 1 - severity: 5 - support_policy: false - tags: - - "syscall" - - "ebpf" - - "applicationprofile" - - name: "Unexpected Sensitive File Access" - enabled: true - id: "R0010" - description: "Detecting access to sensitive files." 
- expressions: - message: "'Unexpected sensitive file access: ' + open.full_path + ' by process ' + open.comm" - unique_id: "open.comm + '_' + open.full_path" - rule_expression: - - event_type: "open" - expression: "open.full_path.startsWith('/etc/shadow') && !ap.was_path_opened(open.runtime.container_id, open.full_path)" - profile_dependency: 1 - severity: 5 - support_policy: false - tags: - - "files" - - "anomaly" - - "applicationprofile" - - name: "Unexpected Egress Network Traffic" - enabled: false - id: "R0011" - description: "Detecting unexpected egress network traffic that is not whitelisted by application profile." - expressions: - message: "'Unexpected egress network communication to: ' + network.dst_endpoint.addr + ':' + string(dyn(network.port)) + ' using ' + network.proto + ' from: ' + network.k8s.container_name" - unique_id: "network.dst_endpoint.addr + '_' + string(dyn(network.port)) + '_' + network.proto" - rule_expression: - - event_type: "network" - expression: "network.pkt_type == 'OUTGOING' && !net.is_private_ip(network.dst_endpoint.addr) && !nn.was_address_in_egress(network.runtime.container_id, network.dst_endpoint.addr)" - profile_dependency: 0 - severity: 5 # Medium - support_policy: false - tags: - - "whitelisted" - - "network" - - "anomaly" - - "networkprofile" - - name: "Process executed from malicious source" - enabled: true - id: "R1000" - description: "Detecting exec calls that are from malicious source like: /dev/shm" - expressions: - message: "'Execution from malicious source: ' + exec.exe_path + ' in directory ' + exec.cwd" - unique_id: "exec.comm + '_' + exec.exe_path + '_' + exec.pcomm" - rule_expression: - - event_type: "exec" - expression: > - (exec.exe_path == '/dev/shm' || exec.exe_path.startsWith('/dev/shm/')) || - (exec.cwd == '/dev/shm' || exec.cwd.startsWith('/dev/shm/') || - (parse.get_exec_path(exec.args, exec.comm).startsWith('/dev/shm/'))) - profile_dependency: 2 - severity: 8 - support_policy: false - tags: - - "exec" 
- - "signature" - - "malicious" - - name: "Drifted process executed" - enabled: true - id: "R1001" - description: "Detecting exec calls of binaries that are not included in the base image" - expressions: - message: "'Process (' + exec.comm + ') was executed and is not part of the image'" - unique_id: "exec.comm + '_' + exec.exe_path + '_' + exec.pcomm" - rule_expression: - - event_type: "exec" - expression: > - (exec.upper_layer == true || - exec.pupper_layer == true) && - !ap.was_executed(exec.runtime.container_id, parse.get_exec_path(exec.args, exec.comm)) - profile_dependency: 1 - severity: 8 - support_policy: false - tags: - - "exec" - - "malicious" - - "binary" - - "base image" - - "applicationprofile" - - name: "Process tries to load a kernel module" - enabled: true - id: "R1002" - description: "Detecting Kernel Module Load." - expressions: - message: "'Kernel module load syscall (' + syscall.syscall_name + ') was called'" - unique_id: "syscall.syscall_name" - rule_expression: - - event_type: "syscall" - expression: > - syscall.syscall_name == 'init_module' || - syscall.syscall_name == 'finit_module' - profile_dependency: 2 - severity: 10 - support_policy: false - tags: - - "syscall" - - "kernel" - - "module" - - "load" - - name: "Disallowed ssh connection" - enabled: false - id: "R1003" - description: "Detecting ssh connection to disallowed port" - expressions: - message: "'Malicious SSH connection attempt to ' + ssh.dst_ip + ':' + string(dyn(ssh.dst_port))" - unique_id: "ssh.comm + '_' + ssh.dst_ip + '_' + string(dyn(ssh.dst_port))" - rule_expression: - - event_type: "ssh" - expression: "dyn(ssh.src_port) >= 32768 && dyn(ssh.src_port) <= 60999 && !(dyn(ssh.dst_port) in [22, 2022]) && !nn.was_address_in_egress(ssh.runtime.container_id, ssh.dst_ip)" - profile_dependency: 1 - severity: 5 - support_policy: false - tags: - - "ssh" - - "connection" - - "port" - - "malicious" - - "networkprofile" - - name: "Process executed from mount" - enabled: true - id: 
"R1004" - description: "Detecting exec calls from mounted paths." - expressions: - message: "'Process (' + exec.comm + ') was executed from a mounted path'" - unique_id: "exec.comm + '_' + exec.exe_path" - rule_expression: - - event_type: "exec" - expression: "!ap.was_executed(exec.runtime.container_id, parse.get_exec_path(exec.args, exec.comm)) && k8s.get_container_mount_paths(exec.k8s.namespace, exec.k8s.pod_name, exec.k8s.container_name).exists(mount, exec.exe_path.startsWith(mount) || parse.get_exec_path(exec.args, exec.comm).startsWith(mount))" - profile_dependency: 1 - severity: 5 - support_policy: false - tags: - - "exec" - - "mount" - - "applicationprofile" - - name: "Fileless execution detected" - enabled: true - id: "R1005" - description: "Detecting Fileless Execution" - expressions: - message: "'Fileless execution detected: exec call \"' + exec.comm + '\" is from a malicious source'" - unique_id: "exec.comm + '_' + exec.exe_path + '_' + exec.pcomm" - rule_expression: - - event_type: "exec" - expression: "exec.exe_path.contains('memfd') || exec.exe_path.startsWith('/proc/self/fd') || exec.exe_path.matches('/proc/[0-9]+/fd/[0-9]+')" - profile_dependency: 2 - severity: 8 - support_policy: false - tags: - - "fileless" - - "execution" - - "malicious" - - name: "Process tries to escape container" - enabled: true - id: "R1006" - description: "Detecting Unshare System Call usage, which can be used to escape container." 
- expressions: - message: "'Unshare system call detected: ' + syscall.syscall_name + ' with PID ' + string(syscall.pid)" - unique_id: "syscall.syscall_name" - rule_expression: - - event_type: "syscall" - expression: "syscall.syscall_name == 'unshare' && !ap.was_syscall_used(syscall.runtime.container_id, syscall.syscall_name)" - profile_dependency: 2 - severity: 5 - support_policy: false - tags: - - "syscall" - - "escape" - - "unshare" - - "anomaly" - - "applicationprofile" - - name: "Crypto miner launched" - enabled: true - id: "R1007" - description: "Detecting XMR Crypto Miners by randomx algorithm usage." - expressions: - message: "'XMR Crypto Miner process: (' + randomx.exe_path + ') executed'" - unique_id: "randomx.exe_path + '_' + randomx.comm" - rule_expression: - - event_type: "randomx" - expression: "true" - profile_dependency: 2 - severity: 10 - support_policy: false - tags: - - "crypto" - - "miners" - - "malicious" - - name: "Crypto Mining Domain Communication" - enabled: true - id: "R1008" - description: "Detecting Crypto miners communication by domain" - expressions: - message: "'Communication with a known crypto mining domain: ' + dns.dns_name" - unique_id: "dns.dns_name + '_' + dns.comm" - rule_expression: - - event_type: "dns" - expression: "dns.dns_name in ['2cryptocalc.com.', '2miners.com.', 'antpool.com.', 'asia1.ethpool.org.', 'bohemianpool.com.', 'botbox.dev.', 'btm.antpool.com.', 'c3pool.com.', 'c4pool.org.', 'ca.minexmr.com.', 'cn.stratum.slushpool.com.', 'dash.antpool.com.', 'data.miningpoolstats.stream.', 'de.minexmr.com.', 'eth-ar.dwarfpool.com.', 'eth-asia.dwarfpool.com.', 'eth-asia1.nanopool.org.', 'eth-au.dwarfpool.com.', 'eth-au1.nanopool.org.', 'eth-br.dwarfpool.com.', 'eth-cn.dwarfpool.com.', 'eth-cn2.dwarfpool.com.', 'eth-eu.dwarfpool.com.', 'eth-eu1.nanopool.org.', 'eth-eu2.nanopool.org.', 'eth-hk.dwarfpool.com.', 'eth-jp1.nanopool.org.', 'eth-ru.dwarfpool.com.', 'eth-ru2.dwarfpool.com.', 'eth-sg.dwarfpool.com.', 
'eth-us-east1.nanopool.org.', 'eth-us-west1.nanopool.org.', 'eth-us.dwarfpool.com.', 'eth-us2.dwarfpool.com.', 'eth.antpool.com.', 'eu.stratum.slushpool.com.', 'eu1.ethermine.org.', 'eu1.ethpool.org.', 'fastpool.xyz.', 'fr.minexmr.com.', 'kriptokyng.com.', 'mine.moneropool.com.', 'mine.xmrpool.net.', 'miningmadness.com.', 'monero.cedric-crispin.com.', 'monero.crypto-pool.fr.', 'monero.fairhash.org.', 'monero.hashvault.pro.', 'monero.herominers.com.', 'monerod.org.', 'monerohash.com.', 'moneroocean.stream.', 'monerop.com.', 'multi-pools.com.', 'p2pool.io.', 'pool.kryptex.com.', 'pool.minexmr.com.', 'pool.monero.hashvault.pro.', 'pool.rplant.xyz.', 'pool.supportxmr.com.', 'pool.xmr.pt.', 'prohashing.com.', 'rx.unmineable.com.', 'sg.minexmr.com.', 'sg.stratum.slushpool.com.', 'skypool.org.', 'solo-xmr.2miners.com.', 'ss.antpool.com.', 'stratum-btm.antpool.com.', 'stratum-dash.antpool.com.', 'stratum-eth.antpool.com.', 'stratum-ltc.antpool.com.', 'stratum-xmc.antpool.com.', 'stratum-zec.antpool.com.', 'stratum.antpool.com.', 'supportxmr.com.', 'trustpool.cc.', 'us-east.stratum.slushpool.com.', 'us1.ethermine.org.', 'us1.ethpool.org.', 'us2.ethermine.org.', 'us2.ethpool.org.', 'web.xmrpool.eu.', 'www.domajorpool.com.', 'www.dxpool.com.', 'www.mining-dutch.nl.', 'xmc.antpool.com.', 'xmr-asia1.nanopool.org.', 'xmr-au1.nanopool.org.', 'xmr-eu1.nanopool.org.', 'xmr-eu2.nanopool.org.', 'xmr-jp1.nanopool.org.', 'xmr-us-east1.nanopool.org.', 'xmr-us-west1.nanopool.org.', 'xmr.2miners.com.', 'xmr.crypto-pool.fr.', 'xmr.gntl.uk.', 'xmr.nanopool.org.', 'xmr.pool-pay.com.', 'xmr.pool.minergate.com.', 'xmr.solopool.org.', 'xmr.volt-mine.com.', 'xmr.zeropool.io.', 'zec.antpool.com.', 'zergpool.com.', 'auto.c3pool.org.', 'us.monero.herominers.com.']" - profile_dependency: 2 - severity: 10 - support_policy: false - tags: - - "network" - - "crypto" - - "miners" - - "malicious" - - "dns" - - name: "Crypto Mining Related Port Communication" - enabled: true - id: "R1009" - description: 
"Detecting Crypto Miners by suspicious port usage." - expressions: - message: "'Detected crypto mining related port communication on port ' + string(dyn(network.port)) + ' to ' + network.dst_endpoint.addr + ' with protocol ' + network.proto" - unique_id: "network.comm + '_' + string(dyn(network.port))" - rule_expression: - - event_type: "network" - expression: "network.proto == 'TCP' && network.pkt_type == 'OUTGOING' && dyn(network.port) in [3333, 45700] && !nn.was_address_in_egress(network.runtime.container_id, network.dst_endpoint.addr)" - profile_dependency: 1 - severity: 3 - support_policy: false - tags: - - "network" - - "crypto" - - "miners" - - "malicious" - - "networkprofile" - - name: "Soft link created over sensitive file" - enabled: true - id: "R1010" - description: "Detects symlink creation over sensitive files" - expressions: - message: "'Symlink created over sensitive file: ' + symlink.old_path + ' -> ' + symlink.new_path" - unique_id: "symlink.comm + '_' + symlink.old_path" - rule_expression: - - event_type: "symlink" - expression: "(symlink.old_path.startsWith('/etc/shadow') || symlink.old_path.startsWith('/etc/sudoers')) && !ap.was_path_opened(symlink.runtime.container_id, symlink.old_path)" - profile_dependency: 1 - severity: 5 - support_policy: true - tags: - - "anomaly" - - "symlink" - - "applicationprofile" - - name: "ld_preload hooks technique detected" - enabled: false - id: "R1011" - description: "Detecting ld_preload hook techniques." - expressions: - message: "event_type == 'exec' ? 'Process (' + exec.comm + ') is using a dynamic linker hook: ' + process.get_ld_hook_var(exec.pid) : 'The dynamic linker configuration file (' + open.full_path + ') was modified by process (' + open.comm + ')'" - unique_id: "event_type == 'exec' ? 
'exec_' + exec.comm : 'open_' + open.full_path" - rule_expression: - - event_type: "exec" - expression: "exec.comm != 'java' && exec.k8s.container_name != 'matlab' && process.get_ld_hook_var(exec.pid) != ''" - - event_type: "open" - expression: "open.full_path == '/etc/ld.so.preload' && has(open.flags_raw) && open.flags_raw != 0" - profile_dependency: 1 - severity: 5 - support_policy: true - tags: - - "exec" - - "malicious" - - "applicationprofile" - - name: "Hard link created over sensitive file" - enabled: true - id: "R1012" - description: "Detecting hardlink creation over sensitive files." - expressions: - message: "'Hardlink created over sensitive file: ' + hardlink.old_path + ' - ' + hardlink.new_path" - unique_id: "hardlink.comm + '_' + hardlink.old_path" - rule_expression: - - event_type: "hardlink" - expression: "(hardlink.old_path.startsWith('/etc/shadow') || hardlink.old_path.startsWith('/etc/sudoers')) && !ap.was_path_opened(hardlink.runtime.container_id, hardlink.old_path)" - profile_dependency: 1 - severity: 5 - support_policy: true - tags: - - "files" - - "malicious" - - "applicationprofile" - - name: "Malicious Ptrace Usage" - enabled: true - id: "R1015" - description: "Detecting potentially malicious ptrace usage." - expressions: - message: "'Malicious ptrace usage detected from: ' + ptrace.comm" - unique_id: "ptrace.exe_path + '_' + ptrace.comm" - rule_expression: - - event_type: "ptrace" - expression: "true" - profile_dependency: 2 - severity: 5 - support_policy: false - tags: - - "process" - - "malicious" - - name: "Unexpected io_uring Operation Detected" - enabled: true - id: "R1030" - description: "Detects io_uring operations that were not recorded during the initial observation period, indicating potential unauthorized activity." - expressions: - message: "'Unexpected io_uring operation detected: (opcode=' + string(iouring.opcode) + ') flags=0x' + (has(iouring.flags) ? 
string(iouring.flags) : '0') + ' in ' + iouring.comm + '.'"
- unique_id: "string(iouring.opcode) + '_' + iouring.comm"
- rule_expression:
- - event_type: "iouring"
- expression: "true"
- profile_dependency: 0
- severity: 5
- support_policy: true
- tags:
- - "syscalls"
- - "io_uring"
- - "applicationprofile"
+ - name: "Unexpected process launched"
+ enabled: true
+ id: "R0001"
+ description: "Detects unexpected process launches that are not in the baseline"
+ expressions:
+ message: "'Unexpected process launched: ' + event.comm + ' with PID ' + string(event.pid)"
+ uniqueId: "event.comm + '_' + event.exepath"
+ ruleExpression:
+ - eventType: "exec"
+ expression: "!ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm))"
+ profileDependency: 0
+ severity: 1
+ supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0002"
+ mitreTechnique: "T1059"
+ tags:
+ - "anomaly"
+ - "process"
+ - "exec"
+ - "applicationprofile"
+ - name: "Files Access Anomalies in container"
+ enabled: false
+ id: "R0002"
+ description: "Detects unexpected file access that is not in the baseline"
+ expressions:
+ message: "'Unexpected file access detected: ' + event.comm + ' with PID ' + string(event.pid) + ' to ' + event.path"
+ uniqueId: "event.comm + '_' + event.path"
+ ruleExpression:
+ - eventType: "open"
+ expression: >
+ (event.path.startsWith('/etc/') ||
+ event.path.startsWith('/var/log/') ||
+ event.path.startsWith('/var/run/') ||
+ event.path.startsWith('/run/') ||
+ event.path.startsWith('/var/spool/cron/') ||
+ event.path.startsWith('/var/www/') ||
+ event.path.startsWith('/var/lib/') ||
+ event.path.startsWith('/opt/') ||
+ event.path.startsWith('/usr/local/') ||
+ event.path.startsWith('/app/') ||
+ event.path == '/.dockerenv' ||
+ event.path == '/proc/self/environ')
+ &&
+ !(event.path.startsWith('/run/secrets/kubernetes.io/serviceaccount') ||
+ event.path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') ||
+ event.path.startsWith('/tmp'))
+ &&
+ !ap.was_path_opened(event.containerId, event.path)
+ profileDependency: 0
+ severity: 1
+ supportPolicy: false
+ isTriggerAlert: false
+ mitreTactic: "TA0009"
+ mitreTechnique: "T1005"
+ tags:
+ - "anomaly"
+ - "file"
+ - "open"
+ - "applicationprofile"
+ - name: "Syscalls Anomalies in container"
+ enabled: true
+ id: "R0003"
+ description: "Detects unexpected system calls that are not whitelisted by application profile"
+ expressions:
+ message: "'Unexpected system call detected: ' + event.syscallName + ' with PID ' + string(event.pid)"
+ uniqueId: "event.syscallName"
+ ruleExpression:
+ - eventType: "syscall"
+ expression: "!ap.was_syscall_used(event.containerId, event.syscallName)"
+ profileDependency: 0
+ severity: 1
+ supportPolicy: false
+ isTriggerAlert: false
+ mitreTactic: "TA0002"
+ mitreTechnique: "T1059"
+ tags:
+ - "anomaly"
+ - "syscall"
+ - "applicationprofile"
+ - name: "Linux Capabilities Anomalies in container"
+ enabled: true
+ id: "R0004"
+ description: "Detects unexpected capabilities that are not whitelisted by application profile"
+ expressions:
+ message: "'Unexpected capability used: ' + event.capName + ' in syscall ' + event.syscallName + ' with PID ' + string(event.pid)"
+ uniqueId: "event.comm + '_' + event.capName"
+ ruleExpression:
+ - eventType: "capabilities"
+ expression: "!ap.was_capability_used(event.containerId, event.capName)"
+ profileDependency: 0
+ severity: 1
+ supportPolicy: false
+ isTriggerAlert: false
+ mitreTactic: "TA0002"
+ mitreTechnique: "T1059"
+ tags:
+ - "anomaly"
+ - "capabilities"
+ - "applicationprofile"
+ - name: "DNS Anomalies in container"
+ enabled: true
+ id: "R0005"
+ description: "Detecting unexpected domain requests that are not whitelisted by application profile."
+ expressions:
+ message: "'Unexpected domain communication: ' + event.name + ' from: ' + event.containerName"
+ uniqueId: "event.comm + '_' + event.name"
+ ruleExpression:
+ - eventType: "dns"
+ expression: "!event.name.endsWith('.svc.cluster.local.') && !nn.is_domain_in_egress(event.containerId, event.name)"
+ profileDependency: 0
+ severity: 1
+ supportPolicy: false
+ isTriggerAlert: false
+ mitreTactic: "TA0011"
+ mitreTechnique: "T1071.004"
+ tags:
+ - "dns"
+ - "anomaly"
+ - "networkprofile"
+ - name: "Unexpected service account token access"
+ enabled: true
+ id: "R0006"
+ description: "Detecting unexpected access to service account token."
+ expressions:
+ message: "'Unexpected access to service account token: ' + event.path + ' with flags: ' + event.flags.join(',')"
+ uniqueId: "event.comm"
+ ruleExpression:
+ - eventType: "open"
+ expression: >
+ ((event.path.startsWith('/run/secrets/kubernetes.io/serviceaccount') && event.path.endsWith('/token')) ||
+ (event.path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') && event.path.endsWith('/token')) ||
+ (event.path.startsWith('/run/secrets/eks.amazonaws.com/serviceaccount') && event.path.endsWith('/token')) ||
+ (event.path.startsWith('/var/run/secrets/eks.amazonaws.com/serviceaccount') && event.path.endsWith('/token'))) &&
+ !ap.was_path_opened_with_suffix(event.containerId, '/token')
+ profileDependency: 0
+ severity: 5
+ supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0006"
+ mitreTechnique: "T1528"
+ tags:
+ - "anomaly"
+ - "serviceaccount"
+ - "applicationprofile"
+ - name: "Workload uses Kubernetes API unexpectedly"
+ enabled: true
+ id: "R0007"
+ description: "Detecting execution of kubernetes client"
+ expressions:
+ message: "eventType == 'exec' ? 'Kubernetes client (' + event.comm + ') was executed with PID ' + string(event.pid) : 'Network connection to Kubernetes API server from container ' + event.containerName"
+ uniqueId: "eventType == 'exec' ? 'exec_' + event.comm : 'network_' + event.dstAddr"
+ ruleExpression:
+ - eventType: "exec"
+ expression: "(event.comm == 'kubectl' || event.exepath.endsWith('/kubectl')) && !ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm))"
+ - eventType: "network"
+ expression: "event.pktType == 'OUTGOING' && k8s.is_api_server_address(event.dstAddr) && !nn.was_address_in_egress(event.containerId, event.dstAddr)"
+ profileDependency: 0
+ severity: 5 # Medium
+ supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0008"
+ mitreTechnique: "T1210"
+ tags:
+ - "exec"
+ - "network"
+ - "anomaly"
+ - "applicationprofile"
+ - name: "Read Environment Variables from procfs"
+ enabled: true
+ id: "R0008"
+ description: "Detecting reading environment variables from procfs."
+ expressions:
+ message: "'Reading environment variables from procfs: ' + event.path + ' by process ' + event.comm"
+ uniqueId: "event.comm + '_' + event.path"
+ ruleExpression:
+ - eventType: "open"
+ expression: >
+ event.path.startsWith('/proc/') &&
+ event.path.endsWith('/environ') &&
+ !ap.was_path_opened_with_suffix(event.containerId, '/environ')
+ profileDependency: 0 # Required
+ severity: 5 # Medium
+ supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0006"
+ mitreTechnique: "T1552.001"
+ tags:
+ - "anomaly"
+ - "procfs"
+ - "environment"
+ - "applicationprofile"
+ - name: "eBPF Program Load"
+ enabled: true
+ id: "R0009"
+ description: "Detecting eBPF program load."
+ expressions:
+ message: "'bpf program load system call (bpf) was called by process (' + event.comm + ') with command (BPF_PROG_LOAD)'"
+ uniqueId: "event.comm + '_' + 'bpf' + '_' + string(event.cmd)"
+ ruleExpression:
+ - eventType: "bpf"
+ expression: "event.cmd == uint(5) && !ap.was_syscall_used(event.containerId, 'bpf')"
+ profileDependency: 1
+ severity: 5
+ supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0005"
+ mitreTechnique: "T1218"
+ tags:
+ - "bpf"
+ - "ebpf"
+ - "applicationprofile"
+ - name: "Unexpected Sensitive File Access"
+ enabled: true
+ id: "R0010"
+ description: "Detecting access to sensitive files."
+ expressions:
+ message: "'Unexpected sensitive file access: ' + event.path + ' by process ' + event.comm"
+ uniqueId: "event.comm + '_' + event.path"
+ ruleExpression:
+ - eventType: "open"
+ expression: "event.path.startsWith('/etc/shadow') && !ap.was_path_opened(event.containerId, event.path)"
+ profileDependency: 1
+ severity: 5
+ supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0006"
+ mitreTechnique: "T1005"
+ tags:
+ - "files"
+ - "anomaly"
+ - "applicationprofile"
+ - name: "Unexpected Egress Network Traffic"
+ enabled: false
+ id: "R0011"
+ description: "Detecting unexpected egress network traffic that is not whitelisted by application profile."
+ expressions:
+ message: "'Unexpected egress network communication to: ' + event.dstAddr + ':' + string(event.dstPort) + ' using ' + event.proto + ' from: ' + event.containerName"
+ uniqueId: "event.dstAddr + '_' + string(event.dstPort) + '_' + event.proto"
+ ruleExpression:
+ - eventType: "network"
+ expression: "event.pktType == 'OUTGOING' && !net.is_private_ip(event.dstAddr) && !nn.was_address_in_egress(event.containerId, event.dstAddr)"
+ profileDependency: 0
+ severity: 5 # Medium
+ supportPolicy: false
+ isTriggerAlert: false
+ mitreTactic: "TA0010"
+ mitreTechnique: "T1041"
+ tags:
+ - "whitelisted"
+ - "network"
+ - "anomaly"
+ - "networkprofile"
+ - name: "Process executed from malicious source"
+ enabled: true
+ id: "R1000"
+ description: "Detecting exec calls that are from malicious source like: /dev/shm"
+ expressions:
+ message: "'Execution from malicious source: ' + event.exepath + ' in directory ' + event.cwd"
+ uniqueId: "event.comm + '_' + event.exepath + '_' + event.pcomm"
+ ruleExpression:
+ - eventType: "exec"
+ expression: >
+ (event.exepath == '/dev/shm' || event.exepath.startsWith('/dev/shm/')) ||
+ (event.cwd == '/dev/shm' || event.cwd.startsWith('/dev/shm/') ||
+ (parse.get_exec_path(event.args, event.comm).startsWith('/dev/shm/')))
+ profileDependency: 2
+ severity: 8
+ supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0002"
+ mitreTechnique: "T1059"
+ tags:
+ - "exec"
+ - "signature"
+ - "malicious"
+ - name: "Drifted process executed"
+ enabled: true
+ id: "R1001"
+ description: "Detecting exec calls of binaries that are not included in the base image"
+ expressions:
+ message: "'Process (' + event.comm + ') was executed and is not part of the image'"
+ uniqueId: "event.comm + '_' + event.exepath + '_' + event.pcomm"
+ ruleExpression:
+ - eventType: "exec"
+ expression: >
+ (event.upperlayer == true ||
+ event.pupperlayer == true) &&
+ !ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm))
+ profileDependency: 1
+ severity: 8
+ supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0005"
+ mitreTechnique: "T1036"
+ tags:
+ - "exec"
+ - "malicious"
+ - "binary"
+ - "base image"
+ - "applicationprofile"
+ - name: "Process tries to load a kernel module"
+ enabled: true
+ id: "R1002"
+ description: "Detecting Kernel Module Load."
+ expressions:
+ message: "'Kernel module (' + event.module + ') loading attempt with syscall (' + event.syscallName + ') was called by process (' + event.comm + ')'"
+ uniqueId: "event.comm + '_' + event.syscallName + '_' + event.module"
+ ruleExpression:
+ - eventType: "kmod"
+ expression: "event.syscallName == 'init_module' || event.syscallName == 'finit_module'"
+ profileDependency: 2
+ severity: 10
+ supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0005"
+ mitreTechnique: "T1547.006"
+ tags:
+ - "kmod"
+ - "kernel"
+ - "module"
+ - "load"
+ - name: "Disallowed ssh connection"
+ enabled: false
+ id: "R1003"
+ description: "Detecting ssh connection to disallowed port"
+ expressions:
+ message: "'Malicious SSH connection attempt to ' + event.dstIp + ':' + string(dyn(event.dstPort))"
+ uniqueId: "event.comm + '_' + event.dstIp + '_' + string(dyn(event.dstPort))"
+ ruleExpression:
+ - eventType: "ssh"
+ expression: "dyn(event.srcPort) >= 32768 && dyn(event.srcPort) <= 60999 && !(dyn(event.dstPort) in [22, 2022]) && !nn.was_address_in_egress(event.containerId, event.dstIp)"
+ profileDependency: 1
+ severity: 5
+ supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0008"
+ mitreTechnique: "T1021.001"
+ tags:
+ - "ssh"
+ - "connection"
+ - "port"
+ - "malicious"
+ - "networkprofile"
+ - name: "Process executed from mount"
+ enabled: true
+ id: "R1004"
+ description: "Detecting exec calls from mounted paths."
+ expressions:
+ message: "'Process (' + event.comm + ') was executed from a mounted path'"
+ uniqueId: "event.comm"
+ ruleExpression:
+ - eventType: "exec"
+ expression: "!ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm)) && k8s.get_container_mount_paths(event.namespace, event.podName, event.containerName).exists(mount, event.exepath.startsWith(mount) || parse.get_exec_path(event.args, event.comm).startsWith(mount))"
+ profileDependency: 1
+ severity: 5
+ supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0002"
+ mitreTechnique: "T1059"
+ tags:
+ - "exec"
+ - "mount"
+ - "applicationprofile"
+ - name: "Fileless execution detected"
+ enabled: true
+ id: "R1005"
+ description: "Detecting Fileless Execution"
+ expressions:
+ message: '''Fileless execution detected: exec call "'' + event.comm + ''" is from a malicious source'''
+ uniqueId: "event.comm + '_' + event.exepath + '_' + event.pcomm"
+ ruleExpression:
+ - eventType: "exec"
+ expression: "event.exepath.contains('memfd') || event.exepath.startsWith('/proc/self/fd') || event.exepath.matches('/proc/[0-9]+/fd/[0-9]+')"
+ profileDependency: 2
+ severity: 8
+ supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0005"
+ mitreTechnique: "T1055"
+ tags:
+ - "fileless"
+ - "execution"
+ - "malicious"
+ - name: "Process tries to escape container"
+ enabled: true
+ id: "R1006"
+ description: "Detecting Unshare System Call usage, which can be used to escape container."
+ expressions:
+ message: "'Unshare system call (unshare) was called by process (' + event.comm + ')'"
+ uniqueId: "event.comm + '_' + 'unshare'"
+ ruleExpression:
+ - eventType: "unshare"
+ expression: "event.pcomm != 'runc' && !ap.was_syscall_used(event.containerId, 'unshare')"
+ profileDependency: 2
+ severity: 5
+ supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0004"
+ mitreTechnique: "T1611"
+ tags:
+ - "unshare"
+ - "escape"
+ - "unshare"
+ - "anomaly"
+ - "applicationprofile"
+ - name: "Crypto miner launched"
+ enabled: true
+ id: "R1007"
+ description: "Detecting XMR Crypto Miners by randomx algorithm usage."
+ expressions:
+ message: "'XMR Crypto Miner process: (' + event.exepath + ') executed'"
+ uniqueId: "event.exepath + '_' + event.comm"
+ ruleExpression:
+ - eventType: "randomx"
+ expression: "true"
+ profileDependency: 2
+ severity: 10
+ supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0040"
+ mitreTechnique: "T1496"
+ tags:
+ - "crypto"
+ - "miners"
+ - "malicious"
+ - name: "Crypto Mining Domain Communication"
+ enabled: true
+ id: "R1008"
+ description: "Detecting Crypto miners communication by domain"
+ expressions:
+ message: "'Communication with a known crypto mining domain: ' + event.name"
+ uniqueId: "event.name + '_' + event.comm"
+ ruleExpression:
+ - eventType: "dns"
+ expression: "event.name in ['2cryptocalc.com.', '2miners.com.', 'antpool.com.', 'asia1.ethpool.org.', 'bohemianpool.com.', 'botbox.dev.', 'btm.antpool.com.', 'c3pool.com.', 'c4pool.org.', 'ca.minexmr.com.', 'cn.stratum.slushpool.com.', 'dash.antpool.com.', 'data.miningpoolstats.stream.', 'de.minexmr.com.', 'eth-ar.dwarfpool.com.', 'eth-asia.dwarfpool.com.', 'eth-asia1.nanopool.org.', 'eth-au.dwarfpool.com.', 'eth-au1.nanopool.org.', 'eth-br.dwarfpool.com.', 'eth-cn.dwarfpool.com.', 'eth-cn2.dwarfpool.com.', 'eth-eu.dwarfpool.com.', 'eth-eu1.nanopool.org.', 'eth-eu2.nanopool.org.', 'eth-hk.dwarfpool.com.', 'eth-jp1.nanopool.org.', 'eth-ru.dwarfpool.com.', 'eth-ru2.dwarfpool.com.', 'eth-sg.dwarfpool.com.', 'eth-us-east1.nanopool.org.', 'eth-us-west1.nanopool.org.', 'eth-us.dwarfpool.com.', 'eth-us2.dwarfpool.com.', 'eth.antpool.com.', 'eu.stratum.slushpool.com.', 'eu1.ethermine.org.', 'eu1.ethpool.org.', 'fastpool.xyz.', 'fr.minexmr.com.', 'kriptokyng.com.', 'mine.moneropool.com.', 'mine.xmrpool.net.', 'miningmadness.com.', 'monero.cedric-crispin.com.', 'monero.crypto-pool.fr.', 'monero.fairhash.org.', 'monero.hashvault.pro.', 'monero.herominers.com.', 'monerod.org.', 'monerohash.com.', 'moneroocean.stream.', 'monerop.com.', 'multi-pools.com.', 'p2pool.io.', 'pool.kryptex.com.', 'pool.minexmr.com.', 'pool.monero.hashvault.pro.', 'pool.rplant.xyz.', 'pool.supportxmr.com.', 'pool.xmr.pt.', 'prohashing.com.', 'rx.unmineable.com.', 'sg.minexmr.com.', 'sg.stratum.slushpool.com.', 'skypool.org.', 'solo-xmr.2miners.com.', 'ss.antpool.com.', 'stratum-btm.antpool.com.', 'stratum-dash.antpool.com.', 'stratum-eth.antpool.com.', 'stratum-ltc.antpool.com.', 'stratum-xmc.antpool.com.', 'stratum-zec.antpool.com.', 'stratum.antpool.com.', 'supportxmr.com.', 'trustpool.cc.', 'us-east.stratum.slushpool.com.', 'us1.ethermine.org.', 'us1.ethpool.org.', 'us2.ethermine.org.', 'us2.ethpool.org.', 'web.xmrpool.eu.', 'www.domajorpool.com.', 'www.dxpool.com.', 'www.mining-dutch.nl.', 'xmc.antpool.com.', 'xmr-asia1.nanopool.org.', 'xmr-au1.nanopool.org.', 'xmr-eu1.nanopool.org.', 'xmr-eu2.nanopool.org.', 'xmr-jp1.nanopool.org.', 'xmr-us-east1.nanopool.org.', 'xmr-us-west1.nanopool.org.', 'xmr.2miners.com.', 'xmr.crypto-pool.fr.', 'xmr.gntl.uk.', 'xmr.nanopool.org.', 'xmr.pool-pay.com.', 'xmr.pool.minergate.com.', 'xmr.solopool.org.', 'xmr.volt-mine.com.', 'xmr.zeropool.io.', 'zec.antpool.com.', 'zergpool.com.', 'auto.c3pool.org.', 'us.monero.herominers.com.']"
+ profileDependency: 2
+ severity: 10
+ supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0011"
+ mitreTechnique: "T1071.004"
+ tags:
+ - "network"
+ - "crypto"
+ - "miners"
+ - "malicious"
+ - "dns"
+ - name: "Crypto Mining Related Port Communication"
+ enabled: true
+ id: "R1009"
+ description: "Detecting Crypto Miners by suspicious port usage."
+ expressions:
+ message: "'Detected crypto mining related port communication on port ' + string(event.dstPort) + ' to ' + event.dstAddr + ' with protocol ' + event.proto"
+ uniqueId: "event.comm + '_' + string(event.dstPort)"
+ ruleExpression:
+ - eventType: "network"
+ expression: "event.proto == 'TCP' && event.pktType == 'OUTGOING' && event.dstPort in [3333, 45700] && !nn.was_address_in_egress(event.containerId, event.dstAddr)"
+ profileDependency: 1
+ severity: 3
+ supportPolicy: false
+ isTriggerAlert: false
+ mitreTactic: "TA0011"
+ mitreTechnique: "T1071"
+ tags:
+ - "network"
+ - "crypto"
+ - "miners"
+ - "malicious"
+ - "networkprofile"
+ - name: "Soft link created over sensitive file"
+ enabled: true
+ id: "R1010"
+ description: "Detects symlink creation over sensitive files"
+ expressions:
+ message: "'Symlink created over sensitive file: ' + event.oldPath + ' -> ' + event.newPath"
+ uniqueId: "event.comm + '_' + event.oldPath"
+ ruleExpression:
+ - eventType: "symlink"
+ expression: "(event.oldPath.startsWith('/etc/shadow') || event.oldPath.startsWith('/etc/sudoers')) && !ap.was_path_opened(event.containerId, event.oldPath)"
+ profileDependency: 1
+ severity: 5
+ supportPolicy: true
+ isTriggerAlert: true
+ mitreTactic: "TA0006"
+ mitreTechnique: "T1005"
+ tags:
+ - "anomaly"
+ - "symlink"
+ - "applicationprofile"
+ - name: "ld_preload hooks technique detected"
+ enabled: false
+ id: "R1011"
+ description: "Detecting ld_preload hook techniques."
+ expressions:
+ message: "eventType == 'exec' ? 'Process (' + event.comm + ') is using a dynamic linker hook: ' + process.get_ld_hook_var(event.pid) : 'The dynamic linker configuration file (' + event.path + ') was modified by process (' + event.comm + ')'"
+ uniqueId: "eventType == 'exec' ? 'exec_' + event.comm : 'open_' + event.path"
+ ruleExpression:
+ - eventType: "exec"
+ expression: "event.comm != 'java' && event.containerName != 'matlab' && process.get_ld_hook_var(event.pid) != ''"
+ - eventType: "open"
+ expression: "event.path == '/etc/ld.so.preload' && has(event.flagsRaw) && event.flagsRaw != 0"
+ profileDependency: 1
+ severity: 5
+ supportPolicy: true
+ isTriggerAlert: true
+ mitreTactic: "TA0005"
+ mitreTechnique: "T1574.006"
+ tags:
+ - "exec"
+ - "malicious"
+ - "applicationprofile"
+ - name: "Hard link created over sensitive file"
+ enabled: true
+ id: "R1012"
+ description: "Detecting hardlink creation over sensitive files."
+ expressions:
+ message: "'Hardlink created over sensitive file: ' + event.oldPath + ' - ' + event.newPath"
+ uniqueId: "event.comm + '_' + event.oldPath"
+ ruleExpression:
+ - eventType: "hardlink"
+ expression: "(event.oldPath.startsWith('/etc/shadow') || event.oldPath.startsWith('/etc/sudoers')) && !ap.was_path_opened(event.containerId, event.oldPath)"
+ profileDependency: 1
+ severity: 5
+ supportPolicy: true
+ isTriggerAlert: true
+ mitreTactic: "TA0006"
+ mitreTechnique: "T1005"
+ tags:
+ - "files"
+ - "malicious"
+ - "applicationprofile"
+ - name: "Malicious Ptrace Usage"
+ enabled: true
+ id: "R1015"
+ description: "Detecting potentially malicious ptrace usage."
+ expressions:
+ message: "'Malicious ptrace usage detected from: ' + event.comm"
+ uniqueId: "event.exepath + '_' + event.comm"
+ ruleExpression:
+ - eventType: "ptrace"
+ expression: "true"
+ profileDependency: 2
+ severity: 5
+ supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0005"
+ mitreTechnique: "T1622"
+ tags:
+ - "process"
+ - "malicious"
+ - name: "Unexpected io_uring Operation Detected"
+ enabled: true
+ id: "R1030"
+ description: "Detects io_uring operations that were not recorded during the initial observation period, indicating potential unauthorized activity."
+ expressions:
+ message: "'Unexpected io_uring operation detected: (opcode=' + string(event.opcode) + ') flags=0x' + (has(event.flagsRaw) ? string(event.flagsRaw) : '0') + ' in ' + event.comm + '.'"
+ uniqueId: "string(event.opcode) + '_' + event.comm"
+ ruleExpression:
+ - eventType: "iouring"
+ expression: "true"
+ profileDependency: 0
+ severity: 5
+ supportPolicy: true
+ isTriggerAlert: true
+ mitreTactic: "TA0002"
+ mitreTechnique: "T1218"
+ tags:
+ - "syscalls"
+ - "io_uring"
+ - "applicationprofile"