From f6e08e7eb6e5b90d555b6bd7febbf5dc3cc4a39d Mon Sep 17 00:00:00 2001 From: Matthias Bertschy Date: Thu, 9 Oct 2025 14:32:03 +0200 Subject: [PATCH 01/11] fix rules for image-based gadgets 
Signed-off-by: Matthias Bertschy --- go.mod | 200 ++++---- go.sum | 452 ++++++++++-------- .../rule_test.go | 62 +-- .../unexpected-process-launched.yaml | 6 +- .../r0002-unexpected-file-access/rule_test.go | 32 +- .../unexpected-file-access.yaml | 36 +- .../r0003-unexpected-system-call/rule_test.go | 22 +- .../unexpected-system-call.yaml | 6 +- .../rule_test.go | 28 +- .../unexpected-capability-used.yaml | 6 +- .../rule_test.go | 30 +- .../unexpected-domain-request.yaml | 6 +- .../rule_test.go | 38 +- ...expected-service-account-token-access.yaml | 20 +- .../kubernetes-client-executed.yaml | 8 +- .../rule_test.go | 56 +-- .../read-environment-variables-procfs.yaml | 10 +- .../rule_test.go | 40 +- .../ebpf-program-load.yaml | 6 +- .../r0009-ebpf-program-load/rule_test.go | 24 +- .../rule_test.go | 36 +- .../unexpected-sensitive-file-access.yaml | 6 +- .../rule_test.go | 33 +- .../unexpected-egress-network-traffic.yaml | 6 +- .../exec-from-malicious-source.yaml | 10 +- .../rule_test.go | 42 +- .../exec-binary-not-in-base-image.yaml | 10 +- .../rule_test.go | 50 +- .../kernel-module-load.yaml | 8 +- .../r1002-kernel-module-load/rule_test.go | 31 +- .../malicious-ssh-connection.yaml | 6 +- .../rule_test.go | 41 +- .../exec-from-mount.yaml | 6 +- pkg/rules/r1004-exec-from-mount/rule_test.go | 41 +- .../fileless-execution.yaml | 6 +- .../r1005-fileless-execution/rule_test.go | 41 +- pkg/rules/r1006-unshare-syscall/rule_test.go | 25 +- .../unshare-syscall.yaml | 6 +- .../r1007-xmr-crypto-mining/rule_test.go | 39 +- .../xmr-crypto-mining.yaml | 4 +- .../crypto-mining-domain-communication.yaml | 6 +- .../rule_test.go | 43 +- .../crypto-mining-related-port.yaml | 6 +- .../rule_test.go | 46 +- .../rule_test.go | 26 +- .../symlink-created-over-sensitive-file.yaml | 6 +- .../ld-preload-hook.yaml | 8 +- pkg/rules/r1011-ld-preload-hook/rule_test.go | 65 +-- .../hardlink-created-over-sensitive-file.yaml | 6 +- .../rule_test.go | 26 +- .../malicious-ptrace-usage.yaml | 4 +- 
.../r1015-malicious-ptrace-usage/rule_test.go | 38 +- .../rule_test.go | 28 +- .../unexpected-io_uring-operation.yaml | 4 +- rules-crd.yaml | 44 +- 55 files changed, 779 insertions(+), 1112 deletions(-)
diff --git a/go.mod b/go.mod
index f421fe5..70c49ab 100644
--- a/go.mod
+++ b/go.mod
@@ -1,31 +1,30 @@
 module github.com/kubescape/rulelibrary
 
-go 1.24.0
-
-toolchain go1.24.5
+go 1.25.0
 
 require (
 	github.com/goradd/maps v1.0.0
-	github.com/inspektor-gadget/inspektor-gadget v0.41.0
-	github.com/kubescape/node-agent v0.2.375-0.20250821110035-45cbc9a5224d
-	github.com/kubescape/storage v0.0.200
-	github.com/stretchr/testify v1.10.0
+	github.com/inspektor-gadget/inspektor-gadget v0.45.0
+	github.com/kubescape/node-agent v0.2.387-0.20251016064604-515cf49dff50
+	github.com/kubescape/storage v0.0.221
+	github.com/stretchr/testify v1.11.1
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/api v0.33.3
+	k8s.io/api v0.34.1
 )
 
 require (
-	cel.dev/expr v0.20.0 // indirect
+	cel.dev/expr v0.24.0 // indirect
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
 	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20231105174938-2b5cbb29f3e2 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/Microsoft/hcsshim v0.12.9 // indirect
+	github.com/Microsoft/hcsshim v0.13.0 // indirect
 	github.com/SergJa/jsonhash v0.0.0-20210531165746-fc45f346aa74 // indirect
 	github.com/acobaugh/osrelease v0.1.0 // indirect
 	github.com/anchore/go-logger v0.0.0-20250318195838-07ae343dd722 // indirect
-	github.com/anchore/packageurl-go v0.1.1-0.20241018175412-5c22e6360c4f // indirect
-	github.com/anchore/stereoscope v0.0.11 // indirect
-	github.com/anchore/syft v1.18.1 // indirect
+	github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115 // indirect
+	github.com/anchore/stereoscope v0.1.9-0.20250826202322-ef061ea78385 // indirect
+	github.com/anchore/syft v1.32.0 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 	github.com/armosec/armoapi-go v0.0.605 // indirect
 	github.com/armosec/gojay v1.2.17 // indirect
@@ -34,16 +33,17 @@ require (
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/becheran/wildmatch-go v1.0.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
-	github.com/bmatcuk/doublestar/v4 v4.7.1 // indirect
+	github.com/bmatcuk/doublestar/v4 v4.9.1 // indirect
 	github.com/briandowns/spinner v1.23.2 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/cenkalti/backoff/v5 v5.0.2 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cilium/cilium v1.16.9 // indirect
-	github.com/cilium/ebpf v0.18.0 // indirect
+	github.com/cilium/ebpf v0.19.1-0.20250729164112-d994daa25101 // indirect
 	github.com/containerd/cgroups/v3 v3.0.5 // indirect
-	github.com/containerd/containerd v1.7.27 // indirect
+	github.com/containerd/containerd v1.7.28 // indirect
 	github.com/containerd/containerd/api v1.8.0 // indirect
 	github.com/containerd/continuity v0.4.4 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
@@ -53,32 +53,33 @@ require (
 	github.com/containerd/platforms v0.2.1 // indirect
 	github.com/containerd/ttrpc v1.2.7 // indirect
 	github.com/containerd/typeurl/v2 v2.2.3 // indirect
-	github.com/containers/common v0.63.0 // indirect
+	github.com/containers/common v0.64.2 // indirect
 	github.com/coreos/go-oidc/v3 v3.14.1 // indirect
-	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
+	github.com/coreos/go-systemd/v22 v22.6.0 // indirect
 	github.com/crewjam/rfc5424 v0.1.0 // indirect
-	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
+	github.com/cyphar/filepath-securejoin v0.5.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/deckarep/golang-set/v2 v2.7.0 // indirect
 	github.com/dghubble/trie v0.1.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/cli v28.2.1+incompatible // indirect
-	github.com/docker/docker v28.3.3+incompatible // indirect
+	github.com/docker/cli v28.5.0+incompatible // indirect
+	github.com/docker/docker v28.5.0+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.9.3 // indirect
-	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
-	github.com/emicklei/go-restful/v3 v3.12.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/facebookincubator/nvdtools v0.1.5 // indirect
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/francoispqt/gojay v1.2.13 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
-	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.7 // indirect
-	github.com/github/go-spdx/v2 v2.3.2 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.9 // indirect
+	github.com/github/go-spdx/v2 v2.3.3 // indirect
+	github.com/go-errors/errors v1.5.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.1 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.23.0 // indirect
@@ -91,17 +92,21 @@ require (
 	github.com/go-openapi/strfmt v0.23.0 // indirect
 	github.com/go-openapi/swag v0.23.1 // indirect
 	github.com/go-openapi/validate v0.24.0 // indirect
-	github.com/go-viper/mapstructure/v2 v2.3.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/gohugoio/hashstructure v0.5.0 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
-	github.com/google/cel-go v0.23.2 // indirect
-	github.com/google/gnostic-models v0.6.9 // indirect
+	github.com/google/btree v1.1.3 // indirect
+	github.com/google/cel-go v0.26.0 // indirect
+	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
-	github.com/google/go-containerregistry v0.20.3 // indirect
+	github.com/google/go-containerregistry v0.20.6 // indirect
+	github.com/google/licensecheck v0.3.1 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect
+	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
@@ -113,24 +118,26 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/kubescape/go-logger v0.0.24 // indirect
-	github.com/kubescape/k8s-interface v0.0.198 // indirect
+	github.com/kubescape/k8s-interface v0.0.199 // indirect
+	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/mackerelio/go-osstat v0.2.5 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/locker v1.0.1 // indirect
-	github.com/moby/moby v28.2.1+incompatible // indirect
+	github.com/moby/moby v28.5.0+incompatible // indirect
 	github.com/moby/sys/mountinfo v0.7.2 // indirect
 	github.com/moby/sys/sequential v0.6.0 // indirect
 	github.com/moby/sys/signal v0.7.0 // indirect
 	github.com/moby/sys/user v0.4.0 // indirect
 	github.com/moby/sys/userns v0.1.0 // indirect
+	github.com/moby/term v0.5.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
+	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
 	github.com/ncw/directio v1.0.5 // indirect
@@ -141,37 +148,38 @@ require (
 	github.com/opencontainers/runtime-spec v1.2.1 // indirect
 	github.com/opencontainers/selinux v1.12.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
-	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/petermattis/goid v0.0.0-20241211131331-93ee7e083c43 // indirect
 	github.com/picatz/xcel v0.0.0-20250816143731-885b5f678a12 // indirect
 	github.com/pierrec/lz4/v4 v4.1.22 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/alertmanager v0.27.0 // indirect
-	github.com/prometheus/client_golang v1.22.0 // indirect
+	github.com/prometheus/client_golang v1.23.2 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.64.0 // indirect
-	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/procfs v0.17.0 // indirect
 	github.com/puzpuzpuz/xsync/v2 v2.4.1 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/s3rj1k/go-fanotify/fanotify v0.0.0-20240229202106-bca3154da60a // indirect
-	github.com/sagikazarmark/locafero v0.7.0 // indirect
+	github.com/sagikazarmark/locafero v0.11.0 // indirect
 	github.com/sasha-s/go-deadlock v0.3.5 // indirect
 	github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e // indirect
-	github.com/seccomp/libseccomp-golang v0.10.0 // indirect
-	github.com/sirupsen/logrus v1.9.3 // indirect
-	github.com/sourcegraph/conc v0.3.0 // indirect
-	github.com/spf13/afero v1.12.0 // indirect
-	github.com/spf13/cast v1.7.1 // indirect
-	github.com/spf13/cobra v1.9.1 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
-	github.com/spf13/viper v1.20.1 // indirect
+	github.com/seccomp/libseccomp-golang v0.11.0 // indirect
+	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
+	github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
+	github.com/spf13/afero v1.15.0 // indirect
+	github.com/spf13/cast v1.10.0 // indirect
+	github.com/spf13/cobra v1.10.1 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
+	github.com/spf13/viper v1.21.0 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/stripe/stripe-go/v74 v74.30.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
-	github.com/sylabs/squashfs v1.0.4 // indirect
+	github.com/sylabs/squashfs v1.0.6 // indirect
 	github.com/therootcompany/xz v1.0.1 // indirect
-	github.com/ulikunitz/xz v0.5.12 // indirect
+	github.com/ulikunitz/xz v0.5.15 // indirect
 	github.com/uptrace/opentelemetry-go-extra/otelutil v0.3.2 // indirect
 	github.com/uptrace/opentelemetry-go-extra/otelzap v0.3.2 // indirect
 	github.com/uptrace/uptrace-go v1.35.1 // indirect
@@ -180,72 +188,70 @@ require (
 	github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651 // indirect
 	github.com/wagoodman/go-progress v0.0.0-20230925121702-07e42b3cdba0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
+	github.com/xlab/treeprint v1.2.0 // indirect
 	github.com/yl2chen/cidranger v1.0.2 // indirect
 	go.mongodb.org/mongo-driver v1.17.1 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/runtime v0.61.0 // indirect
-	go.opentelemetry.io/otel v1.36.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/runtime v0.63.0 // indirect
+	go.opentelemetry.io/otel v1.38.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.11.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.35.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 // indirect
 	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.35.0 // indirect
-	go.opentelemetry.io/otel/log v0.12.2 // indirect
-	go.opentelemetry.io/otel/metric v1.36.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.36.0 // indirect
-	go.opentelemetry.io/otel/sdk/log v0.12.2 // indirect
-	go.opentelemetry.io/otel/sdk/metric v1.36.0 // indirect
-	go.opentelemetry.io/otel/trace v1.36.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.6.0 // indirect
+	go.opentelemetry.io/otel/log v0.14.0 // indirect
+	go.opentelemetry.io/otel/metric v1.38.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.38.0 // indirect
+	go.opentelemetry.io/otel/sdk/log v0.14.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.38.0 // indirect
+	go.opentelemetry.io/otel/trace v1.38.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.7.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
-	golang.org/x/crypto v0.38.0 // indirect
-	golang.org/x/exp v0.0.0-20250103183323-7d7fa50e5329 // indirect
-	golang.org/x/net v0.40.0 // indirect
+	golang.org/x/crypto v0.42.0 // indirect
+	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
+	golang.org/x/net v0.44.0 // indirect
 	golang.org/x/oauth2 v0.30.0 // indirect
-	golang.org/x/sync v0.14.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/term v0.32.0 // indirect
-	golang.org/x/text v0.25.0 // indirect
-	golang.org/x/time v0.11.0 // indirect
+	golang.org/x/sync v0.17.0 // indirect
+	golang.org/x/sys v0.36.0 // indirect
+	golang.org/x/term v0.35.0 // indirect
+	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/time v0.13.0 // indirect
 	google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 // indirect
-	google.golang.org/grpc v1.72.2 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 // indirect
+	google.golang.org/grpc v1.75.1 // indirect
+	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	istio.io/pkg v0.0.0-20231221211216-7635388a563e // indirect
-	k8s.io/apiextensions-apiserver v0.33.1 // indirect
-	k8s.io/apimachinery v0.33.3 // indirect
-	k8s.io/apiserver v0.33.1 // indirect
-	k8s.io/client-go v0.33.1 // indirect
-	k8s.io/component-base v0.33.1 // indirect
-	k8s.io/cri-api v0.33.1 // indirect
+	k8s.io/apiextensions-apiserver v0.34.1 // indirect
+	k8s.io/apimachinery v0.34.1 // indirect
+	k8s.io/apiserver v0.34.1 // indirect
+	k8s.io/cli-runtime v0.34.1 // indirect
+	k8s.io/client-go v0.34.1 // indirect
+	k8s.io/component-base v0.34.1 // indirect
+	k8s.io/cri-api v0.34.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
-	k8s.io/kubelet v0.33.1 // indirect
-	k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e // indirect
-	modernc.org/libc v1.55.3 // indirect
-	modernc.org/mathutil v1.6.0 // indirect
-	modernc.org/memory v1.8.0 // indirect
-	modernc.org/sqlite v1.34.2 // indirect
+	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
+	k8s.io/kubelet v0.34.1 // indirect
+	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
+	modernc.org/libc v1.66.3 // indirect
+	modernc.org/mathutil v1.7.1 // indirect
+	modernc.org/memory v1.11.0 // indirect
+	modernc.org/sqlite v1.38.2 // indirect
 	oras.land/oras-go/v2 v2.6.0 // indirect
 	sigs.k8s.io/controller-runtime v0.21.0 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/kustomize/api v0.20.1 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.20.1 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
-	sigs.k8s.io/yaml v1.4.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
+	sigs.k8s.io/yaml v1.6.0 // indirect
 	zombiezen.com/go/sqlite v1.4.0 // indirect
 )
-
-replace github.com/vishvananda/netns => github.com/inspektor-gadget/netns v0.0.5-0.20230524185006-155d84c555d6
-
-replace github.com/mholt/archiver/v3 v3.5.1 => github.com/anchore/archiver/v3 v3.5.2
-
-replace github.com/inspektor-gadget/inspektor-gadget => github.com/amirmalka/inspektor-gadget v0.40.1-0.20250814111737-3a58864c8d86
-
-replace github.com/picatz/xcel => github.com/matthyx/xcel v0.0.0-20250820140400-f8fabef4e2af
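Review bot: Dropping the `replace github.com/picatz/xcel => github.com/matthyx/xcel v0.0.0-20250820140400-f8fabef4e2af` directive at the end of this hunk puts the build back on the upstream module, and the require block still pins it at `github.com/picatz/xcel v0.0.0-20250816143731-885b5f678a12 // indirect` (context in the earlier hunk of this file), a pseudo-version four days older than the fork commit that was being substituted. If the fork carried changes the rules relied on, confirm that upstream has absorbed them or move the require to a pseudo-version at or after that commit; the same question applies to the removed inspektor-gadget fork replace, which the first hunk now resolves through the direct require of v0.45.0. With a fork pin removed, a `go mod verify` / `go mod tidy` run on the new graph is worth recording in the PR so reviewers can see go.sum matches the resolved modules. The require block this hunk edits opens before the hunk.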
diff --git a/go.sum b/go.sum
index c24bf79..9caf425 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,5 @@
-cel.dev/expr v0.20.0 h1:OunBvVCfvpWlt4dN7zg3FM6TDkzOePe1+foGJ9AXeeI=
-cel.dev/expr v0.20.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw=
+cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY=
+cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.31.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
@@ -49,8 +49,8 @@ cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0Zeo
 cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
-dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
-dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
+dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
 dmitri.shuralyov.com/app/changes v0.0.0-20180602232624-0a106ad413e3/go.mod h1:Yl+fi1br7+Rr3LqpNJf1/uxUdtRUV+Tnj0o93V2B9MU=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 dmitri.shuralyov.com/html/belt v0.0.0-20180602232347-f7d459c86be0/go.mod h1:JLBrvjyP0v+ecvNYvCpyZgu5/xkfAUhi6wJj28eUfSU=
@@ -69,8 +69,8 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/Microsoft/hcsshim v0.12.9 h1:2zJy5KA+l0loz1HzEGqyNnjd3fyZA31ZBCGKacp6lLg=
-github.com/Microsoft/hcsshim v0.12.9/go.mod h1:fJ0gkFAna6ukt0bLdKB8djt4XIJhF/vEPuoIWYVvZ8Y=
+github.com/Microsoft/hcsshim v0.13.0 h1:/BcXOiS6Qi7N9XqUcv27vkIuVOkBEcWstd2pMlWSeaA=
+github.com/Microsoft/hcsshim v0.13.0/go.mod h1:9KWJ/8DgU+QzYGupX4tzMhRQE8h6w90lH6HAaclpEok=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/SergJa/jsonhash v0.0.0-20210531165746-fc45f346aa74 h1:zZX7V5abnOB0VTEFnwYxwbuot0GCZUjQZQpjHKnG1Kk=
 github.com/SergJa/jsonhash v0.0.0-20210531165746-fc45f346aa74/go.mod h1:GE9lvSMBrKhFDkoh660mCThn1v7/jfb1r0Z+DpUX4zQ=
@@ -82,22 +82,20 @@ github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuy
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/amirmalka/inspektor-gadget v0.40.1-0.20250814111737-3a58864c8d86 h1:cLzA/pqfFQdzmI9hnR2W5gMUUMPiP3MXS/bwTFNz6wo=
-github.com/amirmalka/inspektor-gadget v0.40.1-0.20250814111737-3a58864c8d86/go.mod h1:W6tNNRa3QDFdrknnOnavk+HD8FI/XUGY6tY6PSonhAk=
-github.com/anchore/clio v0.0.0-20241115144204-29e89f9fa837 h1:bIG3WsfosZsJ5LMC7PB9J/ekFM3a0j0ZEDvN3ID6GTI=
-github.com/anchore/clio v0.0.0-20241115144204-29e89f9fa837/go.mod h1:tRQVKkjYeejrh9AdM0s1esbwtMU7rdHAHSQWkv4qskE=
+github.com/anchore/clio v0.0.0-20250319180342-2cfe4b0cb716 h1:2sIdYJlQESEnyk3Y0WD2vXWW5eD2iMz9Ev8fj1Z8LNA=
+github.com/anchore/clio v0.0.0-20250319180342-2cfe4b0cb716/go.mod h1:Utb9i4kwiCWvqAIxZaJeMIXFO9uOgQXlvH2BfbfO/zI=
 github.com/anchore/fangs v0.0.0-20250402135612-96e29e45f3fe h1:qv/xxpjF5RdKPqZjx8RM0aBi3HUCAO0DhRBMs2xhY1I=
 github.com/anchore/fangs v0.0.0-20250402135612-96e29e45f3fe/go.mod h1:vrcYMDps9YXwwx2a9AsvipM6Fi5H9//9bymGb8G8BIQ=
 github.com/anchore/go-homedir v0.0.0-20250319154043-c29668562e4d h1:gT69osH9AsdpOfqxbRwtxcNnSZ1zg4aKy2BevO3ZBdc=
 github.com/anchore/go-homedir v0.0.0-20250319154043-c29668562e4d/go.mod h1:PhSnuFYknwPZkOWKB1jXBNToChBA+l0FjwOxtViIc50=
 github.com/anchore/go-logger v0.0.0-20250318195838-07ae343dd722 h1:2SqmFgE7h+Ql4VyBzhjLkRF/3gDrcpUBj8LjvvO6OOM=
 github.com/anchore/go-logger v0.0.0-20250318195838-07ae343dd722/go.mod h1:oFuE8YuTCM+spgMXhePGzk3asS94yO9biUfDzVTFqNw=
-github.com/anchore/packageurl-go v0.1.1-0.20241018175412-5c22e6360c4f h1:dAQPIrQ3a5PBqZeZ+B9NGZsGmodk4NO9OjDIsQmQyQM=
-github.com/anchore/packageurl-go v0.1.1-0.20241018175412-5c22e6360c4f/go.mod h1:KoYIv7tdP5+CC9VGkeZV4/vGCKsY55VvoG+5dadg4YI=
-github.com/anchore/stereoscope v0.0.11 h1:d+dePyWyQzoQehnWOnx/aISW5HW1zLAQKzvaFIpydsU=
-github.com/anchore/stereoscope v0.0.11/go.mod h1:dxQyMHSdvgOCscQd/lInPHeP5xCJsZYxpzvzy8Y804Y=
-github.com/anchore/syft v1.18.1 h1:JZ7CLbeWrWolCZa4f6SJBLJ9qGBLFCzHrFd8c4bsm94=
-github.com/anchore/syft v1.18.1/go.mod h1:ufXPZcjmoTjERaC0HTEW2+chF+fQdryhaQ9arcUO2WQ=
+github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115 h1:ZyRCmiEjnoGJZ1+Ah0ZZ/mKKqNhGcUZBl0s7PTTDzvY=
+github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115/go.mod h1:KoYIv7tdP5+CC9VGkeZV4/vGCKsY55VvoG+5dadg4YI=
+github.com/anchore/stereoscope v0.1.9-0.20250826202322-ef061ea78385 h1:icCqbvAKGZXf29lEi8JmwvHVCBCYkiyZMuSnk+5ajYo=
+github.com/anchore/stereoscope v0.1.9-0.20250826202322-ef061ea78385/go.mod h1:0UCjLz5MdPNiH9F0h2tSNf3yGF6/MnK8ZCPo0YfDQVc=
+github.com/anchore/syft v1.32.0 h1:JcX9W+P/Xjv5DNg3TNBtwiEyZommuTaP16/NC9r0Yfo=
+github.com/anchore/syft v1.32.0/go.mod h1:E6Kd4iBM2ljUOUQvSt7hVK6vBwaHkMXwcvBZmGMSY5o=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
@@ -125,18 +123,20 @@ github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+Ce
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
+github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
+github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
-github.com/bmatcuk/doublestar/v4 v4.7.1 h1:fdDeAqgT47acgwd9bd9HxJRDmc9UAmPpc+2m0CXv75Q=
-github.com/bmatcuk/doublestar/v4 v4.7.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
+github.com/bmatcuk/doublestar/v4 v4.9.1 h1:X8jg9rRZmJd4yRy7ZeNDRnM+T3ZfHv15JiBJ/avrEXE=
+github.com/bmatcuk/doublestar/v4 v4.9.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
 github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g=
 github.com/briandowns/spinner v1.23.2 h1:Zc6ecUnI+YzLmJniCfDNaMbW0Wid1d5+qcTq4L2FW8w=
 github.com/briandowns/spinner v1.23.2/go.mod h1:LaZeM4wm2Ywy6vO571mvhQNRcWfRUnXOs0RcKV0wYKM=
 github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/cenkalti/backoff/v5 v5.0.2 h1:rIfFVxEf1QsI7E1ZHfp/B4DF/6QBAUhmgkxc0H7Zss8=
-github.com/cenkalti/backoff/v5 v5.0.2/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
+github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
+github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
@@ -149,8 +149,8 @@ github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5P
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/cilium/cilium v1.16.9 h1:0XqIanSHGiUULererLG085oRo2vNuD8nfJo90B9bSkA=
 github.com/cilium/cilium v1.16.9/go.mod h1:QGhCRVwVoxVrFk4/L4yIJt/uiRt1vixCNWiXNG+rypE=
-github.com/cilium/ebpf v0.18.0 h1:OsSwqS4y+gQHxaKgg2U/+Fev834kdnsQbtzRnbVC6Gs=
-github.com/cilium/ebpf v0.18.0/go.mod h1:vmsAT73y4lW2b4peE+qcOqw6MxvWQdC+LiU5gd/xyo4=
+github.com/cilium/ebpf v0.19.1-0.20250729164112-d994daa25101 h1:DWbiRLIoIjcHMZ3jXcEYIzMjXPHcSmO6ipjOk+mGDBA=
+github.com/cilium/ebpf v0.19.1-0.20250729164112-d994daa25101/go.mod h1:fLCgMo3l8tZmAdM3B2XqdFzXBpwkcSTroaVqN08OWVY=
 github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag=
 github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
@@ -166,8 +166,8 @@ github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/containerd/cgroups/v3 v3.0.5 h1:44na7Ud+VwyE7LIoJ8JTNQOa549a8543BmzaJHo6Bzo=
 github.com/containerd/cgroups/v3 v3.0.5/go.mod h1:SA5DLYnXO8pTGYiAHXz94qvLQTKfVM5GEVisn4jpins=
-github.com/containerd/containerd v1.7.27 h1:yFyEyojddO3MIGVER2xJLWoCIn+Up4GaHFquP7hsFII=
-github.com/containerd/containerd v1.7.27/go.mod h1:xZmPnl75Vc+BLGt4MIfu6bp+fy03gdHAn9bz+FreFR0=
+github.com/containerd/containerd v1.7.28 h1:Nsgm1AtcmEh4AHAJ4gGlNSaKgXiNccU270Dnf81FQ3c=
+github.com/containerd/containerd v1.7.28/go.mod h1:azUkWcOvHrWvaiUjSQH0fjzuHIwSPg1WL5PshGP4Szs=
 github.com/containerd/containerd/api v1.8.0 h1:hVTNJKR8fMc/2Tiw60ZRijntNMd1U+JVMyTRdsD2bS0=
 github.com/containerd/containerd/api v1.8.0/go.mod h1:dFv4lt6S20wTu/hMcP4350RL87qPWLVa/OHOwmmdnYc=
 github.com/containerd/continuity v0.4.4 h1:/fNVfTJ7wIl/YPMHjf+5H32uFhl63JucB34PlCpMKII=
@@ -186,21 +186,23 @@ github.com/containerd/ttrpc v1.2.7 h1:qIrroQvuOL9HQ1X6KHe2ohc7p+HP/0VE6XPU7elJRq
 github.com/containerd/ttrpc v1.2.7/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o=
 github.com/containerd/typeurl/v2 v2.2.3 h1:yNA/94zxWdvYACdYO8zofhrTVuQY73fFU1y++dYSw40=
 github.com/containerd/typeurl/v2 v2.2.3/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsxGtUBhJxIn7SCk=
-github.com/containers/common v0.63.0 h1:ox6vgUYX5TSvt4W+bE36sYBVz/aXMAfRGVAgvknSjBg=
-github.com/containers/common v0.63.0/go.mod h1:+3GCotSqNdIqM3sPs152VvW7m5+Mg8Kk+PExT3G9hZw=
+github.com/containers/common v0.64.2 h1:1xepE7QwQggUXxmyQ1Dbh6Cn0yd7ktk14sN3McSWf5I=
+github.com/containers/common v0.64.2/go.mod h1:o29GfYy4tefUuShm8mOn2AiL5Mpzdio+viHI7n24KJ4=
 github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
 github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd v0.0.0-20181012123002-c6f51f82210d/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
-github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
-github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/coreos/go-systemd/v22 v22.6.0 h1:aGVa/v8B7hpb0TKl0MWoAavPDmHvobFe5R5zn0bCJWo=
+github.com/coreos/go-systemd/v22 v22.6.0/go.mod h1:iG+pp635Fo7ZmV/j14KUcmEyWF+0X7Lua8rrTWzYgWU=
 github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
+github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
 github.com/crewjam/rfc5424 v0.1.0 h1:MSeXJm22oKovLzWj44AHwaItjIMUMugYGkEzfa831H8=
 github.com/crewjam/rfc5424 v0.1.0/go.mod h1:RCi9M3xHVOeerf6ULZzqv2xOGRO/zYaVUeRyPnBW3gQ=
-github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s=
-github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
+github.com/cyphar/filepath-securejoin v0.5.0 h1:hIAhkRBMQ8nIeuVwcAoymp7MY4oherZdAxD+m0u9zaw=
+github.com/cyphar/filepath-securejoin v0.5.0/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -212,14 +214,14 @@ github.com/dghubble/trie v0.1.0/go.mod h1:sOmnzfBNH7H92ow2292dDFWNsVQuh/izuD7otC github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1/go.mod h1:+hnT3ywWDTAFrW5aE+u2Sa/wT555ZqwoCS+pk3p6ry4= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v28.2.1+incompatible h1:AYyTcuwvhl9dXdyCiXlOGXiIqSNYzTmaDNpxIISPGsM= -github.com/docker/cli v28.2.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= -github.com/docker/docker v28.3.3+incompatible h1:Dypm25kh4rmk49v1eiVbsAtpAsYURjYkaKubwuBdxEI= -github.com/docker/docker v28.3.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/cli v28.5.0+incompatible h1:crVqLrtKsrhC9c00ythRx435H8LiQnUKRtJLRR+Auxk= +github.com/docker/cli v28.5.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/docker v28.5.0+incompatible h1:ZdSQoRUE9XxhFI/B8YLvhnEFMmYN9Pp8Egd2qcaFk1E= +github.com/docker/docker v28.5.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.9.3 h1:gAm/VtF9wgqJMoxzT3Gj5p4AqIjCBS4wrsOh9yRqcz8= github.com/docker/docker-credential-helpers v0.9.3/go.mod h1:x+4Gbw9aGmChi3qTLZj8Dfn0TD20M/fuWy0E5+WDeCo= -github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= -github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc= +github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94= +github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE= github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ+oDZB4KHQFypsfjYlq/C4rfL7D3g8= github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA= github.com/docker/go-units 
v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= @@ -227,8 +229,8 @@ github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDD github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= -github.com/emicklei/go-restful/v3 v3.12.1 h1:PJMDIM/ak7btuL8Ex0iYET9hxM3CI2sjZtzpL63nKAU= -github.com/emicklei/go-restful/v3 v3.12.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU= +github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= 
@@ -250,8 +252,8 @@ github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM= github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU= github.com/fatih/set v0.2.1 h1:nn2CaJyknWE/6txyUDGwysr3G5QC6xWB/PtVjPBbeaA= github.com/fatih/set v0.2.1/go.mod h1:+RKtMCH+favT2+3YecHGxcc0b4KyVWA1QWWJUs4E0CI= -github.com/felixge/fgprof v0.9.4 h1:ocDNwMFlnA0NU0zSB3I52xkO4sFXk80VK9lXjLClu88= -github.com/felixge/fgprof v0.9.4/go.mod h1:yKl+ERSa++RYOs32d8K6WEXCB4uXdLls4ZaZPpayhMM= +github.com/felixge/fgprof v0.9.5 h1:8+vR6yu2vvSKn08urWyEuxx75NWPEvybbkBirEpsbVY= +github.com/felixge/fgprof v0.9.5/go.mod h1:yKl+ERSa++RYOs32d8K6WEXCB4uXdLls4ZaZPpayhMM= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc= 
@@ -263,20 +265,22 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU= github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k= github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= -github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vtxU= -github.com/fxamacker/cbor/v2 v2.8.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= -github.com/gabriel-vasile/mimetype v1.4.7 h1:SKFKl7kD0RiPdbht0s7hFtjl489WcQ1VyPW8ZzUMYCA= -github.com/gabriel-vasile/mimetype v1.4.7/go.mod h1:GDlAgAyIRT27BhFl53XNAFtfjzOkLaF35JdEG0P7LtU= +github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM= +github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= +github.com/gabriel-vasile/mimetype v1.4.9 h1:5k+WDwEsD9eTLL8Tz3L0VnmVh9QxGjRmjBvAG7U/oYY= +github.com/gabriel-vasile/mimetype v1.4.9/go.mod h1:WnSQhFKJuBlRyLiKohA/2DtIlPFAbguNaG7QCHcyGok= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/github/go-spdx/v2 v2.3.2 h1:IfdyNHTqzs4zAJjXdVQfRnxt1XMfycXoHBE2Vsm1bjs= -github.com/github/go-spdx/v2 v2.3.2/go.mod h1:2ZxKsOhvBp+OYBDlsGnUMcchLeo2mrpEBn2L1C+U3IQ= +github.com/github/go-spdx/v2 v2.3.3 h1:QI7evnHWEfWkT54eJwkoV/f3a0xD3gLlnVmT5wQG6LE= +github.com/github/go-spdx/v2 v2.3.3/go.mod h1:2ZxKsOhvBp+OYBDlsGnUMcchLeo2mrpEBn2L1C+U3IQ= github.com/gliderlabs/ssh v0.1.1/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0= github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk= +github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod 
h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE= -github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA= +github.com/go-jose/go-jose/v4 v4.1.1 h1:JYhSgy4mXXzAdF3nUx3ygx347LRXJRrpgyU3adRmkAI= +github.com/go-jose/go-jose/v4 v4.1.1/go.mod h1:BdsZGqgdO3b6tTc6LSE56wcDbMMLuPsw5d4ZD5f94kA= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= @@ -316,8 +320,8 @@ github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1v github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U= github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= -github.com/go-viper/mapstructure/v2 v2.3.0 h1:27XbWsHIqhbdR5TIC911OfYvgSaW93HM+dX7970Q7jk= -github.com/go-viper/mapstructure/v2 v2.3.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= +github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs= +github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= 
@@ -327,6 +331,8 @@ github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeH github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/gohugoio/hashstructure v0.5.0 h1:G2fjSBU36RdwEJBWJ+919ERvOVqAg9tfcYp47K9swqg= +github.com/gohugoio/hashstructure v0.5.0/go.mod h1:Ser0TniXuu/eauYmrwM4o64EBvySxNzITEOLlm4igec= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 
@@ -366,10 +372,12 @@ github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/cel-go v0.23.2 h1:UdEe3CvQh3Nv+E/j9r1Y//WO0K0cSyD7/y0bzyLIMI4= -github.com/google/cel-go v0.23.2/go.mod h1:52Pb6QsDbC5kvgxvZhiL9QX1oZEkcUF/ZqaPx1J5Wwo= -github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw= -github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw= +github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg= +github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= +github.com/google/cel-go v0.26.0 h1:DPGjXackMpJWH680oGY4lZhYjIameYmR+/6RBdDGmaI= +github.com/google/cel-go v0.26.0/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM= +github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo= +github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 
@@ -382,14 +390,15 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= -github.com/google/go-containerregistry v0.20.3 h1:oNx7IdTI936V8CQRveCjaxOiegWwvM7kqkbXTpyiovI= -github.com/google/go-containerregistry v0.20.3/go.mod h1:w00pIgBRDVUDFM6bq+Qx8lwNWK+cxgCuX1vd3PIBDNI= +github.com/google/go-containerregistry v0.20.6 h1:cvWX87UxxLgaH76b4hIvya6Dzz9qHB31qAwjAohdSTU= +github.com/google/go-containerregistry v0.20.6/go.mod h1:T0x8MuoAoKX/873bkeSfLD2FAkwCDf9/HZgsFJ02E2Y= github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ= github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/licensecheck v0.3.1 h1:QoxgoDkaeC4nFrtGN1jV7IPmDCHFNIVh54e5hSt6sPs= +github.com/google/licensecheck v0.3.1/go.mod h1:ORkR35t/JjW+emNKtfJDII0zlciG9JgbT7SmsohlHmY= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= 
@@ -427,10 +436,12 @@ github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORR github.com/goradd/maps v1.0.0 h1:21HC3xxKFk3p6BdQsELZXg/ByANMVYhCl0Mylzt0R38= github.com/goradd/maps v1.0.0/go.mod h1:O3i5k17BAjHa9h5dzGWWfRJizF03umiBDZsNSqFdbVA= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= +github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/grpc-ecosystem/grpc-gateway v1.5.0/go.mod h1:RSKVYQBd5MCa4OVpNdGskqpgL2+G+NZTnrVHpWWfpdw= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 h1:5ZPtiqj0JL5oKWmcsq4VMaAW5ukBEgSGXEN89zeH1Jo= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs= github.com/hashicorp/consul/api v1.11.0/go.mod h1:XjsvQN+RJGWI2TWy1/kqaE16HrR2J/FWgkYjdZQsX9M= github.com/hashicorp/consul/sdk v0.8.0/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -477,8 +488,8 @@ github.com/iceber/iouring-go v0.0.0-20230403020409-002cfd2e2a90/go.mod h1:LEzdaZ github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/inspektor-gadget/netns v0.0.5-0.20230524185006-155d84c555d6 h1:fQqkJ+WkYfzy6BoUh32fr9uYrXfOGtsfw0skMQkfOic= -github.com/inspektor-gadget/netns v0.0.5-0.20230524185006-155d84c555d6/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM= +github.com/inspektor-gadget/inspektor-gadget v0.45.0 h1:HMxAW9ZCD9HzAzCmM2azDY4sru5HTYhsKPmDQ4q1lPA= +github.com/inspektor-gadget/inspektor-gadget v0.45.0/go.mod h1:BTfh1IZkqHo8THtoXkoLe8hyEwnt+G/xoVkTwx8IcJU= github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1/go.mod h1:E0B/fFc00Y+Rasa88328GlI/XbtyysCtTHZS8h7IrBU= github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8= github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg= 
@@ -518,14 +529,16 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/kubescape/go-logger v0.0.24 h1:JRNlblY16Ty7hD6MSYNPvWYDxNzVAufsDDX/sZJayL0= github.com/kubescape/go-logger v0.0.24/go.mod h1:sMPVCr3VpW/e+SeMaXig5kClGvmZbDXN8YktUeNU4nY= -github.com/kubescape/k8s-interface v0.0.198 h1:U7PNTyS9ZE9ZkSrLMclLO7Sz4grf/2CLbmpVT6Hc0nU= -github.com/kubescape/k8s-interface v0.0.198/go.mod h1:j9snZbH+RxOaa1yG/bWgTClj90q7To0rGgQepxy4b+k= -github.com/kubescape/node-agent v0.2.375-0.20250821110035-45cbc9a5224d h1:fZvFiCMvPEePqXIOT+ObFhzFpNiHcK3dUk9fUHwKu+s= -github.com/kubescape/node-agent v0.2.375-0.20250821110035-45cbc9a5224d/go.mod h1:H6WzTDUFx17++DhrZ+rvYG3kEUp+0KdFeFQDAnYbDXw= -github.com/kubescape/storage v0.0.200 h1:gLCPiAPxDii03Jo326Ye0qx1cXOAz6KH+A9B0WuL1CE= -github.com/kubescape/storage v0.0.200/go.mod h1:uv4LMQjcTYIn7bgyMFGc0UBZ3gxdl7MNixPSjALP08E= +github.com/kubescape/k8s-interface v0.0.199 h1:D+YBL69q1Dc2idus6jwd/vQcNhRoNZ6tE0m5Miz7TSg= +github.com/kubescape/k8s-interface v0.0.199/go.mod h1:j9snZbH+RxOaa1yG/bWgTClj90q7To0rGgQepxy4b+k= +github.com/kubescape/node-agent v0.2.387-0.20251016064604-515cf49dff50 h1:dkvBNXEyly5hBf2jofJmm+y+zjzKfihQ1kj3JanoCfI= +github.com/kubescape/node-agent v0.2.387-0.20251016064604-515cf49dff50/go.mod h1:HN5jZ99TL+DF3rt3JTn1X4NfcOtSMqGFntA1a7i60HI= +github.com/kubescape/storage v0.0.221 h1:HLWnNokkKgKo9ka/p797fFQdsbzKxSXT5/RpUWrKWzI= +github.com/kubescape/storage v0.0.221/go.mod h1:L/fF3teor8cUj80TVujqy9E1rKsf+Dox2hZtkS1vjOU= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= +github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod 
h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= github.com/lunixbochs/vtclean v1.0.0/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI= github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc87/1qhoTACD8w= github.com/mackerelio/go-osstat v0.2.5 h1:+MqTbZUhoIt4m8qzkVoXUJg1EuifwlAJSk4Yl2GXh+o= @@ -534,8 +547,6 @@ github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPK github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4= github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU= -github.com/matthyx/xcel v0.0.0-20250820140400-f8fabef4e2af h1:rnyCjEsGq/kiMPFwuvj6o/09wgNXqUAAcft9g/2nJXw= -github.com/matthyx/xcel v0.0.0-20250820140400-f8fabef4e2af/go.mod h1:C07puiFpDU4BthRjPfwHYimZm9P072JH6qWAaqPVyQY= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= 
@@ -566,8 +577,6 @@ github.com/mitchellh/cli v1.1.0/go.mod h1:xcISNoH86gajksDmfB23e/pu+B+GeFRMYmoHXx github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= -github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4= -github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE= github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.4.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= 
@@ -577,10 +586,12 @@ github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3N github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= -github.com/moby/moby v28.2.1+incompatible h1:UYmHExYP8S0uGKDozhYw7RJ+LpANL51g4fa3qT0Q2GA= -github.com/moby/moby v28.2.1+incompatible/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc= +github.com/moby/moby v28.5.0+incompatible h1:eN6ksRE7BojoGW18USJGfyqhx/FWJPLs0jqaTNlfSsM= +github.com/moby/moby v28.5.0+incompatible/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc= github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw= github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs= +github.com/moby/sys/capability v0.4.0 h1:4D4mI6KlNtWMCM1Z/K0i7RV1FkX+DBDHKVJpCndZoHk= +github.com/moby/sys/capability v0.4.0/go.mod h1:4g9IK291rVkms3LKCDOoYlnV8xKwoDTpIrNEE35Wq0I= github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg= github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4= github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU= 
@@ -598,8 +609,11 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8= +github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0= +github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4= github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= 
@@ -627,8 +641,8 @@ github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJw github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M= github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU8lpJfSlR0xww= github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= -github.com/opencontainers/runtime-tools v0.9.1-0.20250303011046-260e151b8552 h1:CkXngT0nixZqQUPDVfwVs3GiuhfTqCMk0V+OoHpxIvA= -github.com/opencontainers/runtime-tools v0.9.1-0.20250303011046-260e151b8552/go.mod h1:T487Kf80NeF2i0OyVXHiylg217e0buz8pQsa0T791RA= +github.com/opencontainers/runtime-tools v0.9.1-0.20250523060157-0ea5ed0382a2 h1:2xZEHOdeQBV6PW8ZtimN863bIOl7OCW/X10K0cnxKeA= +github.com/opencontainers/runtime-tools v0.9.1-0.20250523060157-0ea5ed0382a2/go.mod h1:MXdPzqAA8pHC58USHqNCSjyLnRQ6D+NjbpP+02Z1U/0= github.com/opencontainers/selinux v1.12.0 h1:6n5JV4Cf+4y0KNXW48TLj5DwfXpvWlxXplUkdTrmPb8= github.com/opencontainers/selinux v1.12.0/go.mod h1:BTPX+bjVbWGXw7ZZWUbdENt8w0htPSrlgOOysQaU62U= github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b h1:FfH+VrHHk6Lxt9HdVS0PXzSXFyS2NbZKXv33FYPol0A= 
@@ -639,11 +653,15 @@ github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144T github.com/pborman/indent v1.2.1 h1:lFiviAbISHv3Rf0jcuh489bi06hj98JsVMtIDZQb9yM= github.com/pborman/indent v1.2.1/go.mod h1:FitS+t35kIYtB5xWTZAPhnmrxcciEEOdbyrrpz5K6Vw= github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= -github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M= -github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc= +github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4= +github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY= +github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= +github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/petermattis/goid v0.0.0-20240813172612-4fcff4a6cae7/go.mod h1:pxMtw7cyUw6B2bRH0ZBANSPg+AoSud1I1iyJHI69jH4= github.com/petermattis/goid v0.0.0-20241211131331-93ee7e083c43 h1:ah1dvbqPMN5+ocrg/ZSgZ6k8bOk+kcZQ7fnyx6UvOm4= github.com/petermattis/goid v0.0.0-20241211131331-93ee7e083c43/go.mod h1:pxMtw7cyUw6B2bRH0ZBANSPg+AoSud1I1iyJHI69jH4= +github.com/picatz/xcel v0.0.0-20250816143731-885b5f678a12 h1:RS7RxrC+OtnYpgI0li0NwvpE0cqYewsZGXUb6wAe0oQ= +github.com/picatz/xcel v0.0.0-20250816143731-885b5f678a12/go.mod h1:jxNaYyVlWe+WPV3G45KzlMLvplS3PQdHLUsFePIcaEg= github.com/pierrec/lz4/v4 v4.1.22 h1:cKFw6uJDK+/gfw5BcDL0JL5aBsAFdsIT18eRtLj7VIU= github.com/pierrec/lz4/v4 v4.1.22/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 
@@ -664,8 +682,8 @@ github.com/prometheus/client_golang v0.8.0/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU= -github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q= -github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0= +github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o= +github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= 
@@ -675,42 +693,42 @@ github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvM github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4= -github.com/prometheus/common v0.64.0 h1:pdZeA+g617P7oGv1CzdTzyeShxAGrTBsolKNOLQPGO4= -github.com/prometheus/common v0.64.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8= +github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs= +github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA= github.com/prometheus/procfs v0.0.0-20180725123919-05ee40e3a273/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A= -github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg= -github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is= +github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0= +github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw= github.com/puzpuzpuz/xsync/v2 v2.4.1 h1:aGdE1C/HaR/QC6YAFdtZXi60Df8/qBIrs8PKrzkItcM= github.com/puzpuzpuz/xsync/v2 v2.4.1/go.mod h1:gD2H2krq/w52MfPLE+Uy64TzJDVY7lP2znR9qmR35kU= github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE= github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo= github.com/rogpeppe/fastuuid v1.2.0/go.mod 
h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rogpeppe/go-internal v1.13.2-0.20241226121412-a5dc8ff20d0a h1:w3tdWGKbLGBPtR/8/oO74W6hmz0qE5q0z9aqSAewaaM= -github.com/rogpeppe/go-internal v1.13.2-0.20241226121412-a5dc8ff20d0a/go.mod h1:S8kfXMp+yh77OxPD4fdM6YUknrZpQxLhvxzS4gDHENY= +github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ= +github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/s3rj1k/go-fanotify/fanotify v0.0.0-20240229202106-bca3154da60a h1:4VFls9SuqkqeioVevnaeTXrYKQ7JiEsxqKHfxp+/ovA= github.com/s3rj1k/go-fanotify/fanotify v0.0.0-20240229202106-bca3154da60a/go.mod h1:2zG1g57bc+D6FpNc68gsRXJgkidteqTMhWiiUP3m8UE= github.com/sagikazarmark/crypt v0.3.0/go.mod h1:uD/D+6UF4SrIR1uGEv7bBNkNqLGqUr43MRiaGWX1Nig= -github.com/sagikazarmark/locafero v0.7.0 h1:5MqpDsTGNDhY8sGp0Aowyf0qKsPrhewaLSsFaodPcyo= -github.com/sagikazarmark/locafero v0.7.0/go.mod h1:2za3Cg5rMaTMoG/2Ulr9AwtFaIppKXTRYnozin4aB5k= +github.com/sagikazarmark/locafero v0.11.0 h1:1iurJgmM9G3PA/I+wWYIOw/5SyBtxapeHDcg+AAIFXc= +github.com/sagikazarmark/locafero v0.11.0/go.mod h1:nVIGvgyzw595SUSUE6tvCp3YYTeHs15MvlmU87WwIik= github.com/sasha-s/go-deadlock v0.3.5 h1:tNCOEEDG6tBqrNDOX35j/7hL5FcFViG6awUGROb2NsU= github.com/sasha-s/go-deadlock v0.3.5/go.mod h1:bugP6EGbdGYObIlx7pUZtWqlvo8k9H6vCBBsiChJQ5U= github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e h1:7q6NSFZDeGfvvtIRwBrU/aegEYJYmvev0cHAwo17zZQ= github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e/go.mod 
h1:DkpGd78rljTxKAnTDPFqXSGxvETQnJyuSOQwsHycqfs= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= -github.com/seccomp/libseccomp-golang v0.10.0 h1:aA4bp+/Zzi0BnWZ2F1wgNBs5gTpm+na2rWM6M9YjLpY= -github.com/seccomp/libseccomp-golang v0.10.0/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= +github.com/seccomp/libseccomp-golang v0.11.0 h1:SDkcBRqGLP+sezmMACkxO1EfgbghxIxnRKfd6mHUEis= +github.com/seccomp/libseccomp-golang v0.11.0/go.mod h1:5m1Lk8E9OwgZTTVz4bBOer7JuazaBa+xTkM895tDiWc= github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= -github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8= -github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4= +github.com/sergi/go-diff v1.4.0 h1:n/SP9D5ad1fORl+llWyN+D6qoUETXNZARKjyY2/KVCw= +github.com/sergi/go-diff v1.4.0/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4= github.com/shurcooL/component v0.0.0-20170202220835-f88ec8f54cc4/go.mod h1:XhFIlyj5a1fBNx5aJTbKoIq0mNaPvOagO+HjB3EtxrY= github.com/shurcooL/events v0.0.0-20181021180414-410e4ca65f48/go.mod h1:5u70Mqkb5O5cxEA8nxTsgrgLehJeAw6Oc4Ab1c/P1HM= github.com/shurcooL/github_flavored_markdown v0.0.0-20181002035957-2122de532470/go.mod h1:2dOwnU2uBioM+SGy2aZoq1f/Sd1l9OkAeAUvjSyvgU0= 
@@ -735,30 +753,31 @@ github.com/shurcooL/users v0.0.0-20180125191416-49c67e49c537/go.mod h1:QJTqeLYED github.com/shurcooL/webdavfs v0.0.0-20170829043945-18c3829fa133/go.mod h1:hKmq5kWdCj2z2KEozexVbfEZIWiTjhE0+UjmZgPqehw= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= -github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= -github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af h1:Sp5TG9f7K39yfB+If0vjp97vuT74F72r8hfRpP8jLU0= +github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/sourcegraph/annotate v0.0.0-20160123013949-f4cad6c6324d/go.mod h1:UdhH50NIW0fCiwBSr0co2m7BnFLdv4fQTgdqdJTHFeE= -github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo= -github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0= +github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 h1:+jumHNA0Wrelhe64i8F6HNlS8pkoyMv5sreGx2Ry5Rw= +github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8/go.mod h1:3n1Cwaq1E1/1lhQhtRK2ts/ZwZEhjcQeJQ1RuC6Q/8U= github.com/sourcegraph/syntaxhighlight v0.0.0-20170531221838-bd320f5d308e/go.mod h1:HuIsMU8RRBOtsCgI77wP899iHVBQpCmg4ErYMZB+2IA= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4= github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= -github.com/spf13/afero v1.12.0 h1:UcOPyRBYczmFn6yvphxkn9ZEOY65cpwGKb5mL36mrqs= -github.com/spf13/afero v1.12.0/go.mod h1:ZTlWwG4/ahT8W7T0WQ5uYmjI9duaLQGy3Q2OAl4sk/4= +github.com/spf13/afero v1.15.0 
h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I= +github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg= github.com/spf13/cast v1.4.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cast v1.7.1 h1:cuNEagBQEHWN1FnbGEjCXL2szYEXqfJPbP2HNUaca9Y= -github.com/spf13/cast v1.7.1/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= +github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY= +github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo= github.com/spf13/cobra v1.3.0/go.mod h1:BrRVncBjOJa/eUcVVm9CE+oC6as8k+VYr4NY7WCi9V4= -github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo= -github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0= +github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s= +github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0= github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o= -github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk= +github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.10.0/go.mod h1:SoyBPwAtKDzypXNDFKN5kzH7ppppbGZtls1UpIy5AsM= -github.com/spf13/viper v1.20.1 h1:ZMi+z/lvLyPSCoNtFCpqjy0S4kPbirhpTMwl8BkW9X4= -github.com/spf13/viper v1.20.1/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4= +github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU= +github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY= 
github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs= github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 
@@ -776,23 +795,21 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= -github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= +github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= github.com/stripe/stripe-go/v74 v74.30.0 h1:0Kf0KkeFnY7iRhOwvTerX0Ia1BRw+eV1CVJ51mGYAUY= github.com/stripe/stripe-go/v74 v74.30.0/go.mod h1:f9L6LvaXa35ja7eyvP6GQswoaIPaBRvGAimAO+udbBw= github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8= github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= -github.com/sylabs/squashfs v1.0.4 h1:uFSw7WXv7zjutPvU+JzY0nY494Vw8s4FAf4+7DhoMdI= -github.com/sylabs/squashfs v1.0.4/go.mod h1:PDgf8YmCntvN4d9Y8hBUBDCZL6qZOzOQwRGxnIdbERk= -github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI= -github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= +github.com/sylabs/squashfs v1.0.6 h1:PvJcDzxr+vIm2kH56mEMbaOzvGu79gK7P7IX+R7BDZI= +github.com/sylabs/squashfs v1.0.6/go.mod h1:DlDeUawVXLWAsSRa085Eo0ZenGzAB32JdAUFaB0LZfE= github.com/tarm/serial v0.0.0-20180830185346-98f6abe2eb07/go.mod h1:kDXzergiv9cbyO7IOYJZWg1U88JhDg3PB6klq9Hg2pA= github.com/therootcompany/xz v1.0.1 h1:CmOtsn1CbtmyYiusbfmhmkpAAETj0wBIH6kCYaX+xzw= github.com/therootcompany/xz v1.0.1/go.mod 
h1:3K3UH1yCKgBneZYhuQUvJ9HPD19UEXEI0BWbMn8qNMY= github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM= -github.com/ulikunitz/xz v0.5.12 h1:37Nm15o69RwBkXM0J6A5OlE67RZTfzUxTj8fB3dfcsc= -github.com/ulikunitz/xz v0.5.12/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= +github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY= +github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/uptrace/opentelemetry-go-extra/otelutil v0.3.2 h1:3/aHKUq7qaFMWxyQV0W2ryNgg8x8rVeKVA20KJUkfS0= github.com/uptrace/opentelemetry-go-extra/otelutil v0.3.2/go.mod h1:Zit4b8AQXaXvA68+nzmbyDzqiyFRISyw1JiD5JqUBjw= github.com/uptrace/opentelemetry-go-extra/otelzap v0.3.2 h1:cj/Z6FKTTYBnstI0Lni9PA+k2foounKIPUmj1LBwNiQ= 
@@ -803,12 +820,16 @@ github.com/viant/assertly v0.4.8/go.mod h1:aGifi++jvCrUaklKEKT0BU95igDNaqkvz+49u github.com/viant/toolbox v0.24.0/go.mod h1:OxMCG57V0PXuIP2HNQrtJf2CjqdmbrOx5EkMILuUhzM= github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW6bV0= github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4= +github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY= +github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM= github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651 h1:jIVmlAFIqV3d+DOxazTR9v+zgj8+VYuQBzPgBZvWBHA= github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651/go.mod h1:b26F2tHLqaoRQf8DywqzVaV1MQ9yvjb0OMcNl7Nxu20= github.com/wagoodman/go-progress v0.0.0-20230925121702-07e42b3cdba0 h1:0KGbf+0SMg+UFy4e1A/CPVvXn21f1qtWdeJwxZFoQG8= github.com/wagoodman/go-progress v0.0.0-20230925121702-07e42b3cdba0/go.mod h1:jLXFoL31zFaHKAAyZUh+sxiTDFe1L1ZHrcK2T1itVKA= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= +github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= +github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no= github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM= github.com/yl2chen/cidranger v1.0.2 h1:lbOWZVCG1tCRX4u24kuM1Tb4nHqWkDxwLdoS+SevawU= 
@@ -835,12 +856,12 @@ go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 h1:CV7UdSGJt/Ao6Gp4CXckLxVRRsRgDHoI8XjbL3PDl8s= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0/go.mod h1:FRmFuRJfag1IZ2dPkHnEoSFVgTVPUd2qf5Vi69hLb8I= -go.opentelemetry.io/contrib/instrumentation/runtime v0.61.0 h1:oIZsTHd0YcrvvUCN2AaQqyOcd685NQ+rFmrajveCIhA= -go.opentelemetry.io/contrib/instrumentation/runtime v0.61.0/go.mod h1:X4KSPIvxnY/G5c9UOGXtFoL91t1gmlHpDQzeK5Zc/Bw= -go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg= -go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q= +go.opentelemetry.io/contrib/instrumentation/runtime v0.63.0 h1:PeBoRj6af6xMI7qCupwFvTbbnd49V7n5YpG6pg8iDYQ= +go.opentelemetry.io/contrib/instrumentation/runtime v0.63.0/go.mod h1:ingqBCtMCe8I4vpz/UVzCW6sxoqgZB37nao91mLQ3Bw= +go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8= +go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.11.0 h1:C/Wi2F8wEmbxJ9Kuzw/nhP+Z9XaHYMkyDmXy6yR2cjw= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.11.0/go.mod h1:0Lr9vmGKzadCTgsiBydxr6GEZ8SsZ7Ks53LzjWG5Ar4= go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.35.0 h1:0NIXxOCFx+SKbhCVxwl3ETG8ClLPAa0KuKV6p3yhxP8= 
@@ -851,23 +872,23 @@ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 h1:xJ2qH go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0/go.mod h1:u5BF1xyjstDowA1R5QAO9JHzqK+ublenEW/dyqTjBVk= go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.35.0 h1:T0Ec2E+3YZf5bgTNQVet8iTDW7oIk03tXHq+wkwIDnE= go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.35.0/go.mod h1:30v2gqH+vYGJsesLWFov8u47EpYTcIQcBjKpI6pJThg= -go.opentelemetry.io/otel/log v0.12.2 h1:yob9JVHn2ZY24byZeaXpTVoPS6l+UrrxmxmPKohXTwc= -go.opentelemetry.io/otel/log v0.12.2/go.mod h1:ShIItIxSYxufUMt+1H5a2wbckGli3/iCfuEbVZi/98E= -go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE= -go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs= -go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs= -go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY= -go.opentelemetry.io/otel/sdk/log v0.12.2 h1:yNoETvTByVKi7wHvYS6HMcZrN5hFLD7I++1xIZ/k6W0= -go.opentelemetry.io/otel/sdk/log v0.12.2/go.mod h1:DcpdmUXHJgSqN/dh+XMWa7Vf89u9ap0/AAk/XGLnEzY= +go.opentelemetry.io/otel/log v0.14.0 h1:2rzJ+pOAZ8qmZ3DDHg73NEKzSZkhkGIua9gXtxNGgrM= +go.opentelemetry.io/otel/log v0.14.0/go.mod h1:5jRG92fEAgx0SU/vFPxmJvhIuDU9E1SUnEQrMlJpOno= +go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA= +go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI= +go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E= +go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg= +go.opentelemetry.io/otel/sdk/log v0.14.0 h1:JU/U3O7N6fsAXj0+CXz21Czg532dW2V4gG1HE/e8Zrg= +go.opentelemetry.io/otel/sdk/log v0.14.0/go.mod h1:imQvII+0ZylXfKU7/wtOND8Hn4OpT3YUoIgqJVksUkM= go.opentelemetry.io/otel/sdk/log/logtest v0.0.0-20250604050517-a99f9b56ce46 
h1:GhECNd/Fvz8rgvgsQAH8yUFnj9AeiyVy3a9b8PdgghA= go.opentelemetry.io/otel/sdk/log/logtest v0.0.0-20250604050517-a99f9b56ce46/go.mod h1:FaVwnf8BvLN80gFy4T+wMovR87QQonsHsGFFn0R+jw8= -go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis= -go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4= -go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w= -go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA= +go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM= +go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA= +go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE= +go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= -go.opentelemetry.io/proto/otlp v1.6.0 h1:jQjP+AQyTf+Fe7OKj/MfkDrmK4MNVtw2NpXsf9fefDI= -go.opentelemetry.io/proto/otlp v1.6.0/go.mod h1:cicgGehlFuNdgZkcALOCh3VE6K/u2tAjzlRhDwmVpZc= +go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4= +go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs= go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8= 
@@ -879,6 +900,10 @@ go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN8 go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo= go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= +go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI= +go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU= +go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= +go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= go4.org v0.0.0-20180809161055-417644f6feb5/go.mod h1:MkTOUMDaeVYJUOUsaDXIhWPZYa1yOyC1qaOBpL57BhE= go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M= go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y= 
@@ -895,8 +920,8 @@ golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8= -golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw= +golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI= +golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -907,8 +932,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/exp v0.0.0-20250103183323-7d7fa50e5329 h1:9kj3STMvgqy3YA4VQXBrN7925ICMxD5wzMRcgA30588= -golang.org/x/exp v0.0.0-20250103183323-7d7fa50e5329/go.mod h1:qj5a5QZpwLU2NLQudwIN5koi3beDhSAlJwa67PuM98c= +golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b h1:M2rDM6z3Fhozi9O7NWsxAkg/yqS/lQJ6PmkyIV3YP+o= +golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
@@ -936,8 +961,8 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= -golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU= -golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww= +golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ= +golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -984,8 +1009,8 @@ golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY= -golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds= +golang.org/x/net v0.44.0 h1:evd8IRDyfNBMBTTY5XRF1vaZlD+EmWx6x8PkhR04H/I= +golang.org/x/net v0.44.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 
@@ -1019,8 +1044,8 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ= -golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= +golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug= +golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -1095,11 +1120,11 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= -golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k= +golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg= -golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ= +golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ= +golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -1109,14 +1134,14 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4= -golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA= +golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk= +golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0= -golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg= +golang.org/x/time v0.13.0 h1:eUlYslOIt32DgYD6utsuUeHs4d7AsEYLuIAdg7FlYgI= +golang.org/x/time v0.13.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4= golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181030000716-a0a13e073c7b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -1173,12 +1198,14 @@ golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.31.0 h1:0EedkvKDbh+qistFTd0Bcwe/YLh4vHwWEkiI0toFIBU= -golang.org/x/tools v0.31.0/go.mod h1:naFTU+Cev749tSJRXJlna0T3WxKvb1kWEx15xA4SdmQ= +golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg= +golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= +gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= google.golang.org/api v0.0.0-20180910000450-7ca32eb868bf/go.mod h1:4mhQ8q/RsB7i+udVvVy5NUi08OU8ZlA0gRVgrF7VFY0= google.golang.org/api v0.0.0-20181030000543-1d582fd0359e/go.mod h1:4mhQ8q/RsB7i+udVvVy5NUi08OU8ZlA0gRVgrF7VFY0= google.golang.org/api v0.1.0/go.mod h1:UGEZY7KEX120AnNLIHFMKIo4obdJhkp2tPbaPlQx13Y= 
@@ -1292,10 +1319,10 @@ google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ6 google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 h1:ToEetK57OidYuqD4Q5w+vfEnPvPpuTwedCNVohYJfNk= google.golang.org/genproto v0.0.0-20241118233622-e639e219e697/go.mod h1:JJrvXBWRZaFMxBufik1a4RpFw4HhgVtBBWQeQgUj2cc= -google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237 h1:Kog3KlB4xevJlAcbbbzPfRG0+X9fdoGM+UBRKVz6Wr0= -google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237/go.mod h1:ezi0AVyMKDWy5xAncvjLWH7UcLBB5n7y2fQ8MzjJcto= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 h1:cJfm9zPbe1e873mHJzmQ1nwVEeRDU/T1wXDK2kUSU34= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A= +google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 h1:BIRfGDEjiHRrk0QKZe3Xv2ieMhtgRGeLcZQ0mIVn4EY= +google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5/go.mod h1:j3QtIyytwqGr1JUDtYXwtMXWPKsEa5LtzIFN1Wn5WvE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 h1:eaY8u2EuxbRv7c3NiGK0/NedzVsCcV6hDuU5qPX5EGE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5/go.mod h1:M4/wBTSeyLxupu3W3tJtOgB14jILAS/XWPSSa3TAlJc= google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.16.0/go.mod h1:0JHn/cJsOMiMfNA9+DeHDlAU7KAAB5GDlYFpa9MZMio= google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= 
@@ -1326,8 +1353,8 @@ google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnD google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= -google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8= -google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM= +google.golang.org/grpc v1.75.1 h1:/ODCNEuf9VghjgO3rqLcfg8fiOP0nSluljWFlDxELLI= +google.golang.org/grpc v1.75.1/go.mod h1:JtPAzKiq4v1xcAB2hydNlWI2RnF85XXcV0mhKXr2ecQ= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= 
@@ -1342,8 +1369,8 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY= -google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY= +google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE= +google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 
@@ -1383,50 +1410,54 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= istio.io/pkg v0.0.0-20231221211216-7635388a563e h1:ZlLVbKDlCzfP0MPbWc6VRcY23d9NdjLxwpPQpDrh3Gc= istio.io/pkg v0.0.0-20231221211216-7635388a563e/go.mod h1:fvmqEdHhZjYYwf6dSiIwvwc7db54kMWVTfsb91KmhzY= -k8s.io/api v0.33.3 h1:SRd5t//hhkI1buzxb288fy2xvjubstenEKL9K51KBI8= -k8s.io/api v0.33.3/go.mod h1:01Y/iLUjNBM3TAvypct7DIj0M0NIZc+PzAHCIo0CYGE= -k8s.io/apiextensions-apiserver v0.33.1 h1:N7ccbSlRN6I2QBcXevB73PixX2dQNIW0ZRuguEE91zI= -k8s.io/apiextensions-apiserver v0.33.1/go.mod h1:uNQ52z1A1Gu75QSa+pFK5bcXc4hq7lpOXbweZgi4dqA= -k8s.io/apimachinery v0.33.3 h1:4ZSrmNa0c/ZpZJhAgRdcsFcZOw1PQU1bALVQ0B3I5LA= -k8s.io/apimachinery v0.33.3/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM= -k8s.io/apiserver v0.33.1 h1:yLgLUPDVC6tHbNcw5uE9mo1T6ELhJj7B0geifra3Qdo= -k8s.io/apiserver v0.33.1/go.mod h1:VMbE4ArWYLO01omz+k8hFjAdYfc3GVAYPrhP2tTKccs= -k8s.io/client-go v0.33.1 h1:ZZV/Ks2g92cyxWkRRnfUDsnhNn28eFpt26aGc8KbXF4= -k8s.io/client-go v0.33.1/go.mod h1:JAsUrl1ArO7uRVFWfcj6kOomSlCv+JpvIsp6usAGefA= -k8s.io/component-base v0.33.1 h1:EoJ0xA+wr77T+G8p6T3l4efT2oNwbqBVKR71E0tBIaI= -k8s.io/component-base v0.33.1/go.mod h1:guT/w/6piyPfTgq7gfvgetyXMIh10zuXA6cRRm3rDuY= -k8s.io/cri-api v0.33.1 h1:CEvLiHZm/uTTp/5qsesU8/OG1a56RPnwMk4Ae73bUvs= -k8s.io/cri-api v0.33.1/go.mod h1:OLQvT45OpIA+tv91ZrpuFIGY+Y2Ho23poS7n115Aocs= +k8s.io/api v0.34.1 h1:jC+153630BMdlFukegoEL8E/yT7aLyQkIVuwhmwDgJM= +k8s.io/api v0.34.1/go.mod h1:SB80FxFtXn5/gwzCoN6QCtPD7Vbu5w2n1S0J5gFfTYk= +k8s.io/apiextensions-apiserver v0.34.1 h1:NNPBva8FNAPt1iSVwIE0FsdrVriRXMsaWFMqJbII2CI= +k8s.io/apiextensions-apiserver v0.34.1/go.mod h1:hP9Rld3zF5Ay2Of3BeEpLAToP+l4s5UlxiHfqRaRcMc= +k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4= +k8s.io/apimachinery v0.34.1/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= 
+k8s.io/apiserver v0.34.1 h1:U3JBGdgANK3dfFcyknWde1G6X1F4bg7PXuvlqt8lITA= +k8s.io/apiserver v0.34.1/go.mod h1:eOOc9nrVqlBI1AFCvVzsob0OxtPZUCPiUJL45JOTBG0= +k8s.io/cli-runtime v0.34.1 h1:btlgAgTrYd4sk8vJTRG6zVtqBKt9ZMDeQZo2PIzbL7M= +k8s.io/cli-runtime v0.34.1/go.mod h1:aVA65c+f0MZiMUPbseU/M9l1Wo2byeaGwUuQEQVVveE= +k8s.io/client-go v0.34.1 h1:ZUPJKgXsnKwVwmKKdPfw4tB58+7/Ik3CrjOEhsiZ7mY= +k8s.io/client-go v0.34.1/go.mod h1:kA8v0FP+tk6sZA0yKLRG67LWjqufAoSHA2xVGKw9Of8= +k8s.io/component-base v0.34.1 h1:v7xFgG+ONhytZNFpIz5/kecwD+sUhVE6HU7qQUiRM4A= +k8s.io/component-base v0.34.1/go.mod h1:mknCpLlTSKHzAQJJnnHVKqjxR7gBeHRv0rPXA7gdtQ0= +k8s.io/cri-api v0.34.1 h1:n2bU++FqqJq0CNjP/5pkOs0nIx7aNpb1Xa053TecQkM= +k8s.io/cri-api v0.34.1/go.mod h1:4qVUjidMg7/Z9YGZpqIDygbkPWkg3mkS1PvOx/kpHTE= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4= -k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8= -k8s.io/kubelet v0.33.1 h1:x4LCw1/iZVWOKA4RoITnuB8gMHnw31HPB3S0EF0EexE= -k8s.io/kubelet v0.33.1/go.mod h1:8WpdC9M95VmsqIdGSQrajXooTfT5otEj8pGWOm+KKfQ= -k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e h1:KqK5c/ghOm8xkHYhlodbp6i6+r+ChV2vuAuVRdFbLro= -k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -modernc.org/cc/v4 v4.21.4 h1:3Be/Rdo1fpr8GrQ7IVw9OHtplU4gWbb+wNgeoBMmGLQ= -modernc.org/cc/v4 v4.21.4/go.mod h1:HM7VJTZbUCR3rV8EYBi9wxnJ0ZBRiGE5OeGXNA0IsLQ= -modernc.org/ccgo/v4 v4.19.2 h1:lwQZgvboKD0jBwdaeVCTouxhxAyN6iawF3STraAal8Y= -modernc.org/ccgo/v4 v4.19.2/go.mod h1:ysS3mxiMV38XGRTTcgo0DQTeTmAO4oCmJl1nX9VFI3s= -modernc.org/fileutil v1.3.0 h1:gQ5SIzK3H9kdfai/5x41oQiKValumqNTDXMvKo62HvE= -modernc.org/fileutil v1.3.0/go.mod h1:XatxS8fZi3pS8/hKG2GH/ArUogfxjpEKs3Ku3aK4JyQ= 
-modernc.org/gc/v2 v2.4.1 h1:9cNzOqPyMJBvrUipmynX0ZohMhcxPtMccYgGOJdOiBw= -modernc.org/gc/v2 v2.4.1/go.mod h1:wzN5dK1AzVGoH6XOzc3YZ+ey/jPgYHLuVckd62P0GYU= -modernc.org/libc v1.55.3 h1:AzcW1mhlPNrRtjS5sS+eW2ISCgSOLLNyFzRh/V3Qj/U= -modernc.org/libc v1.55.3/go.mod h1:qFXepLhz+JjFThQ4kzwzOjA/y/artDeg+pcYnY+Q83w= -modernc.org/mathutil v1.6.0 h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4= -modernc.org/mathutil v1.6.0/go.mod h1:Ui5Q9q1TR2gFm0AQRqQUaBWFLAhQpCwNcuhBOSedWPo= -modernc.org/memory v1.8.0 h1:IqGTL6eFMaDZZhEWwcREgeMXYwmW83LYW8cROZYkg+E= -modernc.org/memory v1.8.0/go.mod h1:XPZ936zp5OMKGWPqbD3JShgd/ZoQ7899TUuQqxY+peU= -modernc.org/opt v0.1.3 h1:3XOZf2yznlhC+ibLltsDGzABUGVx8J6pnFMS3E4dcq4= -modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0= -modernc.org/sortutil v1.2.0 h1:jQiD3PfS2REGJNzNCMMaLSp/wdMNieTbKX920Cqdgqc= -modernc.org/sortutil v1.2.0/go.mod h1:TKU2s7kJMf1AE84OoiGppNHJwvB753OYfNl2WRb++Ss= -modernc.org/sqlite v1.34.2 h1:J9n76TPsfYYkFkZ9Uy1QphILYifiVEwwOT7yP5b++2Y= -modernc.org/sqlite v1.34.2/go.mod h1:dnR723UrTtjKpoHCAMN0Q/gZ9MT4r+iRvIBb9umWFkU= -modernc.org/strutil v1.2.0 h1:agBi9dp1I+eOnxXeiZawM8F4LawKv4NzGWSaLfyeNZA= -modernc.org/strutil v1.2.0/go.mod h1:/mdcBmfOibveCTBxUl5B5l6W+TTH1FXPLHZE6bTosX0= +k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA= +k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts= +k8s.io/kubelet v0.34.1 h1:doAaTA9/Yfzbdq/u/LveZeONp96CwX9giW6b+oHn4m4= +k8s.io/kubelet v0.34.1/go.mod h1:PtV3Ese8iOM19gSooFoQT9iyRisbmJdAPuDImuccbbA= +k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y= +k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +modernc.org/cc/v4 v4.26.2 h1:991HMkLjJzYBIfha6ECZdjrIYz2/1ayr+FL8GN+CNzM= +modernc.org/cc/v4 v4.26.2/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0= 
+modernc.org/ccgo/v4 v4.28.0 h1:rjznn6WWehKq7dG4JtLRKxb52Ecv8OUGah8+Z/SfpNU= +modernc.org/ccgo/v4 v4.28.0/go.mod h1:JygV3+9AV6SmPhDasu4JgquwU81XAKLd3OKTUDNOiKE= +modernc.org/fileutil v1.3.8 h1:qtzNm7ED75pd1C7WgAGcK4edm4fvhtBsEiI/0NQ54YM= +modernc.org/fileutil v1.3.8/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc= +modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI= +modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito= +modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks= +modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI= +modernc.org/libc v1.66.3 h1:cfCbjTUcdsKyyZZfEUKfoHcP3S0Wkvz3jgSzByEWVCQ= +modernc.org/libc v1.66.3/go.mod h1:XD9zO8kt59cANKvHPXpx7yS2ELPheAey0vjIuZOhOU8= +modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU= +modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg= +modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI= +modernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw= +modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8= +modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns= +modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w= +modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE= +modernc.org/sqlite v1.38.2 h1:Aclu7+tgjgcQVShZqim41Bbw9Cho0y/7WzYptXqkEek= +modernc.org/sqlite v1.38.2/go.mod h1:cPTJYSlgg3Sfg046yBShXENNtPrWrDX8bsbAQBzgQ5E= +modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0= +modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A= modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y= modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM= oras.land/oras-go/v2 v2.6.0 h1:X4ELRsiGkrbeox69+9tzTu492FMUu7zJQW6eJU+I2oc= 
@@ -1438,13 +1469,16 @@ sigs.k8s.io/controller-runtime v0.21.0 h1:CYfjpEuicjUecRk+KAeyYh+ouUBn4llGyDYytI sigs.k8s.io/controller-runtime v0.21.0/go.mod h1:OSg14+F65eWqIu4DceX7k/+QRAbTTvxeQSNSOQpukWM= sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE= sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= -sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= +sigs.k8s.io/kustomize/api v0.20.1 h1:iWP1Ydh3/lmldBnH/S5RXgT98vWYMaTUL1ADcr+Sv7I= +sigs.k8s.io/kustomize/api v0.20.1/go.mod h1:t6hUFxO+Ph0VxIk1sKp1WS0dOjbPCtLJ4p8aADLwqjM= +sigs.k8s.io/kustomize/kyaml v0.20.1 h1:PCMnA2mrVbRP3NIB6v9kYCAc38uvFLVs8j/CD567A78= +sigs.k8s.io/kustomize/kyaml v0.20.1/go.mod h1:0EmkQHRUsJxY8Ug9Niig1pUMSCGHxQ5RklbpV/Ri6po= sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= -sigs.k8s.io/structured-merge-diff/v4 v4.7.0 h1:qPeWmscJcXP0snki5IYF79Z8xrl8ETFxgMd7wez1XkI= -sigs.k8s.io/structured-merge-diff/v4 v4.7.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps= -sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= -sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= +sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco= +sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= +sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs= +sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4= sourcegraph.com/sourcegraph/go-diff v0.5.0/go.mod h1:kuch7UrkMzY0X+p9CRK03kfuPQ2zzQcaEFbx8wA8rck= sourcegraph.com/sqs/pbtypes v0.0.0-20180604144634-d3ebe8f20ae4/go.mod h1:ketZ/q3QxT9HOBeFhu6RdvsftgpsbFHBF5Cas6cDKZ0= zombiezen.com/go/sqlite v1.4.0 
h1:N1s3RIljwtp4541Y8rM880qgGIgq3fTD2yks1xftnKU= diff --git a/pkg/rules/r0001-unexpected-process-launched/rule_test.go b/pkg/rules/r0001-unexpected-process-launched/rule_test.go index acc6f38..c79274f 100644 --- a/pkg/rules/r0001-unexpected-process-launched/rule_test.go +++ b/pkg/rules/r0001-unexpected-process-launched/rule_test.go @@ -12,13 +12,11 @@ import ( "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" "github.com/stretchr/testify/require" - tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1" celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" - utils "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/node-agent/pkg/utils" + "github.com/kubescape/rulelibrary/pkg/common" ) func TestR0001UnexpectedProcessLaunched(t *testing.T) { @@ -27,26 +25,14 @@ func TestR0001UnexpectedProcessLaunched(t *testing.T) { t.Fatalf("Failed to load rule: %v", err) } // Create a process exec event - e := &events.ExecEvent{ - Event: tracerexectype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - Pid: 1234, - Comm: "test-process", - Pcomm: "test-process", - ExePath: "/usr/bin/test-process", - Args: []string{"test-process", "arg1"}, - }, + e := &utils.StructEvent{ + Container: "test", + ContainerID: "test", + Pid: 1234, + Comm: "test-process", + Pcomm: "test-process", + ExePath: "/usr/bin/test-process", + Args: []string{"test-process", "arg1"}, } objCache := &objectcachev1.RuleObjectCacheMock{ 
@@ -154,26 +140,14 @@ func BenchmarkEvaluateRuleNative(b *testing.B) { TTL: 1 * time.Microsecond, }, }) - e := &events.ExecEvent{ - Event: tracerexectype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - Pid: 1234, - Comm: "test-process", - Pcomm: "test-process", - ExePath: "/usr/bin/test-process", - Args: []string{"test-process", "arg1"}, - }, + e := &utils.StructEvent{ + Container: "test", + ContainerID: "test", + Pid: 1234, + Comm: "test-process", + Pcomm: "test-process", + ExePath: "/usr/bin/test-process", + Args: []string{"test-process", "arg1"}, } enrichedEvent := &events.EnrichedEvent{ EventType: utils.ExecveEventType, diff --git a/pkg/rules/r0001-unexpected-process-launched/unexpected-process-launched.yaml b/pkg/rules/r0001-unexpected-process-launched/unexpected-process-launched.yaml index dd312d6..07910fb 100644 --- a/pkg/rules/r0001-unexpected-process-launched/unexpected-process-launched.yaml +++ b/pkg/rules/r0001-unexpected-process-launched/unexpected-process-launched.yaml @@ -12,11 +12,11 @@ spec: id: "R0001" description: "Detects unexpected process launches that are not in the baseline" expressions: - message: "'Unexpected process launched: ' + exec.comm + ' with PID ' + string(exec.pid)" - unique_id: "exec.comm + '_' + exec.exe_path" + message: "'Unexpected process launched: ' + event.comm + ' with PID ' + string(event.pid)" + unique_id: "event.comm + '_' + event.exepath" rule_expression: - event_type: "exec" - expression: "!ap.was_executed(exec.runtime.container_id, parse.get_exec_path(exec.args, exec.comm))" + expression: "!ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm))" profile_dependency: 0 severity: 1 support_policy: false 
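Review bot: The `utils.StructEvent` literal in BenchmarkEvaluateRuleNative is a field-for-field copy of the one built in TestR0001UnexpectedProcessLaunched two hunks earlier, so the two will drift the next time the event shape changes, exactly as it did in this commit. R0006's rule_test.go in this same series already uses a small `createTestEvent(...)` constructor for this purpose; a `func newExecEvent() *utils.StructEvent` here, shared by the test and the benchmark, would keep them in sync. BenchmarkEvaluateRuleNative starts before this hunk and continues after it.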
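Review bot: `unique_id` now reads `event.exepath`, the only multi-word attribute in this rename series not written in camelCase; the sibling rules use `event.fullPath`, `event.containerId`, `event.capName`, and R0007's rule_expression repeats the same `event.exepath` spelling. If the event schema exposes the path as `exePath`, this expression would fail to resolve (at load or at evaluation, depending on how the engine checks it) and R0001 would lose its dedup key; the visible part of the test in this commit does not evaluate `unique_id`, so a wrong name would not be caught here. Confirm the attribute name against the StructEvent CEL mapping: if it is camelCase, change both rules to `event.exePath`; if `exepath` is correct, a short `# attribute is spelled exepath in the event schema` comment next to this line would stop the next reader from "fixing" it.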
diff --git a/pkg/rules/r0002-unexpected-file-access/rule_test.go b/pkg/rules/r0002-unexpected-file-access/rule_test.go index e3a9022..31af0a1 100644 --- a/pkg/rules/r0002-unexpected-file-access/rule_test.go +++ b/pkg/rules/r0002-unexpected-file-access/rule_test.go @@ -11,12 +11,10 @@ import ( "github.com/kubescape/node-agent/pkg/utils" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" - traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1" celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" ) func TestR0002UnexpectedFileAccess(t *testing.T) { @@ -25,26 +23,14 @@ func TestR0002UnexpectedFileAccess(t *testing.T) { t.Fatalf("Failed to load rule: %v", err) } // Create a file access event - e := &events.OpenEvent{ - Event: traceropentype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - Pid: 1234, - Comm: "test", - Path: "/etc/test", - FullPath: "/etc/test", - Flags: []string{"O_RDONLY"}, - }, + e := &utils.StructEvent{ + Container: "test", + ContainerID: "test", + Pid: 1234, + Comm: "test", + Path: "/etc/test", + FullPath: "/etc/test", + Flags: []string{"O_RDONLY"}, } objCache := &objectcachev1.RuleObjectCacheMock{ diff --git a/pkg/rules/r0002-unexpected-file-access/unexpected-file-access.yaml b/pkg/rules/r0002-unexpected-file-access/unexpected-file-access.yaml index 8952006..f0f7db9 100644 --- a/pkg/rules/r0002-unexpected-file-access/unexpected-file-access.yaml 
+++ b/pkg/rules/r0002-unexpected-file-access/unexpected-file-access.yaml 
@@ -12,29 +12,29 @@ spec: id: "R0002" description: "Detects unexpected file access that is not in the baseline" expressions: - message: "'Unexpected file access detected: ' + open.comm + ' with PID ' + string(open.pid) + ' to ' + open.full_path" - unique_id: "open.comm + '_' + open.full_path" + message: "'Unexpected file access detected: ' + event.comm + ' with PID ' + string(event.pid) + ' to ' + event.fullPath" + unique_id: "event.comm + '_' + event.fullPath" rule_expression: - event_type: "open" expression: > - (open.full_path.startsWith('/etc/') || - open.full_path.startsWith('/var/log/') || - open.full_path.startsWith('/var/run/') || - open.full_path.startsWith('/run/') || - open.full_path.startsWith('/var/spool/cron/') || - open.full_path.startsWith('/var/www/') || - open.full_path.startsWith('/var/lib/') || - open.full_path.startsWith('/opt/') || - open.full_path.startsWith('/usr/local/') || - open.full_path.startsWith('/app/') || - open.full_path == '/.dockerenv' || - open.full_path == '/proc/self/environ') + (event.fullPath.startsWith('/etc/') || + event.fullPath.startsWith('/var/log/') || + event.fullPath.startsWith('/var/run/') || + event.fullPath.startsWith('/run/') || + event.fullPath.startsWith('/var/spool/cron/') || + event.fullPath.startsWith('/var/www/') || + event.fullPath.startsWith('/var/lib/') || + event.fullPath.startsWith('/opt/') || + event.fullPath.startsWith('/usr/local/') || + event.fullPath.startsWith('/app/') || + event.fullPath == '/.dockerenv' || + event.fullPath == '/proc/self/environ') && - !(open.full_path.startsWith('/run/secrets/kubernetes.io/serviceaccount') || - open.full_path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') || - open.full_path.startsWith('/tmp')) + !(event.fullPath.startsWith('/run/secrets/kubernetes.io/serviceaccount') || + event.fullPath.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') || + event.fullPath.startsWith('/tmp')) && - !ap.was_path_opened(open.runtime.container_id, 
open.full_path) + !ap.was_path_opened(event.containerId, event.fullPath) profile_dependency: 0 severity: 1 support_policy: false diff --git a/pkg/rules/r0003-unexpected-system-call/rule_test.go b/pkg/rules/r0003-unexpected-system-call/rule_test.go index af2819c..e71f22b 100644 --- a/pkg/rules/r0003-unexpected-system-call/rule_test.go +++ b/pkg/rules/r0003-unexpected-system-call/rule_test.go @@ -5,16 +5,14 @@ import ( "time" "github.com/goradd/maps" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1" celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" - "github.com/kubescape/node-agent/pkg/rulemanager/types" "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" ) @@ -25,21 +23,11 @@ func TestR0003UnexpectedSystemCall(t *testing.T) { } // Create a syscall event - e := &types.SyscallEvent{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, + e := &utils.StructEvent{ + Container: "test", + ContainerID: "test", Comm: "test", - SyscallName: "test_syscall", + Syscall: "test_syscall", Pid: 1234, } diff --git a/pkg/rules/r0003-unexpected-system-call/unexpected-system-call.yaml b/pkg/rules/r0003-unexpected-system-call/unexpected-system-call.yaml index 19d9fd8..ee5c525 100644 --- a/pkg/rules/r0003-unexpected-system-call/unexpected-system-call.yaml 
+++ b/pkg/rules/r0003-unexpected-system-call/unexpected-system-call.yaml @@ -12,11 +12,11 @@ spec: id: "R0003" description: "Detects unexpected system calls that are not whitelisted by application profile" expressions: - message: "'Unexpected system call detected: ' + syscall.syscall_name + ' with PID ' + string(syscall.pid)" - unique_id: "syscall.syscall_name" + message: "'Unexpected system call detected: ' + event.syscallName + ' with PID ' + string(event.pid)" + unique_id: "event.syscallName" rule_expression: - event_type: "syscall" - expression: "!ap.was_syscall_used(syscall.runtime.container_id, syscall.syscall_name)" + expression: "!ap.was_syscall_used(event.containerId, event.syscallName)" profile_dependency: 0 severity: 1 support_policy: false diff --git a/pkg/rules/r0004-unexpected-capability-used/rule_test.go b/pkg/rules/r0004-unexpected-capability-used/rule_test.go index b9cecf8..8c2afa1 100644 --- a/pkg/rules/r0004-unexpected-capability-used/rule_test.go +++ b/pkg/rules/r0004-unexpected-capability-used/rule_test.go @@ -5,8 +5,6 @@ import ( "time" "github.com/goradd/maps" - tracercapabilitiestype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/capabilities/types" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" @@ -14,7 +12,7 @@ import ( celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" ) 
@@ -25,23 +23,13 @@ func TestR0004UnexpectedCapabilityUsed(t *testing.T) { } // Create a capabilities event - e := &tracercapabilitiestype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - Comm: "test", - CapName: "test_cap", - Syscall: "test_syscall", - Pid: 1234, + e := &utils.StructEvent{ + Container: "test", + ContainerID: "test", + Comm: "test", + CapName: "test_cap", + Syscall: "test_syscall", + Pid: 1234, } objCache := &objectcachev1.RuleObjectCacheMock{ diff --git a/pkg/rules/r0004-unexpected-capability-used/unexpected-capability-used.yaml b/pkg/rules/r0004-unexpected-capability-used/unexpected-capability-used.yaml index 8216d72..a990ebf 100644 --- a/pkg/rules/r0004-unexpected-capability-used/unexpected-capability-used.yaml +++ b/pkg/rules/r0004-unexpected-capability-used/unexpected-capability-used.yaml @@ -12,11 +12,11 @@ spec: id: "R0004" description: "Detects unexpected capabilities that are not whitelisted by application profile" expressions: - message: "'Unexpected capability used: ' + capabilities.cap_name + ' in syscall ' + capabilities.syscall + ' with PID ' + string(capabilities.pid)" - unique_id: "capabilities.comm + '_' + capabilities.cap_name" + message: "'Unexpected capability used: ' + event.capName + ' in syscall ' + event.syscallName + ' with PID ' + string(event.pid)" + unique_id: "event.comm + '_' + event.capName" rule_expression: - event_type: "capabilities" - expression: "!ap.was_capability_used(capabilities.runtime.container_id, capabilities.cap_name)" + expression: "!ap.was_capability_used(event.containerId, event.capName)" profile_dependency: 0 severity: 1 support_policy: false 
diff --git a/pkg/rules/r0005-unexpected-domain-request/rule_test.go b/pkg/rules/r0005-unexpected-domain-request/rule_test.go index 1a6d547..923891c 100644 --- a/pkg/rules/r0005-unexpected-domain-request/rule_test.go +++ b/pkg/rules/r0005-unexpected-domain-request/rule_test.go @@ -11,12 +11,10 @@ import ( "github.com/kubescape/node-agent/pkg/utils" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" - tracerdnstype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/dns/types" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1" celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" ) func TestR0005UnexpectedDomainRequest(t *testing.T) { @@ -26,23 +24,13 @@ func TestR0005UnexpectedDomainRequest(t *testing.T) { } // Create a DNS event - e := &tracerdnstype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - Pid: 1234, - Comm: "test-process", - DNSName: "test.com", - Qr: tracerdnstype.DNSPktTypeQuery, + e := &utils.StructEvent{ + Container: "test", + ContainerID: "test", + Pid: 1234, + Comm: "test-process", + DNSName: "test.com", + Qr: utils.DNSPktTypeQuery, } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -88,7 +76,7 @@ func TestR0005UnexpectedDomainRequest(t *testing.T) { if err != nil { t.Fatalf("Failed to evaluate message: %v", err) } - if message != "Unexpected domain communication: test.com" { + if message != "Unexpected domain communication: test.com from: test" { t.Fatalf("Message evaluation failed, got: %s", message) } 
diff --git a/pkg/rules/r0005-unexpected-domain-request/unexpected-domain-request.yaml b/pkg/rules/r0005-unexpected-domain-request/unexpected-domain-request.yaml index 57a8bab..d69e5ce 100644 --- a/pkg/rules/r0005-unexpected-domain-request/unexpected-domain-request.yaml +++ b/pkg/rules/r0005-unexpected-domain-request/unexpected-domain-request.yaml @@ -12,11 +12,11 @@ spec: id: "R0005" description: "Detecting unexpected domain requests that are not whitelisted by application profile." expressions: - message: "'Unexpected domain communication: ' + dns.dns_name" - unique_id: "dns.comm + '_' + dns.dns_name" + message: "'Unexpected domain communication: ' + event.name + ' from: ' + event.containerName" + unique_id: "event.comm + '_' + event.name" rule_expression: - event_type: "dns" - expression: "!dns.dns_name.endsWith('.svc.cluster.local.') && !nn.is_domain_in_egress(dns.runtime.container_id, dns.dns_name)" + expression: "!event.name.endsWith('.svc.cluster.local.') && !nn.is_domain_in_egress(event.containerId, event.name)" profile_dependency: 0 severity: 1 support_policy: false diff --git a/pkg/rules/r0006-unexpected-service-account-token-access/rule_test.go b/pkg/rules/r0006-unexpected-service-account-token-access/rule_test.go index 06f8327..515bb37 100644 --- a/pkg/rules/r0006-unexpected-service-account-token-access/rule_test.go +++ b/pkg/rules/r0006-unexpected-service-account-token-access/rule_test.go @@ -5,8 +5,6 @@ import ( "time" "github.com/goradd/maps" - traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" 
@@ -19,29 +17,17 @@ import ( ) // createTestEvent creates a test OpenEvent -func createTestEvent(containerName, containerID, path string, flags []string) *events.OpenEvent { - return &events.OpenEvent{ - Event: traceropentype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: containerID, - }, - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: containerName, - }, - }, - }, - }, - Comm: "test-process", - Path: path, - FullPath: path, - Flags: flags, - Pid: 1234, - Uid: 0, - Gid: 0, - }, +func createTestEvent(containerName, containerID, path string, flags []string) *utils.StructEvent { + return &utils.StructEvent{ + Container: containerName, + ContainerID: containerID, + Comm: "test-process", + Path: path, + FullPath: path, + Flags: flags, + Pid: 1234, + Uid: 0, + Gid: 0, } } @@ -68,7 +54,7 @@ func TestR0006UnexpectedServiceAccountTokenAccess(t *testing.T) { tests := []struct { name string - event *events.OpenEvent + event *utils.StructEvent profile *v1beta1.ApplicationProfile expectTrigger bool description string diff --git a/pkg/rules/r0006-unexpected-service-account-token-access/unexpected-service-account-token-access.yaml b/pkg/rules/r0006-unexpected-service-account-token-access/unexpected-service-account-token-access.yaml index 50d16d0..68a5e99 100644 --- a/pkg/rules/r0006-unexpected-service-account-token-access/unexpected-service-account-token-access.yaml +++ b/pkg/rules/r0006-unexpected-service-account-token-access/unexpected-service-account-token-access.yaml 
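Review bot: The comment on the context line above the new signature still says `// createTestEvent creates a test OpenEvent`, but the function now returns `*utils.StructEvent` and no longer references `events.OpenEvent`, so the stale type name sends the next reader looking for a wrapper that does not exist. Suggest `// createTestEvent builds a *utils.StructEvent describing an open of path with the given flags, attributed to containerName/containerID.` The `Uid: 0, Gid: 0` entries are zero values and could be dropped; if the intent is to make the root identity explicit for this token-access rule, a trailing `// root` comment on those two lines would say so.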
@@ -12,19 +12,19 @@ spec: id: "R0006" description: "Detecting unexpected access to service account token." expressions: - message: "'Unexpected access to service account token: ' + open.full_path + ' with flags: ' + open.flags.join(',')" - unique_id: "open.comm" + message: "'Unexpected access to service account token: ' + event.fullPath + ' with flags: ' + event.flags.join(',')" + unique_id: "event.comm" rule_expression: - event_type: "open" expression: > - ((open.full_path.startsWith('/run/secrets/kubernetes.io/serviceaccount') && open.full_path.endsWith('/token')) || - (open.full_path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') && open.full_path.endsWith('/token')) || - (open.full_path.startsWith('/run/secrets/eks.amazonaws.com/serviceaccount') && open.full_path.endsWith('/token')) || - (open.full_path.startsWith('/var/run/secrets/eks.amazonaws.com/serviceaccount') && open.full_path.endsWith('/token'))) && - !ap.was_path_opened_with_prefix(open.runtime.container_id, '/run/secrets/kubernetes.io/serviceaccount') && - !ap.was_path_opened_with_prefix(open.runtime.container_id, '/var/run/secrets/kubernetes.io/serviceaccount') && - !ap.was_path_opened_with_prefix(open.runtime.container_id, '/run/secrets/eks.amazonaws.com/serviceaccount') && - !ap.was_path_opened_with_prefix(open.runtime.container_id, '/var/run/secrets/eks.amazonaws.com/serviceaccount') + ((event.fullPath.startsWith('/run/secrets/kubernetes.io/serviceaccount') && event.fullPath.endsWith('/token')) || + (event.fullPath.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') && event.fullPath.endsWith('/token')) || + (event.fullPath.startsWith('/run/secrets/eks.amazonaws.com/serviceaccount') && event.fullPath.endsWith('/token')) || + (event.fullPath.startsWith('/var/run/secrets/eks.amazonaws.com/serviceaccount') && event.fullPath.endsWith('/token'))) && + !ap.was_path_opened_with_prefix(event.containerId, '/run/secrets/kubernetes.io/serviceaccount') && + 
!ap.was_path_opened_with_prefix(event.containerId, '/var/run/secrets/kubernetes.io/serviceaccount') && + !ap.was_path_opened_with_prefix(event.containerId, '/run/secrets/eks.amazonaws.com/serviceaccount') && + !ap.was_path_opened_with_prefix(event.containerId, '/var/run/secrets/eks.amazonaws.com/serviceaccount') profile_dependency: 1 severity: 5 support_policy: false diff --git a/pkg/rules/r0007-kubernetes-client-executed/kubernetes-client-executed.yaml b/pkg/rules/r0007-kubernetes-client-executed/kubernetes-client-executed.yaml index 3599dc5..c7b3760 100644 --- a/pkg/rules/r0007-kubernetes-client-executed/kubernetes-client-executed.yaml +++ b/pkg/rules/r0007-kubernetes-client-executed/kubernetes-client-executed.yaml 
@@ -12,13 +12,13 @@ spec: id: "R0007" description: "Detecting execution of kubernetes client" expressions: - message: "event_type == 'exec' ? 'Kubernetes client (' + exec.comm + ') was executed with PID ' + string(exec.pid) : 'Network connection to Kubernetes API server from container ' + network.k8s.container_name" - unique_id: "event_type == 'exec' ? 'exec_' + exec.comm : 'network_' + network.dst_endpoint.addr" + message: "event_type == 'exec' ? 'Kubernetes client (' + event.comm + ') was executed with PID ' + string(event.pid) : 'Network connection to Kubernetes API server from container ' + event.containerName" + unique_id: "event_type == 'exec' ? 'exec_' + event.comm : 'network_' + event.dstAddr" rule_expression: - event_type: "exec" - expression: "(exec.comm == 'kubectl' || exec.exe_path.endsWith('/kubectl')) && !ap.was_executed(exec.runtime.container_id, parse.get_exec_path(exec.args, exec.comm))" + expression: "(event.comm == 'kubectl' || event.exepath.endsWith('/kubectl')) && !ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm))" - event_type: "network" - expression: "network.pkt_type == 'OUTGOING' && k8s.is_api_server_address(network.dst_endpoint.addr) && !nn.was_address_in_egress(network.runtime.container_id, network.dst_endpoint.addr)" + expression: "event.pktType == 'OUTGOING' && k8s.is_api_server_address(event.dstAddr) && !nn.was_address_in_egress(event.containerId, event.dstAddr)" profile_dependency: 0 severity: 5 # Medium support_policy: false diff --git a/pkg/rules/r0007-kubernetes-client-executed/rule_test.go b/pkg/rules/r0007-kubernetes-client-executed/rule_test.go index 616e7d1..341a8ec 100644 --- a/pkg/rules/r0007-kubernetes-client-executed/rule_test.go +++ b/pkg/rules/r0007-kubernetes-client-executed/rule_test.go 
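Review bot: Both `rule_expression` entries lose their `event_type` key, yet the first still dereferences `event.exepath`/`event.args` and the second `event.pktType`/`event.dstAddr`, and nothing left in this file says which expression applies to which event. The `message` expression still branches on `event_type == 'exec'`, so the variable is evidently still bound; if the engine now evaluates every expression against every event, a network event reaching the exec expression hits a missing attribute and whether that counts as "no match" or as an evaluation error is then decided by the engine rather than by the rule. Unless dispatch moved to a field outside this hunk, prefixing each expression with its own guard, e.g. `event_type == 'exec' && (event.comm == 'kubectl' || ...)` and `event_type == 'network' && event.pktType == 'OUTGOING' && ...`, keeps the rule self-describing and fail-safe. The same key is dropped from every single-expression rule in this commit (R0001–R0006, R0008), where it matters less but deserves the same confirmation.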
@@ -11,13 +11,11 @@ import (
 "github.com/kubescape/node-agent/pkg/utils"
 "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1"
- tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types"
- tracernetworktype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/network/types"
 eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types"
 objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1"
 celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel"
 "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache"
- common "github.com/kubescape/rulelibrary/pkg/common"
+ "github.com/kubescape/rulelibrary/pkg/common"
 )
 func TestR0007KubernetesClientExecuted(t *testing.T) {
@@ -27,26 +25,14 @@ func TestR0007KubernetesClientExecuted(t *testing.T) {
 }
 // Create a kubectl exec event
- e := &events.ExecEvent{
- Event: tracerexectype.Event{
- Event: eventtypes.Event{
- CommonData: eventtypes.CommonData{
- K8s: eventtypes.K8sMetadata{
- BasicK8sMetadata: eventtypes.BasicK8sMetadata{
- ContainerName: "test",
- },
- },
- Runtime: eventtypes.BasicRuntimeMetadata{
- ContainerID: "test",
- },
- },
- },
- Pid: 1234,
- Comm: "kubectl",
- Pcomm: "test-process",
- ExePath: "/usr/bin/kubectl",
- Args: []string{"kubectl", "get", "pods"},
- },
+ e := &utils.StructEvent{
+ Container: "test",
+ ContainerID: "test",
+ Pid: 1234,
+ Comm: "kubectl",
+ Pcomm: "test-process",
+ ExePath: "/usr/bin/kubectl",
+ Args: []string{"kubectl", "get", "pods"},
 }
 objCache := &objectcachev1.RuleObjectCacheMock{
@@ -134,8 +120,8 @@ func TestR0007KubernetesClientExecuted(t *testing.T) {
 }
 // Test with non-kubectl process (should not trigger)
- e.Event.Comm = "nginx"
- e.Event.ExePath = "/usr/bin/nginx"
+ e.Comm = "nginx"
+ e.ExePath = "/usr/bin/nginx"
 ok, err = celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression)
 if err != nil {
@@ -152,24 +138,14 @@ func TestR0007KubernetesClientExecutedNetwork(t *testing.T) {
 t.Fatalf("Failed to load rule: %v", err)
 }
- e := &tracernetworktype.Event{
- Event: eventtypes.Event{
- CommonData: eventtypes.CommonData{
- K8s: eventtypes.K8sMetadata{
- BasicK8sMetadata: eventtypes.BasicK8sMetadata{
- ContainerName: "test",
- },
- },
- Runtime: eventtypes.BasicRuntimeMetadata{
- ContainerID: "test",
- },
- },
- },
- PktType: "OUTGOING",
+ e := &utils.StructEvent{
+ Container: "test",
+ ContainerID: "test",
+ PktType: "OUTGOING",
 DstEndpoint: eventtypes.L3Endpoint{
 Addr: "1.1.1.1",
 },
- Port: 80,
+ DstPort: 80,
 }
 objCache := &objectcachev1.RuleObjectCacheMock{
diff --git a/pkg/rules/r0008-read-environment-variables-procfs/read-environment-variables-procfs.yaml b/pkg/rules/r0008-read-environment-variables-procfs/read-environment-variables-procfs.yaml
index cb1a0a0..56f073d 100644
--- a/pkg/rules/r0008-read-environment-variables-procfs/read-environment-variables-procfs.yaml
+++ b/pkg/rules/r0008-read-environment-variables-procfs/read-environment-variables-procfs.yaml
@@ -12,14 +12,14 @@ spec:
 id: "R0008"
 description: "Detecting reading environment variables from procfs."
 expressions:
- message: "'Reading environment variables from procfs: ' + open.full_path + ' by process ' + open.comm"
- unique_id: "open.comm"
+ message: "'Reading environment variables from procfs: ' + event.fullPath + ' by process ' + event.comm"
+ unique_id: "event.comm + '_' + event.fullPath"
 rule_expression:
 - event_type: "open"
 expression: >
- open.full_path.startsWith('/proc/') &&
- open.full_path.endsWith('/environ') &&
- !ap.was_path_opened_with_suffix(open.runtime.container_id, '/environ')
+ event.fullPath.startsWith('/proc/') &&
+ event.fullPath.endsWith('/environ') &&
+ !ap.was_path_opened_with_suffix(event.containerId, '/environ')
 profile_dependency: 0 # Required
 severity: 5 # Medium
 support_policy: false
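Review bot: The new `unique_id: "event.comm + '_' + event.fullPath"` folds the opened path into the dedup key, and for this rule that path is `/proc/<pid>/environ`, so the numeric PID becomes part of the key; a process that sweeps `/proc/*/environ` (the credential-harvesting pattern this rule exists for) now yields one distinct alert per victim PID where the old `open.comm` key yielded one. That may be the intent, but it is a dedup-behaviour change riding inside a field-rename commit and the title does not mention it. If per-PID fan-out is not wanted, key on the comm plus a PID-free form of the path; either way a one-line note on the `unique_id` line stating the chosen granularity, e.g. `# PID is part of the key on purpose: one alert per (process, /proc/<pid>/environ)`, would make it deliberate.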
diff --git a/pkg/rules/r0008-read-environment-variables-procfs/rule_test.go b/pkg/rules/r0008-read-environment-variables-procfs/rule_test.go
index 897ffba..72979ac 100644
--- a/pkg/rules/r0008-read-environment-variables-procfs/rule_test.go
+++ b/pkg/rules/r0008-read-environment-variables-procfs/rule_test.go
@@ -5,8 +5,6 @@ import (
 "time"
 "github.com/goradd/maps"
- traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types"
- eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types"
 "github.com/kubescape/node-agent/pkg/config"
 "github.com/kubescape/node-agent/pkg/ebpf/events"
 "github.com/kubescape/node-agent/pkg/objectcache"
@@ -20,29 +18,17 @@ import (
 )
 // createTestEvent creates a test OpenEvent
-func createTestEvent(containerName, containerID, path string, flags []string) *events.OpenEvent {
- return &events.OpenEvent{
- Event: traceropentype.Event{
- Event: eventtypes.Event{
- CommonData: eventtypes.CommonData{
- Runtime: eventtypes.BasicRuntimeMetadata{
- ContainerID: containerID,
- },
- K8s: eventtypes.K8sMetadata{
- BasicK8sMetadata: eventtypes.BasicK8sMetadata{
- ContainerName: containerName,
- },
- },
- },
- },
- Comm: "test-process",
- Path: path,
- FullPath: path,
- Flags: flags,
- Pid: 1234,
- Uid: 0,
- Gid: 0,
- },
+func createTestEvent(containerName, containerID, path string, flags []string) *utils.StructEvent {
+ return &utils.StructEvent{
+ Container: containerName,
+ ContainerID: containerID,
+ Comm: "test-process",
+ Path: path,
+ FullPath: path,
+ Flags: flags,
+ Pid: 1234,
+ Uid: 0,
+ Gid: 0,
 }
 }
@@ -69,7 +55,7 @@ func TestR0008ReadEnvironmentVariablesProcFS(t *testing.T) {
 tests := []struct {
 name string
- event *events.OpenEvent
+ event *utils.StructEvent
 profile *v1beta1.ApplicationProfile
 expectTrigger bool
 description string
@@ -210,7 +196,7 @@ func TestR0008ReadEnvironmentVariablesProcFS(t *testing.T) {
 if err != nil {
 t.Fatalf("Failed to evaluate unique ID: %v", err)
 }
- expectedUniqueID := tt.event.Comm
+ expectedUniqueID := tt.event.Comm + "_" + tt.event.FullPath
 if uniqueID != expectedUniqueID {
 t.Errorf("Unique ID evaluation failed. Expected: %s, Got: %s", expectedUniqueID, uniqueID)
 }
diff --git a/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml b/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml
index e772463..dff6e22 100644
--- a/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml
+++ b/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml
@@ -12,11 +12,11 @@ spec:
 id: "R0009"
 description: "Detecting eBPF program load."
 expressions:
- message: "'bpf system call executed in ' + syscall.k8s.container_name"
- unique_id: "syscall.comm + '_' + syscall.syscall_name"
+ message: "'bpf system call executed in ' + event.containerName"
+ unique_id: "event.comm + '_' + event.syscallName"
 rule_expression:
 - event_type: "syscall"
- expression: "syscall.syscall_name == 'bpf' && !ap.was_syscall_used(syscall.runtime.container_id, syscall.syscall_name)"
+ expression: "event.syscallName == 'bpf' && !ap.was_syscall_used(event.containerId, event.syscallName)"
 profile_dependency: 1
 severity: 5
 support_policy: false
diff --git a/pkg/rules/r0009-ebpf-program-load/rule_test.go b/pkg/rules/r0009-ebpf-program-load/rule_test.go
index 10bfe22..d9c7c4f 100644
--- a/pkg/rules/r0009-ebpf-program-load/rule_test.go
+++ b/pkg/rules/r0009-ebpf-program-load/rule_test.go
@@ -5,16 +5,14 @@ import (
 "time"
 "github.com/goradd/maps"
- eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types"
 "github.com/kubescape/node-agent/pkg/config"
 "github.com/kubescape/node-agent/pkg/ebpf/events"
 "github.com/kubescape/node-agent/pkg/objectcache"
 objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1"
 celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel"
 "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache"
- "github.com/kubescape/node-agent/pkg/rulemanager/types"
 "github.com/kubescape/node-agent/pkg/utils"
- common "github.com/kubescape/rulelibrary/pkg/common"
+ "github.com/kubescape/rulelibrary/pkg/common"
 "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1"
 )
@@ -25,22 +23,12 @@ func TestR0009EbpfProgramLoad(t *testing.T) {
 }
 // Create a syscall event with bpf syscall
- e := &types.SyscallEvent{
- Event: eventtypes.Event{
- CommonData: eventtypes.CommonData{
- K8s: eventtypes.K8sMetadata{
- BasicK8sMetadata: eventtypes.BasicK8sMetadata{
- ContainerName: "test",
- },
- },
- Runtime: eventtypes.BasicRuntimeMetadata{
- ContainerID: "test",
- },
- },
- },
+ e := &utils.StructEvent{
+ Container: "test",
+ ContainerID: "test",
 Pid: 1234,
 Comm: "test-process",
- SyscallName: "bpf",
+ Syscall: "bpf",
 }
 objCache := &objectcachev1.RuleObjectCacheMock{
@@ -125,7 +113,7 @@ func TestR0009EbpfProgramLoad(t *testing.T) {
 }
 // Test with non-bpf syscall (should not trigger)
- e.SyscallName = "open"
+ e.Syscall = "open"
 ok, err = celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression)
 if err != nil {
diff --git a/pkg/rules/r0010-unexpected-sensitive-file-access/rule_test.go b/pkg/rules/r0010-unexpected-sensitive-file-access/rule_test.go
index 1c28176..56f310b 100644
--- a/pkg/rules/r0010-unexpected-sensitive-file-access/rule_test.go
+++ b/pkg/rules/r0010-unexpected-sensitive-file-access/rule_test.go
@@ -11,12 +11,10 @@ import (
 "github.com/kubescape/node-agent/pkg/utils"
 "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1"
- traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types"
- eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types"
 objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1"
 celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel"
 "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache"
- common "github.com/kubescape/rulelibrary/pkg/common"
+ "github.com/kubescape/rulelibrary/pkg/common"
 )
 func TestR0010UnexpectedSensitiveFileAccess(t *testing.T) {
@@ -26,26 +24,14 @@ func TestR0010UnexpectedSensitiveFileAccess(t *testing.T) {
 }
 // Create a file access event to sensitive file
- e := &events.OpenEvent{
- Event: traceropentype.Event{
- Event: eventtypes.Event{
- CommonData: eventtypes.CommonData{
- K8s: eventtypes.K8sMetadata{
- BasicK8sMetadata: eventtypes.BasicK8sMetadata{
- ContainerName: "test",
- },
- },
- Runtime: eventtypes.BasicRuntimeMetadata{
- ContainerID: "test",
- },
- },
- },
- Pid: 1234,
- Comm: "test-process",
- Path: "/etc/shadow",
- FullPath: "/etc/shadow",
- Flags: []string{"O_RDONLY"},
- },
+ e := &utils.StructEvent{
+ Container: "test",
+ ContainerID: "test",
+ Pid: 1234,
+ Comm: "test-process",
+ Path: "/etc/shadow",
+ FullPath: "/etc/shadow",
+ Flags: []string{"O_RDONLY"},
 }
 objCache := &objectcachev1.RuleObjectCacheMock{
@@ -135,8 +121,8 @@ func TestR0010UnexpectedSensitiveFileAccess(t *testing.T) {
 }
 // Test with non-sensitive file (should not trigger)
- e.Event.Path = "/tmp/test.txt"
- e.Event.FullPath = "/tmp/test.txt"
+ e.Path = "/tmp/test.txt"
+ e.FullPath = "/tmp/test.txt"
 ok, err = celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression)
 if err != nil {
diff --git a/pkg/rules/r0010-unexpected-sensitive-file-access/unexpected-sensitive-file-access.yaml b/pkg/rules/r0010-unexpected-sensitive-file-access/unexpected-sensitive-file-access.yaml
index bbdd917..7b03db3 100644
--- a/pkg/rules/r0010-unexpected-sensitive-file-access/unexpected-sensitive-file-access.yaml
+++ b/pkg/rules/r0010-unexpected-sensitive-file-access/unexpected-sensitive-file-access.yaml
@@ -12,11 +12,11 @@ spec:
 id: "R0010"
 description: "Detecting access to sensitive files."
 expressions:
- message: "'Unexpected sensitive file access: ' + open.full_path + ' by process ' + open.comm"
- unique_id: "open.comm + '_' + open.full_path"
+ message: "'Unexpected sensitive file access: ' + event.fullPath + ' by process ' + event.comm"
+ unique_id: "event.comm + '_' + event.fullPath"
 rule_expression:
 - event_type: "open"
- expression: "open.full_path.startsWith('/etc/shadow') && !ap.was_path_opened(open.runtime.container_id, open.full_path)"
+ expression: "event.fullPath.startsWith('/etc/shadow') && !ap.was_path_opened(event.containerId, event.fullPath)"
 profile_dependency: 1
 severity: 5
 support_policy: false
diff --git a/pkg/rules/r0011-unexpected-egress-network-traffic/rule_test.go b/pkg/rules/r0011-unexpected-egress-network-traffic/rule_test.go
index 5b6243c..59c7449 100644
--- a/pkg/rules/r0011-unexpected-egress-network-traffic/rule_test.go
+++ b/pkg/rules/r0011-unexpected-egress-network-traffic/rule_test.go
@@ -5,7 +5,6 @@ import (
 "time"
 "github.com/goradd/maps"
- tracernetworktype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/network/types"
 eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types"
 "github.com/kubescape/node-agent/pkg/config"
 "github.com/kubescape/node-agent/pkg/ebpf/events"
@@ -14,7 +13,7 @@ import (
 celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel"
 "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache"
 "github.com/kubescape/node-agent/pkg/utils"
- common "github.com/kubescape/rulelibrary/pkg/common"
+ "github.com/kubescape/rulelibrary/pkg/common"
 "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1"
 )
@@ -25,27 +24,17 @@ func TestR0011UnexpectedEgressNetworkTraffic(t *testing.T) {
 }
 // Create a network event for outgoing traffic to external IP
- e := &tracernetworktype.Event{
- Event: eventtypes.Event{
- CommonData: eventtypes.CommonData{
- K8s: eventtypes.K8sMetadata{
- BasicK8sMetadata: eventtypes.BasicK8sMetadata{
- ContainerName: "test",
- },
- },
- Runtime: eventtypes.BasicRuntimeMetadata{
- ContainerID: "test",
- },
- },
- },
- PktType: "OUTGOING",
+ e := &utils.StructEvent{
+ Container: "test",
+ ContainerID: "test",
+ PktType: "OUTGOING",
 DstEndpoint: eventtypes.L3Endpoint{
 Addr: "1.1.1.1", // External IP
 },
- Port: 80,
- Proto: "TCP",
- Comm: "curl",
- Pid: 1234,
+ DstPort: 80,
+ Proto: "TCP",
+ Comm: "curl",
+ Pid: 1234,
 }
 objCache := &objectcachev1.RuleObjectCacheMock{
@@ -172,7 +161,7 @@ func TestR0011UnexpectedEgressNetworkTraffic(t *testing.T) {
 // Test with different port and protocol
 e.DstEndpoint.Addr = "3.3.3.3" // External IP
- e.Port = 443
+ e.DstPort = 443
 e.Proto = "TCP"
 ok, err = celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression)
@@ -185,7 +174,7 @@ func TestR0011UnexpectedEgressNetworkTraffic(t *testing.T) {
 // Test with UDP protocol
 e.Proto = "UDP"
- e.Port = 53
+ e.DstPort = 53
 ok, err = celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression)
 if err != nil {
diff --git a/pkg/rules/r0011-unexpected-egress-network-traffic/unexpected-egress-network-traffic.yaml b/pkg/rules/r0011-unexpected-egress-network-traffic/unexpected-egress-network-traffic.yaml
index bb1408f..502525c 100644
--- a/pkg/rules/r0011-unexpected-egress-network-traffic/unexpected-egress-network-traffic.yaml
+++ b/pkg/rules/r0011-unexpected-egress-network-traffic/unexpected-egress-network-traffic.yaml
@@ -12,11 +12,11 @@ spec:
 id: "R0011"
 description: "Detecting unexpected egress network traffic that is not whitelisted by application profile."
 expressions:
- message: "'Unexpected egress network communication to: ' + network.dst_endpoint.addr + ':' + string(dyn(network.port)) + ' using ' + network.proto + ' from: ' + network.k8s.container_name"
- unique_id: "network.dst_endpoint.addr + '_' + string(dyn(network.port)) + '_' + network.proto"
+ message: "'Unexpected egress network communication to: ' + event.dstAddr + ':' + string(event.dstPort) + ' using ' + event.proto + ' from: ' + event.containerName"
+ unique_id: "event.dstAddr + '_' + string(event.dstPort) + '_' + event.proto"
 rule_expression:
 - event_type: "network"
- expression: "network.pkt_type == 'OUTGOING' && !net.is_private_ip(network.dst_endpoint.addr) && !nn.was_address_in_egress(network.runtime.container_id, network.dst_endpoint.addr)"
+ expression: "event.pktType == 'OUTGOING' && !net.is_private_ip(event.dstAddr) && !nn.was_address_in_egress(event.containerId, event.dstAddr)"
 profile_dependency: 0
 severity: 5 # Medium
 support_policy: false
diff --git a/pkg/rules/r1000-exec-from-malicious-source/exec-from-malicious-source.yaml b/pkg/rules/r1000-exec-from-malicious-source/exec-from-malicious-source.yaml
index b14f716..06ea27e 100644
--- a/pkg/rules/r1000-exec-from-malicious-source/exec-from-malicious-source.yaml
+++ b/pkg/rules/r1000-exec-from-malicious-source/exec-from-malicious-source.yaml
@@ -12,14 +12,14 @@ spec:
 id: "R1000"
 description: "Detecting exec calls that are from malicious source like: /dev/shm"
 expressions:
- message: "'Execution from malicious source: ' + exec.exe_path + ' in directory ' + exec.cwd"
- unique_id: "exec.comm + '_' + exec.exe_path + '_' + exec.pcomm"
+ message: "'Execution from malicious source: ' + event.exepath + ' in directory ' + event.cwd"
+ unique_id: "event.comm + '_' + event.exepath + '_' + event.pcomm"
 rule_expression:
 - event_type: "exec"
 expression: >
- (exec.exe_path == '/dev/shm' || exec.exe_path.startsWith('/dev/shm/')) ||
- (exec.cwd == '/dev/shm' || exec.cwd.startsWith('/dev/shm/') ||
- (parse.get_exec_path(exec.args, exec.comm).startsWith('/dev/shm/')))
+ (event.exepath == '/dev/shm' || event.exepath.startsWith('/dev/shm/')) ||
+ (event.cwd == '/dev/shm' || event.cwd.startsWith('/dev/shm/') ||
+ (parse.get_exec_path(event.args, event.comm).startsWith('/dev/shm/')))
 profile_dependency: 2
 severity: 8
 support_policy: false
diff --git a/pkg/rules/r1000-exec-from-malicious-source/rule_test.go b/pkg/rules/r1000-exec-from-malicious-source/rule_test.go
index 0a40028..e3b4b54 100644
--- a/pkg/rules/r1000-exec-from-malicious-source/rule_test.go
+++ b/pkg/rules/r1000-exec-from-malicious-source/rule_test.go
@@ -5,8 +5,6 @@ import (
 "time"
 "github.com/goradd/maps"
- tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types"
- eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types"
 "github.com/kubescape/node-agent/pkg/config"
 "github.com/kubescape/node-agent/pkg/ebpf/events"
 "github.com/kubescape/node-agent/pkg/objectcache"
@@ -18,31 +16,19 @@ import (
 )
 // createTestExecEvent creates a test ExecEvent
-func createTestExecEvent(containerName, containerID, comm, exePath, cwd string, args []string) *events.ExecEvent {
- return &events.ExecEvent{
- Event: tracerexectype.Event{
- Event: eventtypes.Event{
- CommonData: eventtypes.CommonData{
- Runtime: eventtypes.BasicRuntimeMetadata{
- ContainerID: containerID,
- },
- K8s: eventtypes.K8sMetadata{
- BasicK8sMetadata: eventtypes.BasicK8sMetadata{
- ContainerName: containerName,
- },
- },
- },
- },
- Comm: comm,
- ExePath: exePath,
- Cwd: cwd,
- Args: args,
- Pid: 1234,
- Ppid: 123,
- Pcomm: "parent-process",
- Uid: 0,
- Gid: 0,
- },
+func createTestExecEvent(containerName, containerID, comm, exePath, cwd string, args []string) *utils.StructEvent {
+ return &utils.StructEvent{
+ Container: containerName,
+ ContainerID: containerID,
+ Comm: comm,
+ ExePath: exePath,
+ Cwd: cwd,
+ Args: args,
+ Pid: 1234,
+ Ppid: 123,
+ Pcomm: "parent-process",
+ Uid: 0,
+ Gid: 0,
 }
 }
@@ -55,7 +41,7 @@ func TestR1000ExecFromMaliciousSource(t *testing.T) {
 tests := []struct {
 name string
- event *events.ExecEvent
+ event *utils.StructEvent
 expectTrigger bool
 description string
 }{
diff --git a/pkg/rules/r1001-exec-binary-not-in-base-image/exec-binary-not-in-base-image.yaml b/pkg/rules/r1001-exec-binary-not-in-base-image/exec-binary-not-in-base-image.yaml
index 7540bb9..a9c4fb9 100644
--- a/pkg/rules/r1001-exec-binary-not-in-base-image/exec-binary-not-in-base-image.yaml
+++ b/pkg/rules/r1001-exec-binary-not-in-base-image/exec-binary-not-in-base-image.yaml
@@ -12,14 +12,14 @@ spec:
 id: "R1001"
 description: "Detecting exec calls of binaries that are not included in the base image"
 expressions:
- message: "'Process (' + exec.comm + ') was executed and is not part of the image'"
- unique_id: "exec.comm + '_' + exec.exe_path + '_' + exec.pcomm"
+ message: "'Process (' + event.comm + ') was executed and is not part of the image'"
+ unique_id: "event.comm + '_' + event.exepath + '_' + event.pcomm"
 rule_expression:
 - event_type: "exec"
 expression: >
- (exec.upper_layer == true ||
- exec.pupper_layer == true) &&
- !ap.was_executed(exec.runtime.container_id, parse.get_exec_path(exec.args, exec.comm))
+ (event.upperlayer == true ||
+ event.pupperlayer == true) &&
+ !ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm))
 profile_dependency: 1
 severity: 8
 support_policy: false
diff --git a/pkg/rules/r1001-exec-binary-not-in-base-image/rule_test.go b/pkg/rules/r1001-exec-binary-not-in-base-image/rule_test.go
index 672bb31..d551b7f 100644
--- a/pkg/rules/r1001-exec-binary-not-in-base-image/rule_test.go
+++ b/pkg/rules/r1001-exec-binary-not-in-base-image/rule_test.go
@@ -5,8 +5,6 @@ import (
 "time"
 "github.com/goradd/maps"
- tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types"
- eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types"
 "github.com/kubescape/node-agent/pkg/config"
 "github.com/kubescape/node-agent/pkg/ebpf/events"
 "github.com/kubescape/node-agent/pkg/objectcache"
@@ -19,33 +17,21 @@ import (
 )
 // createTestExecEvent creates a test ExecEvent
-func createTestExecEvent(containerName, containerID, comm, exePath, cwd string, args []string, upperLayer, pupperLayer bool) *events.ExecEvent {
- return &events.ExecEvent{
- Event: tracerexectype.Event{
- Event: eventtypes.Event{
- CommonData: eventtypes.CommonData{
- Runtime: eventtypes.BasicRuntimeMetadata{
- ContainerID: containerID,
- },
- K8s: eventtypes.K8sMetadata{
- BasicK8sMetadata: eventtypes.BasicK8sMetadata{
- ContainerName: containerName,
- },
- },
- },
- },
- Comm: comm,
- ExePath: exePath,
- Cwd: cwd,
- Args: args,
- Pid: 1234,
- Ppid: 123,
- Pcomm: "parent-process",
- Uid: 0,
- Gid: 0,
- UpperLayer: upperLayer,
- PupperLayer: pupperLayer,
- },
+func createTestExecEvent(containerName, containerID, comm, exePath, cwd string, args []string, upperLayer, pupperLayer bool) *utils.StructEvent {
+ return &utils.StructEvent{
+ Container: containerName,
+ ContainerID: containerID,
+ Comm: comm,
+ ExePath: exePath,
+ Cwd: cwd,
+ Args: args,
+ Pid: 1234,
+ Ppid: 123,
+ Pcomm: "parent-process",
+ Uid: 0,
+ Gid: 0,
+ UpperLayer: upperLayer,
+ PupperLayer: pupperLayer,
 }
 }
@@ -72,7 +58,7 @@ func TestR1001ExecBinaryNotInBaseImage(t *testing.T) {
 tests := []struct {
 name string
- event *events.ExecEvent
+ event *utils.StructEvent
 profile *v1beta1.ApplicationProfile
 expectTrigger bool
 description string
@@ -155,7 +141,7 @@ func TestR1001ExecBinaryNotInBaseImage(t *testing.T) {
 ContainerInfos: map[objectcache.ContainerType][]objectcache.ContainerInfo{
 objectcache.Container: {
 {
- Name: tt.event.Event.K8s.BasicK8sMetadata.ContainerName,
+ Name: tt.event.Container,
 },
 },
 },
@@ -278,7 +264,7 @@ func TestR1001UpperLayerVariants(t *testing.T) {
 ContainerInfos: map[objectcache.ContainerType][]objectcache.ContainerInfo{
 objectcache.Container: {
 {
- Name: event.Event.K8s.BasicK8sMetadata.ContainerName,
+ Name: event.Container,
 },
 },
 },
diff --git a/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml b/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml
index 12ca408..8c927e0 100644
--- a/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml
+++ b/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml
@@ -12,13 +12,13 @@ spec:
 id: "R1002"
 description: "Detecting Kernel Module Load."
 expressions:
- message: "'Kernel module load syscall (' + syscall.syscall_name + ') was called'"
- unique_id: "syscall.syscall_name"
+ message: "'Kernel module load syscall (' + event.syscallName + ') was called'"
+ unique_id: "event.syscallName"
 rule_expression:
 - event_type: "syscall"
 expression: >
- syscall.syscall_name == 'init_module' ||
- syscall.syscall_name == 'finit_module'
+ event.syscallName == 'init_module' ||
+ event.syscallName == 'finit_module'
 profile_dependency: 2
 severity: 10
 support_policy: false
diff --git a/pkg/rules/r1002-kernel-module-load/rule_test.go b/pkg/rules/r1002-kernel-module-load/rule_test.go
index ee7a864..ac9473f 100644
--- a/pkg/rules/r1002-kernel-module-load/rule_test.go
+++ b/pkg/rules/r1002-kernel-module-load/rule_test.go
@@ -11,30 +11,17 @@ import (
 objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1"
 celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel"
 "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache"
- "github.com/kubescape/node-agent/pkg/rulemanager/types"
 "github.com/kubescape/node-agent/pkg/utils"
 "github.com/kubescape/rulelibrary/pkg/common"
-
- eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types"
 )
 // createTestSyscallEvent creates a test SyscallEvent
-func createTestSyscallEvent(containerName, containerID, comm, syscallName string, pid uint32) *types.SyscallEvent {
- return &types.SyscallEvent{
- Event: eventtypes.Event{
- CommonData: eventtypes.CommonData{
- K8s: eventtypes.K8sMetadata{
- BasicK8sMetadata: eventtypes.BasicK8sMetadata{
- ContainerName: containerName,
- },
- },
- Runtime: eventtypes.BasicRuntimeMetadata{
- ContainerID: containerID,
- },
- },
- },
+func createTestSyscallEvent(containerName, containerID, comm, syscallName string, pid uint32) *utils.StructEvent {
+ return &utils.StructEvent{
+ Container: containerName,
+ ContainerID: containerID,
 Comm: comm,
- SyscallName: syscallName,
+ Syscall: syscallName,
 Pid: pid,
 }
 }
@@ -48,7 +35,7 @@ func TestR1002KernelModuleLoad(t *testing.T) {
 tests := []struct {
 name string
- event *types.SyscallEvent
+ event *utils.StructEvent
 expectTrigger bool
 description string
 }{
@@ -89,7 +76,7 @@ func TestR1002KernelModuleLoad(t *testing.T) {
 ContainerInfos: map[objectcache.ContainerType][]objectcache.ContainerInfo{
 objectcache.Container: {
 {
- Name: tt.event.Event.K8s.BasicK8sMetadata.ContainerName,
+ //Name: tt.event.Event.K8s.BasicK8sMetadata.ContainerName,
 },
 },
 },
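Review bot: The `+ //Name: tt.event.Event.K8s.BasicK8sMetadata.ContainerName,` line in the `@@ -89,7 +76,7 @@` hunk comments the field out instead of porting it, so the mock `ContainerInfo` is now built with an empty `Name`, whereas the equivalent hunks for r1001 in this same commit port it as `Name: tt.event.Container,`. With an empty name the object cache mock can no longer match the event's container by name; whether the rule still resolves its container info through `ContainerID` alone is not visible here, so the test may be passing for a different reason than before. Replace the commented line with `Name: tt.event.Container,` so the fixture stays consistent with the other test files, and drop the dead comment rather than leaving the old nested path in the source.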
@@ -130,7 +117,7 @@ func TestR1002KernelModuleLoad(t *testing.T) {
 if err != nil {
 t.Fatalf("Failed to evaluate message: %v", err)
 }
- expectedMessage := "Kernel module load syscall (" + tt.event.SyscallName + ") was called"
+ expectedMessage := "Kernel module load syscall (" + tt.event.Syscall + ") was called"
 if message != expectedMessage {
 t.Errorf("Message evaluation failed. Expected: %s, Got: %s", expectedMessage, message)
 }
@@ -140,7 +127,7 @@ func TestR1002KernelModuleLoad(t *testing.T) {
 if err != nil {
 t.Fatalf("Failed to evaluate unique ID: %v", err)
 }
- expectedUniqueID := tt.event.SyscallName
+ expectedUniqueID := tt.event.Syscall
 if uniqueID != expectedUniqueID {
 t.Errorf("Unique ID evaluation failed. Expected: %s, Got: %s", expectedUniqueID, uniqueID)
 }
diff --git a/pkg/rules/r1003-malicious-ssh-connection/malicious-ssh-connection.yaml b/pkg/rules/r1003-malicious-ssh-connection/malicious-ssh-connection.yaml
index 370e769..6df6945 100644
--- a/pkg/rules/r1003-malicious-ssh-connection/malicious-ssh-connection.yaml
+++ b/pkg/rules/r1003-malicious-ssh-connection/malicious-ssh-connection.yaml
@@ -12,11 +12,11 @@ spec:
 id: "R1003"
 description: "Detecting ssh connection to disallowed port"
 expressions:
- message: "'Malicious SSH connection attempt to ' + ssh.dst_ip + ':' + string(dyn(ssh.dst_port))"
- unique_id: "ssh.comm + '_' + ssh.dst_ip + '_' + string(dyn(ssh.dst_port))"
+ message: "'Malicious SSH connection attempt to ' + event.dstIp + ':' + string(dyn(event.dstPort))"
+ unique_id: "event.comm + '_' + event.dstIp + '_' + string(dyn(event.dstPort))"
 rule_expression:
 - event_type: "ssh"
- expression: "dyn(ssh.src_port) >= 32768 && dyn(ssh.src_port) <= 60999 && !(dyn(ssh.dst_port) in [22, 2022]) && !nn.was_address_in_egress(ssh.runtime.container_id, ssh.dst_ip)"
+ expression: "dyn(event.srcPort) >= 32768 && dyn(event.srcPort) <= 60999 && !(dyn(event.dstPort) in [22, 2022]) && !nn.was_address_in_egress(event.containerId, event.dstIp)"
 profile_dependency: 1
 severity: 5
 support_policy: false
diff --git a/pkg/rules/r1003-malicious-ssh-connection/rule_test.go b/pkg/rules/r1003-malicious-ssh-connection/rule_test.go
index 71e04ee..9b03953 100644
--- a/pkg/rules/r1003-malicious-ssh-connection/rule_test.go
+++ b/pkg/rules/r1003-malicious-ssh-connection/rule_test.go
@@ -5,16 +5,14 @@ import (
 "time"
 "github.com/goradd/maps"
- eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types"
 "github.com/kubescape/node-agent/pkg/config"
 "github.com/kubescape/node-agent/pkg/ebpf/events"
- tracersshtype "github.com/kubescape/node-agent/pkg/ebpf/gadgets/ssh/types"
 "github.com/kubescape/node-agent/pkg/objectcache"
 objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1"
 celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel"
 "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache"
 "github.com/kubescape/node-agent/pkg/utils"
- common "github.com/kubescape/rulelibrary/pkg/common"
+ "github.com/kubescape/rulelibrary/pkg/common"
 "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1"
 )
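Review bot: The rewritten R1003 expressions keep the `dyn(...)` wrapper on every port (`string(dyn(event.dstPort))`, `dyn(event.srcPort) >= 32768`) and address the peer as `event.dstIp`, while the R0011 hunk in this same commit uses a bare `string(event.dstPort)` and `event.dstAddr` for what looks like the same data. If the ssh gadget really exposes differently typed or named fields than the network gadget that is fine, but nothing in the rule files shows it; if the fields are the same, one of the two spellings will fail to compile or never match. A one-line comment above `expression:` naming the field contract this rule relies on, e.g. `# ssh gadget: srcPort/dstPort are dyn-typed and the peer address is dstIp (not dstAddr as in the network gadget)`, would make the divergence deliberate and checkable.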
@@ -26,30 +24,19 @@ func TestR1003MaliciousSSHConnection(t *testing.T) {
 }
 // Create a mock SSH event for outgoing connection to disallowed port
- e := &tracersshtype.Event{
- Event: eventtypes.Event{
- CommonData: eventtypes.CommonData{
- K8s: eventtypes.K8sMetadata{
- BasicK8sMetadata: eventtypes.BasicK8sMetadata{
- ContainerName: "test",
- PodName: "test-pod",
- Namespace: "test-namespace",
- },
- },
- Runtime: eventtypes.BasicRuntimeMetadata{
- ContainerID: "test-container",
- ContainerName: "test",
- },
- },
- },
- SrcIP: "192.168.1.100",
- DstIP: "1.1.1.1",
- SrcPort: 33333, // Ephemeral port
- DstPort: 1234, // Disallowed port
- Comm: "ssh",
- Pid: 1234,
- Uid: 1000,
- Gid: 1000,
+ e := &utils.StructEvent{
+ Container: "test",
+ ContainerID: "test-container",
+ Pod: "test-pod",
+ Namespace: "test-namespace",
+ SrcIP: "192.168.1.100",
+ DstIP: "1.1.1.1",
+ SrcPort: 33333, // Ephemeral port
+ DstPort: 1234, // Disallowed port
+ Comm: "ssh",
+ Pid: 1234,
+ Uid: 1000,
+ Gid: 1000,
 }
 objCache := &objectcachev1.RuleObjectCacheMock{
diff --git a/pkg/rules/r1004-exec-from-mount/exec-from-mount.yaml b/pkg/rules/r1004-exec-from-mount/exec-from-mount.yaml
index f5261ef..e3a9ecd 100644
--- a/pkg/rules/r1004-exec-from-mount/exec-from-mount.yaml
+++ b/pkg/rules/r1004-exec-from-mount/exec-from-mount.yaml
@@ -12,11 +12,11 @@ spec:
 id: "R1004"
 description: "Detecting exec calls from mounted paths."
 expressions:
- message: "'Process (' + exec.comm + ') was executed from a mounted path'"
- unique_id: "exec.comm + '_' + exec.exe_path"
+ message: "'Process (' + event.comm + ') was executed from a mounted path'"
+ unique_id: "event.comm + '_' + event.exepath + '_'"
 rule_expression:
 - event_type: "exec"
- expression: "!ap.was_executed(exec.runtime.container_id, parse.get_exec_path(exec.args, exec.comm)) && k8s.get_container_mount_paths(exec.k8s.namespace, exec.k8s.pod_name, exec.k8s.container_name).exists(mount, exec.exe_path.startsWith(mount) || parse.get_exec_path(exec.args, exec.comm).startsWith(mount))"
+ expression: "!ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm)) && k8s.get_container_mount_paths(event.namespace, event.podName, event.containerName).exists(mount, event.exepath.startsWith(mount) || parse.get_exec_path(event.args, event.comm).startsWith(mount))"
 profile_dependency: 1
 severity: 5
 support_policy: false
diff --git a/pkg/rules/r1004-exec-from-mount/rule_test.go b/pkg/rules/r1004-exec-from-mount/rule_test.go
index 9d9e391..74435dc 100644
--- a/pkg/rules/r1004-exec-from-mount/rule_test.go
+++ b/pkg/rules/r1004-exec-from-mount/rule_test.go
@@ -5,8 +5,6 @@ import (
 "time"
 "github.com/goradd/maps"
- tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types"
- eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types"
 "github.com/kubescape/node-agent/pkg/config"
 "github.com/kubescape/node-agent/pkg/ebpf/events"
 "github.com/kubescape/node-agent/pkg/objectcache"
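Review bot: The new `unique_id: "event.comm + '_' + event.exepath + '_'"` ends in a dangling separator with nothing after it, and the rule_test.go hunk that follows bakes that trailing underscore into the expected value (`"/var/test1/test_/var/test1/test_"`), which reads like an unfinished edit that was then made to pass rather than a chosen key. The sibling exec rules R1000, R1001 and R1005 in this same patch all use `event.comm + '_' + event.exepath + '_' + event.pcomm`. Either append `+ event.pcomm` here and update the test expectation to include the parent comm, which aligns the key with the siblings but makes dedup finer than before, or drop the stray `+ '_'` and restore the previous expectation, which preserves the old per-(comm, exe) behaviour; leaving the empty trailing segment does neither.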
@@ -14,7 +12,7 @@ import (
 celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel"
 "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache"
 "github.com/kubescape/node-agent/pkg/utils"
- common "github.com/kubescape/rulelibrary/pkg/common"
+ "github.com/kubescape/rulelibrary/pkg/common"
 "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1"
 corev1 "k8s.io/api/core/v1"
 )
@@ -26,30 +24,17 @@ func TestR1004ExecFromMount(t *testing.T) {
 }
 // Create a mock exec event
- e := &events.ExecEvent{
- Event: tracerexectype.Event{
- Event: eventtypes.Event{
- CommonData: eventtypes.CommonData{
- K8s: eventtypes.K8sMetadata{
- BasicK8sMetadata: eventtypes.BasicK8sMetadata{
- ContainerName: "test",
- PodName: "test-pod",
- Namespace: "test-namespace",
- },
- },
- Runtime: eventtypes.BasicRuntimeMetadata{
- ContainerID: "test-container",
- ContainerName: "test",
- },
- },
- },
- Comm: "/var/test1/test",
- ExePath: "/var/test1/test",
- Args: []string{"/var/test1/test", "arg1"},
- Pid: 1234,
- Uid: 1000,
- Gid: 1000,
- },
+ e := &utils.StructEvent{
+ Container: "test",
+ ContainerID: "test-container",
+ Pod: "test-pod",
+ Namespace: "test-namespace",
+ Comm: "/var/test1/test",
+ ExePath: "/var/test1/test",
+ Args: []string{"/var/test1/test", "arg1"},
+ Pid: 1234,
+ Uid: 1000,
+ Gid: 1000,
 }
 objCache := &objectcachev1.RuleObjectCacheMock{
@@ -146,7 +131,7 @@ func TestR1004ExecFromMount(t *testing.T) {
 if err != nil {
 t.Fatalf("Failed to evaluate unique id: %v", err)
 }
- if uniqueId != "/var/test1/test_/var/test1/test" {
+ if uniqueId != "/var/test1/test_/var/test1/test_" {
 t.Fatalf("Unique id evaluation failed, got: %s", uniqueId)
 }
diff --git a/pkg/rules/r1005-fileless-execution/fileless-execution.yaml b/pkg/rules/r1005-fileless-execution/fileless-execution.yaml
index 367c09f..b261e96 100644
--- a/pkg/rules/r1005-fileless-execution/fileless-execution.yaml
+++ b/pkg/rules/r1005-fileless-execution/fileless-execution.yaml
@@ -12,11 +12,11 @@ spec: id: "R1005" description: "Detecting Fileless Execution" expressions: - message: "'Fileless execution detected: exec call \"' + exec.comm + '\" is from a malicious source'" - unique_id: "exec.comm + '_' + exec.exe_path + '_' + exec.pcomm" + message: "'Fileless execution detected: exec call \"' + event.comm + '\" is from a malicious source'" + unique_id: "event.comm + '_' + event.exepath + '_' + event.pcomm" rule_expression: - event_type: "exec" - expression: "exec.exe_path.contains('memfd') || exec.exe_path.startsWith('/proc/self/fd') || exec.exe_path.matches('/proc/[0-9]+/fd/[0-9]+')" + expression: "event.exepath.contains('memfd') || event.exepath.startsWith('/proc/self/fd') || event.exepath.matches('/proc/[0-9]+/fd/[0-9]+')" profile_dependency: 2 severity: 8 support_policy: false diff --git a/pkg/rules/r1005-fileless-execution/rule_test.go b/pkg/rules/r1005-fileless-execution/rule_test.go index 7cf027b..846b328 100644 --- a/pkg/rules/r1005-fileless-execution/rule_test.go +++ b/pkg/rules/r1005-fileless-execution/rule_test.go @@ -5,8 +5,6 @@ import ( "time" "github.com/goradd/maps" - tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" @@ -14,7 +12,7 @@ import ( celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" ) func TestR1005FilelessExecution(t *testing.T) { 
@@ -24,31 +22,18 @@ func TestR1005FilelessExecution(t *testing.T) { } // Create a mock exec event for fileless execution via memfd - e := &events.ExecEvent{ - Event: tracerexectype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - PodName: "test-pod", - Namespace: "test-namespace", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test-container", - ContainerName: "test", - }, - }, - }, - Comm: "/memfd:test", - ExePath: "/memfd:test", - Pcomm: "/memfd:test", - Args: []string{"/memfd:test", "arg1"}, - Pid: 1234, - Uid: 1000, - Gid: 1000, - }, + e := &utils.StructEvent{ + Container: "test", + ContainerID: "test-container", + Pod: "test-pod", + Namespace: "test-namespace", + Comm: "/memfd:test", + ExePath: "/memfd:test", + Pcomm: "/memfd:test", + Args: []string{"/memfd:test", "arg1"}, + Pid: 1234, + Uid: 1000, + Gid: 1000, } objCache := &objectcachev1.RuleObjectCacheMock{ diff --git a/pkg/rules/r1006-unshare-syscall/rule_test.go b/pkg/rules/r1006-unshare-syscall/rule_test.go index ecf7521..5589d96 100644 --- a/pkg/rules/r1006-unshare-syscall/rule_test.go +++ b/pkg/rules/r1006-unshare-syscall/rule_test.go 
@@ -5,16 +5,14 @@ import ( "time" "github.com/goradd/maps" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1" celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" - "github.com/kubescape/node-agent/pkg/rulemanager/types" "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" ) @@ -25,21 +23,10 @@ func TestR1006UnshareSyscall(t *testing.T) { } // Create a syscall event for unshare - e := &types.SyscallEvent{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - Comm: "test", - SyscallName: "unshare", + e := &utils.StructEvent{ + Container: "test", + ContainerID: "test", + Syscall: "unshare", Pid: 1234, } @@ -125,7 +112,7 @@ func TestR1006UnshareSyscall(t *testing.T) { } // Test with different syscall - should not trigger - e.SyscallName = "open" + e.Syscall = "open" ok, err = celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression) if err != nil { diff --git a/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml b/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml index 0162840..476a260 100644 --- a/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml +++ b/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml 
@@ -12,11 +12,11 @@ spec: id: "R1006" description: "Detecting Unshare System Call usage, which can be used to escape container." expressions: - message: "'Unshare system call detected: ' + syscall.syscall_name + ' with PID ' + string(syscall.pid)" - unique_id: "syscall.syscall_name" + message: "'Unshare system call detected: ' + event.syscallName + ' with PID ' + string(event.pid)" + unique_id: "event.syscallName" rule_expression: - event_type: "syscall" - expression: "syscall.syscall_name == 'unshare' && !ap.was_syscall_used(syscall.runtime.container_id, syscall.syscall_name)" + expression: "event.syscallName == 'unshare' && !ap.was_syscall_used(event.containerId, event.syscallName)" profile_dependency: 2 severity: 5 support_policy: false diff --git a/pkg/rules/r1007-xmr-crypto-mining/rule_test.go b/pkg/rules/r1007-xmr-crypto-mining/rule_test.go index 1ec4a70..e81c3b5 100644 --- a/pkg/rules/r1007-xmr-crypto-mining/rule_test.go +++ b/pkg/rules/r1007-xmr-crypto-mining/rule_test.go @@ -5,16 +5,14 @@ import ( "time" "github.com/goradd/maps" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" - tracerrandomxtype "github.com/kubescape/node-agent/pkg/ebpf/gadgets/randomx/types" "github.com/kubescape/node-agent/pkg/objectcache" objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1" celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" ) func TestR1007XMRCryptoMining(t *testing.T) { 
@@ -24,29 +22,18 @@ func TestR1007XMRCryptoMining(t *testing.T) { } // Create a RandomX event for crypto mining detection - e := &tracerrandomxtype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - PodName: "test-pod", - Namespace: "test-namespace", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test-container", - ContainerName: "test", - }, - }, - }, - Comm: "xmrig", - ExePath: "/usr/bin/xmrig", - Pid: 1234, - Uid: 1000, - Gid: 1000, - PPid: 1, - UpperLayer: true, + e := &utils.StructEvent{ + Container: "test", + ContainerID: "test-container", + Pod: "test-pod", + Namespace: "test-namespace", + Comm: "xmrig", + ExePath: "/usr/bin/xmrig", + Pid: 1234, + Uid: 1000, + Gid: 1000, + Ppid: 1, + UpperLayer: true, } objCache := &objectcachev1.RuleObjectCacheMock{ diff --git a/pkg/rules/r1007-xmr-crypto-mining/xmr-crypto-mining.yaml b/pkg/rules/r1007-xmr-crypto-mining/xmr-crypto-mining.yaml index deb7fa4..8b584e9 100644 --- a/pkg/rules/r1007-xmr-crypto-mining/xmr-crypto-mining.yaml +++ b/pkg/rules/r1007-xmr-crypto-mining/xmr-crypto-mining.yaml @@ -12,8 +12,8 @@ spec: id: "R1007" description: "Detecting XMR Crypto Miners by randomx algorithm usage." expressions: - message: "'XMR Crypto Miner process: (' + randomx.exe_path + ') executed'" - unique_id: "randomx.exe_path + '_' + randomx.comm" + message: "'XMR Crypto Miner process: (' + event.exepath + ') executed'" + unique_id: "event.exepath + '_' + event.comm" rule_expression: - event_type: "randomx" expression: "true" diff --git a/pkg/rules/r1008-crypto-mining-domain-communication/crypto-mining-domain-communication.yaml b/pkg/rules/r1008-crypto-mining-domain-communication/crypto-mining-domain-communication.yaml index a0fb8a6..2f9c004 100644 --- a/pkg/rules/r1008-crypto-mining-domain-communication/crypto-mining-domain-communication.yaml 
+++ b/pkg/rules/r1008-crypto-mining-domain-communication/crypto-mining-domain-communication.yaml 
@@ -12,11 +12,11 @@ spec: id: "R1008" description: "Detecting Crypto miners communication by domain" expressions: - message: "'Communication with a known crypto mining domain: ' + dns.dns_name" - unique_id: "dns.dns_name + '_' + dns.comm" + message: "'Communication with a known crypto mining domain: ' + event.name" + unique_id: "event.name + '_' + event.comm" rule_expression: - event_type: "dns" - expression: "dns.dns_name in ['2cryptocalc.com.', '2miners.com.', 'antpool.com.', 'asia1.ethpool.org.', 'bohemianpool.com.', 'botbox.dev.', 'btm.antpool.com.', 'c3pool.com.', 'c4pool.org.', 'ca.minexmr.com.', 'cn.stratum.slushpool.com.', 'dash.antpool.com.', 'data.miningpoolstats.stream.', 'de.minexmr.com.', 'eth-ar.dwarfpool.com.', 'eth-asia.dwarfpool.com.', 'eth-asia1.nanopool.org.', 'eth-au.dwarfpool.com.', 'eth-au1.nanopool.org.', 'eth-br.dwarfpool.com.', 'eth-cn.dwarfpool.com.', 'eth-cn2.dwarfpool.com.', 'eth-eu.dwarfpool.com.', 'eth-eu1.nanopool.org.', 'eth-eu2.nanopool.org.', 'eth-hk.dwarfpool.com.', 'eth-jp1.nanopool.org.', 'eth-ru.dwarfpool.com.', 'eth-ru2.dwarfpool.com.', 'eth-sg.dwarfpool.com.', 'eth-us-east1.nanopool.org.', 'eth-us-west1.nanopool.org.', 'eth-us.dwarfpool.com.', 'eth-us2.dwarfpool.com.', 'eth.antpool.com.', 'eu.stratum.slushpool.com.', 'eu1.ethermine.org.', 'eu1.ethpool.org.', 'fastpool.xyz.', 'fr.minexmr.com.', 'kriptokyng.com.', 'mine.moneropool.com.', 'mine.xmrpool.net.', 'miningmadness.com.', 'monero.cedric-crispin.com.', 'monero.crypto-pool.fr.', 'monero.fairhash.org.', 'monero.hashvault.pro.', 'monero.herominers.com.', 'monerod.org.', 'monerohash.com.', 'moneroocean.stream.', 'monerop.com.', 'multi-pools.com.', 'p2pool.io.', 'pool.kryptex.com.', 'pool.minexmr.com.', 'pool.monero.hashvault.pro.', 'pool.rplant.xyz.', 'pool.supportxmr.com.', 'pool.xmr.pt.', 'prohashing.com.', 'rx.unmineable.com.', 'sg.minexmr.com.', 'sg.stratum.slushpool.com.', 'skypool.org.', 'solo-xmr.2miners.com.', 'ss.antpool.com.', 'stratum-btm.antpool.com.', 
'stratum-dash.antpool.com.', 'stratum-eth.antpool.com.', 'stratum-ltc.antpool.com.', 'stratum-xmc.antpool.com.', 'stratum-zec.antpool.com.', 'stratum.antpool.com.', 'supportxmr.com.', 'trustpool.cc.', 'us-east.stratum.slushpool.com.', 'us1.ethermine.org.', 'us1.ethpool.org.', 'us2.ethermine.org.', 'us2.ethpool.org.', 'web.xmrpool.eu.', 'www.domajorpool.com.', 'www.dxpool.com.', 'www.mining-dutch.nl.', 'xmc.antpool.com.', 'xmr-asia1.nanopool.org.', 'xmr-au1.nanopool.org.', 'xmr-eu1.nanopool.org.', 'xmr-eu2.nanopool.org.', 'xmr-jp1.nanopool.org.', 'xmr-us-east1.nanopool.org.', 'xmr-us-west1.nanopool.org.', 'xmr.2miners.com.', 'xmr.crypto-pool.fr.', 'xmr.gntl.uk.', 'xmr.nanopool.org.', 'xmr.pool-pay.com.', 'xmr.pool.minergate.com.', 'xmr.solopool.org.', 'xmr.volt-mine.com.', 'xmr.zeropool.io.', 'zec.antpool.com.', 'zergpool.com.', 'auto.c3pool.org.', 'us.monero.herominers.com.']" + expression: "event.name in ['2cryptocalc.com.', '2miners.com.', 'antpool.com.', 'asia1.ethpool.org.', 'bohemianpool.com.', 'botbox.dev.', 'btm.antpool.com.', 'c3pool.com.', 'c4pool.org.', 'ca.minexmr.com.', 'cn.stratum.slushpool.com.', 'dash.antpool.com.', 'data.miningpoolstats.stream.', 'de.minexmr.com.', 'eth-ar.dwarfpool.com.', 'eth-asia.dwarfpool.com.', 'eth-asia1.nanopool.org.', 'eth-au.dwarfpool.com.', 'eth-au1.nanopool.org.', 'eth-br.dwarfpool.com.', 'eth-cn.dwarfpool.com.', 'eth-cn2.dwarfpool.com.', 'eth-eu.dwarfpool.com.', 'eth-eu1.nanopool.org.', 'eth-eu2.nanopool.org.', 'eth-hk.dwarfpool.com.', 'eth-jp1.nanopool.org.', 'eth-ru.dwarfpool.com.', 'eth-ru2.dwarfpool.com.', 'eth-sg.dwarfpool.com.', 'eth-us-east1.nanopool.org.', 'eth-us-west1.nanopool.org.', 'eth-us.dwarfpool.com.', 'eth-us2.dwarfpool.com.', 'eth.antpool.com.', 'eu.stratum.slushpool.com.', 'eu1.ethermine.org.', 'eu1.ethpool.org.', 'fastpool.xyz.', 'fr.minexmr.com.', 'kriptokyng.com.', 'mine.moneropool.com.', 'mine.xmrpool.net.', 'miningmadness.com.', 'monero.cedric-crispin.com.', 'monero.crypto-pool.fr.', 
'monero.fairhash.org.', 'monero.hashvault.pro.', 'monero.herominers.com.', 'monerod.org.', 'monerohash.com.', 'moneroocean.stream.', 'monerop.com.', 'multi-pools.com.', 'p2pool.io.', 'pool.kryptex.com.', 'pool.minexmr.com.', 'pool.monero.hashvault.pro.', 'pool.rplant.xyz.', 'pool.supportxmr.com.', 'pool.xmr.pt.', 'prohashing.com.', 'rx.unmineable.com.', 'sg.minexmr.com.', 'sg.stratum.slushpool.com.', 'skypool.org.', 'solo-xmr.2miners.com.', 'ss.antpool.com.', 'stratum-btm.antpool.com.', 'stratum-dash.antpool.com.', 'stratum-eth.antpool.com.', 'stratum-ltc.antpool.com.', 'stratum-xmc.antpool.com.', 'stratum-zec.antpool.com.', 'stratum.antpool.com.', 'supportxmr.com.', 'trustpool.cc.', 'us-east.stratum.slushpool.com.', 'us1.ethermine.org.', 'us1.ethpool.org.', 'us2.ethermine.org.', 'us2.ethpool.org.', 'web.xmrpool.eu.', 'www.domajorpool.com.', 'www.dxpool.com.', 'www.mining-dutch.nl.', 'xmc.antpool.com.', 'xmr-asia1.nanopool.org.', 'xmr-au1.nanopool.org.', 'xmr-eu1.nanopool.org.', 'xmr-eu2.nanopool.org.', 'xmr-jp1.nanopool.org.', 'xmr-us-east1.nanopool.org.', 'xmr-us-west1.nanopool.org.', 'xmr.2miners.com.', 'xmr.crypto-pool.fr.', 'xmr.gntl.uk.', 'xmr.nanopool.org.', 'xmr.pool-pay.com.', 'xmr.pool.minergate.com.', 'xmr.solopool.org.', 'xmr.volt-mine.com.', 'xmr.zeropool.io.', 'zec.antpool.com.', 'zergpool.com.', 'auto.c3pool.org.', 'us.monero.herominers.com.']" profile_dependency: 2 severity: 10 support_policy: false diff --git a/pkg/rules/r1008-crypto-mining-domain-communication/rule_test.go b/pkg/rules/r1008-crypto-mining-domain-communication/rule_test.go index 7ec6c62..64b0779 100644 --- a/pkg/rules/r1008-crypto-mining-domain-communication/rule_test.go +++ b/pkg/rules/r1008-crypto-mining-domain-communication/rule_test.go 
@@ -5,8 +5,6 @@ import ( "time" "github.com/goradd/maps" - tracerdnstype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/dns/types" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" @@ -14,7 +12,7 @@ import ( celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" ) func TestR1008CryptoMiningDomainCommunication(t *testing.T) { @@ -24,31 +22,20 @@ func TestR1008CryptoMiningDomainCommunication(t *testing.T) { } // Create a DNS event for crypto mining domain communication - e := &tracerdnstype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - PodName: "test-pod", - Namespace: "test-namespace", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test-container", - ContainerName: "test", - }, - }, - }, - DNSName: "xmr.gntl.uk.", - Comm: "xmrig", - Exepath: "/usr/bin/xmrig", - Pid: 1234, - Uid: 1000, - Gid: 1000, - Ppid: 1, - Pcomm: "bash", - Cwd: "/tmp", + e := &utils.StructEvent{ + Container: "test", + ContainerID: "test-container", + Pod: "test-pod", + Namespace: "test-namespace", + DNSName: "xmr.gntl.uk.", + Comm: "xmrig", + ExePath: "/usr/bin/xmrig", + Pid: 1234, + Uid: 1000, + Gid: 1000, + Ppid: 1, + Pcomm: "bash", + Cwd: "/tmp", } objCache := &objectcachev1.RuleObjectCacheMock{ diff --git a/pkg/rules/r1009-crypto-mining-related-port/crypto-mining-related-port.yaml b/pkg/rules/r1009-crypto-mining-related-port/crypto-mining-related-port.yaml index b3c4540..7aa727c 100644 
--- a/pkg/rules/r1009-crypto-mining-related-port/crypto-mining-related-port.yaml +++ b/pkg/rules/r1009-crypto-mining-related-port/crypto-mining-related-port.yaml @@ -12,11 +12,11 @@ spec: id: "R1009" description: "Detecting Crypto Miners by suspicious port usage." expressions: - message: "'Detected crypto mining related port communication on port ' + string(dyn(network.port)) + ' to ' + network.dst_endpoint.addr + ' with protocol ' + network.proto" - unique_id: "network.comm + '_' + string(dyn(network.port))" + message: "'Detected crypto mining related port communication on port ' + string(event.dstPort) + ' to ' + event.dstAddr + ' with protocol ' + event.proto" + unique_id: "event.comm + '_' + string(event.dstPort)" rule_expression: - event_type: "network" - expression: "network.proto == 'TCP' && network.pkt_type == 'OUTGOING' && dyn(network.port) in [3333, 45700] && !nn.was_address_in_egress(network.runtime.container_id, network.dst_endpoint.addr)" + expression: "event.proto == 'TCP' && event.pktType == 'OUTGOING' && event.dstPort in [3333, 45700] && !nn.was_address_in_egress(event.containerId, event.dstAddr)" profile_dependency: 1 severity: 3 support_policy: false diff --git a/pkg/rules/r1009-crypto-mining-related-port/rule_test.go b/pkg/rules/r1009-crypto-mining-related-port/rule_test.go index d636718..9fe0661 100644 --- a/pkg/rules/r1009-crypto-mining-related-port/rule_test.go +++ b/pkg/rules/r1009-crypto-mining-related-port/rule_test.go @@ -5,7 +5,6 @@ import ( "time" "github.com/goradd/maps" - tracernetworktype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/network/types" eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" 
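Review bot: `string(event.dstPort)` and `event.dstPort in [3333, 45700]` drop the `dyn()` wrapper the old rule put around the port, so they now rely on the CEL adapter exposing `dstPort` as an `int`; if `StructEvent.DstPort` surfaces as a `uint` the list membership check fails at compile time rather than silently, so the test in the next hunk (which sets `DstPort: 3333`) should catch it, provided it goes through the CEL type checker and not only the evaluator. Separately, that test still populates `DstEndpoint: eventtypes.L3Endpoint{Addr: "1.1.1.1"}` while the rule now reads `event.dstAddr` for the `nn.was_address_in_egress` lookup; the mapping between the two is not visible here, and if it is missing the egress whitelist check would run against an empty address. A one-line comment on the `DstEndpoint` field in the test, `// exposed to CEL as event.dstAddr`, would document the dependency once it is confirmed.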
@@ -14,7 +13,7 @@ import ( celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" ) @@ -25,29 +24,18 @@ func TestR1009CryptoMiningRelatedPort(t *testing.T) { } // Create a network event for crypto mining port communication - e := &tracernetworktype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - PodName: "test-pod", - Namespace: "test-namespace", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test-container", - ContainerName: "test", - }, - }, - }, - Proto: "TCP", - PktType: "OUTGOING", - Port: 3333, - Comm: "xmrig", - Pid: 1234, - Uid: 1000, - Gid: 1000, + e := &utils.StructEvent{ + Container: "test", + ContainerID: "test-container", + Pod: "test-pod", + Namespace: "test-namespace", + Proto: "TCP", + PktType: "OUTGOING", + DstPort: 3333, + Comm: "xmrig", + Pid: 1234, + Uid: 1000, + Gid: 1000, DstEndpoint: eventtypes.L3Endpoint{ Addr: "1.1.1.1", }, @@ -113,7 +101,7 @@ func TestR1009CryptoMiningRelatedPort(t *testing.T) { } // Test with different crypto mining port - e.Port = 45700 + e.DstPort = 45700 e.Comm = "xmr-stak" e.DstEndpoint.Addr = "2.2.2.2" @@ -126,7 +114,7 @@ func TestR1009CryptoMiningRelatedPort(t *testing.T) { } // Test with non-crypto mining port - should not trigger - e.Port = 80 + e.DstPort = 80 e.Comm = "curl" e.DstEndpoint.Addr = "3.3.3.3" @@ -139,7 +127,7 @@ func TestR1009CryptoMiningRelatedPort(t *testing.T) { } // Test with UDP protocol - should not trigger - e.Port = 3333 + e.DstPort = 3333 e.Proto = "UDP" e.Comm = "xmrig" 
@@ -165,7 +153,7 @@ func TestR1009CryptoMiningRelatedPort(t *testing.T) { // Test with whitelisted address in network neighborhood e.PktType = "OUTGOING" - e.Port = 3333 + e.DstPort = 3333 e.DstEndpoint.Addr = "4.4.4.4" // Sleep for 1 millisecond to make sure the cache is expired diff --git a/pkg/rules/r1010-symlink-created-over-sensitive-file/rule_test.go b/pkg/rules/r1010-symlink-created-over-sensitive-file/rule_test.go index 139801e..ce7576e 100644 --- a/pkg/rules/r1010-symlink-created-over-sensitive-file/rule_test.go +++ b/pkg/rules/r1010-symlink-created-over-sensitive-file/rule_test.go @@ -5,16 +5,14 @@ import ( "time" "github.com/goradd/maps" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" - tracersymlinktype "github.com/kubescape/node-agent/pkg/ebpf/gadgets/symlink/types" "github.com/kubescape/node-agent/pkg/objectcache" objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1" celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" ) 
@@ -25,22 +23,12 @@ func TestR1010SymlinkCreatedOverSensitiveFile(t *testing.T) { } // Create a symlink event - e := &tracersymlinktype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - Comm: "test", - OldPath: "/etc/shadow", - NewPath: "/etc/abc", + e := &utils.StructEvent{ + Container: "test", + ContainerID: "test", + Comm: "test", + OldPath: "/etc/shadow", + NewPath: "/etc/abc", } objCache := &objectcachev1.RuleObjectCacheMock{ diff --git a/pkg/rules/r1010-symlink-created-over-sensitive-file/symlink-created-over-sensitive-file.yaml b/pkg/rules/r1010-symlink-created-over-sensitive-file/symlink-created-over-sensitive-file.yaml index 36896f0..c26d304 100644 --- a/pkg/rules/r1010-symlink-created-over-sensitive-file/symlink-created-over-sensitive-file.yaml +++ b/pkg/rules/r1010-symlink-created-over-sensitive-file/symlink-created-over-sensitive-file.yaml @@ -12,11 +12,11 @@ spec: id: "R1010" description: "Detects symlink creation over sensitive files" expressions: - message: "'Symlink created over sensitive file: ' + symlink.old_path + ' -> ' + symlink.new_path" - unique_id: "symlink.comm + '_' + symlink.old_path" + message: "'Symlink created over sensitive file: ' + event.oldPath + ' -> ' + event.newPath" + unique_id: "event.comm + '_' + event.oldPath" rule_expression: - event_type: "symlink" - expression: "(symlink.old_path.startsWith('/etc/shadow') || symlink.old_path.startsWith('/etc/sudoers')) && !ap.was_path_opened(symlink.runtime.container_id, symlink.old_path)" + expression: "(event.oldPath.startsWith('/etc/shadow') || event.oldPath.startsWith('/etc/sudoers')) && !ap.was_path_opened(event.containerId, event.oldPath)" profile_dependency: 1 severity: 5 support_policy: true 
diff --git a/pkg/rules/r1011-ld-preload-hook/ld-preload-hook.yaml b/pkg/rules/r1011-ld-preload-hook/ld-preload-hook.yaml index fc0b790..6232d42 100644 --- a/pkg/rules/r1011-ld-preload-hook/ld-preload-hook.yaml +++ b/pkg/rules/r1011-ld-preload-hook/ld-preload-hook.yaml @@ -12,13 +12,13 @@ spec: id: "R1011" description: "Detecting ld_preload hook techniques." expressions: - message: "event_type == 'exec' ? 'Process (' + exec.comm + ') is using a dynamic linker hook: ' + process.get_ld_hook_var(exec.pid) : 'The dynamic linker configuration file (' + open.full_path + ') was modified by process (' + open.comm + ')'" - unique_id: "event_type == 'exec' ? 'exec_' + exec.comm : 'open_' + open.full_path" + message: "event_type == 'exec' ? 'Process (' + event.comm + ') is using a dynamic linker hook: ' + process.get_ld_hook_var(event.pid) : 'The dynamic linker configuration file (' + event.fullPath + ') was modified by process (' + event.comm + ')'" + unique_id: "event_type == 'exec' ? 'exec_' + event.comm : 'open_' + event.fullPath" rule_expression: - event_type: "exec" - expression: "exec.comm != 'java' && exec.k8s.container_name != 'matlab' && process.get_ld_hook_var(exec.pid) != ''" + expression: "event.comm != 'java' && event.containerName != 'matlab' && process.get_ld_hook_var(event.pid) != ''" - event_type: "open" - expression: "open.full_path == '/etc/ld.so.preload' && has(open.flags_raw) && open.flags_raw != 0" + expression: "event.fullPath == '/etc/ld.so.preload' && has(event.flagsRaw) && event.flagsRaw != 0" profile_dependency: 1 severity: 5 support_policy: true diff --git a/pkg/rules/r1011-ld-preload-hook/rule_test.go b/pkg/rules/r1011-ld-preload-hook/rule_test.go index 1f802ec..e20f855 100644 --- a/pkg/rules/r1011-ld-preload-hook/rule_test.go +++ b/pkg/rules/r1011-ld-preload-hook/rule_test.go 
@@ -5,18 +5,15 @@ import ( "time" "github.com/goradd/maps" - tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" - traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" - events "github.com/kubescape/node-agent/pkg/ebpf/events" + "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1" "github.com/kubescape/node-agent/pkg/rulemanager" celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" ) @@ -52,26 +49,15 @@ func TestR1011LdPreloadHook(t *testing.T) { } // Test open event with ld.so.preload file opened with write flag - SHOULD TRIGGER - openEvent := &events.OpenEvent{ - Event: traceropentype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - Namespace: "default", - PodName: "test-pod", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - Comm: "test", - FullPath: "/etc/ld.so.preload", - FlagsRaw: 1, // Write flag - }, + openEvent := &utils.StructEvent{ + Container: "test", + ContainerID: "test", + Pod: "test-pod", + Namespace: "default", + Comm: "test", + FullPath: "/etc/ld.so.preload", + FlagsRaw: 1, // Write flag + EventType: utils.OpenEventType, } // Serialize open event 
@@ -113,25 +99,14 @@ func TestR1011LdPreloadHook(t *testing.T) { } // Test exec events - just verify expression compiles and returns false (can't mock PID) - execEvent := &events.ExecEvent{ - Event: tracerexectype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - Namespace: "default", - PodName: "test-pod", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - Comm: "java", - Pid: 1234, - }, + execEvent := &utils.StructEvent{ + Container: "test", + ContainerID: "test", + Pod: "test-pod", + Namespace: "default", + Comm: "java", + Pid: 1234, + EventType: utils.ExecveEventType, } enrichedEvent2 := &events.EnrichedEvent{ @@ -152,7 +127,7 @@ func TestR1011LdPreloadHook(t *testing.T) { // Test exec event with matlab container - should not trigger due to container check execEvent.Comm = "test-process" - execEvent.Event.CommonData.K8s.BasicK8sMetadata.ContainerName = "matlab" + execEvent.Container = "matlab" ok, err = celEngine.EvaluateRule(enrichedEvent2, ruleSpec.Rules[0].Expressions.RuleExpression) if err != nil { diff --git a/pkg/rules/r1012-hardlink-created-over-sensitive-file/hardlink-created-over-sensitive-file.yaml b/pkg/rules/r1012-hardlink-created-over-sensitive-file/hardlink-created-over-sensitive-file.yaml index e831bea..4219d07 100644 --- a/pkg/rules/r1012-hardlink-created-over-sensitive-file/hardlink-created-over-sensitive-file.yaml +++ b/pkg/rules/r1012-hardlink-created-over-sensitive-file/hardlink-created-over-sensitive-file.yaml 
@@ -12,11 +12,11 @@ spec: id: "R1012" description: "Detecting hardlink creation over sensitive files." expressions: - message: "'Hardlink created over sensitive file: ' + hardlink.old_path + ' - ' + hardlink.new_path" - unique_id: "hardlink.comm + '_' + hardlink.old_path" + message: "'Hardlink created over sensitive file: ' + event.oldPath + ' - ' + event.newPath" + unique_id: "event.comm + '_' + event.oldPath" rule_expression: - event_type: "hardlink" - expression: "(hardlink.old_path.startsWith('/etc/shadow') || hardlink.old_path.startsWith('/etc/sudoers')) && !ap.was_path_opened(hardlink.runtime.container_id, hardlink.old_path)" + expression: "(event.oldPath.startsWith('/etc/shadow') || event.oldPath.startsWith('/etc/sudoers')) && !ap.was_path_opened(event.containerId, event.oldPath)" profile_dependency: 1 severity: 5 support_policy: true diff --git a/pkg/rules/r1012-hardlink-created-over-sensitive-file/rule_test.go b/pkg/rules/r1012-hardlink-created-over-sensitive-file/rule_test.go index 9ae7388..2d21896 100644 --- a/pkg/rules/r1012-hardlink-created-over-sensitive-file/rule_test.go +++ b/pkg/rules/r1012-hardlink-created-over-sensitive-file/rule_test.go 
@@ -5,17 +5,15 @@ import ( "time" "github.com/goradd/maps" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" - tracerhardlinktype "github.com/kubescape/node-agent/pkg/ebpf/gadgets/hardlink/types" "github.com/kubescape/node-agent/pkg/objectcache" objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1" "github.com/kubescape/node-agent/pkg/rulemanager" celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" ) @@ -26,22 +24,12 @@ func TestR1012HardlinkCreatedOverSensitiveFile(t *testing.T) { } // Create a hardlink event - e := &tracerhardlinktype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - Comm: "test", - OldPath: "test", - NewPath: "test", + e := &utils.StructEvent{ + Container: "test", + ContainerID: "test", + Comm: "test", + OldPath: "test", + NewPath: "test", } objCache := &objectcachev1.RuleObjectCacheMock{ diff --git a/pkg/rules/r1015-malicious-ptrace-usage/malicious-ptrace-usage.yaml b/pkg/rules/r1015-malicious-ptrace-usage/malicious-ptrace-usage.yaml index f204a4e..1060fea 100644 --- a/pkg/rules/r1015-malicious-ptrace-usage/malicious-ptrace-usage.yaml +++ b/pkg/rules/r1015-malicious-ptrace-usage/malicious-ptrace-usage.yaml 
@@ -12,8 +12,8 @@ spec: id: "R1015" description: "Detecting potentially malicious ptrace usage." expressions: - message: "'Malicious ptrace usage detected from: ' + ptrace.comm" - unique_id: "ptrace.exe_path + '_' + ptrace.comm" + message: "'Malicious ptrace usage detected from: ' + event.comm" + unique_id: "event.exepath + '_' + event.comm" rule_expression: - event_type: "ptrace" expression: "true" diff --git a/pkg/rules/r1015-malicious-ptrace-usage/rule_test.go b/pkg/rules/r1015-malicious-ptrace-usage/rule_test.go index cb94062..ed9a85f 100644 --- a/pkg/rules/r1015-malicious-ptrace-usage/rule_test.go +++ b/pkg/rules/r1015-malicious-ptrace-usage/rule_test.go @@ -5,16 +5,14 @@ import ( "time" "github.com/goradd/maps" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" - tracerptracetype "github.com/kubescape/node-agent/pkg/ebpf/gadgets/ptrace/tracer/types" "github.com/kubescape/node-agent/pkg/objectcache" objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1" celengine "github.com/kubescape/node-agent/pkg/rulemanager/cel" "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache" "github.com/kubescape/node-agent/pkg/utils" - common "github.com/kubescape/rulelibrary/pkg/common" + "github.com/kubescape/rulelibrary/pkg/common" ) const ( 
@@ -31,26 +29,16 @@ func TestR1015MaliciousPtraceUsage(t *testing.T) { } // Create a ptrace event - e := &tracerptracetype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - Comm: "malicious_process", - Pid: 1234, - PPid: 5678, - Uid: 1000, - Gid: 1000, - ExePath: "/path/to/malicious_process", - Request: PTRACE_SETREGS, // Malicious ptrace request + e := &utils.StructEvent{ + Container: "test", + ContainerID: "test", + Comm: "malicious_process", + Pid: 1234, + Ppid: 5678, + Uid: 1000, + Gid: 1000, + ExePath: "/path/to/malicious_process", + PtraceRequest: PTRACE_SETREGS, // Malicious ptrace request } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -114,7 +102,7 @@ func TestR1015MaliciousPtraceUsage(t *testing.T) { } // Test with different ptrace request - e.Request = PTRACE_POKETEXT + e.PtraceRequest = PTRACE_POKETEXT ok, err = celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression) if err != nil { @@ -126,7 +114,7 @@ func TestR1015MaliciousPtraceUsage(t *testing.T) { // Test with different process e.Comm = "processA" - e.Request = PTRACE_POKEDATA + e.PtraceRequest = PTRACE_POKEDATA ok, err = celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression) if err != nil { diff --git a/pkg/rules/r1030-unexpected-io_uring-operation/rule_test.go b/pkg/rules/r1030-unexpected-io_uring-operation/rule_test.go index d4920b4..aca07a5 100644 --- a/pkg/rules/r1030-unexpected-io_uring-operation/rule_test.go +++ b/pkg/rules/r1030-unexpected-io_uring-operation/rule_test.go 
@@ -5,10 +5,8 @@ import ( "time" "github.com/goradd/maps" - eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/ebpf/events" - traceriouringtype "github.com/kubescape/node-agent/pkg/ebpf/gadgets/iouring/tracer/types" "github.com/kubescape/node-agent/pkg/objectcache" objectcachev1 "github.com/kubescape/node-agent/pkg/objectcache/v1" "github.com/kubescape/node-agent/pkg/rulemanager" @@ -26,24 +24,14 @@ func TestR1030UnexpectedIouringOperation(t *testing.T) { } // Create an io_uring event - e := &traceriouringtype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", - }, - }, - Runtime: eventtypes.BasicRuntimeMetadata{ - ContainerID: "test", - }, - }, - }, - Identifier: "test-process", - Opcode: 1, // IORING_OP_NOP - Flags: 0x0, - UserData: 123, - Comm: "test-process", + e := &utils.StructEvent{ + Container: "test", + ContainerID: "test", + Identifier: "test-process", + Opcode: 1, // IORING_OP_NOP + FlagsRaw: 0x0, + UserData: 123, + Comm: "test-process", } objCache := &objectcachev1.RuleObjectCacheMock{ diff --git a/pkg/rules/r1030-unexpected-io_uring-operation/unexpected-io_uring-operation.yaml b/pkg/rules/r1030-unexpected-io_uring-operation/unexpected-io_uring-operation.yaml index 853ca18..07f889d 100644 --- a/pkg/rules/r1030-unexpected-io_uring-operation/unexpected-io_uring-operation.yaml +++ b/pkg/rules/r1030-unexpected-io_uring-operation/unexpected-io_uring-operation.yaml 
@@ -12,8 +12,8 @@ spec: id: "R1030" description: "Detects io_uring operations that were not recorded during the initial observation period, indicating potential unauthorized activity." expressions: - message: "'Unexpected io_uring operation detected: (opcode=' + string(iouring.opcode) + ') flags=0x' + (has(iouring.flags) ? string(iouring.flags) : '0') + ' in ' + iouring.comm + '.'" - unique_id: "string(iouring.opcode) + '_' + iouring.comm" + message: "'Unexpected io_uring operation detected: (opcode=' + string(event.opcode) + ') flags=0x' + (has(event.flagsRaw) ? string(event.flagsRaw) : '0') + ' in ' + event.comm + '.'" + unique_id: "string(event.opcode) + '_' + event.comm" rule_expression: - event_type: "iouring" expression: "true" diff --git a/rules-crd.yaml b/rules-crd.yaml index d07e340..e3fbbe2 100644 --- a/rules-crd.yaml +++ b/rules-crd.yaml @@ -18,7 +18,7 @@ spec: unique_id: "exec.comm + '_' + exec.exe_path" rule_expression: - event_type: "exec" - expression: "!ap.was_executed(exec.runtime.container_id, parse.get_exec_path(exec.args, exec.comm))" + expression: "!ap.was_executed(exec.containerId, parse.get_exec_path(exec.args, exec.comm))" profile_dependency: 0 severity: 1 support_policy: false @@ -54,7 +54,7 @@ spec: open.full_path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') || open.full_path.startsWith('/tmp')) && - !ap.was_path_opened(open.runtime.container_id, open.full_path) + !ap.was_path_opened(open.containerId, open.full_path) profile_dependency: 0 severity: 1 support_policy: false @@ -72,7 +72,7 @@ spec: unique_id: "syscall.syscall_name" rule_expression: - event_type: "syscall" - expression: "!ap.was_syscall_used(syscall.runtime.container_id, syscall.syscall_name)" + expression: "!ap.was_syscall_used(syscall.containerId, syscall.syscall_name)" profile_dependency: 0 severity: 1 support_policy: false 
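Review bot: The rewritten `message` still prefixes `string(event.flagsRaw)` with `0x`, but CEL's `string()` on an integer renders it in decimal, so a raw flags value of 64 is reported as `flags=0x64`, which an analyst will read as 100. Either drop the prefix, `'flags=' + (has(event.flagsRaw) ? string(event.flagsRaw) : '0')`, or render the value in hex if the engine exposes a formatting function for it. The generated rules-crd.yaml inherits whichever text is chosen here.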
@@ -89,7 +89,7 @@ spec: unique_id: "capabilities.comm + '_' + capabilities.cap_name" rule_expression: - event_type: "capabilities" - expression: "!ap.was_capability_used(capabilities.runtime.container_id, capabilities.cap_name)" + expression: "!ap.was_capability_used(capabilities.containerId, capabilities.cap_name)" profile_dependency: 0 severity: 1 support_policy: false @@ -106,7 +106,7 @@ spec: unique_id: "dns.comm + '_' + dns.dns_name" rule_expression: - event_type: "dns" - expression: "!dns.dns_name.endsWith('.svc.cluster.local.') && !nn.is_domain_in_egress(dns.runtime.container_id, dns.dns_name)" + expression: "!dns.dns_name.endsWith('.svc.cluster.local.') && !nn.is_domain_in_egress(dns.containerId, dns.dns_name)" profile_dependency: 0 severity: 1 support_policy: false 
@@ -128,10 +128,10 @@ spec: (open.full_path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') && open.full_path.endsWith('/token')) || (open.full_path.startsWith('/run/secrets/eks.amazonaws.com/serviceaccount') && open.full_path.endsWith('/token')) || (open.full_path.startsWith('/var/run/secrets/eks.amazonaws.com/serviceaccount') && open.full_path.endsWith('/token'))) && - !ap.was_path_opened_with_prefix(open.runtime.container_id, '/run/secrets/kubernetes.io/serviceaccount') && - !ap.was_path_opened_with_prefix(open.runtime.container_id, '/var/run/secrets/kubernetes.io/serviceaccount') && - !ap.was_path_opened_with_prefix(open.runtime.container_id, '/run/secrets/eks.amazonaws.com/serviceaccount') && - !ap.was_path_opened_with_prefix(open.runtime.container_id, '/var/run/secrets/eks.amazonaws.com/serviceaccount') + !ap.was_path_opened_with_prefix(open.containerId, '/run/secrets/kubernetes.io/serviceaccount') && + !ap.was_path_opened_with_prefix(open.containerId, '/var/run/secrets/kubernetes.io/serviceaccount') && + !ap.was_path_opened_with_prefix(open.containerId, '/run/secrets/eks.amazonaws.com/serviceaccount') && + !ap.was_path_opened_with_prefix(open.containerId, '/var/run/secrets/eks.amazonaws.com/serviceaccount') profile_dependency: 1 severity: 5 support_policy: false 
@@ -148,9 +148,9 @@ spec: unique_id: "event_type == 'exec' ? 'exec_' + exec.comm : 'network_' + network.dst_endpoint.addr" rule_expression: - event_type: "exec" - expression: "(exec.comm == 'kubectl' || exec.exe_path.endsWith('/kubectl')) && !ap.was_executed(exec.runtime.container_id, parse.get_exec_path(exec.args, exec.comm))" + expression: "(exec.comm == 'kubectl' || exec.exe_path.endsWith('/kubectl')) && !ap.was_executed(exec.containerId, parse.get_exec_path(exec.args, exec.comm))" - event_type: "network" - expression: "network.pkt_type == 'OUTGOING' && k8s.is_api_server_address(network.dst_endpoint.addr) && !nn.was_address_in_egress(network.runtime.container_id, network.dst_endpoint.addr)" + expression: "network.pkt_type == 'OUTGOING' && k8s.is_api_server_address(network.dst_endpoint.addr) && !nn.was_address_in_egress(network.containerId, network.dst_endpoint.addr)" profile_dependency: 0 severity: 5 # Medium support_policy: false @@ -171,7 +171,7 @@ spec: expression: > open.full_path.startsWith('/proc/') && open.full_path.endsWith('/environ') && - !ap.was_path_opened_with_suffix(open.runtime.container_id, '/environ') + !ap.was_path_opened_with_suffix(open.containerId, '/environ') profile_dependency: 0 # Required severity: 5 # Medium support_policy: false @@ -189,7 +189,7 @@ spec: unique_id: "syscall.comm + '_' + syscall.syscall_name" rule_expression: - event_type: "syscall" - expression: "syscall.syscall_name == 'bpf' && !ap.was_syscall_used(syscall.runtime.container_id, syscall.syscall_name)" + expression: "syscall.syscall_name == 'bpf' && !ap.was_syscall_used(syscall.containerId, syscall.syscall_name)" profile_dependency: 1 severity: 5 support_policy: false 
@@ -206,7 +206,7 @@ spec: unique_id: "open.comm + '_' + open.full_path" rule_expression: - event_type: "open" - expression: "open.full_path.startsWith('/etc/shadow') && !ap.was_path_opened(open.runtime.container_id, open.full_path)" + expression: "open.full_path.startsWith('/etc/shadow') && !ap.was_path_opened(open.containerId, open.full_path)" profile_dependency: 1 severity: 5 support_policy: false @@ -223,7 +223,7 @@ spec: unique_id: "network.dst_endpoint.addr + '_' + string(dyn(network.port)) + '_' + network.proto" rule_expression: - event_type: "network" - expression: "network.pkt_type == 'OUTGOING' && !net.is_private_ip(network.dst_endpoint.addr) && !nn.was_address_in_egress(network.runtime.container_id, network.dst_endpoint.addr)" + expression: "network.pkt_type == 'OUTGOING' && !net.is_private_ip(network.dst_endpoint.addr) && !nn.was_address_in_egress(network.containerId, network.dst_endpoint.addr)" profile_dependency: 0 severity: 5 # Medium support_policy: false @@ -264,7 +264,7 @@ spec: expression: > (exec.upper_layer == true || exec.pupper_layer == true) && - !ap.was_executed(exec.runtime.container_id, parse.get_exec_path(exec.args, exec.comm)) + !ap.was_executed(exec.containerId, parse.get_exec_path(exec.args, exec.comm)) profile_dependency: 1 severity: 8 support_policy: false @@ -303,7 +303,7 @@ spec: unique_id: "ssh.comm + '_' + ssh.dst_ip + '_' + string(dyn(ssh.dst_port))" rule_expression: - event_type: "ssh" - expression: "dyn(ssh.src_port) >= 32768 && dyn(ssh.src_port) <= 60999 && !(dyn(ssh.dst_port) in [22, 2022]) && !nn.was_address_in_egress(ssh.runtime.container_id, ssh.dst_ip)" + expression: "dyn(ssh.src_port) >= 32768 && dyn(ssh.src_port) <= 60999 && !(dyn(ssh.dst_port) in [22, 2022]) && !nn.was_address_in_egress(ssh.containerId, ssh.dst_ip)" profile_dependency: 1 severity: 5 support_policy: false 
@@ -322,7 +322,7 @@ spec: unique_id: "exec.comm + '_' + exec.exe_path" rule_expression: - event_type: "exec" - expression: "!ap.was_executed(exec.runtime.container_id, parse.get_exec_path(exec.args, exec.comm)) && k8s.get_container_mount_paths(exec.k8s.namespace, exec.k8s.pod_name, exec.k8s.container_name).exists(mount, exec.exe_path.startsWith(mount) || parse.get_exec_path(exec.args, exec.comm).startsWith(mount))" + expression: "!ap.was_executed(exec.containerId, parse.get_exec_path(exec.args, exec.comm)) && k8s.get_container_mount_paths(exec.k8s.namespace, exec.k8s.pod_name, exec.k8s.container_name).exists(mount, exec.exe_path.startsWith(mount) || parse.get_exec_path(exec.args, exec.comm).startsWith(mount))" profile_dependency: 1 severity: 5 support_policy: false @@ -356,7 +356,7 @@ spec: unique_id: "syscall.syscall_name" rule_expression: - event_type: "syscall" - expression: "syscall.syscall_name == 'unshare' && !ap.was_syscall_used(syscall.runtime.container_id, syscall.syscall_name)" + expression: "syscall.syscall_name == 'unshare' && !ap.was_syscall_used(syscall.containerId, syscall.syscall_name)" profile_dependency: 2 severity: 5 support_policy: false @@ -411,7 +411,7 @@ spec: unique_id: "network.comm + '_' + string(dyn(network.port))" rule_expression: - event_type: "network" - expression: "network.proto == 'TCP' && network.pkt_type == 'OUTGOING' && dyn(network.port) in [3333, 45700] && !nn.was_address_in_egress(network.runtime.container_id, network.dst_endpoint.addr)" + expression: "network.proto == 'TCP' && network.pkt_type == 'OUTGOING' && dyn(network.port) in [3333, 45700] && !nn.was_address_in_egress(network.containerId, network.dst_endpoint.addr)" profile_dependency: 1 severity: 3 support_policy: false 
@@ -430,7 +430,7 @@ spec: unique_id: "symlink.comm + '_' + symlink.old_path" rule_expression: - event_type: "symlink" - expression: "(symlink.old_path.startsWith('/etc/shadow') || symlink.old_path.startsWith('/etc/sudoers')) && !ap.was_path_opened(symlink.runtime.container_id, symlink.old_path)" + expression: "(symlink.old_path.startsWith('/etc/shadow') || symlink.old_path.startsWith('/etc/sudoers')) && !ap.was_path_opened(symlink.containerId, symlink.old_path)" profile_dependency: 1 severity: 5 support_policy: true @@ -466,7 +466,7 @@ spec: unique_id: "hardlink.comm + '_' + hardlink.old_path" rule_expression: - event_type: "hardlink" - expression: "(hardlink.old_path.startsWith('/etc/shadow') || hardlink.old_path.startsWith('/etc/sudoers')) && !ap.was_path_opened(hardlink.runtime.container_id, hardlink.old_path)" + expression: "(hardlink.old_path.startsWith('/etc/shadow') || hardlink.old_path.startsWith('/etc/sudoers')) && !ap.was_path_opened(hardlink.containerId, hardlink.old_path)" profile_dependency: 1 severity: 5 support_policy: true From b7382e4a48950ea878309167853f0d096626a5fb Mon Sep 17 00:00:00 2001 From: Matthias Bertschy Date: Thu, 16 Oct 2025 11:20:04 +0200 Subject: [PATCH 02/11] remove full path from open events Signed-off-by: Matthias Bertschy --- go.mod | 2 +- go.sum | 4 +-- .../r0002-unexpected-file-access/rule_test.go | 1 - .../unexpected-file-access.yaml | 36 +++++++++---------- .../rule_test.go | 3 +- ...expected-service-account-token-access.yaml | 10 +++--- .../read-environment-variables-procfs.yaml | 8 ++--- .../rule_test.go | 5 ++- .../rule_test.go | 2 -- .../unexpected-sensitive-file-access.yaml | 6 ++-- .../ld-preload-hook.yaml | 6 ++-- pkg/rules/r1011-ld-preload-hook/rule_test.go | 6 ++-- 12 files changed, 42 insertions(+), 47 deletions(-) diff --git a/go.mod b/go.mod index 70c49ab..5a335d6 100644 --- a/go.mod +++ b/go.mod 
@@ -5,7 +5,7 @@ go 1.25.0 require ( github.com/goradd/maps v1.0.0 github.com/inspektor-gadget/inspektor-gadget v0.45.0 - github.com/kubescape/node-agent v0.2.387-0.20251016064604-515cf49dff50 + github.com/kubescape/node-agent v0.2.387-0.20251016091756-5b7b07f69bd3 github.com/kubescape/storage v0.0.221 github.com/stretchr/testify v1.11.1 gopkg.in/yaml.v3 v3.0.1 diff --git a/go.sum b/go.sum index 9caf425..c489ede 100644 --- a/go.sum +++ b/go.sum @@ -531,8 +531,8 @@ github.com/kubescape/go-logger v0.0.24 h1:JRNlblY16Ty7hD6MSYNPvWYDxNzVAufsDDX/sZ github.com/kubescape/go-logger v0.0.24/go.mod h1:sMPVCr3VpW/e+SeMaXig5kClGvmZbDXN8YktUeNU4nY= github.com/kubescape/k8s-interface v0.0.199 h1:D+YBL69q1Dc2idus6jwd/vQcNhRoNZ6tE0m5Miz7TSg= github.com/kubescape/k8s-interface v0.0.199/go.mod h1:j9snZbH+RxOaa1yG/bWgTClj90q7To0rGgQepxy4b+k= -github.com/kubescape/node-agent v0.2.387-0.20251016064604-515cf49dff50 h1:dkvBNXEyly5hBf2jofJmm+y+zjzKfihQ1kj3JanoCfI= -github.com/kubescape/node-agent v0.2.387-0.20251016064604-515cf49dff50/go.mod h1:HN5jZ99TL+DF3rt3JTn1X4NfcOtSMqGFntA1a7i60HI= +github.com/kubescape/node-agent v0.2.387-0.20251016091756-5b7b07f69bd3 h1:joW6U4769QIO9klMr2R9SdRcO9BS43xHMSORurh6dtU= +github.com/kubescape/node-agent v0.2.387-0.20251016091756-5b7b07f69bd3/go.mod h1:HN5jZ99TL+DF3rt3JTn1X4NfcOtSMqGFntA1a7i60HI= github.com/kubescape/storage v0.0.221 h1:HLWnNokkKgKo9ka/p797fFQdsbzKxSXT5/RpUWrKWzI= github.com/kubescape/storage v0.0.221/go.mod h1:L/fF3teor8cUj80TVujqy9E1rKsf+Dox2hZtkS1vjOU= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= diff --git a/pkg/rules/r0002-unexpected-file-access/rule_test.go b/pkg/rules/r0002-unexpected-file-access/rule_test.go index 31af0a1..75a6fab 100644 --- a/pkg/rules/r0002-unexpected-file-access/rule_test.go +++ b/pkg/rules/r0002-unexpected-file-access/rule_test.go 
@@ -29,7 +29,6 @@ func TestR0002UnexpectedFileAccess(t *testing.T) { Pid: 1234, Comm: "test", Path: "/etc/test", - FullPath: "/etc/test", Flags: []string{"O_RDONLY"}, } diff --git a/pkg/rules/r0002-unexpected-file-access/unexpected-file-access.yaml b/pkg/rules/r0002-unexpected-file-access/unexpected-file-access.yaml index f0f7db9..4ae0cbf 100644 --- a/pkg/rules/r0002-unexpected-file-access/unexpected-file-access.yaml +++ b/pkg/rules/r0002-unexpected-file-access/unexpected-file-access.yaml 
@@ -12,29 +12,29 @@ spec: id: "R0002" description: "Detects unexpected file access that is not in the baseline" expressions: - message: "'Unexpected file access detected: ' + event.comm + ' with PID ' + string(event.pid) + ' to ' + event.fullPath" - unique_id: "event.comm + '_' + event.fullPath" + message: "'Unexpected file access detected: ' + event.comm + ' with PID ' + string(event.pid) + ' to ' + event.path" + unique_id: "event.comm + '_' + event.path" rule_expression: - event_type: "open" expression: > - (event.fullPath.startsWith('/etc/') || - event.fullPath.startsWith('/var/log/') || - event.fullPath.startsWith('/var/run/') || - event.fullPath.startsWith('/run/') || - event.fullPath.startsWith('/var/spool/cron/') || - event.fullPath.startsWith('/var/www/') || - event.fullPath.startsWith('/var/lib/') || - event.fullPath.startsWith('/opt/') || - event.fullPath.startsWith('/usr/local/') || - event.fullPath.startsWith('/app/') || - event.fullPath == '/.dockerenv' || - event.fullPath == '/proc/self/environ') + (event.path.startsWith('/etc/') || + event.path.startsWith('/var/log/') || + event.path.startsWith('/var/run/') || + event.path.startsWith('/run/') || + event.path.startsWith('/var/spool/cron/') || + event.path.startsWith('/var/www/') || + event.path.startsWith('/var/lib/') || + event.path.startsWith('/opt/') || + event.path.startsWith('/usr/local/') || + event.path.startsWith('/app/') || + event.path == '/.dockerenv' || + event.path == '/proc/self/environ') && - !(event.fullPath.startsWith('/run/secrets/kubernetes.io/serviceaccount') || - event.fullPath.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') || - event.fullPath.startsWith('/tmp')) + !(event.path.startsWith('/run/secrets/kubernetes.io/serviceaccount') || + event.path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') || + event.path.startsWith('/tmp')) && - !ap.was_path_opened(event.containerId, event.fullPath) + !ap.was_path_opened(event.containerId, event.path) 
profile_dependency: 0 severity: 1 support_policy: false diff --git a/pkg/rules/r0006-unexpected-service-account-token-access/rule_test.go b/pkg/rules/r0006-unexpected-service-account-token-access/rule_test.go index 515bb37..c626749 100644 --- a/pkg/rules/r0006-unexpected-service-account-token-access/rule_test.go +++ b/pkg/rules/r0006-unexpected-service-account-token-access/rule_test.go @@ -23,7 +23,6 @@ func createTestEvent(containerName, containerID, path string, flags []string) *u ContainerID: containerID, Comm: "test-process", Path: path, - FullPath: path, Flags: flags, Pid: 1234, Uid: 0, @@ -192,7 +191,7 @@ func TestR0006UnexpectedServiceAccountTokenAccess(t *testing.T) { if err != nil { t.Fatalf("Failed to evaluate message: %v", err) } - expectedMessage := "Unexpected access to service account token: " + tt.event.FullPath + " with flags: " + tt.event.Flags[0] + expectedMessage := "Unexpected access to service account token: " + tt.event.Path + " with flags: " + tt.event.Flags[0] if message != expectedMessage { t.Errorf("Message evaluation failed. Expected: %s, Got: %s", expectedMessage, message) } diff --git a/pkg/rules/r0006-unexpected-service-account-token-access/unexpected-service-account-token-access.yaml b/pkg/rules/r0006-unexpected-service-account-token-access/unexpected-service-account-token-access.yaml index 68a5e99..afc72e6 100644 --- a/pkg/rules/r0006-unexpected-service-account-token-access/unexpected-service-account-token-access.yaml +++ b/pkg/rules/r0006-unexpected-service-account-token-access/unexpected-service-account-token-access.yaml 
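Review bot: Every prefix and equality test in this expression now runs on `event.path`, and nothing on the page states whether that field is an absolute, normalized path or the raw name passed to open/openat; if it is the latter, a relative name or a `..` component would not match `startsWith('/etc/')` or `== '/.dockerenv'`, and an access that `fullPath` matched before would no longer alert. The same dependency applies to the R0006, R0008, R0010 and R1011 expressions in this patch, which are prefix/suffix/equality checks on `event.path` too. A one-line comment above `rule_expression` stating the contract, e.g. `# event.path is expected to be the resolved absolute path; relative names are not normalized here`, or a sentence in the commit message on what `path` now carries, would make this reviewable. If the field turns out to be the raw syscall argument, resolving it once in the enrichment step is preferable to handling it in each rule.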
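Review bot: The rewritten `expectedMessage` concatenates `tt.event.Flags[0]`, while the rule's message uses `event.flags.join(',')`, so the assertion only holds for single-flag cases and indexes into an empty slice for any case that sets no flags. `expectedMessage := "Unexpected access to service account token: " + tt.event.Path + " with flags: " + strings.Join(tt.event.Flags, ",")` mirrors the rule exactly and is safe for both, provided `strings` is imported in this test file. The enclosing test function continues outside the hunk.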
@@ -12,15 +12,15 @@ spec: id: "R0006" description: "Detecting unexpected access to service account token." expressions: - message: "'Unexpected access to service account token: ' + event.fullPath + ' with flags: ' + event.flags.join(',')" + message: "'Unexpected access to service account token: ' + event.path + ' with flags: ' + event.flags.join(',')" unique_id: "event.comm" rule_expression: - event_type: "open" expression: > - ((event.fullPath.startsWith('/run/secrets/kubernetes.io/serviceaccount') && event.fullPath.endsWith('/token')) || - (event.fullPath.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') && event.fullPath.endsWith('/token')) || - (event.fullPath.startsWith('/run/secrets/eks.amazonaws.com/serviceaccount') && event.fullPath.endsWith('/token')) || - (event.fullPath.startsWith('/var/run/secrets/eks.amazonaws.com/serviceaccount') && event.fullPath.endsWith('/token'))) && + ((event.path.startsWith('/run/secrets/kubernetes.io/serviceaccount') && event.path.endsWith('/token')) || + (event.path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') && event.path.endsWith('/token')) || + (event.path.startsWith('/run/secrets/eks.amazonaws.com/serviceaccount') && event.path.endsWith('/token')) || + (event.path.startsWith('/var/run/secrets/eks.amazonaws.com/serviceaccount') && event.path.endsWith('/token'))) && !ap.was_path_opened_with_prefix(event.containerId, '/run/secrets/kubernetes.io/serviceaccount') && !ap.was_path_opened_with_prefix(event.containerId, '/var/run/secrets/kubernetes.io/serviceaccount') && !ap.was_path_opened_with_prefix(event.containerId, '/run/secrets/eks.amazonaws.com/serviceaccount') && diff --git a/pkg/rules/r0008-read-environment-variables-procfs/read-environment-variables-procfs.yaml b/pkg/rules/r0008-read-environment-variables-procfs/read-environment-variables-procfs.yaml index 56f073d..0e7a04f 100644 --- a/pkg/rules/r0008-read-environment-variables-procfs/read-environment-variables-procfs.yaml 
+++ b/pkg/rules/r0008-read-environment-variables-procfs/read-environment-variables-procfs.yaml @@ -12,13 +12,13 @@ spec: id: "R0008" description: "Detecting reading environment variables from procfs." expressions: - message: "'Reading environment variables from procfs: ' + event.fullPath + ' by process ' + event.comm" - unique_id: "event.comm + '_' + event.fullPath" + message: "'Reading environment variables from procfs: ' + event.path + ' by process ' + event.comm" + unique_id: "event.comm + '_' + event.path" rule_expression: - event_type: "open" expression: > - event.fullPath.startsWith('/proc/') && - event.fullPath.endsWith('/environ') && + event.path.startsWith('/proc/') && + event.path.endsWith('/environ') && !ap.was_path_opened_with_suffix(event.containerId, '/environ') profile_dependency: 0 # Required severity: 5 # Medium diff --git a/pkg/rules/r0008-read-environment-variables-procfs/rule_test.go b/pkg/rules/r0008-read-environment-variables-procfs/rule_test.go index 72979ac..90f360b 100644 --- a/pkg/rules/r0008-read-environment-variables-procfs/rule_test.go +++ b/pkg/rules/r0008-read-environment-variables-procfs/rule_test.go @@ -24,7 +24,6 @@ func createTestEvent(containerName, containerID, path string, flags []string) *u ContainerID: containerID, Comm: "test-process", Path: path, - FullPath: path, Flags: flags, Pid: 1234, Uid: 0, @@ -186,7 +185,7 @@ func TestR0008ReadEnvironmentVariablesProcFS(t *testing.T) { if err != nil { t.Fatalf("Failed to evaluate message: %v", err) } - expectedMessage := "Reading environment variables from procfs: " + tt.event.FullPath + " by process " + tt.event.Comm + expectedMessage := "Reading environment variables from procfs: " + tt.event.Path + " by process " + tt.event.Comm if message != expectedMessage { t.Errorf("Message evaluation failed. Expected: %s, Got: %s", expectedMessage, message) } 
@@ -196,7 +195,7 @@ func TestR0008ReadEnvironmentVariablesProcFS(t *testing.T) { if err != nil { t.Fatalf("Failed to evaluate unique ID: %v", err) } - expectedUniqueID := tt.event.Comm + "_" + tt.event.FullPath + expectedUniqueID := tt.event.Comm + "_" + tt.event.Path if uniqueID != expectedUniqueID { t.Errorf("Unique ID evaluation failed. Expected: %s, Got: %s", expectedUniqueID, uniqueID) } diff --git a/pkg/rules/r0010-unexpected-sensitive-file-access/rule_test.go b/pkg/rules/r0010-unexpected-sensitive-file-access/rule_test.go index 56f310b..54883c2 100644 --- a/pkg/rules/r0010-unexpected-sensitive-file-access/rule_test.go +++ b/pkg/rules/r0010-unexpected-sensitive-file-access/rule_test.go @@ -30,7 +30,6 @@ func TestR0010UnexpectedSensitiveFileAccess(t *testing.T) { Pid: 1234, Comm: "test-process", Path: "/etc/shadow", - FullPath: "/etc/shadow", Flags: []string{"O_RDONLY"}, } @@ -122,7 +121,6 @@ func TestR0010UnexpectedSensitiveFileAccess(t *testing.T) { // Test with non-sensitive file (should not trigger) e.Path = "/tmp/test.txt" - e.FullPath = "/tmp/test.txt" ok, err = celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression) if err != nil { diff --git a/pkg/rules/r0010-unexpected-sensitive-file-access/unexpected-sensitive-file-access.yaml b/pkg/rules/r0010-unexpected-sensitive-file-access/unexpected-sensitive-file-access.yaml index 7b03db3..b5b2535 100644 --- a/pkg/rules/r0010-unexpected-sensitive-file-access/unexpected-sensitive-file-access.yaml +++ b/pkg/rules/r0010-unexpected-sensitive-file-access/unexpected-sensitive-file-access.yaml 
@@ -12,11 +12,11 @@ spec: id: "R0010" description: "Detecting access to sensitive files." expressions: - message: "'Unexpected sensitive file access: ' + event.fullPath + ' by process ' + event.comm" - unique_id: "event.comm + '_' + event.fullPath" + message: "'Unexpected sensitive file access: ' + event.path + ' by process ' + event.comm" + unique_id: "event.comm + '_' + event.path" rule_expression: - event_type: "open" - expression: "event.fullPath.startsWith('/etc/shadow') && !ap.was_path_opened(event.containerId, event.fullPath)" + expression: "event.path.startsWith('/etc/shadow') && !ap.was_path_opened(event.containerId, event.path)" profile_dependency: 1 severity: 5 support_policy: false diff --git a/pkg/rules/r1011-ld-preload-hook/ld-preload-hook.yaml b/pkg/rules/r1011-ld-preload-hook/ld-preload-hook.yaml index 6232d42..e16cc5b 100644 --- a/pkg/rules/r1011-ld-preload-hook/ld-preload-hook.yaml +++ b/pkg/rules/r1011-ld-preload-hook/ld-preload-hook.yaml 
@@ -12,13 +12,13 @@ spec: id: "R1011" description: "Detecting ld_preload hook techniques." expressions: - message: "event_type == 'exec' ? 'Process (' + event.comm + ') is using a dynamic linker hook: ' + process.get_ld_hook_var(event.pid) : 'The dynamic linker configuration file (' + event.fullPath + ') was modified by process (' + event.comm + ')'" - unique_id: "event_type == 'exec' ? 'exec_' + event.comm : 'open_' + event.fullPath" + message: "event_type == 'exec' ? 'Process (' + event.comm + ') is using a dynamic linker hook: ' + process.get_ld_hook_var(event.pid) : 'The dynamic linker configuration file (' + event.path + ') was modified by process (' + event.comm + ')'" + unique_id: "event_type == 'exec' ? 'exec_' + event.comm : 'open_' + event.path" rule_expression: - event_type: "exec" expression: "event.comm != 'java' && event.containerName != 'matlab' && process.get_ld_hook_var(event.pid) != ''" - event_type: "open" - expression: "event.fullPath == '/etc/ld.so.preload' && has(event.flagsRaw) && event.flagsRaw != 0" + expression: "event.path == '/etc/ld.so.preload' && has(event.flagsRaw) && event.flagsRaw != 0" profile_dependency: 1 severity: 5 support_policy: true diff --git a/pkg/rules/r1011-ld-preload-hook/rule_test.go b/pkg/rules/r1011-ld-preload-hook/rule_test.go index e20f855..a8efc27 100644 --- a/pkg/rules/r1011-ld-preload-hook/rule_test.go +++ b/pkg/rules/r1011-ld-preload-hook/rule_test.go @@ -55,7 +55,7 @@ func TestR1011LdPreloadHook(t *testing.T) { Pod: "test-pod", Namespace: "default", Comm: "test", - FullPath: "/etc/ld.so.preload", + Path: "/etc/ld.so.preload", FlagsRaw: 1, // Write flag EventType: utils.OpenEventType, } @@ -87,7 +87,7 @@ func TestR1011LdPreloadHook(t *testing.T) { } // Test with different file - SHOULD NOT TRIGGER - openEvent.FullPath = "/etc/passwd" + openEvent.Path = "/etc/passwd" openEvent.FlagsRaw = 1 ok, err = celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression) 
@@ -155,7 +155,7 @@ func TestR1011LdPreloadHook(t *testing.T) { // Test policy validation with whitelisted process openEvent.Comm = "test" - openEvent.FullPath = "/etc/ld.so.preload" + openEvent.Path = "/etc/ld.so.preload" openEvent.FlagsRaw = 1 v := rulemanager.NewRulePolicyValidator(objCache) From 88e8608bddd7efe84a9a0741ae9f79b09e5321c5 Mon Sep 17 00:00:00 2001 From: Amit Schendel Date: Thu, 16 Oct 2025 11:21:25 +0000 Subject: [PATCH 03/11] Gen crd Signed-off-by: Amit Schendel --- rules-crd.yaml | 212 ++++++++++++++++++++++++------------------------- 1 file changed, 106 insertions(+), 106 deletions(-) diff --git a/rules-crd.yaml b/rules-crd.yaml index e3fbbe2..96ab530 100644 --- a/rules-crd.yaml +++ b/rules-crd.yaml @@ -14,11 +14,11 @@ spec: id: "R0001" description: "Detects unexpected process launches that are not in the baseline" expressions: - message: "'Unexpected process launched: ' + exec.comm + ' with PID ' + string(exec.pid)" - unique_id: "exec.comm + '_' + exec.exe_path" + message: "'Unexpected process launched: ' + event.comm + ' with PID ' + string(event.pid)" + unique_id: "event.comm + '_' + event.exepath" rule_expression: - event_type: "exec" - expression: "!ap.was_executed(exec.containerId, parse.get_exec_path(exec.args, exec.comm))" + expression: "!ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm))" profile_dependency: 0 severity: 1 support_policy: false 
@@ -32,29 +32,29 @@ spec: id: "R0002" description: "Detects unexpected file access that is not in the baseline" expressions: - message: "'Unexpected file access detected: ' + open.comm + ' with PID ' + string(open.pid) + ' to ' + open.full_path" - unique_id: "open.comm + '_' + open.full_path" + message: "'Unexpected file access detected: ' + event.comm + ' with PID ' + string(event.pid) + ' to ' + event.path" + unique_id: "event.comm + '_' + event.path" rule_expression: - event_type: "open" expression: > - (open.full_path.startsWith('/etc/') || - open.full_path.startsWith('/var/log/') || - open.full_path.startsWith('/var/run/') || - open.full_path.startsWith('/run/') || - open.full_path.startsWith('/var/spool/cron/') || - open.full_path.startsWith('/var/www/') || - open.full_path.startsWith('/var/lib/') || - open.full_path.startsWith('/opt/') || - open.full_path.startsWith('/usr/local/') || - open.full_path.startsWith('/app/') || - open.full_path == '/.dockerenv' || - open.full_path == '/proc/self/environ') + (event.path.startsWith('/etc/') || + event.path.startsWith('/var/log/') || + event.path.startsWith('/var/run/') || + event.path.startsWith('/run/') || + event.path.startsWith('/var/spool/cron/') || + event.path.startsWith('/var/www/') || + event.path.startsWith('/var/lib/') || + event.path.startsWith('/opt/') || + event.path.startsWith('/usr/local/') || + event.path.startsWith('/app/') || + event.path == '/.dockerenv' || + event.path == '/proc/self/environ') && - !(open.full_path.startsWith('/run/secrets/kubernetes.io/serviceaccount') || - open.full_path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') || - open.full_path.startsWith('/tmp')) + !(event.path.startsWith('/run/secrets/kubernetes.io/serviceaccount') || + event.path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') || + event.path.startsWith('/tmp')) && - !ap.was_path_opened(open.containerId, open.full_path) + !ap.was_path_opened(event.containerId, event.path) 
profile_dependency: 0 severity: 1 support_policy: false @@ -68,11 +68,11 @@ spec: id: "R0003" description: "Detects unexpected system calls that are not whitelisted by application profile" expressions: - message: "'Unexpected system call detected: ' + syscall.syscall_name + ' with PID ' + string(syscall.pid)" - unique_id: "syscall.syscall_name" + message: "'Unexpected system call detected: ' + event.syscallName + ' with PID ' + string(event.pid)" + unique_id: "event.syscallName" rule_expression: - event_type: "syscall" - expression: "!ap.was_syscall_used(syscall.containerId, syscall.syscall_name)" + expression: "!ap.was_syscall_used(event.containerId, event.syscallName)" profile_dependency: 0 severity: 1 support_policy: false @@ -85,11 +85,11 @@ spec: id: "R0004" description: "Detects unexpected capabilities that are not whitelisted by application profile" expressions: - message: "'Unexpected capability used: ' + capabilities.cap_name + ' in syscall ' + capabilities.syscall + ' with PID ' + string(capabilities.pid)" - unique_id: "capabilities.comm + '_' + capabilities.cap_name" + message: "'Unexpected capability used: ' + event.capName + ' in syscall ' + event.syscallName + ' with PID ' + string(event.pid)" + unique_id: "event.comm + '_' + event.capName" rule_expression: - event_type: "capabilities" - expression: "!ap.was_capability_used(capabilities.containerId, capabilities.cap_name)" + expression: "!ap.was_capability_used(event.containerId, event.capName)" profile_dependency: 0 severity: 1 support_policy: false 
@@ -102,11 +102,11 @@ spec: id: "R0005" description: "Detecting unexpected domain requests that are not whitelisted by application profile." expressions: - message: "'Unexpected domain communication: ' + dns.dns_name" - unique_id: "dns.comm + '_' + dns.dns_name" + message: "'Unexpected domain communication: ' + event.name + ' from: ' + event.containerName" + unique_id: "event.comm + '_' + event.name" rule_expression: - event_type: "dns" - expression: "!dns.dns_name.endsWith('.svc.cluster.local.') && !nn.is_domain_in_egress(dns.containerId, dns.dns_name)" + expression: "!event.name.endsWith('.svc.cluster.local.') && !nn.is_domain_in_egress(event.containerId, event.name)" profile_dependency: 0 severity: 1 support_policy: false 
@@ -119,19 +119,19 @@ spec: id: "R0006" description: "Detecting unexpected access to service account token." expressions: - message: "'Unexpected access to service account token: ' + open.full_path + ' with flags: ' + open.flags.join(',')" - unique_id: "open.comm" + message: "'Unexpected access to service account token: ' + event.path + ' with flags: ' + event.flags.join(',')" + unique_id: "event.comm" rule_expression: - event_type: "open" expression: > - ((open.full_path.startsWith('/run/secrets/kubernetes.io/serviceaccount') && open.full_path.endsWith('/token')) || - (open.full_path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') && open.full_path.endsWith('/token')) || - (open.full_path.startsWith('/run/secrets/eks.amazonaws.com/serviceaccount') && open.full_path.endsWith('/token')) || - (open.full_path.startsWith('/var/run/secrets/eks.amazonaws.com/serviceaccount') && open.full_path.endsWith('/token'))) && - !ap.was_path_opened_with_prefix(open.containerId, '/run/secrets/kubernetes.io/serviceaccount') && - !ap.was_path_opened_with_prefix(open.containerId, '/var/run/secrets/kubernetes.io/serviceaccount') && - !ap.was_path_opened_with_prefix(open.containerId, '/run/secrets/eks.amazonaws.com/serviceaccount') && - !ap.was_path_opened_with_prefix(open.containerId, '/var/run/secrets/eks.amazonaws.com/serviceaccount') + ((event.path.startsWith('/run/secrets/kubernetes.io/serviceaccount') && event.path.endsWith('/token')) || + (event.path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') && event.path.endsWith('/token')) || + (event.path.startsWith('/run/secrets/eks.amazonaws.com/serviceaccount') && event.path.endsWith('/token')) || + (event.path.startsWith('/var/run/secrets/eks.amazonaws.com/serviceaccount') && event.path.endsWith('/token'))) && + !ap.was_path_opened_with_prefix(event.containerId, '/run/secrets/kubernetes.io/serviceaccount') && + !ap.was_path_opened_with_prefix(event.containerId, '/var/run/secrets/kubernetes.io/serviceaccount') 
&& + !ap.was_path_opened_with_prefix(event.containerId, '/run/secrets/eks.amazonaws.com/serviceaccount') && + !ap.was_path_opened_with_prefix(event.containerId, '/var/run/secrets/eks.amazonaws.com/serviceaccount') profile_dependency: 1 severity: 5 support_policy: false @@ -144,13 +144,13 @@ spec: id: "R0007" description: "Detecting execution of kubernetes client" expressions: - message: "event_type == 'exec' ? 'Kubernetes client (' + exec.comm + ') was executed with PID ' + string(exec.pid) : 'Network connection to Kubernetes API server from container ' + network.k8s.container_name" - unique_id: "event_type == 'exec' ? 'exec_' + exec.comm : 'network_' + network.dst_endpoint.addr" + message: "event_type == 'exec' ? 'Kubernetes client (' + event.comm + ') was executed with PID ' + string(event.pid) : 'Network connection to Kubernetes API server from container ' + event.containerName" + unique_id: "event_type == 'exec' ? 'exec_' + event.comm : 'network_' + event.dstAddr" rule_expression: - event_type: "exec" - expression: "(exec.comm == 'kubectl' || exec.exe_path.endsWith('/kubectl')) && !ap.was_executed(exec.containerId, parse.get_exec_path(exec.args, exec.comm))" + expression: "(event.comm == 'kubectl' || event.exepath.endsWith('/kubectl')) && !ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm))" - event_type: "network" - expression: "network.pkt_type == 'OUTGOING' && k8s.is_api_server_address(network.dst_endpoint.addr) && !nn.was_address_in_egress(network.containerId, network.dst_endpoint.addr)" + expression: "event.pktType == 'OUTGOING' && k8s.is_api_server_address(event.dstAddr) && !nn.was_address_in_egress(event.containerId, event.dstAddr)" profile_dependency: 0 severity: 5 # Medium support_policy: false 
@@ -164,14 +164,14 @@ spec: id: "R0008" description: "Detecting reading environment variables from procfs." expressions: - message: "'Reading environment variables from procfs: ' + open.full_path + ' by process ' + open.comm" - unique_id: "open.comm" + message: "'Reading environment variables from procfs: ' + event.path + ' by process ' + event.comm" + unique_id: "event.comm + '_' + event.path" rule_expression: - event_type: "open" expression: > - open.full_path.startsWith('/proc/') && - open.full_path.endsWith('/environ') && - !ap.was_path_opened_with_suffix(open.containerId, '/environ') + event.path.startsWith('/proc/') && + event.path.endsWith('/environ') && + !ap.was_path_opened_with_suffix(event.containerId, '/environ') profile_dependency: 0 # Required severity: 5 # Medium support_policy: false @@ -185,11 +185,11 @@ spec: id: "R0009" description: "Detecting eBPF program load." expressions: - message: "'bpf system call executed in ' + syscall.k8s.container_name" - unique_id: "syscall.comm + '_' + syscall.syscall_name" + message: "'bpf system call executed in ' + event.containerName" + unique_id: "event.comm + '_' + event.syscallName" rule_expression: - event_type: "syscall" - expression: "syscall.syscall_name == 'bpf' && !ap.was_syscall_used(syscall.containerId, syscall.syscall_name)" + expression: "event.syscallName == 'bpf' && !ap.was_syscall_used(event.containerId, event.syscallName)" profile_dependency: 1 severity: 5 support_policy: false 
@@ -202,11 +202,11 @@ spec: id: "R0010" description: "Detecting access to sensitive files." expressions: - message: "'Unexpected sensitive file access: ' + open.full_path + ' by process ' + open.comm" - unique_id: "open.comm + '_' + open.full_path" + message: "'Unexpected sensitive file access: ' + event.path + ' by process ' + event.comm" + unique_id: "event.comm + '_' + event.path" rule_expression: - event_type: "open" - expression: "open.full_path.startsWith('/etc/shadow') && !ap.was_path_opened(open.containerId, open.full_path)" + expression: "event.path.startsWith('/etc/shadow') && !ap.was_path_opened(event.containerId, event.path)" profile_dependency: 1 severity: 5 support_policy: false @@ -219,11 +219,11 @@ spec: id: "R0011" description: "Detecting unexpected egress network traffic that is not whitelisted by application profile." expressions: - message: "'Unexpected egress network communication to: ' + network.dst_endpoint.addr + ':' + string(dyn(network.port)) + ' using ' + network.proto + ' from: ' + network.k8s.container_name" - unique_id: "network.dst_endpoint.addr + '_' + string(dyn(network.port)) + '_' + network.proto" + message: "'Unexpected egress network communication to: ' + event.dstAddr + ':' + string(event.dstPort) + ' using ' + event.proto + ' from: ' + event.containerName" + unique_id: "event.dstAddr + '_' + string(event.dstPort) + '_' + event.proto" rule_expression: - event_type: "network" - expression: "network.pkt_type == 'OUTGOING' && !net.is_private_ip(network.dst_endpoint.addr) && !nn.was_address_in_egress(network.containerId, network.dst_endpoint.addr)" + expression: "event.pktType == 'OUTGOING' && !net.is_private_ip(event.dstAddr) && !nn.was_address_in_egress(event.containerId, event.dstAddr)" profile_dependency: 0 severity: 5 # Medium support_policy: false 
@@ -237,14 +237,14 @@ spec: id: "R1000" description: "Detecting exec calls that are from malicious source like: /dev/shm" expressions: - message: "'Execution from malicious source: ' + exec.exe_path + ' in directory ' + exec.cwd" - unique_id: "exec.comm + '_' + exec.exe_path + '_' + exec.pcomm" + message: "'Execution from malicious source: ' + event.exepath + ' in directory ' + event.cwd" + unique_id: "event.comm + '_' + event.exepath + '_' + event.pcomm" rule_expression: - event_type: "exec" expression: > - (exec.exe_path == '/dev/shm' || exec.exe_path.startsWith('/dev/shm/')) || - (exec.cwd == '/dev/shm' || exec.cwd.startsWith('/dev/shm/') || - (parse.get_exec_path(exec.args, exec.comm).startsWith('/dev/shm/'))) + (event.exepath == '/dev/shm' || event.exepath.startsWith('/dev/shm/')) || + (event.cwd == '/dev/shm' || event.cwd.startsWith('/dev/shm/') || + (parse.get_exec_path(event.args, event.comm).startsWith('/dev/shm/'))) profile_dependency: 2 severity: 8 support_policy: false @@ -257,14 +257,14 @@ spec: id: "R1001" description: "Detecting exec calls of binaries that are not included in the base image" expressions: - message: "'Process (' + exec.comm + ') was executed and is not part of the image'" - unique_id: "exec.comm + '_' + exec.exe_path + '_' + exec.pcomm" + message: "'Process (' + event.comm + ') was executed and is not part of the image'" + unique_id: "event.comm + '_' + event.exepath + '_' + event.pcomm" rule_expression: - event_type: "exec" expression: > - (exec.upper_layer == true || - exec.pupper_layer == true) && - !ap.was_executed(exec.containerId, parse.get_exec_path(exec.args, exec.comm)) + (event.upperlayer == true || + event.pupperlayer == true) && + !ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm)) profile_dependency: 1 severity: 8 support_policy: false 
@@ -279,13 +279,13 @@ spec: id: "R1002" description: "Detecting Kernel Module Load." expressions: - message: "'Kernel module load syscall (' + syscall.syscall_name + ') was called'" - unique_id: "syscall.syscall_name" + message: "'Kernel module load syscall (' + event.syscallName + ') was called'" + unique_id: "event.syscallName" rule_expression: - event_type: "syscall" expression: > - syscall.syscall_name == 'init_module' || - syscall.syscall_name == 'finit_module' + event.syscallName == 'init_module' || + event.syscallName == 'finit_module' profile_dependency: 2 severity: 10 support_policy: false @@ -299,11 +299,11 @@ spec: id: "R1003" description: "Detecting ssh connection to disallowed port" expressions: - message: "'Malicious SSH connection attempt to ' + ssh.dst_ip + ':' + string(dyn(ssh.dst_port))" - unique_id: "ssh.comm + '_' + ssh.dst_ip + '_' + string(dyn(ssh.dst_port))" + message: "'Malicious SSH connection attempt to ' + event.dstIp + ':' + string(dyn(event.dstPort))" + unique_id: "event.comm + '_' + event.dstIp + '_' + string(dyn(event.dstPort))" rule_expression: - event_type: "ssh" - expression: "dyn(ssh.src_port) >= 32768 && dyn(ssh.src_port) <= 60999 && !(dyn(ssh.dst_port) in [22, 2022]) && !nn.was_address_in_egress(ssh.containerId, ssh.dst_ip)" + expression: "dyn(event.srcPort) >= 32768 && dyn(event.srcPort) <= 60999 && !(dyn(event.dstPort) in [22, 2022]) && !nn.was_address_in_egress(event.containerId, event.dstIp)" profile_dependency: 1 severity: 5 support_policy: false 
@@ -318,11 +318,11 @@ spec: id: "R1004" description: "Detecting exec calls from mounted paths." expressions: - message: "'Process (' + exec.comm + ') was executed from a mounted path'" - unique_id: "exec.comm + '_' + exec.exe_path" + message: "'Process (' + event.comm + ') was executed from a mounted path'" + unique_id: "event.comm + '_' + event.exepath + '_'" rule_expression: - event_type: "exec" - expression: "!ap.was_executed(exec.containerId, parse.get_exec_path(exec.args, exec.comm)) && k8s.get_container_mount_paths(exec.k8s.namespace, exec.k8s.pod_name, exec.k8s.container_name).exists(mount, exec.exe_path.startsWith(mount) || parse.get_exec_path(exec.args, exec.comm).startsWith(mount))" + expression: "!ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm)) && k8s.get_container_mount_paths(event.namespace, event.podName, event.containerName).exists(mount, event.exepath.startsWith(mount) || parse.get_exec_path(event.args, event.comm).startsWith(mount))" profile_dependency: 1 severity: 5 support_policy: false @@ -335,11 +335,11 @@ spec: id: "R1005" description: "Detecting Fileless Execution" expressions: - message: "'Fileless execution detected: exec call \"' + exec.comm + '\" is from a malicious source'" - unique_id: "exec.comm + '_' + exec.exe_path + '_' + exec.pcomm" + message: "'Fileless execution detected: exec call \"' + event.comm + '\" is from a malicious source'" + unique_id: "event.comm + '_' + event.exepath + '_' + event.pcomm" rule_expression: - event_type: "exec" - expression: "exec.exe_path.contains('memfd') || exec.exe_path.startsWith('/proc/self/fd') || exec.exe_path.matches('/proc/[0-9]+/fd/[0-9]+')" + expression: "event.exepath.contains('memfd') || event.exepath.startsWith('/proc/self/fd') || event.exepath.matches('/proc/[0-9]+/fd/[0-9]+')" profile_dependency: 2 severity: 8 support_policy: false 
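Review bot: The R1004 unique_id `event.comm + '_' + event.exepath + '_'` ends with a dangling `'_'`, where the R1000, R1001 and R1005 ids in the neighbouring hunks continue with `event.pcomm`; it reads like a truncated edit rather than an intended key. Since the commit subject suggests rules-crd.yaml is generated from the per-rule files, the fix belongs in exec-from-mount.yaml rather than here: either `unique_id: "event.comm + '_' + event.exepath + '_' + event.pcomm"` to match the sibling exec rules, or drop the trailing separator.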
@@ -352,11 +352,11 @@ spec: id: "R1006" description: "Detecting Unshare System Call usage, which can be used to escape container." expressions: - message: "'Unshare system call detected: ' + syscall.syscall_name + ' with PID ' + string(syscall.pid)" - unique_id: "syscall.syscall_name" + message: "'Unshare system call detected: ' + event.syscallName + ' with PID ' + string(event.pid)" + unique_id: "event.syscallName" rule_expression: - event_type: "syscall" - expression: "syscall.syscall_name == 'unshare' && !ap.was_syscall_used(syscall.containerId, syscall.syscall_name)" + expression: "event.syscallName == 'unshare' && !ap.was_syscall_used(event.containerId, event.syscallName)" profile_dependency: 2 severity: 5 support_policy: false @@ -371,8 +371,8 @@ spec: id: "R1007" description: "Detecting XMR Crypto Miners by randomx algorithm usage." expressions: - message: "'XMR Crypto Miner process: (' + randomx.exe_path + ') executed'" - unique_id: "randomx.exe_path + '_' + randomx.comm" + message: "'XMR Crypto Miner process: (' + event.exepath + ') executed'" + unique_id: "event.exepath + '_' + event.comm" rule_expression: - event_type: "randomx" expression: "true" 
@@ -388,11 +388,11 @@ spec: id: "R1008" description: "Detecting Crypto miners communication by domain" expressions: - message: "'Communication with a known crypto mining domain: ' + dns.dns_name" - unique_id: "dns.dns_name + '_' + dns.comm" + message: "'Communication with a known crypto mining domain: ' + event.name" + unique_id: "event.name + '_' + event.comm" rule_expression: - event_type: "dns" - expression: "dns.dns_name in ['2cryptocalc.com.', '2miners.com.', 'antpool.com.', 'asia1.ethpool.org.', 'bohemianpool.com.', 'botbox.dev.', 'btm.antpool.com.', 'c3pool.com.', 'c4pool.org.', 'ca.minexmr.com.', 'cn.stratum.slushpool.com.', 'dash.antpool.com.', 'data.miningpoolstats.stream.', 'de.minexmr.com.', 'eth-ar.dwarfpool.com.', 'eth-asia.dwarfpool.com.', 'eth-asia1.nanopool.org.', 'eth-au.dwarfpool.com.', 'eth-au1.nanopool.org.', 'eth-br.dwarfpool.com.', 'eth-cn.dwarfpool.com.', 'eth-cn2.dwarfpool.com.', 'eth-eu.dwarfpool.com.', 'eth-eu1.nanopool.org.', 'eth-eu2.nanopool.org.', 'eth-hk.dwarfpool.com.', 'eth-jp1.nanopool.org.', 'eth-ru.dwarfpool.com.', 'eth-ru2.dwarfpool.com.', 'eth-sg.dwarfpool.com.', 'eth-us-east1.nanopool.org.', 'eth-us-west1.nanopool.org.', 'eth-us.dwarfpool.com.', 'eth-us2.dwarfpool.com.', 'eth.antpool.com.', 'eu.stratum.slushpool.com.', 'eu1.ethermine.org.', 'eu1.ethpool.org.', 'fastpool.xyz.', 'fr.minexmr.com.', 'kriptokyng.com.', 'mine.moneropool.com.', 'mine.xmrpool.net.', 'miningmadness.com.', 'monero.cedric-crispin.com.', 'monero.crypto-pool.fr.', 'monero.fairhash.org.', 'monero.hashvault.pro.', 'monero.herominers.com.', 'monerod.org.', 'monerohash.com.', 'moneroocean.stream.', 'monerop.com.', 'multi-pools.com.', 'p2pool.io.', 'pool.kryptex.com.', 'pool.minexmr.com.', 'pool.monero.hashvault.pro.', 'pool.rplant.xyz.', 'pool.supportxmr.com.', 'pool.xmr.pt.', 'prohashing.com.', 'rx.unmineable.com.', 'sg.minexmr.com.', 'sg.stratum.slushpool.com.', 'skypool.org.', 'solo-xmr.2miners.com.', 'ss.antpool.com.', 'stratum-btm.antpool.com.', 
'stratum-dash.antpool.com.', 'stratum-eth.antpool.com.', 'stratum-ltc.antpool.com.', 'stratum-xmc.antpool.com.', 'stratum-zec.antpool.com.', 'stratum.antpool.com.', 'supportxmr.com.', 'trustpool.cc.', 'us-east.stratum.slushpool.com.', 'us1.ethermine.org.', 'us1.ethpool.org.', 'us2.ethermine.org.', 'us2.ethpool.org.', 'web.xmrpool.eu.', 'www.domajorpool.com.', 'www.dxpool.com.', 'www.mining-dutch.nl.', 'xmc.antpool.com.', 'xmr-asia1.nanopool.org.', 'xmr-au1.nanopool.org.', 'xmr-eu1.nanopool.org.', 'xmr-eu2.nanopool.org.', 'xmr-jp1.nanopool.org.', 'xmr-us-east1.nanopool.org.', 'xmr-us-west1.nanopool.org.', 'xmr.2miners.com.', 'xmr.crypto-pool.fr.', 'xmr.gntl.uk.', 'xmr.nanopool.org.', 'xmr.pool-pay.com.', 'xmr.pool.minergate.com.', 'xmr.solopool.org.', 'xmr.volt-mine.com.', 'xmr.zeropool.io.', 'zec.antpool.com.', 'zergpool.com.', 'auto.c3pool.org.', 'us.monero.herominers.com.']" + expression: "event.name in ['2cryptocalc.com.', '2miners.com.', 'antpool.com.', 'asia1.ethpool.org.', 'bohemianpool.com.', 'botbox.dev.', 'btm.antpool.com.', 'c3pool.com.', 'c4pool.org.', 'ca.minexmr.com.', 'cn.stratum.slushpool.com.', 'dash.antpool.com.', 'data.miningpoolstats.stream.', 'de.minexmr.com.', 'eth-ar.dwarfpool.com.', 'eth-asia.dwarfpool.com.', 'eth-asia1.nanopool.org.', 'eth-au.dwarfpool.com.', 'eth-au1.nanopool.org.', 'eth-br.dwarfpool.com.', 'eth-cn.dwarfpool.com.', 'eth-cn2.dwarfpool.com.', 'eth-eu.dwarfpool.com.', 'eth-eu1.nanopool.org.', 'eth-eu2.nanopool.org.', 'eth-hk.dwarfpool.com.', 'eth-jp1.nanopool.org.', 'eth-ru.dwarfpool.com.', 'eth-ru2.dwarfpool.com.', 'eth-sg.dwarfpool.com.', 'eth-us-east1.nanopool.org.', 'eth-us-west1.nanopool.org.', 'eth-us.dwarfpool.com.', 'eth-us2.dwarfpool.com.', 'eth.antpool.com.', 'eu.stratum.slushpool.com.', 'eu1.ethermine.org.', 'eu1.ethpool.org.', 'fastpool.xyz.', 'fr.minexmr.com.', 'kriptokyng.com.', 'mine.moneropool.com.', 'mine.xmrpool.net.', 'miningmadness.com.', 'monero.cedric-crispin.com.', 'monero.crypto-pool.fr.', 
'monero.fairhash.org.', 'monero.hashvault.pro.', 'monero.herominers.com.', 'monerod.org.', 'monerohash.com.', 'moneroocean.stream.', 'monerop.com.', 'multi-pools.com.', 'p2pool.io.', 'pool.kryptex.com.', 'pool.minexmr.com.', 'pool.monero.hashvault.pro.', 'pool.rplant.xyz.', 'pool.supportxmr.com.', 'pool.xmr.pt.', 'prohashing.com.', 'rx.unmineable.com.', 'sg.minexmr.com.', 'sg.stratum.slushpool.com.', 'skypool.org.', 'solo-xmr.2miners.com.', 'ss.antpool.com.', 'stratum-btm.antpool.com.', 'stratum-dash.antpool.com.', 'stratum-eth.antpool.com.', 'stratum-ltc.antpool.com.', 'stratum-xmc.antpool.com.', 'stratum-zec.antpool.com.', 'stratum.antpool.com.', 'supportxmr.com.', 'trustpool.cc.', 'us-east.stratum.slushpool.com.', 'us1.ethermine.org.', 'us1.ethpool.org.', 'us2.ethermine.org.', 'us2.ethpool.org.', 'web.xmrpool.eu.', 'www.domajorpool.com.', 'www.dxpool.com.', 'www.mining-dutch.nl.', 'xmc.antpool.com.', 'xmr-asia1.nanopool.org.', 'xmr-au1.nanopool.org.', 'xmr-eu1.nanopool.org.', 'xmr-eu2.nanopool.org.', 'xmr-jp1.nanopool.org.', 'xmr-us-east1.nanopool.org.', 'xmr-us-west1.nanopool.org.', 'xmr.2miners.com.', 'xmr.crypto-pool.fr.', 'xmr.gntl.uk.', 'xmr.nanopool.org.', 'xmr.pool-pay.com.', 'xmr.pool.minergate.com.', 'xmr.solopool.org.', 'xmr.volt-mine.com.', 'xmr.zeropool.io.', 'zec.antpool.com.', 'zergpool.com.', 'auto.c3pool.org.', 'us.monero.herominers.com.']" profile_dependency: 2 severity: 10 support_policy: false 
@@ -407,11 +407,11 @@ spec: id: "R1009" description: "Detecting Crypto Miners by suspicious port usage." expressions: - message: "'Detected crypto mining related port communication on port ' + string(dyn(network.port)) + ' to ' + network.dst_endpoint.addr + ' with protocol ' + network.proto" - unique_id: "network.comm + '_' + string(dyn(network.port))" + message: "'Detected crypto mining related port communication on port ' + string(event.dstPort) + ' to ' + event.dstAddr + ' with protocol ' + event.proto" + unique_id: "event.comm + '_' + string(event.dstPort)" rule_expression: - event_type: "network" - expression: "network.proto == 'TCP' && network.pkt_type == 'OUTGOING' && dyn(network.port) in [3333, 45700] && !nn.was_address_in_egress(network.containerId, network.dst_endpoint.addr)" + expression: "event.proto == 'TCP' && event.pktType == 'OUTGOING' && event.dstPort in [3333, 45700] && !nn.was_address_in_egress(event.containerId, event.dstAddr)" profile_dependency: 1 severity: 3 support_policy: false @@ -426,11 +426,11 @@ spec: id: "R1010" description: "Detects symlink creation over sensitive files" expressions: - message: "'Symlink created over sensitive file: ' + symlink.old_path + ' -> ' + symlink.new_path" - unique_id: "symlink.comm + '_' + symlink.old_path" + message: "'Symlink created over sensitive file: ' + event.oldPath + ' -> ' + event.newPath" + unique_id: "event.comm + '_' + event.oldPath" rule_expression: - event_type: "symlink" - expression: "(symlink.old_path.startsWith('/etc/shadow') || symlink.old_path.startsWith('/etc/sudoers')) && !ap.was_path_opened(symlink.containerId, symlink.old_path)" + expression: "(event.oldPath.startsWith('/etc/shadow') || event.oldPath.startsWith('/etc/sudoers')) && !ap.was_path_opened(event.containerId, event.oldPath)" profile_dependency: 1 severity: 5 support_policy: true 
@@ -443,13 +443,13 @@ spec: id: "R1011" description: "Detecting ld_preload hook techniques." expressions: - message: "event_type == 'exec' ? 'Process (' + exec.comm + ') is using a dynamic linker hook: ' + process.get_ld_hook_var(exec.pid) : 'The dynamic linker configuration file (' + open.full_path + ') was modified by process (' + open.comm + ')'" - unique_id: "event_type == 'exec' ? 'exec_' + exec.comm : 'open_' + open.full_path" + message: "event_type == 'exec' ? 'Process (' + event.comm + ') is using a dynamic linker hook: ' + process.get_ld_hook_var(event.pid) : 'The dynamic linker configuration file (' + event.path + ') was modified by process (' + event.comm + ')'" + unique_id: "event_type == 'exec' ? 'exec_' + event.comm : 'open_' + event.path" rule_expression: - event_type: "exec" - expression: "exec.comm != 'java' && exec.k8s.container_name != 'matlab' && process.get_ld_hook_var(exec.pid) != ''" + expression: "event.comm != 'java' && event.containerName != 'matlab' && process.get_ld_hook_var(event.pid) != ''" - event_type: "open" - expression: "open.full_path == '/etc/ld.so.preload' && has(open.flags_raw) && open.flags_raw != 0" + expression: "event.path == '/etc/ld.so.preload' && has(event.flagsRaw) && event.flagsRaw != 0" profile_dependency: 1 severity: 5 support_policy: true 
@@ -462,11 +462,11 @@ spec: id: "R1012" description: "Detecting hardlink creation over sensitive files." expressions: - message: "'Hardlink created over sensitive file: ' + hardlink.old_path + ' - ' + hardlink.new_path" - unique_id: "hardlink.comm + '_' + hardlink.old_path" + message: "'Hardlink created over sensitive file: ' + event.oldPath + ' - ' + event.newPath" + unique_id: "event.comm + '_' + event.oldPath" rule_expression: - event_type: "hardlink" - expression: "(hardlink.old_path.startsWith('/etc/shadow') || hardlink.old_path.startsWith('/etc/sudoers')) && !ap.was_path_opened(hardlink.containerId, hardlink.old_path)" + expression: "(event.oldPath.startsWith('/etc/shadow') || event.oldPath.startsWith('/etc/sudoers')) && !ap.was_path_opened(event.containerId, event.oldPath)" profile_dependency: 1 severity: 5 support_policy: true @@ -479,8 +479,8 @@ spec: id: "R1015" description: "Detecting potentially malicious ptrace usage." expressions: - message: "'Malicious ptrace usage detected from: ' + ptrace.comm" - unique_id: "ptrace.exe_path + '_' + ptrace.comm" + message: "'Malicious ptrace usage detected from: ' + event.comm" + unique_id: "event.exepath + '_' + event.comm" rule_expression: - event_type: "ptrace" expression: "true" @@ -495,8 +495,8 @@ spec: id: "R1030" description: "Detects io_uring operations that were not recorded during the initial observation period, indicating potential unauthorized activity." expressions: - message: "'Unexpected io_uring operation detected: (opcode=' + string(iouring.opcode) + ') flags=0x' + (has(iouring.flags) ? string(iouring.flags) : '0') + ' in ' + iouring.comm + '.'" - unique_id: "string(iouring.opcode) + '_' + iouring.comm" + message: "'Unexpected io_uring operation detected: (opcode=' + string(event.opcode) + ') flags=0x' + (has(event.flagsRaw) ? string(event.flagsRaw) : '0') + ' in ' + event.comm + '.'" + unique_id: "string(event.opcode) + '_' + event.comm" rule_expression: - event_type: "iouring" expression: "true" 
From 7cf4b47bbe6a8baa699a0d810723c1477893b091 Mon Sep 17 00:00:00 2001 From: Amit Schendel Date: Thu, 16 Oct 2025 11:23:09 +0000 Subject: [PATCH 04/11] Fixing go Signed-off-by: Amit Schendel --- .github/workflows/test.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 1bec23f..59c3cea 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -31,6 +31,9 @@ jobs: - name: Download dependencies run: go mod download + + - name: Fix go + run: go env -w GOTOOLCHAIN=go1.25.0+auto - name: Run tests run: go test ./... From c1a9a9b923bc225c16ec1e6d28baf6e6804b2d72 Mon Sep 17 00:00:00 2001 From: Matthias Bertschy Date: Fri, 17 Oct 2025 21:51:05 +0200 Subject: [PATCH 05/11] fix syscall events 
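Review bot: The new step runs `go env -w GOTOOLCHAIN=go1.25.0+auto` after `go mod download`, so the download already ran under whatever toolchain the setup step installed and only `go test` sees the setting; a job-level `env: GOTOOLCHAIN: go1.25.0+auto`, or `go-version-file: go.mod` on the setup step, would apply to every go invocation. The `+auto` suffix also allows the test run to fetch a newer toolchain from the module proxy whenever go.mod or a dependency asks for one, so the CI toolchain can drift without any change to this workflow; pinning without `+auto` keeps the build reproducible. The step name `Fix go` does not say what it does; `Pin Go toolchain` would be clearer.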
Signed-off-by: Matthias Bertschy --- go.mod | 2 +- go.sum | 4 ++-- .../rule_test.go | 16 ++++++------- .../r0002-unexpected-file-access/rule_test.go | 10 ++++---- .../r0003-unexpected-system-call/rule_test.go | 12 +++++----- .../unexpected-system-call.yaml | 6 ++--- .../rule_test.go | 10 ++++---- .../rule_test.go | 8 +++---- .../rule_test.go | 13 +++++----- .../rule_test.go | 20 ++++++++-------- .../rule_test.go | 13 +++++----- .../ebpf-program-load.yaml | 4 ++-- .../r0009-ebpf-program-load/rule_test.go | 6 ++--- .../rule_test.go | 10 ++++---- .../rule_test.go | 14 +++++------ .../rule_test.go | 17 +++++++------ .../rule_test.go | 19 +++++++-------- .../kernel-module-load.yaml | 8 +++---- .../r1002-kernel-module-load/rule_test.go | 12 +++++----- .../rule_test.go | 16 ++++++------- pkg/rules/r1004-exec-from-mount/rule_test.go | 14 +++++------ .../r1005-fileless-execution/rule_test.go | 14 +++++------ pkg/rules/r1006-unshare-syscall/rule_test.go | 6 ++--- .../unshare-syscall.yaml | 6 ++--- .../r1007-xmr-crypto-mining/rule_test.go | 14 +++++------ .../rule_test.go | 18 +++++++------- .../rule_test.go | 22 ++++++++--------- .../rule_test.go | 8 +++---- pkg/rules/r1011-ld-preload-hook/rule_test.go | 20 +++++++--------- .../rule_test.go | 8 +++---- .../r1015-malicious-ptrace-usage/rule_test.go | 12 +++++----- .../rule_test.go | 8 +++---- rules-crd.yaml | 24 +++++++++---------- 33 files changed, 194 insertions(+), 200 deletions(-) diff --git a/go.mod b/go.mod index 5a335d6..406b0a0 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.25.0 require ( github.com/goradd/maps v1.0.0 github.com/inspektor-gadget/inspektor-gadget v0.45.0 - github.com/kubescape/node-agent v0.2.387-0.20251016091756-5b7b07f69bd3 + github.com/kubescape/node-agent v0.2.387-0.20251017195727-48fc07c8d7a3 github.com/kubescape/storage v0.0.221 github.com/stretchr/testify v1.11.1 gopkg.in/yaml.v3 v3.0.1 diff --git a/go.sum b/go.sum index c489ede..745dcd0 100644 --- a/go.sum +++ b/go.sum 
@@ -531,8 +531,8 @@ github.com/kubescape/go-logger v0.0.24 h1:JRNlblY16Ty7hD6MSYNPvWYDxNzVAufsDDX/sZ github.com/kubescape/go-logger v0.0.24/go.mod h1:sMPVCr3VpW/e+SeMaXig5kClGvmZbDXN8YktUeNU4nY= github.com/kubescape/k8s-interface v0.0.199 h1:D+YBL69q1Dc2idus6jwd/vQcNhRoNZ6tE0m5Miz7TSg= github.com/kubescape/k8s-interface v0.0.199/go.mod h1:j9snZbH+RxOaa1yG/bWgTClj90q7To0rGgQepxy4b+k= -github.com/kubescape/node-agent v0.2.387-0.20251016091756-5b7b07f69bd3 h1:joW6U4769QIO9klMr2R9SdRcO9BS43xHMSORurh6dtU= -github.com/kubescape/node-agent v0.2.387-0.20251016091756-5b7b07f69bd3/go.mod h1:HN5jZ99TL+DF3rt3JTn1X4NfcOtSMqGFntA1a7i60HI= +github.com/kubescape/node-agent v0.2.387-0.20251017195727-48fc07c8d7a3 h1:GbwPBp4liR35T+4TPAktW7y3QLMPERNnf7M7PoBkYzI= +github.com/kubescape/node-agent v0.2.387-0.20251017195727-48fc07c8d7a3/go.mod h1:HN5jZ99TL+DF3rt3JTn1X4NfcOtSMqGFntA1a7i60HI= github.com/kubescape/storage v0.0.221 h1:HLWnNokkKgKo9ka/p797fFQdsbzKxSXT5/RpUWrKWzI= github.com/kubescape/storage v0.0.221/go.mod h1:L/fF3teor8cUj80TVujqy9E1rKsf+Dox2hZtkS1vjOU= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= diff --git a/pkg/rules/r0001-unexpected-process-launched/rule_test.go b/pkg/rules/r0001-unexpected-process-launched/rule_test.go index c79274f..dda72a2 100644 --- a/pkg/rules/r0001-unexpected-process-launched/rule_test.go +++ b/pkg/rules/r0001-unexpected-process-launched/rule_test.go @@ -26,13 +26,14 @@ func TestR0001UnexpectedProcessLaunched(t *testing.T) { } // Create a process exec event e := &utils.StructEvent{ + Args: []string{"test-process", "arg1"}, + Comm: "test-process", Container: "test", ContainerID: "test", - Pid: 1234, - Comm: "test-process", - Pcomm: "test-process", + EventType: utils.ExecveEventType, ExePath: "/usr/bin/test-process", - Args: []string{"test-process", "arg1"}, + Pcomm: "test-process", + Pid: 1234, } objCache := &objectcachev1.RuleObjectCacheMock{ 
@@ -60,8 +61,7 @@ func TestR0001UnexpectedProcessLaunched(t *testing.T) { t.Fatalf("Failed to create CEL engine: %v", err) } enrichedEvent := &events.EnrichedEvent{ - EventType: utils.ExecveEventType, - Event: e, + Event: e, } // Evaluate the rule @@ -143,6 +143,7 @@ func BenchmarkEvaluateRuleNative(b *testing.B) { e := &utils.StructEvent{ Container: "test", ContainerID: "test", + EventType: utils.ExecveEventType, Pid: 1234, Comm: "test-process", Pcomm: "test-process", @@ -150,8 +151,7 @@ func BenchmarkEvaluateRuleNative(b *testing.B) { Args: []string{"test-process", "arg1"}, } enrichedEvent := &events.EnrichedEvent{ - EventType: utils.ExecveEventType, - Event: e, + Event: e, } ruleSpec, err := common.LoadRuleFromYAML("unexpected-process-launched.yaml") require.NoError(b, err) diff --git a/pkg/rules/r0002-unexpected-file-access/rule_test.go b/pkg/rules/r0002-unexpected-file-access/rule_test.go index 75a6fab..d1657cc 100644 --- a/pkg/rules/r0002-unexpected-file-access/rule_test.go +++ b/pkg/rules/r0002-unexpected-file-access/rule_test.go @@ -24,12 +24,13 @@ func TestR0002UnexpectedFileAccess(t *testing.T) { } // Create a file access event e := &utils.StructEvent{ + Comm: "test", Container: "test", ContainerID: "test", - Pid: 1234, - Comm: "test", - Path: "/etc/test", + EventType: utils.OpenEventType, Flags: []string{"O_RDONLY"}, + Path: "/etc/test", + Pid: 1234, } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -58,8 +59,7 @@ func TestR0002UnexpectedFileAccess(t *testing.T) { t.Fatalf("Failed to create CEL engine: %v", err) } enrichedEvent := &events.EnrichedEvent{ - EventType: utils.OpenEventType, - Event: e, + Event: e, } ok, err := celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression) diff --git a/pkg/rules/r0003-unexpected-system-call/rule_test.go b/pkg/rules/r0003-unexpected-system-call/rule_test.go index e71f22b..b4d70a4 100644 --- a/pkg/rules/r0003-unexpected-system-call/rule_test.go 
+++ b/pkg/rules/r0003-unexpected-system-call/rule_test.go @@ -24,11 +24,12 @@ func TestR0003UnexpectedSystemCall(t *testing.T) { // Create a syscall event e := &utils.StructEvent{ + Comm: "test", Container: "test", ContainerID: "test", - Comm: "test", - Syscall: "test_syscall", + EventType: utils.SyscallEventType, Pid: 1234, + Syscall: "test_syscall", } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -57,8 +58,7 @@ func TestR0003UnexpectedSystemCall(t *testing.T) { t.Fatalf("Failed to create CEL engine: %v", err) } enrichedEvent := &events.EnrichedEvent{ - EventType: utils.SyscallEventType, - Event: e, + Event: e, } // Evaluate the rule @@ -75,7 +75,7 @@ func TestR0003UnexpectedSystemCall(t *testing.T) { if err != nil { t.Fatalf("Failed to evaluate message: %v", err) } - if message != "Unexpected system call detected: test_syscall with PID 1234" { + if message != "Unexpected system call detected: todo with PID 1234" { t.Fatalf("Message evaluation failed: %s", message) } @@ -84,7 +84,7 @@ func TestR0003UnexpectedSystemCall(t *testing.T) { if err != nil { t.Fatalf("Failed to evaluate unique id: %v", err) } - if uniqueId != "test_syscall" { + if uniqueId != "todo" { t.Fatalf("Unique id evaluation failed: %s", uniqueId) } diff --git a/pkg/rules/r0003-unexpected-system-call/unexpected-system-call.yaml b/pkg/rules/r0003-unexpected-system-call/unexpected-system-call.yaml index ee5c525..4e41039 100644 --- a/pkg/rules/r0003-unexpected-system-call/unexpected-system-call.yaml +++ b/pkg/rules/r0003-unexpected-system-call/unexpected-system-call.yaml 
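Review bot: The last two hunks of TestR0003UnexpectedSystemCall now pin the alert text to the literal placeholder `todo` (`if message != "Unexpected system call detected: todo with PID 1234"` and `if uniqueId != "todo"`), so the test keeps passing while the rule ships without naming the syscall. Restore the expectations to the value the event carries, e.g. `if message != "Unexpected system call detected: test_syscall with PID 1234"` and `if uniqueId != "test_syscall"`, once the rule expressions are fixed, so the test fails again if the placeholder comes back. The event built in the first hunk still sets the single `Syscall: "test_syscall"` field while the rule now reads `event.syscalls`; whether the CEL engine exposes that field as a one-element list is not visible here and is worth asserting explicitly in this test.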
@@ -12,11 +12,11 @@ spec: id: "R0003" description: "Detects unexpected system calls that are not whitelisted by application profile" expressions: - message: "'Unexpected system call detected: ' + event.syscallName + ' with PID ' + string(event.pid)" - unique_id: "event.syscallName" + message: "'Unexpected system call detected: todo with PID ' + string(event.pid)" + unique_id: "'todo'" rule_expression: - event_type: "syscall" - expression: "!ap.was_syscall_used(event.containerId, event.syscallName)" + expression: "!ap.were_syscalls_used(event.containerId, event.syscalls)" profile_dependency: 0 severity: 1 support_policy: false diff --git a/pkg/rules/r0004-unexpected-capability-used/rule_test.go b/pkg/rules/r0004-unexpected-capability-used/rule_test.go index 8c2afa1..3a6bf0e 100644 --- a/pkg/rules/r0004-unexpected-capability-used/rule_test.go +++ b/pkg/rules/r0004-unexpected-capability-used/rule_test.go @@ -24,12 +24,13 @@ func TestR0004UnexpectedCapabilityUsed(t *testing.T) { // Create a capabilities event e := &utils.StructEvent{ + CapName: "test_cap", + Comm: "test", Container: "test", ContainerID: "test", - Comm: "test", - CapName: "test_cap", - Syscall: "test_syscall", + EventType: utils.CapabilitiesEventType, Pid: 1234, + Syscall: "test_syscall", } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -58,8 +59,7 @@ func TestR0004UnexpectedCapabilityUsed(t *testing.T) { t.Fatalf("Failed to create CEL engine: %v", err) } enrichedEvent := &events.EnrichedEvent{ - EventType: utils.CapabilitiesEventType, - Event: e, + Event: e, } // Evaluate the rule diff --git a/pkg/rules/r0005-unexpected-domain-request/rule_test.go b/pkg/rules/r0005-unexpected-domain-request/rule_test.go index 923891c..43ac177 100644 --- a/pkg/rules/r0005-unexpected-domain-request/rule_test.go +++ b/pkg/rules/r0005-unexpected-domain-request/rule_test.go 
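Review bot: The new R0003 `message` and `unique_id` are placeholders: `unique_id: "'todo'"` gives every unexpected-syscall alert in a container the same identifier, and the message no longer names the syscall, so a responder cannot see what was called and, if `unique_id` feeds alert de-duplication or throttling downstream (not visible here), every unexpected syscall after the first would collapse into one alert. Derive both from the new list instead, e.g. `message: "'Unexpected system call detected: ' + event.syscalls.join(', ') + ' with PID ' + string(event.pid)"` and `unique_id: "event.syscalls.join(',')"`, which assumes the CEL environment enables the strings extension (`join`) — worth confirming against the engine in node-agent. If `ap.were_syscalls_used` only returns true when all of `event.syscalls` are in the profile, listing the whole batch will also name whitelisted syscalls; the helper (or a sibling returning the unprofiled subset) would need to report which ones actually tripped the rule.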
@@ -25,11 +25,12 @@ func TestR0005UnexpectedDomainRequest(t *testing.T) { // Create a DNS event e := &utils.StructEvent{ + Comm: "test-process", Container: "test", ContainerID: "test", - Pid: 1234, - Comm: "test-process", DNSName: "test.com", + EventType: utils.DnsEventType, + Pid: 1234, Qr: utils.DNSPktTypeQuery, } @@ -58,8 +59,7 @@ func TestR0005UnexpectedDomainRequest(t *testing.T) { t.Fatalf("Failed to create CEL engine: %v", err) } enrichedEvent := &events.EnrichedEvent{ - EventType: utils.DnsEventType, - Event: e, + Event: e, } // Test without profile - should trigger alert diff --git a/pkg/rules/r0006-unexpected-service-account-token-access/rule_test.go b/pkg/rules/r0006-unexpected-service-account-token-access/rule_test.go index c626749..43d81b1 100644 --- a/pkg/rules/r0006-unexpected-service-account-token-access/rule_test.go +++ b/pkg/rules/r0006-unexpected-service-account-token-access/rule_test.go @@ -19,14 +19,15 @@ import ( // createTestEvent creates a test OpenEvent func createTestEvent(containerName, containerID, path string, flags []string) *utils.StructEvent { return &utils.StructEvent{ + Comm: "test-process", Container: containerName, ContainerID: containerID, - Comm: "test-process", - Path: path, + EventType: utils.OpenEventType, Flags: flags, + Gid: 0, + Path: path, Pid: 1234, Uid: 0, - Gid: 0, } } @@ -169,8 +170,7 @@ func TestR0006UnexpectedServiceAccountTokenAccess(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.OpenEventType, - Event: tt.event, + Event: tt.event, } // Evaluate the rule @@ -277,8 +277,7 @@ func TestR0006WithTimestampPaths(t *testing.T) { // Serialize event and evaluate enrichedEvent := &events.EnrichedEvent{ - EventType: utils.OpenEventType, - Event: event, + Event: event, } triggered, err := celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression) 
diff --git a/pkg/rules/r0007-kubernetes-client-executed/rule_test.go b/pkg/rules/r0007-kubernetes-client-executed/rule_test.go index 341a8ec..957d4b9 100644 --- a/pkg/rules/r0007-kubernetes-client-executed/rule_test.go +++ b/pkg/rules/r0007-kubernetes-client-executed/rule_test.go @@ -26,13 +26,14 @@ func TestR0007KubernetesClientExecuted(t *testing.T) { // Create a kubectl exec event e := &utils.StructEvent{ + Args: []string{"kubectl", "get", "pods"}, + Comm: "kubectl", Container: "test", ContainerID: "test", - Pid: 1234, - Comm: "kubectl", - Pcomm: "test-process", + EventType: utils.ExecveEventType, ExePath: "/usr/bin/kubectl", - Args: []string{"kubectl", "get", "pods"}, + Pcomm: "test-process", + Pid: 1234, } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -60,8 +61,7 @@ func TestR0007KubernetesClientExecuted(t *testing.T) { t.Fatalf("Failed to create CEL engine: %v", err) } enrichedEvent := &events.EnrichedEvent{ - EventType: utils.ExecveEventType, - Event: e, + Event: e, } // Test without profile - should trigger alert @@ -141,11 +141,12 @@ func TestR0007KubernetesClientExecutedNetwork(t *testing.T) { e := &utils.StructEvent{ Container: "test", ContainerID: "test", - PktType: "OUTGOING", DstEndpoint: eventtypes.L3Endpoint{ Addr: "1.1.1.1", }, - DstPort: 80, + DstPort: 80, + EventType: utils.NetworkEventType, + PktType: "OUTGOING", } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -175,8 +176,7 @@ func TestR0007KubernetesClientExecutedNetwork(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.NetworkEventType, - Event: e, + Event: e, } // Sleep for 1 millisecond to make sure the cache is expired diff --git a/pkg/rules/r0008-read-environment-variables-procfs/rule_test.go b/pkg/rules/r0008-read-environment-variables-procfs/rule_test.go index 90f360b..c478fe2 100644 --- a/pkg/rules/r0008-read-environment-variables-procfs/rule_test.go +++ b/pkg/rules/r0008-read-environment-variables-procfs/rule_test.go 
@@ -20,14 +20,15 @@ import ( // createTestEvent creates a test OpenEvent func createTestEvent(containerName, containerID, path string, flags []string) *utils.StructEvent { return &utils.StructEvent{ + Comm: "test-process", Container: containerName, ContainerID: containerID, - Comm: "test-process", - Path: path, + EventType: utils.OpenEventType, Flags: flags, + Gid: 0, + Path: path, Pid: 1234, Uid: 0, - Gid: 0, } } @@ -163,8 +164,7 @@ func TestR0008ReadEnvironmentVariablesProcFS(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.OpenEventType, - Event: tt.event, + Event: tt.event, } // Evaluate the rule @@ -294,8 +294,7 @@ func TestR0008VariousProcFSPaths(t *testing.T) { // Serialize event and evaluate enrichedEvent := &events.EnrichedEvent{ - EventType: utils.OpenEventType, - Event: event, + Event: event, } triggered, err := celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression) diff --git a/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml b/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml index dff6e22..430137c 100644 --- a/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml +++ b/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml @@ -13,10 +13,10 @@ spec: description: "Detecting eBPF program load." expressions: message: "'bpf system call executed in ' + event.containerName" - unique_id: "event.comm + '_' + event.syscallName" + unique_id: "event.comm + '_bpf'" rule_expression: - event_type: "syscall" - expression: "event.syscallName == 'bpf' && !ap.was_syscall_used(event.containerId, event.syscallName)" + expression: "'bpf' in event.syscalls && !ap.was_syscall_used(event.containerId, 'bpf')" profile_dependency: 1 severity: 5 support_policy: false diff --git a/pkg/rules/r0009-ebpf-program-load/rule_test.go b/pkg/rules/r0009-ebpf-program-load/rule_test.go index d9c7c4f..1be26dd 100644 --- a/pkg/rules/r0009-ebpf-program-load/rule_test.go 
+++ b/pkg/rules/r0009-ebpf-program-load/rule_test.go @@ -24,10 +24,11 @@ func TestR0009EbpfProgramLoad(t *testing.T) { // Create a syscall event with bpf syscall e := &utils.StructEvent{ + Comm: "test-process", Container: "test", ContainerID: "test", + EventType: utils.SyscallEventType, Pid: 1234, - Comm: "test-process", Syscall: "bpf", } @@ -58,8 +59,7 @@ func TestR0009EbpfProgramLoad(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.SyscallEventType, - Event: e, + Event: e, } // Test without profile - should trigger alert diff --git a/pkg/rules/r0010-unexpected-sensitive-file-access/rule_test.go b/pkg/rules/r0010-unexpected-sensitive-file-access/rule_test.go index 54883c2..c715be1 100644 --- a/pkg/rules/r0010-unexpected-sensitive-file-access/rule_test.go +++ b/pkg/rules/r0010-unexpected-sensitive-file-access/rule_test.go @@ -25,12 +25,13 @@ func TestR0010UnexpectedSensitiveFileAccess(t *testing.T) { // Create a file access event to sensitive file e := &utils.StructEvent{ + Comm: "test-process", Container: "test", ContainerID: "test", - Pid: 1234, - Comm: "test-process", - Path: "/etc/shadow", + EventType: utils.OpenEventType, Flags: []string{"O_RDONLY"}, + Path: "/etc/shadow", + Pid: 1234, } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -60,8 +61,7 @@ func TestR0010UnexpectedSensitiveFileAccess(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.OpenEventType, - Event: e, + Event: e, } // Test without profile - should trigger alert for sensitive file diff --git a/pkg/rules/r0011-unexpected-egress-network-traffic/rule_test.go b/pkg/rules/r0011-unexpected-egress-network-traffic/rule_test.go index 59c7449..4e232f4 100644 --- a/pkg/rules/r0011-unexpected-egress-network-traffic/rule_test.go +++ b/pkg/rules/r0011-unexpected-egress-network-traffic/rule_test.go 
@@ -25,16 +25,17 @@ func TestR0011UnexpectedEgressNetworkTraffic(t *testing.T) { // Create a network event for outgoing traffic to external IP e := &utils.StructEvent{ + Comm: "curl", Container: "test", ContainerID: "test", - PktType: "OUTGOING", DstEndpoint: eventtypes.L3Endpoint{ Addr: "1.1.1.1", // External IP }, - DstPort: 80, - Proto: "TCP", - Comm: "curl", - Pid: 1234, + DstPort: 80, + EventType: utils.NetworkEventType, + Pid: 1234, + PktType: "OUTGOING", + Proto: "TCP", } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -64,8 +65,7 @@ func TestR0011UnexpectedEgressNetworkTraffic(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.NetworkEventType, - Event: e, + Event: e, } // Test without network neighborhood - should trigger alert diff --git a/pkg/rules/r1000-exec-from-malicious-source/rule_test.go b/pkg/rules/r1000-exec-from-malicious-source/rule_test.go index e3b4b54..c7a70c0 100644 --- a/pkg/rules/r1000-exec-from-malicious-source/rule_test.go +++ b/pkg/rules/r1000-exec-from-malicious-source/rule_test.go @@ -18,17 +18,18 @@ import ( // createTestExecEvent creates a test ExecEvent func createTestExecEvent(containerName, containerID, comm, exePath, cwd string, args []string) *utils.StructEvent { return &utils.StructEvent{ + Args: args, + Comm: comm, Container: containerName, ContainerID: containerID, - Comm: comm, - ExePath: exePath, Cwd: cwd, - Args: args, + EventType: utils.ExecveEventType, + ExePath: exePath, + Gid: 0, + Pcomm: "parent-process", Pid: 1234, Ppid: 123, - Pcomm: "parent-process", Uid: 0, - Gid: 0, } } @@ -137,8 +138,7 @@ func TestR1000ExecFromMaliciousSource(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.ExecveEventType, - Event: tt.event, + Event: tt.event, } // Evaluate the rule 
@@ -276,8 +276,7 @@ func TestR1000MaliciousPathVariants(t *testing.T) { // Serialize event and evaluate enrichedEvent := &events.EnrichedEvent{ - EventType: utils.ExecveEventType, - Event: event, + Event: event, } triggered, err := celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression) diff --git a/pkg/rules/r1001-exec-binary-not-in-base-image/rule_test.go b/pkg/rules/r1001-exec-binary-not-in-base-image/rule_test.go index d551b7f..a6df67c 100644 --- a/pkg/rules/r1001-exec-binary-not-in-base-image/rule_test.go +++ b/pkg/rules/r1001-exec-binary-not-in-base-image/rule_test.go @@ -19,19 +19,20 @@ import ( // createTestExecEvent creates a test ExecEvent func createTestExecEvent(containerName, containerID, comm, exePath, cwd string, args []string, upperLayer, pupperLayer bool) *utils.StructEvent { return &utils.StructEvent{ + Args: args, + Comm: comm, Container: containerName, ContainerID: containerID, - Comm: comm, - ExePath: exePath, Cwd: cwd, - Args: args, + EventType: utils.ExecveEventType, + ExePath: exePath, + Gid: 0, + Pcomm: "parent-process", Pid: 1234, Ppid: 123, - Pcomm: "parent-process", + PupperLayer: pupperLayer, Uid: 0, - Gid: 0, UpperLayer: upperLayer, - PupperLayer: pupperLayer, } } @@ -165,8 +166,7 @@ func TestR1001ExecBinaryNotInBaseImage(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.ExecveEventType, - Event: tt.event, + Event: tt.event, } // Evaluate the rule @@ -283,8 +283,7 @@ func TestR1001UpperLayerVariants(t *testing.T) { // Serialize event and evaluate enrichedEvent := &events.EnrichedEvent{ - EventType: utils.ExecveEventType, - Event: event, + Event: event, } triggered, err := celEngine.EvaluateRule(enrichedEvent, ruleSpec.Rules[0].Expressions.RuleExpression) diff --git a/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml b/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml index 8c927e0..86548ef 100644 
--- a/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml +++ b/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml @@ -12,13 +12,13 @@ spec: id: "R1002" description: "Detecting Kernel Module Load." expressions: - message: "'Kernel module load syscall (' + event.syscallName + ') was called'" - unique_id: "event.syscallName" + message: "'Kernel module load syscall (init_module) was called'" + unique_id: "'init_module'" rule_expression: - event_type: "syscall" expression: > - event.syscallName == 'init_module' || - event.syscallName == 'finit_module' + 'init_module' in event.syscalls || + 'finit_module' in event.syscalls profile_dependency: 2 severity: 10 support_policy: false diff --git a/pkg/rules/r1002-kernel-module-load/rule_test.go b/pkg/rules/r1002-kernel-module-load/rule_test.go index ac9473f..ed06d28 100644 --- a/pkg/rules/r1002-kernel-module-load/rule_test.go +++ b/pkg/rules/r1002-kernel-module-load/rule_test.go @@ -18,11 +18,12 @@ import ( // createTestSyscallEvent creates a test SyscallEvent func createTestSyscallEvent(containerName, containerID, comm, syscallName string, pid uint32) *utils.StructEvent { return &utils.StructEvent{ + Comm: comm, Container: containerName, ContainerID: containerID, - Comm: comm, - Syscall: syscallName, + EventType: utils.SyscallEventType, Pid: pid, + Syscall: syscallName, } } @@ -95,8 +96,7 @@ func TestR1002KernelModuleLoad(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.SyscallEventType, - Event: tt.event, + Event: tt.event, } // Evaluate the rule @@ -117,7 +117,7 @@ func TestR1002KernelModuleLoad(t *testing.T) { if err != nil { t.Fatalf("Failed to evaluate message: %v", err) } - expectedMessage := "Kernel module load syscall (" + tt.event.Syscall + ") was called" + expectedMessage := "Kernel module load syscall (init_module) was called" if message != expectedMessage { t.Errorf("Message evaluation failed. Expected: %s, Got: %s", expectedMessage, message) } 
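Review bot: The R1002 expression still fires on either `init_module` or `finit_module`, but `message` and `unique_id` now hardcode `init_module`, so a `finit_module` load is reported under the wrong syscall name and both variants share one identifier. CEL's conditional keeps the original fidelity without `event.syscallName`: `message: "'Kernel module load syscall (' + ('finit_module' in event.syscalls ? 'finit_module' : 'init_module') + ') was called'"` and `unique_id: "'finit_module' in event.syscalls ? 'finit_module' : 'init_module'"`. The same expressions are mirrored in rules-crd.yaml, so the change has to land there as well.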
@@ -127,7 +127,7 @@ func TestR1002KernelModuleLoad(t *testing.T) { if err != nil { t.Fatalf("Failed to evaluate unique ID: %v", err) } - expectedUniqueID := tt.event.Syscall + expectedUniqueID := "init_module" if uniqueID != expectedUniqueID { t.Errorf("Unique ID evaluation failed. Expected: %s, Got: %s", expectedUniqueID, uniqueID) } diff --git a/pkg/rules/r1003-malicious-ssh-connection/rule_test.go b/pkg/rules/r1003-malicious-ssh-connection/rule_test.go index 9b03953..66bfa96 100644 --- a/pkg/rules/r1003-malicious-ssh-connection/rule_test.go +++ b/pkg/rules/r1003-malicious-ssh-connection/rule_test.go @@ -25,18 +25,19 @@ func TestR1003MaliciousSSHConnection(t *testing.T) { // Create a mock SSH event for outgoing connection to disallowed port e := &utils.StructEvent{ + Comm: "ssh", Container: "test", ContainerID: "test-container", - Pod: "test-pod", + DstIP: "1.1.1.1", + DstPort: 1234, // Disallowed port + EventType: utils.SSHEventType, + Gid: 1000, Namespace: "test-namespace", + Pid: 1234, + Pod: "test-pod", SrcIP: "192.168.1.100", - DstIP: "1.1.1.1", SrcPort: 33333, // Ephemeral port - DstPort: 1234, // Disallowed port - Comm: "ssh", - Pid: 1234, Uid: 1000, - Gid: 1000, } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -66,8 +67,7 @@ func TestR1003MaliciousSSHConnection(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.SSHEventType, - Event: e, + Event: e, } // Test without network neighborhood - should trigger alert for disallowed port diff --git a/pkg/rules/r1004-exec-from-mount/rule_test.go b/pkg/rules/r1004-exec-from-mount/rule_test.go index 74435dc..a16a5d6 100644 --- a/pkg/rules/r1004-exec-from-mount/rule_test.go +++ b/pkg/rules/r1004-exec-from-mount/rule_test.go 
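Review bot: `expectedUniqueID := "init_module"` here, and `expectedMessage` in the preceding hunk, now expect `init_module` for every row of the table, where the previous `tt.event.Syscall` expectation distinguished the two module-load syscalls; if the table contains a `finit_module` case the test now passes only because the rule mislabels it. Keep the expectation tied to the row, `expectedUniqueID := tt.event.Syscall`, once the rule derives the name from `event.syscalls`, so the test guards the label instead of cementing the regression. The table itself is outside this hunk, so whether a `finit_module` row exists is not visible here.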
@@ -25,16 +25,17 @@ func TestR1004ExecFromMount(t *testing.T) { // Create a mock exec event e := &utils.StructEvent{ + Args: []string{"/var/test1/test", "arg1"}, + Comm: "/var/test1/test", Container: "test", ContainerID: "test-container", - Pod: "test-pod", - Namespace: "test-namespace", - Comm: "/var/test1/test", + EventType: utils.ExecveEventType, ExePath: "/var/test1/test", - Args: []string{"/var/test1/test", "arg1"}, + Gid: 1000, + Namespace: "test-namespace", Pid: 1234, + Pod: "test-pod", Uid: 1000, - Gid: 1000, } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -103,8 +104,7 @@ func TestR1004ExecFromMount(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.ExecveEventType, - Event: e, + Event: e, } // Test without application profile - should trigger alert for exec from mounted path diff --git a/pkg/rules/r1005-fileless-execution/rule_test.go b/pkg/rules/r1005-fileless-execution/rule_test.go index 846b328..caf29e8 100644 --- a/pkg/rules/r1005-fileless-execution/rule_test.go +++ b/pkg/rules/r1005-fileless-execution/rule_test.go @@ -23,17 +23,18 @@ func TestR1005FilelessExecution(t *testing.T) { // Create a mock exec event for fileless execution via memfd e := &utils.StructEvent{ + Args: []string{"/memfd:test", "arg1"}, + Comm: "/memfd:test", Container: "test", ContainerID: "test-container", - Pod: "test-pod", - Namespace: "test-namespace", - Comm: "/memfd:test", + EventType: utils.ExecveEventType, ExePath: "/memfd:test", + Gid: 1000, + Namespace: "test-namespace", Pcomm: "/memfd:test", - Args: []string{"/memfd:test", "arg1"}, Pid: 1234, + Pod: "test-pod", Uid: 1000, - Gid: 1000, } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -63,8 +64,7 @@ func TestR1005FilelessExecution(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.ExecveEventType, - Event: e, + Event: e, } // Test with memfd execution - should trigger alert 
diff --git a/pkg/rules/r1006-unshare-syscall/rule_test.go b/pkg/rules/r1006-unshare-syscall/rule_test.go index 5589d96..4157384 100644 --- a/pkg/rules/r1006-unshare-syscall/rule_test.go +++ b/pkg/rules/r1006-unshare-syscall/rule_test.go @@ -26,8 +26,9 @@ func TestR1006UnshareSyscall(t *testing.T) { e := &utils.StructEvent{ Container: "test", ContainerID: "test", - Syscall: "unshare", + EventType: utils.SyscallEventType, Pid: 1234, + Syscall: "unshare", } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -57,8 +58,7 @@ func TestR1006UnshareSyscall(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.SyscallEventType, - Event: e, + Event: e, } // Evaluate the rule diff --git a/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml b/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml index 476a260..73a07d9 100644 --- a/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml +++ b/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml @@ -12,11 +12,11 @@ spec: id: "R1006" description: "Detecting Unshare System Call usage, which can be used to escape container." expressions: - message: "'Unshare system call detected: ' + event.syscallName + ' with PID ' + string(event.pid)" - unique_id: "event.syscallName" + message: "'Unshare system call detected: unshare with PID ' + string(event.pid)" + unique_id: "'unshare'" rule_expression: - event_type: "syscall" - expression: "event.syscallName == 'unshare' && !ap.was_syscall_used(event.containerId, event.syscallName)" + expression: "'unshare' in event.syscalls && !ap.was_syscall_used(event.containerId, 'unshare')" profile_dependency: 2 severity: 5 support_policy: false diff --git a/pkg/rules/r1007-xmr-crypto-mining/rule_test.go b/pkg/rules/r1007-xmr-crypto-mining/rule_test.go index e81c3b5..aa9d62b 100644 --- a/pkg/rules/r1007-xmr-crypto-mining/rule_test.go +++ b/pkg/rules/r1007-xmr-crypto-mining/rule_test.go 
@@ -23,16 +23,17 @@ func TestR1007XMRCryptoMining(t *testing.T) { // Create a RandomX event for crypto mining detection e := &utils.StructEvent{ + Comm: "xmrig", Container: "test", ContainerID: "test-container", - Pod: "test-pod", - Namespace: "test-namespace", - Comm: "xmrig", + EventType: utils.RandomXEventType, ExePath: "/usr/bin/xmrig", - Pid: 1234, - Uid: 1000, Gid: 1000, + Namespace: "test-namespace", + Pid: 1234, + Pod: "test-pod", Ppid: 1, + Uid: 1000, UpperLayer: true, } @@ -63,8 +64,7 @@ func TestR1007XMRCryptoMining(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.RandomXEventType, - Event: e, + Event: e, } // Test with RandomX event - should trigger alert diff --git a/pkg/rules/r1008-crypto-mining-domain-communication/rule_test.go b/pkg/rules/r1008-crypto-mining-domain-communication/rule_test.go index 64b0779..94e844d 100644 --- a/pkg/rules/r1008-crypto-mining-domain-communication/rule_test.go +++ b/pkg/rules/r1008-crypto-mining-domain-communication/rule_test.go @@ -23,19 +23,20 @@ func TestR1008CryptoMiningDomainCommunication(t *testing.T) { // Create a DNS event for crypto mining domain communication e := &utils.StructEvent{ + Comm: "xmrig", Container: "test", ContainerID: "test-container", - Pod: "test-pod", - Namespace: "test-namespace", + Cwd: "/tmp", DNSName: "xmr.gntl.uk.", - Comm: "xmrig", + EventType: utils.DnsEventType, ExePath: "/usr/bin/xmrig", - Pid: 1234, - Uid: 1000, Gid: 1000, - Ppid: 1, + Namespace: "test-namespace", Pcomm: "bash", - Cwd: "/tmp", + Pid: 1234, + Pod: "test-pod", + Ppid: 1, + Uid: 1000, } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -65,8 +66,7 @@ func TestR1008CryptoMiningDomainCommunication(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.DnsEventType, - Event: e, + Event: e, } // Test with crypto mining domain - should trigger alert 
diff --git a/pkg/rules/r1009-crypto-mining-related-port/rule_test.go b/pkg/rules/r1009-crypto-mining-related-port/rule_test.go index 9fe0661..b3bfd0b 100644 --- a/pkg/rules/r1009-crypto-mining-related-port/rule_test.go +++ b/pkg/rules/r1009-crypto-mining-related-port/rule_test.go @@ -25,20 +25,21 @@ func TestR1009CryptoMiningRelatedPort(t *testing.T) { // Create a network event for crypto mining port communication e := &utils.StructEvent{ + Comm: "xmrig", Container: "test", ContainerID: "test-container", - Pod: "test-pod", - Namespace: "test-namespace", - Proto: "TCP", - PktType: "OUTGOING", - DstPort: 3333, - Comm: "xmrig", - Pid: 1234, - Uid: 1000, - Gid: 1000, DstEndpoint: eventtypes.L3Endpoint{ Addr: "1.1.1.1", }, + DstPort: 3333, + EventType: utils.NetworkEventType, + Gid: 1000, + Namespace: "test-namespace", + Pid: 1234, + PktType: "OUTGOING", + Pod: "test-pod", + Proto: "TCP", + Uid: 1000, } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -68,8 +69,7 @@ func TestR1009CryptoMiningRelatedPort(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.NetworkEventType, - Event: e, + Event: e, } // Test with crypto mining port - should trigger alert diff --git a/pkg/rules/r1010-symlink-created-over-sensitive-file/rule_test.go b/pkg/rules/r1010-symlink-created-over-sensitive-file/rule_test.go index ce7576e..54d32c6 100644 --- a/pkg/rules/r1010-symlink-created-over-sensitive-file/rule_test.go +++ b/pkg/rules/r1010-symlink-created-over-sensitive-file/rule_test.go @@ -24,11 +24,12 @@ func TestR1010SymlinkCreatedOverSensitiveFile(t *testing.T) { // Create a symlink event e := &utils.StructEvent{ + Comm: "test", Container: "test", ContainerID: "test", - Comm: "test", - OldPath: "/etc/shadow", + EventType: utils.SymlinkEventType, NewPath: "/etc/abc", + OldPath: "/etc/shadow", } objCache := &objectcachev1.RuleObjectCacheMock{ 
@@ -59,8 +60,7 @@ func TestR1010SymlinkCreatedOverSensitiveFile(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.SymlinkEventType, - Event: e, + Event: e, } // Evaluate the rule diff --git a/pkg/rules/r1011-ld-preload-hook/rule_test.go b/pkg/rules/r1011-ld-preload-hook/rule_test.go index a8efc27..f5457b7 100644 --- a/pkg/rules/r1011-ld-preload-hook/rule_test.go +++ b/pkg/rules/r1011-ld-preload-hook/rule_test.go @@ -50,20 +50,19 @@ func TestR1011LdPreloadHook(t *testing.T) { // Test open event with ld.so.preload file opened with write flag - SHOULD TRIGGER openEvent := &utils.StructEvent{ + Comm: "test", Container: "test", ContainerID: "test", - Pod: "test-pod", + EventType: utils.OpenEventType, + FlagsRaw: 1, // Write flag Namespace: "default", - Comm: "test", Path: "/etc/ld.so.preload", - FlagsRaw: 1, // Write flag - EventType: utils.OpenEventType, + Pod: "test-pod", } // Serialize open event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.OpenEventType, - Event: openEvent, + Event: openEvent, } // Evaluate the rule for open event - should trigger for write access to ld.so.preload @@ -100,18 +99,17 @@ func TestR1011LdPreloadHook(t *testing.T) { // Test exec events - just verify expression compiles and returns false (can't mock PID) execEvent := &utils.StructEvent{ + Comm: "java", Container: "test", ContainerID: "test", - Pod: "test-pod", + EventType: utils.ExecveEventType, Namespace: "default", - Comm: "java", Pid: 1234, - EventType: utils.ExecveEventType, + Pod: "test-pod", } enrichedEvent2 := &events.EnrichedEvent{ - EventType: utils.ExecveEventType, - Event: execEvent, + Event: execEvent, } // For exec events, just verify the expression compiles and returns false diff --git a/pkg/rules/r1012-hardlink-created-over-sensitive-file/rule_test.go b/pkg/rules/r1012-hardlink-created-over-sensitive-file/rule_test.go index 2d21896..7d28371 100644 
--- a/pkg/rules/r1012-hardlink-created-over-sensitive-file/rule_test.go +++ b/pkg/rules/r1012-hardlink-created-over-sensitive-file/rule_test.go @@ -25,11 +25,12 @@ func TestR1012HardlinkCreatedOverSensitiveFile(t *testing.T) { // Create a hardlink event e := &utils.StructEvent{ + Comm: "test", Container: "test", ContainerID: "test", - Comm: "test", - OldPath: "test", + EventType: utils.HardlinkEventType, NewPath: "test", + OldPath: "test", } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -59,8 +60,7 @@ func TestR1012HardlinkCreatedOverSensitiveFile(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.HardlinkEventType, - Event: e, + Event: e, } // Evaluate the rule - should not trigger for non-sensitive file diff --git a/pkg/rules/r1015-malicious-ptrace-usage/rule_test.go b/pkg/rules/r1015-malicious-ptrace-usage/rule_test.go index ed9a85f..c3bc345 100644 --- a/pkg/rules/r1015-malicious-ptrace-usage/rule_test.go +++ b/pkg/rules/r1015-malicious-ptrace-usage/rule_test.go @@ -30,15 +30,16 @@ func TestR1015MaliciousPtraceUsage(t *testing.T) { // Create a ptrace event e := &utils.StructEvent{ + Comm: "malicious_process", Container: "test", ContainerID: "test", - Comm: "malicious_process", + EventType: utils.PtraceEventType, + ExePath: "/path/to/malicious_process", + Gid: 1000, Pid: 1234, Ppid: 5678, - Uid: 1000, - Gid: 1000, - ExePath: "/path/to/malicious_process", PtraceRequest: PTRACE_SETREGS, // Malicious ptrace request + Uid: 1000, } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -68,8 +69,7 @@ func TestR1015MaliciousPtraceUsage(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.PtraceEventType, - Event: e, + Event: e, } // Evaluate the rule - should always return true for ptrace events diff --git a/pkg/rules/r1030-unexpected-io_uring-operation/rule_test.go b/pkg/rules/r1030-unexpected-io_uring-operation/rule_test.go index aca07a5..969c4c9 100644 
--- a/pkg/rules/r1030-unexpected-io_uring-operation/rule_test.go +++ b/pkg/rules/r1030-unexpected-io_uring-operation/rule_test.go @@ -25,13 +25,14 @@ func TestR1030UnexpectedIouringOperation(t *testing.T) { // Create an io_uring event e := &utils.StructEvent{ + Comm: "test-process", Container: "test", ContainerID: "test", + EventType: utils.IoUringEventType, + FlagsRaw: 0x0, Identifier: "test-process", Opcode: 1, // IORING_OP_NOP - FlagsRaw: 0x0, UserData: 123, - Comm: "test-process", } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -61,8 +62,7 @@ func TestR1030UnexpectedIouringOperation(t *testing.T) { // Serialize event enrichedEvent := &events.EnrichedEvent{ - EventType: utils.IoUringEventType, - Event: e, + Event: e, } // Evaluate the rule - should always return true for io_uring events diff --git a/rules-crd.yaml b/rules-crd.yaml index 96ab530..bee71d2 100644 --- a/rules-crd.yaml +++ b/rules-crd.yaml @@ -68,11 +68,11 @@ spec: id: "R0003" description: "Detects unexpected system calls that are not whitelisted by application profile" expressions: - message: "'Unexpected system call detected: ' + event.syscallName + ' with PID ' + string(event.pid)" - unique_id: "event.syscallName" + message: "'Unexpected system call detected: todo with PID ' + string(event.pid)" + unique_id: "'todo'" rule_expression: - event_type: "syscall" - expression: "!ap.was_syscall_used(event.containerId, event.syscallName)" + expression: "!ap.were_syscalls_used(event.containerId, event.syscalls)" profile_dependency: 0 severity: 1 support_policy: false 
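Review bot: The rules-crd.yaml hunk for R0003 copies the `'todo'` placeholder (`unique_id: "'todo'"` and the message without the syscall name) from unexpected-system-call.yaml, and the following R1002 hunk copies the hardcoded `init_module` label; since the CRD is the artifact applied to clusters, whatever fix lands in the per-rule files has to be mirrored here. If rules-crd.yaml is generated from the pkg/rules sources, regenerating after fixing them is enough; if it is hand-maintained, a test that diffs the CRD against the per-rule yaml would catch this kind of drift.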
@@ -186,10 +186,10 @@ spec: description: "Detecting eBPF program load." expressions: message: "'bpf system call executed in ' + event.containerName" - unique_id: "event.comm + '_' + event.syscallName" + unique_id: "event.comm + '_bpf'" rule_expression: - event_type: "syscall" - expression: "event.syscallName == 'bpf' && !ap.was_syscall_used(event.containerId, event.syscallName)" + expression: "'bpf' in event.syscalls && !ap.was_syscall_used(event.containerId, 'bpf')" profile_dependency: 1 severity: 5 support_policy: false @@ -279,13 +279,13 @@ spec: id: "R1002" description: "Detecting Kernel Module Load." expressions: - message: "'Kernel module load syscall (' + event.syscallName + ') was called'" - unique_id: "event.syscallName" + message: "'Kernel module load syscall (init_module) was called'" + unique_id: "'init_module'" rule_expression: - event_type: "syscall" expression: > - event.syscallName == 'init_module' || - event.syscallName == 'finit_module' + 'init_module' in event.syscalls || + 'finit_module' in event.syscalls profile_dependency: 2 severity: 10 support_policy: false @@ -352,11 +352,11 @@ spec: id: "R1006" description: "Detecting Unshare System Call usage, which can be used to escape container." expressions: - message: "'Unshare system call detected: ' + event.syscallName + ' with PID ' + string(event.pid)" - unique_id: "event.syscallName" + message: "'Unshare system call detected: unshare with PID ' + string(event.pid)" + unique_id: "'unshare'" rule_expression: - event_type: "syscall" - expression: "event.syscallName == 'unshare' && !ap.was_syscall_used(event.containerId, event.syscallName)" + expression: "'unshare' in event.syscalls && !ap.was_syscall_used(event.containerId, 'unshare')" profile_dependency: 2 severity: 5 support_policy: false From 59c0cd0ee7067e26b93f93df2715aac96db6d354 Mon Sep 17 00:00:00 2001 From: Amit Schendel Date: Mon, 20 Oct 2025 09:22:30 +0000 Subject: [PATCH 06/11] Switch to camelCase 
Signed-off-by: Amit Schendel --- README.md | 18 +- go.mod | 2 +- go.sum | 4 +- .../unexpected-process-launched.yaml | 36 +- .../unexpected-file-access.yaml | 72 +- .../unexpected-system-call.yaml | 34 +- .../unexpected-capability-used.yaml | 34 +- .../unexpected-domain-request.yaml | 34 +- ...expected-service-account-token-access.yaml | 50 +- .../kubernetes-client-executed.yaml | 40 +- .../read-environment-variables-procfs.yaml | 42 +- .../ebpf-program-load.yaml | 34 +- .../unexpected-sensitive-file-access.yaml | 34 +- .../unexpected-egress-network-traffic.yaml | 36 +- .../exec-from-malicious-source.yaml | 40 +- .../exec-binary-not-in-base-image.yaml | 44 +- .../kernel-module-load.yaml | 40 +- .../malicious-ssh-connection.yaml | 38 +- .../exec-from-mount.yaml | 34 +- .../fileless-execution.yaml | 34 +- .../unshare-syscall.yaml | 38 +- .../xmr-crypto-mining.yaml | 34 +- .../crypto-mining-domain-communication.yaml | 38 +- .../crypto-mining-related-port.yaml | 38 +- .../symlink-created-over-sensitive-file.yaml | 34 +- .../ld-preload-hook.yaml | 38 +- .../hardlink-created-over-sensitive-file.yaml | 34 +- .../malicious-ptrace-usage.yaml | 32 +- .../unexpected-io_uring-operation.yaml | 34 +- rules-crd.yaml | 996 +++++++++--------- 30 files changed, 1008 insertions(+), 1008 deletions(-) diff --git a/README.md b/README.md index 9583d4e..aff7a3b 100644 --- a/README.md +++ b/README.md @@ -26,13 +26,13 @@ spec: description: "Description of what the rule detects" expressions: message: "CEL expression for alert message" - unique_id: "CEL expression for unique identifier" - rule_expression: - - event_type: "event_type_name" + uniqueId: "CEL expression for unique identifier" + ruleExpression: + - eventType: "eventType_name" expression: "CEL expression for detection logic" - profile_dependency: 0 # 0=Required, 1=Optional, 2=NotRequired + profileDependency: 0 # 0=Required, 1=Optional, 2=NotRequired severity: 1 - support_policy: false + supportPolicy: false tags: - "tag1" - "tag2" 
@@ -47,11 +47,11 @@ spec: | `id` | string | Unique rule identifier (format: R####) | Yes | | `description` | string | Detailed description of the rule | Yes | | `expressions.message` | string | CEL expression for alert message | Yes | -| `expressions.unique_id` | string | CEL expression for unique event ID | Yes | -| `expressions.rule_expression` | array | Array of detection expressions | Yes | -| `profile_dependency` | integer | Profile dependency level (0,1,2) | Yes | +| `expressions.uniqueId` | string | CEL expression for unique event ID | Yes | +| `expressions.ruleExpression` | array | Array of detection expressions | Yes | +| `profileDependency` | integer | Profile dependency level (0,1,2) | Yes | | `severity` | integer | Rule severity level | Yes | -| `support_policy` | boolean | Whether rule supported by rule policy | Yes | +| `supportPolicy` | boolean | Whether rule supported by rule policy | Yes | | `tags` | array | Array of tags for categorization | Yes | | `state` | object | Rule state | No | diff --git a/go.mod b/go.mod index 406b0a0..9a01b99 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.25.0 require ( github.com/goradd/maps v1.0.0 github.com/inspektor-gadget/inspektor-gadget v0.45.0 - github.com/kubescape/node-agent v0.2.387-0.20251017195727-48fc07c8d7a3 + github.com/kubescape/node-agent v0.2.387-0.20251020091723-a7e2e0fc9c92 github.com/kubescape/storage v0.0.221 github.com/stretchr/testify v1.11.1 gopkg.in/yaml.v3 v3.0.1 diff --git a/go.sum b/go.sum index 745dcd0..665a5e0 100644 --- a/go.sum +++ b/go.sum 
@@ -531,8 +531,8 @@ github.com/kubescape/go-logger v0.0.24 h1:JRNlblY16Ty7hD6MSYNPvWYDxNzVAufsDDX/sZ github.com/kubescape/go-logger v0.0.24/go.mod h1:sMPVCr3VpW/e+SeMaXig5kClGvmZbDXN8YktUeNU4nY= github.com/kubescape/k8s-interface v0.0.199 h1:D+YBL69q1Dc2idus6jwd/vQcNhRoNZ6tE0m5Miz7TSg= github.com/kubescape/k8s-interface v0.0.199/go.mod h1:j9snZbH+RxOaa1yG/bWgTClj90q7To0rGgQepxy4b+k= -github.com/kubescape/node-agent v0.2.387-0.20251017195727-48fc07c8d7a3 h1:GbwPBp4liR35T+4TPAktW7y3QLMPERNnf7M7PoBkYzI= -github.com/kubescape/node-agent v0.2.387-0.20251017195727-48fc07c8d7a3/go.mod h1:HN5jZ99TL+DF3rt3JTn1X4NfcOtSMqGFntA1a7i60HI= +github.com/kubescape/node-agent v0.2.387-0.20251020091723-a7e2e0fc9c92 h1:z4JAmm89MBKKNfw6OtMtsGNqndI5B77WHXATDINtZIg= +github.com/kubescape/node-agent v0.2.387-0.20251020091723-a7e2e0fc9c92/go.mod h1:HN5jZ99TL+DF3rt3JTn1X4NfcOtSMqGFntA1a7i60HI= github.com/kubescape/storage v0.0.221 h1:HLWnNokkKgKo9ka/p797fFQdsbzKxSXT5/RpUWrKWzI= github.com/kubescape/storage v0.0.221/go.mod h1:L/fF3teor8cUj80TVujqy9E1rKsf+Dox2hZtkS1vjOU= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= diff --git a/pkg/rules/r0001-unexpected-process-launched/unexpected-process-launched.yaml b/pkg/rules/r0001-unexpected-process-launched/unexpected-process-launched.yaml index 07910fb..831fdb8 100644 --- a/pkg/rules/r0001-unexpected-process-launched/unexpected-process-launched.yaml +++ b/pkg/rules/r0001-unexpected-process-launched/unexpected-process-launched.yaml 
@@ -7,21 +7,21 @@ metadata: app: kubescape spec: rules: - - name: "Unexpected process launched" - enabled: true - id: "R0001" - description: "Detects unexpected process launches that are not in the baseline" - expressions: - message: "'Unexpected process launched: ' + event.comm + ' with PID ' + string(event.pid)" - unique_id: "event.comm + '_' + event.exepath" - rule_expression: - - event_type: "exec" - expression: "!ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm))" - profile_dependency: 0 - severity: 1 - support_policy: false - tags: - - "anomaly" - - "process" - - "exec" - - "applicationprofile" + - name: "Unexpected process launched" + enabled: true + id: "R0001" + description: "Detects unexpected process launches that are not in the baseline" + expressions: + message: "'Unexpected process launched: ' + event.comm + ' with PID ' + string(event.pid)" + uniqueId: "event.comm + '_' + event.exepath" + ruleExpression: + - eventType: "exec" + expression: "!ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm))" + profileDependency: 0 + severity: 1 + supportPolicy: false + tags: + - "anomaly" + - "process" + - "exec" + - "applicationprofile" diff --git a/pkg/rules/r0002-unexpected-file-access/unexpected-file-access.yaml b/pkg/rules/r0002-unexpected-file-access/unexpected-file-access.yaml index 4ae0cbf..ea8c45c 100644 --- a/pkg/rules/r0002-unexpected-file-access/unexpected-file-access.yaml +++ b/pkg/rules/r0002-unexpected-file-access/unexpected-file-access.yaml 
@@ -7,39 +7,39 @@ metadata: app: kubescape spec: rules: - - name: "Files Access Anomalies in container" - enabled: false - id: "R0002" - description: "Detects unexpected file access that is not in the baseline" - expressions: - message: "'Unexpected file access detected: ' + event.comm + ' with PID ' + string(event.pid) + ' to ' + event.path" - unique_id: "event.comm + '_' + event.path" - rule_expression: - - event_type: "open" - expression: > - (event.path.startsWith('/etc/') || - event.path.startsWith('/var/log/') || - event.path.startsWith('/var/run/') || - event.path.startsWith('/run/') || - event.path.startsWith('/var/spool/cron/') || - event.path.startsWith('/var/www/') || - event.path.startsWith('/var/lib/') || - event.path.startsWith('/opt/') || - event.path.startsWith('/usr/local/') || - event.path.startsWith('/app/') || - event.path == '/.dockerenv' || - event.path == '/proc/self/environ') - && - !(event.path.startsWith('/run/secrets/kubernetes.io/serviceaccount') || - event.path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') || - event.path.startsWith('/tmp')) - && - !ap.was_path_opened(event.containerId, event.path) - profile_dependency: 0 - severity: 1 - support_policy: false - tags: - - "anomaly" - - "file" - - "open" - - "applicationprofile" + - name: "Files Access Anomalies in container" + enabled: false + id: "R0002" + description: "Detects unexpected file access that is not in the baseline" + expressions: + message: "'Unexpected file access detected: ' + event.comm + ' with PID ' + string(event.pid) + ' to ' + event.path" + uniqueId: "event.comm + '_' + event.path" + ruleExpression: + - eventType: "open" + expression: > + (event.path.startsWith('/etc/') || + event.path.startsWith('/var/log/') || + event.path.startsWith('/var/run/') || + event.path.startsWith('/run/') || + event.path.startsWith('/var/spool/cron/') || + event.path.startsWith('/var/www/') || + event.path.startsWith('/var/lib/') || + event.path.startsWith('/opt/') || + 
event.path.startsWith('/usr/local/') || + event.path.startsWith('/app/') || + event.path == '/.dockerenv' || + event.path == '/proc/self/environ') + && + !(event.path.startsWith('/run/secrets/kubernetes.io/serviceaccount') || + event.path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') || + event.path.startsWith('/tmp')) + && + !ap.was_path_opened(event.containerId, event.path) + profileDependency: 0 + severity: 1 + supportPolicy: false + tags: + - "anomaly" + - "file" + - "open" + - "applicationprofile" diff --git a/pkg/rules/r0003-unexpected-system-call/unexpected-system-call.yaml b/pkg/rules/r0003-unexpected-system-call/unexpected-system-call.yaml index 4e41039..26481e8 100644 --- a/pkg/rules/r0003-unexpected-system-call/unexpected-system-call.yaml +++ b/pkg/rules/r0003-unexpected-system-call/unexpected-system-call.yaml @@ -7,20 +7,20 @@ metadata: app: kubescape spec: rules: - - name: "Syscalls Anomalies in container" - enabled: true - id: "R0003" - description: "Detects unexpected system calls that are not whitelisted by application profile" - expressions: - message: "'Unexpected system call detected: todo with PID ' + string(event.pid)" - unique_id: "'todo'" - rule_expression: - - event_type: "syscall" - expression: "!ap.were_syscalls_used(event.containerId, event.syscalls)" - profile_dependency: 0 - severity: 1 - support_policy: false - tags: - - "anomaly" - - "syscall" - - "applicationprofile" + - name: "Syscalls Anomalies in container" + enabled: true + id: "R0003" + description: "Detects unexpected system calls that are not whitelisted by application profile" + expressions: + message: "'Unexpected system call detected: todo with PID ' + string(event.pid)" + uniqueId: "'todo'" + ruleExpression: + - eventType: "syscall" + expression: "!ap.were_syscalls_used(event.containerId, event.syscalls)" + profileDependency: 0 + severity: 1 + supportPolicy: false + tags: + - "anomaly" + - "syscall" + - "applicationprofile" 
diff --git a/pkg/rules/r0004-unexpected-capability-used/unexpected-capability-used.yaml b/pkg/rules/r0004-unexpected-capability-used/unexpected-capability-used.yaml index a990ebf..a5a0c25 100644 --- a/pkg/rules/r0004-unexpected-capability-used/unexpected-capability-used.yaml +++ b/pkg/rules/r0004-unexpected-capability-used/unexpected-capability-used.yaml @@ -7,20 +7,20 @@ metadata: app: kubescape spec: rules: - - name: "Linux Capabilities Anomalies in container" - enabled: true - id: "R0004" - description: "Detects unexpected capabilities that are not whitelisted by application profile" - expressions: - message: "'Unexpected capability used: ' + event.capName + ' in syscall ' + event.syscallName + ' with PID ' + string(event.pid)" - unique_id: "event.comm + '_' + event.capName" - rule_expression: - - event_type: "capabilities" - expression: "!ap.was_capability_used(event.containerId, event.capName)" - profile_dependency: 0 - severity: 1 - support_policy: false - tags: - - "anomaly" - - "capabilities" - - "applicationprofile" + - name: "Linux Capabilities Anomalies in container" + enabled: true + id: "R0004" + description: "Detects unexpected capabilities that are not whitelisted by application profile" + expressions: + message: "'Unexpected capability used: ' + event.capName + ' in syscall ' + event.syscallName + ' with PID ' + string(event.pid)" + uniqueId: "event.comm + '_' + event.capName" + ruleExpression: + - eventType: "capabilities" + expression: "!ap.was_capability_used(event.containerId, event.capName)" + profileDependency: 0 + severity: 1 + supportPolicy: false + tags: + - "anomaly" + - "capabilities" + - "applicationprofile" diff --git a/pkg/rules/r0005-unexpected-domain-request/unexpected-domain-request.yaml b/pkg/rules/r0005-unexpected-domain-request/unexpected-domain-request.yaml index d69e5ce..d3d229b 100644 --- a/pkg/rules/r0005-unexpected-domain-request/unexpected-domain-request.yaml 
+++ b/pkg/rules/r0005-unexpected-domain-request/unexpected-domain-request.yaml @@ -7,20 +7,20 @@ metadata: app: kubescape spec: rules: - - name: "DNS Anomalies in container" - enabled: true - id: "R0005" - description: "Detecting unexpected domain requests that are not whitelisted by application profile." - expressions: - message: "'Unexpected domain communication: ' + event.name + ' from: ' + event.containerName" - unique_id: "event.comm + '_' + event.name" - rule_expression: - - event_type: "dns" - expression: "!event.name.endsWith('.svc.cluster.local.') && !nn.is_domain_in_egress(event.containerId, event.name)" - profile_dependency: 0 - severity: 1 - support_policy: false - tags: - - "dns" - - "anomaly" - - "networkprofile" + - name: "DNS Anomalies in container" + enabled: true + id: "R0005" + description: "Detecting unexpected domain requests that are not whitelisted by application profile." + expressions: + message: "'Unexpected domain communication: ' + event.name + ' from: ' + event.containerName" + uniqueId: "event.comm + '_' + event.name" + ruleExpression: + - eventType: "dns" + expression: "!event.name.endsWith('.svc.cluster.local.') && !nn.is_domain_in_egress(event.containerId, event.name)" + profileDependency: 0 + severity: 1 + supportPolicy: false + tags: + - "dns" + - "anomaly" + - "networkprofile" diff --git a/pkg/rules/r0006-unexpected-service-account-token-access/unexpected-service-account-token-access.yaml b/pkg/rules/r0006-unexpected-service-account-token-access/unexpected-service-account-token-access.yaml index afc72e6..3c543ab 100644 --- a/pkg/rules/r0006-unexpected-service-account-token-access/unexpected-service-account-token-access.yaml +++ b/pkg/rules/r0006-unexpected-service-account-token-access/unexpected-service-account-token-access.yaml 
@@ -7,28 +7,28 @@ metadata: app: kubescape spec: rules: - - name: "Unexpected service account token access" - enabled: true - id: "R0006" - description: "Detecting unexpected access to service account token." - expressions: - message: "'Unexpected access to service account token: ' + event.path + ' with flags: ' + event.flags.join(',')" - unique_id: "event.comm" - rule_expression: - - event_type: "open" - expression: > - ((event.path.startsWith('/run/secrets/kubernetes.io/serviceaccount') && event.path.endsWith('/token')) || - (event.path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') && event.path.endsWith('/token')) || - (event.path.startsWith('/run/secrets/eks.amazonaws.com/serviceaccount') && event.path.endsWith('/token')) || - (event.path.startsWith('/var/run/secrets/eks.amazonaws.com/serviceaccount') && event.path.endsWith('/token'))) && - !ap.was_path_opened_with_prefix(event.containerId, '/run/secrets/kubernetes.io/serviceaccount') && - !ap.was_path_opened_with_prefix(event.containerId, '/var/run/secrets/kubernetes.io/serviceaccount') && - !ap.was_path_opened_with_prefix(event.containerId, '/run/secrets/eks.amazonaws.com/serviceaccount') && - !ap.was_path_opened_with_prefix(event.containerId, '/var/run/secrets/eks.amazonaws.com/serviceaccount') - profile_dependency: 1 - severity: 5 - support_policy: false - tags: - - "anomaly" - - "serviceaccount" - - "applicationprofile" + - name: "Unexpected service account token access" + enabled: true + id: "R0006" + description: "Detecting unexpected access to service account token." 
+ expressions: + message: "'Unexpected access to service account token: ' + event.path + ' with flags: ' + event.flags.join(',')" + uniqueId: "event.comm" + ruleExpression: + - eventType: "open" + expression: > + ((event.path.startsWith('/run/secrets/kubernetes.io/serviceaccount') && event.path.endsWith('/token')) || + (event.path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') && event.path.endsWith('/token')) || + (event.path.startsWith('/run/secrets/eks.amazonaws.com/serviceaccount') && event.path.endsWith('/token')) || + (event.path.startsWith('/var/run/secrets/eks.amazonaws.com/serviceaccount') && event.path.endsWith('/token'))) && + !ap.was_path_opened_with_prefix(event.containerId, '/run/secrets/kubernetes.io/serviceaccount') && + !ap.was_path_opened_with_prefix(event.containerId, '/var/run/secrets/kubernetes.io/serviceaccount') && + !ap.was_path_opened_with_prefix(event.containerId, '/run/secrets/eks.amazonaws.com/serviceaccount') && + !ap.was_path_opened_with_prefix(event.containerId, '/var/run/secrets/eks.amazonaws.com/serviceaccount') + profileDependency: 1 + severity: 5 + supportPolicy: false + tags: + - "anomaly" + - "serviceaccount" + - "applicationprofile" diff --git a/pkg/rules/r0007-kubernetes-client-executed/kubernetes-client-executed.yaml b/pkg/rules/r0007-kubernetes-client-executed/kubernetes-client-executed.yaml index c7b3760..188a006 100644 --- a/pkg/rules/r0007-kubernetes-client-executed/kubernetes-client-executed.yaml +++ b/pkg/rules/r0007-kubernetes-client-executed/kubernetes-client-executed.yaml 
@@ -7,23 +7,23 @@ metadata: app: kubescape spec: rules: - - name: "Workload uses Kubernetes API unexpectedly" - enabled: true - id: "R0007" - description: "Detecting execution of kubernetes client" - expressions: - message: "event_type == 'exec' ? 'Kubernetes client (' + event.comm + ') was executed with PID ' + string(event.pid) : 'Network connection to Kubernetes API server from container ' + event.containerName" - unique_id: "event_type == 'exec' ? 'exec_' + event.comm : 'network_' + event.dstAddr" - rule_expression: - - event_type: "exec" - expression: "(event.comm == 'kubectl' || event.exepath.endsWith('/kubectl')) && !ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm))" - - event_type: "network" - expression: "event.pktType == 'OUTGOING' && k8s.is_api_server_address(event.dstAddr) && !nn.was_address_in_egress(event.containerId, event.dstAddr)" - profile_dependency: 0 - severity: 5 # Medium - support_policy: false - tags: - - "exec" - - "network" - - "anomaly" - - "applicationprofile" + - name: "Workload uses Kubernetes API unexpectedly" + enabled: true + id: "R0007" + description: "Detecting execution of kubernetes client" + expressions: + message: "eventType == 'exec' ? 'Kubernetes client (' + event.comm + ') was executed with PID ' + string(event.pid) : 'Network connection to Kubernetes API server from container ' + event.containerName" + uniqueId: "eventType == 'exec' ? 
'exec_' + event.comm : 'network_' + event.dstAddr" + ruleExpression: + - eventType: "exec" + expression: "(event.comm == 'kubectl' || event.exepath.endsWith('/kubectl')) && !ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm))" + - eventType: "network" + expression: "event.pktType == 'OUTGOING' && k8s.is_api_server_address(event.dstAddr) && !nn.was_address_in_egress(event.containerId, event.dstAddr)" + profileDependency: 0 + severity: 5 # Medium + supportPolicy: false + tags: + - "exec" + - "network" + - "anomaly" + - "applicationprofile" diff --git a/pkg/rules/r0008-read-environment-variables-procfs/read-environment-variables-procfs.yaml b/pkg/rules/r0008-read-environment-variables-procfs/read-environment-variables-procfs.yaml index 0e7a04f..80d041f 100644 --- a/pkg/rules/r0008-read-environment-variables-procfs/read-environment-variables-procfs.yaml +++ b/pkg/rules/r0008-read-environment-variables-procfs/read-environment-variables-procfs.yaml 
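Review bot: In the R0007 hunk the rename reaches into the CEL expressions themselves: `message` and `uniqueId` now reference an identifier `eventType` (`eventType == 'exec' ? ...`) where the old side used `event_type`, and that is a runtime variable of the evaluator, not a YAML key. Unless the CEL environment declares `eventType` (the node-agent bump in this same patch may do that, but nothing on the page shows it), both expressions fail to compile and the rule yields no usable message or unique id for either the exec or the network event. Either confirm the evaluator exposes `eventType`, or keep the variable spelled as the evaluator defines it and limit the camelCase change to the YAML keys. R0007 is the only rule on this page whose expressions use that variable, so a dedicated test evaluating its message and uniqueId would catch a mismatch early.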
@@ -7,24 +7,24 @@ metadata: app: kubescape spec: rules: - - name: "Read Environment Variables from procfs" - enabled: true - id: "R0008" - description: "Detecting reading environment variables from procfs." - expressions: - message: "'Reading environment variables from procfs: ' + event.path + ' by process ' + event.comm" - unique_id: "event.comm + '_' + event.path" - rule_expression: - - event_type: "open" - expression: > - event.path.startsWith('/proc/') && - event.path.endsWith('/environ') && - !ap.was_path_opened_with_suffix(event.containerId, '/environ') - profile_dependency: 0 # Required - severity: 5 # Medium - support_policy: false - tags: - - "anomaly" - - "procfs" - - "environment" - - "applicationprofile" + - name: "Read Environment Variables from procfs" + enabled: true + id: "R0008" + description: "Detecting reading environment variables from procfs." + expressions: + message: "'Reading environment variables from procfs: ' + event.path + ' by process ' + event.comm" + uniqueId: "event.comm + '_' + event.path" + ruleExpression: + - eventType: "open" + expression: > + event.path.startsWith('/proc/') && + event.path.endsWith('/environ') && + !ap.was_path_opened_with_suffix(event.containerId, '/environ') + profileDependency: 0 # Required + severity: 5 # Medium + supportPolicy: false + tags: + - "anomaly" + - "procfs" + - "environment" + - "applicationprofile" diff --git a/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml b/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml index 430137c..a9456da 100644 --- a/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml +++ b/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml 
@@ -7,20 +7,20 @@ metadata: app: kubescape spec: rules: - - name: "eBPF Program Load" - enabled: true - id: "R0009" - description: "Detecting eBPF program load." - expressions: - message: "'bpf system call executed in ' + event.containerName" - unique_id: "event.comm + '_bpf'" - rule_expression: - - event_type: "syscall" - expression: "'bpf' in event.syscalls && !ap.was_syscall_used(event.containerId, 'bpf')" - profile_dependency: 1 - severity: 5 - support_policy: false - tags: - - "syscall" - - "ebpf" - - "applicationprofile" + - name: "eBPF Program Load" + enabled: true + id: "R0009" + description: "Detecting eBPF program load." + expressions: + message: "'bpf system call executed in ' + event.containerName" + uniqueId: "event.comm + '_bpf'" + ruleExpression: + - eventType: "syscall" + expression: "'bpf' in event.syscalls && !ap.was_syscall_used(event.containerId, 'bpf')" + profileDependency: 1 + severity: 5 + supportPolicy: false + tags: + - "syscall" + - "ebpf" + - "applicationprofile" diff --git a/pkg/rules/r0010-unexpected-sensitive-file-access/unexpected-sensitive-file-access.yaml b/pkg/rules/r0010-unexpected-sensitive-file-access/unexpected-sensitive-file-access.yaml index b5b2535..8343e9a 100644 --- a/pkg/rules/r0010-unexpected-sensitive-file-access/unexpected-sensitive-file-access.yaml +++ b/pkg/rules/r0010-unexpected-sensitive-file-access/unexpected-sensitive-file-access.yaml 
@@ -7,20 +7,20 @@ metadata: app: kubescape spec: rules: - - name: "Unexpected Sensitive File Access" - enabled: true - id: "R0010" - description: "Detecting access to sensitive files." - expressions: - message: "'Unexpected sensitive file access: ' + event.path + ' by process ' + event.comm" - unique_id: "event.comm + '_' + event.path" - rule_expression: - - event_type: "open" - expression: "event.path.startsWith('/etc/shadow') && !ap.was_path_opened(event.containerId, event.path)" - profile_dependency: 1 - severity: 5 - support_policy: false - tags: - - "files" - - "anomaly" - - "applicationprofile" + - name: "Unexpected Sensitive File Access" + enabled: true + id: "R0010" + description: "Detecting access to sensitive files." + expressions: + message: "'Unexpected sensitive file access: ' + event.path + ' by process ' + event.comm" + uniqueId: "event.comm + '_' + event.path" + ruleExpression: + - eventType: "open" + expression: "event.path.startsWith('/etc/shadow') && !ap.was_path_opened(event.containerId, event.path)" + profileDependency: 1 + severity: 5 + supportPolicy: false + tags: + - "files" + - "anomaly" + - "applicationprofile" diff --git a/pkg/rules/r0011-unexpected-egress-network-traffic/unexpected-egress-network-traffic.yaml b/pkg/rules/r0011-unexpected-egress-network-traffic/unexpected-egress-network-traffic.yaml index 502525c..462312b 100644 --- a/pkg/rules/r0011-unexpected-egress-network-traffic/unexpected-egress-network-traffic.yaml +++ b/pkg/rules/r0011-unexpected-egress-network-traffic/unexpected-egress-network-traffic.yaml 
@@ -7,21 +7,21 @@ metadata: app: kubescape spec: rules: - - name: "Unexpected Egress Network Traffic" - enabled: false - id: "R0011" - description: "Detecting unexpected egress network traffic that is not whitelisted by application profile." - expressions: - message: "'Unexpected egress network communication to: ' + event.dstAddr + ':' + string(event.dstPort) + ' using ' + event.proto + ' from: ' + event.containerName" - unique_id: "event.dstAddr + '_' + string(event.dstPort) + '_' + event.proto" - rule_expression: - - event_type: "network" - expression: "event.pktType == 'OUTGOING' && !net.is_private_ip(event.dstAddr) && !nn.was_address_in_egress(event.containerId, event.dstAddr)" - profile_dependency: 0 - severity: 5 # Medium - support_policy: false - tags: - - "whitelisted" - - "network" - - "anomaly" - - "networkprofile" + - name: "Unexpected Egress Network Traffic" + enabled: false + id: "R0011" + description: "Detecting unexpected egress network traffic that is not whitelisted by application profile." + expressions: + message: "'Unexpected egress network communication to: ' + event.dstAddr + ':' + string(event.dstPort) + ' using ' + event.proto + ' from: ' + event.containerName" + uniqueId: "event.dstAddr + '_' + string(event.dstPort) + '_' + event.proto" + ruleExpression: + - eventType: "network" + expression: "event.pktType == 'OUTGOING' && !net.is_private_ip(event.dstAddr) && !nn.was_address_in_egress(event.containerId, event.dstAddr)" + profileDependency: 0 + severity: 5 # Medium + supportPolicy: false + tags: + - "whitelisted" + - "network" + - "anomaly" + - "networkprofile" diff --git a/pkg/rules/r1000-exec-from-malicious-source/exec-from-malicious-source.yaml b/pkg/rules/r1000-exec-from-malicious-source/exec-from-malicious-source.yaml index 06ea27e..2509f11 100644 --- a/pkg/rules/r1000-exec-from-malicious-source/exec-from-malicious-source.yaml +++ b/pkg/rules/r1000-exec-from-malicious-source/exec-from-malicious-source.yaml 
@@ -7,23 +7,23 @@ metadata: app: kubescape spec: rules: - - name: "Process executed from malicious source" - enabled: true - id: "R1000" - description: "Detecting exec calls that are from malicious source like: /dev/shm" - expressions: - message: "'Execution from malicious source: ' + event.exepath + ' in directory ' + event.cwd" - unique_id: "event.comm + '_' + event.exepath + '_' + event.pcomm" - rule_expression: - - event_type: "exec" - expression: > - (event.exepath == '/dev/shm' || event.exepath.startsWith('/dev/shm/')) || - (event.cwd == '/dev/shm' || event.cwd.startsWith('/dev/shm/') || - (parse.get_exec_path(event.args, event.comm).startsWith('/dev/shm/'))) - profile_dependency: 2 - severity: 8 - support_policy: false - tags: - - "exec" - - "signature" - - "malicious" + - name: "Process executed from malicious source" + enabled: true + id: "R1000" + description: "Detecting exec calls that are from malicious source like: /dev/shm" + expressions: + message: "'Execution from malicious source: ' + event.exepath + ' in directory ' + event.cwd" + uniqueId: "event.comm + '_' + event.exepath + '_' + event.pcomm" + ruleExpression: + - eventType: "exec" + expression: > + (event.exepath == '/dev/shm' || event.exepath.startsWith('/dev/shm/')) || + (event.cwd == '/dev/shm' || event.cwd.startsWith('/dev/shm/') || + (parse.get_exec_path(event.args, event.comm).startsWith('/dev/shm/'))) + profileDependency: 2 + severity: 8 + supportPolicy: false + tags: + - "exec" + - "signature" + - "malicious" diff --git a/pkg/rules/r1001-exec-binary-not-in-base-image/exec-binary-not-in-base-image.yaml b/pkg/rules/r1001-exec-binary-not-in-base-image/exec-binary-not-in-base-image.yaml index a9c4fb9..c5498b4 100644 --- a/pkg/rules/r1001-exec-binary-not-in-base-image/exec-binary-not-in-base-image.yaml +++ b/pkg/rules/r1001-exec-binary-not-in-base-image/exec-binary-not-in-base-image.yaml 
@@ -7,25 +7,25 @@ metadata: app: kubescape spec: rules: - - name: "Drifted process executed" - enabled: true - id: "R1001" - description: "Detecting exec calls of binaries that are not included in the base image" - expressions: - message: "'Process (' + event.comm + ') was executed and is not part of the image'" - unique_id: "event.comm + '_' + event.exepath + '_' + event.pcomm" - rule_expression: - - event_type: "exec" - expression: > - (event.upperlayer == true || - event.pupperlayer == true) && - !ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm)) - profile_dependency: 1 - severity: 8 - support_policy: false - tags: - - "exec" - - "malicious" - - "binary" - - "base image" - - "applicationprofile" + - name: "Drifted process executed" + enabled: true + id: "R1001" + description: "Detecting exec calls of binaries that are not included in the base image" + expressions: + message: "'Process (' + event.comm + ') was executed and is not part of the image'" + uniqueId: "event.comm + '_' + event.exepath + '_' + event.pcomm" + ruleExpression: + - eventType: "exec" + expression: > + (event.upperlayer == true || + event.pupperlayer == true) && + !ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm)) + profileDependency: 1 + severity: 8 + supportPolicy: false + tags: + - "exec" + - "malicious" + - "binary" + - "base image" + - "applicationprofile" diff --git a/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml b/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml index 86548ef..4231330 100644 --- a/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml +++ b/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml 
@@ -7,23 +7,23 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Process tries to load a kernel module"
- enabled: true
- id: "R1002"
- description: "Detecting Kernel Module Load."
- expressions:
- message: "'Kernel module load syscall (init_module) was called'"
- unique_id: "'init_module'"
- rule_expression:
- - event_type: "syscall"
- expression: >
- 'init_module' in event.syscalls ||
- 'finit_module' in event.syscalls
- profile_dependency: 2
- severity: 10
- support_policy: false
- tags:
- - "syscall"
- - "kernel"
- - "module"
- - "load"
+ - name: "Process tries to load a kernel module"
+ enabled: true
+ id: "R1002"
+ description: "Detecting Kernel Module Load."
+ expressions:
+ message: "'Kernel module load syscall (init_module) was called'"
+ uniqueId: "'init_module'"
+ ruleExpression:
+ - eventType: "syscall"
+ expression: >
+ 'init_module' in event.syscalls ||
+ 'finit_module' in event.syscalls
+ profileDependency: 2
+ severity: 10
+ supportPolicy: false
+ tags:
+ - "syscall"
+ - "kernel"
+ - "module"
+ - "load"
diff --git a/pkg/rules/r1003-malicious-ssh-connection/malicious-ssh-connection.yaml b/pkg/rules/r1003-malicious-ssh-connection/malicious-ssh-connection.yaml
index 6df6945..1149d9f 100644
--- a/pkg/rules/r1003-malicious-ssh-connection/malicious-ssh-connection.yaml
+++ b/pkg/rules/r1003-malicious-ssh-connection/malicious-ssh-connection.yaml
@@ -7,22 +7,22 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Disallowed ssh connection"
- enabled: false
- id: "R1003"
- description: "Detecting ssh connection to disallowed port"
- expressions:
- message: "'Malicious SSH connection attempt to ' + event.dstIp + ':' + string(dyn(event.dstPort))"
- unique_id: "event.comm + '_' + event.dstIp + '_' + string(dyn(event.dstPort))"
- rule_expression:
- - event_type: "ssh"
- expression: "dyn(event.srcPort) >= 32768 && dyn(event.srcPort) <= 60999 && !(dyn(event.dstPort) in [22, 2022]) && !nn.was_address_in_egress(event.containerId, event.dstIp)"
- profile_dependency: 1
- severity: 5
- support_policy: false
- tags:
- - "ssh"
- - "connection"
- - "port"
- - "malicious"
- - "networkprofile"
+ - name: "Disallowed ssh connection"
+ enabled: false
+ id: "R1003"
+ description: "Detecting ssh connection to disallowed port"
+ expressions:
+ message: "'Malicious SSH connection attempt to ' + event.dstIp + ':' + string(dyn(event.dstPort))"
+ uniqueId: "event.comm + '_' + event.dstIp + '_' + string(dyn(event.dstPort))"
+ ruleExpression:
+ - eventType: "ssh"
+ expression: "dyn(event.srcPort) >= 32768 && dyn(event.srcPort) <= 60999 && !(dyn(event.dstPort) in [22, 2022]) && !nn.was_address_in_egress(event.containerId, event.dstIp)"
+ profileDependency: 1
+ severity: 5
+ supportPolicy: false
+ tags:
+ - "ssh"
+ - "connection"
+ - "port"
+ - "malicious"
+ - "networkprofile"
diff --git a/pkg/rules/r1004-exec-from-mount/exec-from-mount.yaml b/pkg/rules/r1004-exec-from-mount/exec-from-mount.yaml
index e3a9ecd..2c87461 100644
--- a/pkg/rules/r1004-exec-from-mount/exec-from-mount.yaml
+++ b/pkg/rules/r1004-exec-from-mount/exec-from-mount.yaml
@@ -7,20 +7,20 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Process executed from mount"
- enabled: true
- id: "R1004"
- description: "Detecting exec calls from mounted paths."
- expressions:
- message: "'Process (' + event.comm + ') was executed from a mounted path'"
- unique_id: "event.comm + '_' + event.exepath + '_'"
- rule_expression:
- - event_type: "exec"
- expression: "!ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm)) && k8s.get_container_mount_paths(event.namespace, event.podName, event.containerName).exists(mount, event.exepath.startsWith(mount) || parse.get_exec_path(event.args, event.comm).startsWith(mount))"
- profile_dependency: 1
- severity: 5
- support_policy: false
- tags:
- - "exec"
- - "mount"
- - "applicationprofile"
+ - name: "Process executed from mount"
+ enabled: true
+ id: "R1004"
+ description: "Detecting exec calls from mounted paths."
+ expressions:
+ message: "'Process (' + event.comm + ') was executed from a mounted path'"
+ uniqueId: "event.comm + '_' + event.exepath + '_'"
+ ruleExpression:
+ - eventType: "exec"
+ expression: "!ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm)) && k8s.get_container_mount_paths(event.namespace, event.podName, event.containerName).exists(mount, event.exepath.startsWith(mount) || parse.get_exec_path(event.args, event.comm).startsWith(mount))"
+ profileDependency: 1
+ severity: 5
+ supportPolicy: false
+ tags:
+ - "exec"
+ - "mount"
+ - "applicationprofile"
diff --git a/pkg/rules/r1005-fileless-execution/fileless-execution.yaml b/pkg/rules/r1005-fileless-execution/fileless-execution.yaml
index b261e96..759d0f4 100644
--- a/pkg/rules/r1005-fileless-execution/fileless-execution.yaml
+++ b/pkg/rules/r1005-fileless-execution/fileless-execution.yaml
@@ -7,20 +7,20 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Fileless execution detected"
- enabled: true
- id: "R1005"
- description: "Detecting Fileless Execution"
- expressions:
- message: "'Fileless execution detected: exec call \"' + event.comm + '\" is from a malicious source'"
- unique_id: "event.comm + '_' + event.exepath + '_' + event.pcomm"
- rule_expression:
- - event_type: "exec"
- expression: "event.exepath.contains('memfd') || event.exepath.startsWith('/proc/self/fd') || event.exepath.matches('/proc/[0-9]+/fd/[0-9]+')"
- profile_dependency: 2
- severity: 8
- support_policy: false
- tags:
- - "fileless"
- - "execution"
- - "malicious"
+ - name: "Fileless execution detected"
+ enabled: true
+ id: "R1005"
+ description: "Detecting Fileless Execution"
+ expressions:
+ message: '''Fileless execution detected: exec call "'' + event.comm + ''" is from a malicious source'''
+ uniqueId: "event.comm + '_' + event.exepath + '_' + event.pcomm"
+ ruleExpression:
+ - eventType: "exec"
+ expression: "event.exepath.contains('memfd') || event.exepath.startsWith('/proc/self/fd') || event.exepath.matches('/proc/[0-9]+/fd/[0-9]+')"
+ profileDependency: 2
+ severity: 8
+ supportPolicy: false
+ tags:
+ - "fileless"
+ - "execution"
+ - "malicious"
diff --git a/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml b/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml
index 73a07d9..1eda9b3 100644
--- a/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml
+++ b/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml
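Review bot: The rewritten R1005 `message` uses a YAML single-quoted scalar with `''` escapes, so each end of the value is four consecutive quote characters (one delimiter plus one escaped quote); I worked through the escaping and it decodes to the same CEL string as the old `"'Fileless execution detected: exec call \"' + event.comm + '\" is from a malicious source'"`, but a reader cannot see that at a glance, and a detection message is exactly the kind of string that gets edited later without re-deriving the escaping. Prefer keeping the double-quoted form the other rules use, or a block scalar such as `message: >-` followed by the unescaped CEL on its own line, so the expression reads the way the engine sees it.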
@@ -7,22 +7,22 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Process tries to escape container"
- enabled: true
- id: "R1006"
- description: "Detecting Unshare System Call usage, which can be used to escape container."
- expressions:
- message: "'Unshare system call detected: unshare with PID ' + string(event.pid)"
- unique_id: "'unshare'"
- rule_expression:
- - event_type: "syscall"
- expression: "'unshare' in event.syscalls && !ap.was_syscall_used(event.containerId, 'unshare')"
- profile_dependency: 2
- severity: 5
- support_policy: false
- tags:
- - "syscall"
- - "escape"
- - "unshare"
- - "anomaly"
- - "applicationprofile"
+ - name: "Process tries to escape container"
+ enabled: true
+ id: "R1006"
+ description: "Detecting Unshare System Call usage, which can be used to escape container."
+ expressions:
+ message: "'Unshare system call detected: unshare with PID ' + string(event.pid)"
+ uniqueId: "'unshare'"
+ ruleExpression:
+ - eventType: "syscall"
+ expression: "'unshare' in event.syscalls && !ap.was_syscall_used(event.containerId, 'unshare')"
+ profileDependency: 2
+ severity: 5
+ supportPolicy: false
+ tags:
+ - "syscall"
+ - "escape"
+ - "unshare"
+ - "anomaly"
+ - "applicationprofile"
diff --git a/pkg/rules/r1007-xmr-crypto-mining/xmr-crypto-mining.yaml b/pkg/rules/r1007-xmr-crypto-mining/xmr-crypto-mining.yaml
index 8b584e9..b9f685b 100644
--- a/pkg/rules/r1007-xmr-crypto-mining/xmr-crypto-mining.yaml
+++ b/pkg/rules/r1007-xmr-crypto-mining/xmr-crypto-mining.yaml
@@ -7,20 +7,20 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Crypto miner launched"
- enabled: true
- id: "R1007"
- description: "Detecting XMR Crypto Miners by randomx algorithm usage."
- expressions:
- message: "'XMR Crypto Miner process: (' + event.exepath + ') executed'"
- unique_id: "event.exepath + '_' + event.comm"
- rule_expression:
- - event_type: "randomx"
- expression: "true"
- profile_dependency: 2
- severity: 10
- support_policy: false
- tags:
- - "crypto"
- - "miners"
- - "malicious"
+ - name: "Crypto miner launched"
+ enabled: true
+ id: "R1007"
+ description: "Detecting XMR Crypto Miners by randomx algorithm usage."
+ expressions:
+ message: "'XMR Crypto Miner process: (' + event.exepath + ') executed'"
+ uniqueId: "event.exepath + '_' + event.comm"
+ ruleExpression:
+ - eventType: "randomx"
+ expression: "true"
+ profileDependency: 2
+ severity: 10
+ supportPolicy: false
+ tags:
+ - "crypto"
+ - "miners"
+ - "malicious"
diff --git a/pkg/rules/r1008-crypto-mining-domain-communication/crypto-mining-domain-communication.yaml b/pkg/rules/r1008-crypto-mining-domain-communication/crypto-mining-domain-communication.yaml
index 2f9c004..9ccea8b 100644
--- a/pkg/rules/r1008-crypto-mining-domain-communication/crypto-mining-domain-communication.yaml
+++ b/pkg/rules/r1008-crypto-mining-domain-communication/crypto-mining-domain-communication.yaml
@@ -7,22 +7,22 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Crypto Mining Domain Communication"
- enabled: true
- id: "R1008"
- description: "Detecting Crypto miners communication by domain"
- expressions:
- message: "'Communication with a known crypto mining domain: ' + event.name"
- unique_id: "event.name + '_' + event.comm"
- rule_expression:
- - event_type: "dns"
- expression: "event.name in ['2cryptocalc.com.', '2miners.com.', 'antpool.com.', 'asia1.ethpool.org.', 'bohemianpool.com.', 'botbox.dev.', 'btm.antpool.com.', 'c3pool.com.', 'c4pool.org.', 'ca.minexmr.com.', 'cn.stratum.slushpool.com.', 'dash.antpool.com.', 'data.miningpoolstats.stream.', 'de.minexmr.com.', 'eth-ar.dwarfpool.com.', 'eth-asia.dwarfpool.com.', 'eth-asia1.nanopool.org.', 'eth-au.dwarfpool.com.', 'eth-au1.nanopool.org.', 'eth-br.dwarfpool.com.', 'eth-cn.dwarfpool.com.', 'eth-cn2.dwarfpool.com.', 'eth-eu.dwarfpool.com.', 'eth-eu1.nanopool.org.', 'eth-eu2.nanopool.org.', 'eth-hk.dwarfpool.com.', 'eth-jp1.nanopool.org.', 'eth-ru.dwarfpool.com.', 'eth-ru2.dwarfpool.com.', 'eth-sg.dwarfpool.com.', 'eth-us-east1.nanopool.org.', 'eth-us-west1.nanopool.org.', 'eth-us.dwarfpool.com.', 'eth-us2.dwarfpool.com.', 'eth.antpool.com.', 'eu.stratum.slushpool.com.', 'eu1.ethermine.org.', 'eu1.ethpool.org.', 'fastpool.xyz.', 'fr.minexmr.com.', 'kriptokyng.com.', 'mine.moneropool.com.', 'mine.xmrpool.net.', 'miningmadness.com.', 'monero.cedric-crispin.com.', 'monero.crypto-pool.fr.', 'monero.fairhash.org.', 'monero.hashvault.pro.', 'monero.herominers.com.', 'monerod.org.', 'monerohash.com.', 'moneroocean.stream.', 'monerop.com.', 'multi-pools.com.', 'p2pool.io.', 'pool.kryptex.com.', 'pool.minexmr.com.', 'pool.monero.hashvault.pro.', 'pool.rplant.xyz.', 'pool.supportxmr.com.', 'pool.xmr.pt.', 'prohashing.com.', 'rx.unmineable.com.', 'sg.minexmr.com.', 'sg.stratum.slushpool.com.', 'skypool.org.', 'solo-xmr.2miners.com.', 'ss.antpool.com.', 'stratum-btm.antpool.com.', 'stratum-dash.antpool.com.', 'stratum-eth.antpool.com.', 'stratum-ltc.antpool.com.', 'stratum-xmc.antpool.com.', 'stratum-zec.antpool.com.', 'stratum.antpool.com.', 'supportxmr.com.', 'trustpool.cc.', 'us-east.stratum.slushpool.com.', 'us1.ethermine.org.', 'us1.ethpool.org.', 'us2.ethermine.org.', 'us2.ethpool.org.', 'web.xmrpool.eu.', 'www.domajorpool.com.', 'www.dxpool.com.', 'www.mining-dutch.nl.', 'xmc.antpool.com.', 'xmr-asia1.nanopool.org.', 'xmr-au1.nanopool.org.', 'xmr-eu1.nanopool.org.', 'xmr-eu2.nanopool.org.', 'xmr-jp1.nanopool.org.', 'xmr-us-east1.nanopool.org.', 'xmr-us-west1.nanopool.org.', 'xmr.2miners.com.', 'xmr.crypto-pool.fr.', 'xmr.gntl.uk.', 'xmr.nanopool.org.', 'xmr.pool-pay.com.', 'xmr.pool.minergate.com.', 'xmr.solopool.org.', 'xmr.volt-mine.com.', 'xmr.zeropool.io.', 'zec.antpool.com.', 'zergpool.com.', 'auto.c3pool.org.', 'us.monero.herominers.com.']"
- profile_dependency: 2
- severity: 10
- support_policy: false
- tags:
- - "network"
- - "crypto"
- - "miners"
- - "malicious"
- - "dns"
+ - name: "Crypto Mining Domain Communication"
+ enabled: true
+ id: "R1008"
+ description: "Detecting Crypto miners communication by domain"
+ expressions:
+ message: "'Communication with a known crypto mining domain: ' + event.name"
+ uniqueId: "event.name + '_' + event.comm"
+ ruleExpression:
+ - eventType: "dns"
+ expression: "event.name in ['2cryptocalc.com.', '2miners.com.', 'antpool.com.', 'asia1.ethpool.org.', 'bohemianpool.com.', 'botbox.dev.', 'btm.antpool.com.', 'c3pool.com.', 'c4pool.org.', 'ca.minexmr.com.', 'cn.stratum.slushpool.com.', 'dash.antpool.com.', 'data.miningpoolstats.stream.', 'de.minexmr.com.', 'eth-ar.dwarfpool.com.', 'eth-asia.dwarfpool.com.', 'eth-asia1.nanopool.org.', 'eth-au.dwarfpool.com.', 'eth-au1.nanopool.org.', 'eth-br.dwarfpool.com.', 'eth-cn.dwarfpool.com.', 'eth-cn2.dwarfpool.com.', 'eth-eu.dwarfpool.com.', 'eth-eu1.nanopool.org.', 'eth-eu2.nanopool.org.', 'eth-hk.dwarfpool.com.', 'eth-jp1.nanopool.org.', 'eth-ru.dwarfpool.com.', 'eth-ru2.dwarfpool.com.', 'eth-sg.dwarfpool.com.', 'eth-us-east1.nanopool.org.', 'eth-us-west1.nanopool.org.', 'eth-us.dwarfpool.com.', 'eth-us2.dwarfpool.com.', 'eth.antpool.com.', 'eu.stratum.slushpool.com.', 'eu1.ethermine.org.', 'eu1.ethpool.org.', 'fastpool.xyz.', 'fr.minexmr.com.', 'kriptokyng.com.', 'mine.moneropool.com.', 'mine.xmrpool.net.', 'miningmadness.com.', 'monero.cedric-crispin.com.', 'monero.crypto-pool.fr.', 'monero.fairhash.org.', 'monero.hashvault.pro.', 'monero.herominers.com.', 'monerod.org.', 'monerohash.com.', 'moneroocean.stream.', 'monerop.com.', 'multi-pools.com.', 'p2pool.io.', 'pool.kryptex.com.', 'pool.minexmr.com.', 'pool.monero.hashvault.pro.', 'pool.rplant.xyz.', 'pool.supportxmr.com.', 'pool.xmr.pt.', 'prohashing.com.', 'rx.unmineable.com.', 'sg.minexmr.com.', 'sg.stratum.slushpool.com.', 'skypool.org.', 'solo-xmr.2miners.com.', 'ss.antpool.com.', 'stratum-btm.antpool.com.', 'stratum-dash.antpool.com.', 'stratum-eth.antpool.com.', 'stratum-ltc.antpool.com.', 'stratum-xmc.antpool.com.', 'stratum-zec.antpool.com.', 'stratum.antpool.com.', 'supportxmr.com.', 'trustpool.cc.', 'us-east.stratum.slushpool.com.', 'us1.ethermine.org.', 'us1.ethpool.org.', 'us2.ethermine.org.', 'us2.ethpool.org.', 'web.xmrpool.eu.', 'www.domajorpool.com.', 'www.dxpool.com.', 'www.mining-dutch.nl.', 'xmc.antpool.com.', 'xmr-asia1.nanopool.org.', 'xmr-au1.nanopool.org.', 'xmr-eu1.nanopool.org.', 'xmr-eu2.nanopool.org.', 'xmr-jp1.nanopool.org.', 'xmr-us-east1.nanopool.org.', 'xmr-us-west1.nanopool.org.', 'xmr.2miners.com.', 'xmr.crypto-pool.fr.', 'xmr.gntl.uk.', 'xmr.nanopool.org.', 'xmr.pool-pay.com.', 'xmr.pool.minergate.com.', 'xmr.solopool.org.', 'xmr.volt-mine.com.', 'xmr.zeropool.io.', 'zec.antpool.com.', 'zergpool.com.', 'auto.c3pool.org.', 'us.monero.herominers.com.']"
+ profileDependency: 2
+ severity: 10
+ supportPolicy: false
+ tags:
+ - "network"
+ - "crypto"
+ - "miners"
+ - "malicious"
+ - "dns"
diff --git a/pkg/rules/r1009-crypto-mining-related-port/crypto-mining-related-port.yaml b/pkg/rules/r1009-crypto-mining-related-port/crypto-mining-related-port.yaml
index 7aa727c..91da743 100644
--- a/pkg/rules/r1009-crypto-mining-related-port/crypto-mining-related-port.yaml
+++ b/pkg/rules/r1009-crypto-mining-related-port/crypto-mining-related-port.yaml
@@ -7,22 +7,22 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Crypto Mining Related Port Communication"
- enabled: true
- id: "R1009"
- description: "Detecting Crypto Miners by suspicious port usage."
- expressions:
- message: "'Detected crypto mining related port communication on port ' + string(event.dstPort) + ' to ' + event.dstAddr + ' with protocol ' + event.proto"
- unique_id: "event.comm + '_' + string(event.dstPort)"
- rule_expression:
- - event_type: "network"
- expression: "event.proto == 'TCP' && event.pktType == 'OUTGOING' && event.dstPort in [3333, 45700] && !nn.was_address_in_egress(event.containerId, event.dstAddr)"
- profile_dependency: 1
- severity: 3
- support_policy: false
- tags:
- - "network"
- - "crypto"
- - "miners"
- - "malicious"
- - "networkprofile"
+ - name: "Crypto Mining Related Port Communication"
+ enabled: true
+ id: "R1009"
+ description: "Detecting Crypto Miners by suspicious port usage."
+ expressions:
+ message: "'Detected crypto mining related port communication on port ' + string(event.dstPort) + ' to ' + event.dstAddr + ' with protocol ' + event.proto"
+ uniqueId: "event.comm + '_' + string(event.dstPort)"
+ ruleExpression:
+ - eventType: "network"
+ expression: "event.proto == 'TCP' && event.pktType == 'OUTGOING' && event.dstPort in [3333, 45700] && !nn.was_address_in_egress(event.containerId, event.dstAddr)"
+ profileDependency: 1
+ severity: 3
+ supportPolicy: false
+ tags:
+ - "network"
+ - "crypto"
+ - "miners"
+ - "malicious"
+ - "networkprofile"
diff --git a/pkg/rules/r1010-symlink-created-over-sensitive-file/symlink-created-over-sensitive-file.yaml b/pkg/rules/r1010-symlink-created-over-sensitive-file/symlink-created-over-sensitive-file.yaml
index c26d304..e57f431 100644
--- a/pkg/rules/r1010-symlink-created-over-sensitive-file/symlink-created-over-sensitive-file.yaml
+++ b/pkg/rules/r1010-symlink-created-over-sensitive-file/symlink-created-over-sensitive-file.yaml
@@ -7,20 +7,20 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Soft link created over sensitive file"
- enabled: true
- id: "R1010"
- description: "Detects symlink creation over sensitive files"
- expressions:
- message: "'Symlink created over sensitive file: ' + event.oldPath + ' -> ' + event.newPath"
- unique_id: "event.comm + '_' + event.oldPath"
- rule_expression:
- - event_type: "symlink"
- expression: "(event.oldPath.startsWith('/etc/shadow') || event.oldPath.startsWith('/etc/sudoers')) && !ap.was_path_opened(event.containerId, event.oldPath)"
- profile_dependency: 1
- severity: 5
- support_policy: true
- tags:
- - "anomaly"
- - "symlink"
- - "applicationprofile"
+ - name: "Soft link created over sensitive file"
+ enabled: true
+ id: "R1010"
+ description: "Detects symlink creation over sensitive files"
+ expressions:
+ message: "'Symlink created over sensitive file: ' + event.oldPath + ' -> ' + event.newPath"
+ uniqueId: "event.comm + '_' + event.oldPath"
+ ruleExpression:
+ - eventType: "symlink"
+ expression: "(event.oldPath.startsWith('/etc/shadow') || event.oldPath.startsWith('/etc/sudoers')) && !ap.was_path_opened(event.containerId, event.oldPath)"
+ profileDependency: 1
+ severity: 5
+ supportPolicy: true
+ tags:
+ - "anomaly"
+ - "symlink"
+ - "applicationprofile"
diff --git a/pkg/rules/r1011-ld-preload-hook/ld-preload-hook.yaml b/pkg/rules/r1011-ld-preload-hook/ld-preload-hook.yaml
index e16cc5b..60b38d5 100644
--- a/pkg/rules/r1011-ld-preload-hook/ld-preload-hook.yaml
+++ b/pkg/rules/r1011-ld-preload-hook/ld-preload-hook.yaml
@@ -7,22 +7,22 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "ld_preload hooks technique detected"
- enabled: false
- id: "R1011"
- description: "Detecting ld_preload hook techniques."
- expressions:
- message: "event_type == 'exec' ? 'Process (' + event.comm + ') is using a dynamic linker hook: ' + process.get_ld_hook_var(event.pid) : 'The dynamic linker configuration file (' + event.path + ') was modified by process (' + event.comm + ')'"
- unique_id: "event_type == 'exec' ? 'exec_' + event.comm : 'open_' + event.path"
- rule_expression:
- - event_type: "exec"
- expression: "event.comm != 'java' && event.containerName != 'matlab' && process.get_ld_hook_var(event.pid) != ''"
- - event_type: "open"
- expression: "event.path == '/etc/ld.so.preload' && has(event.flagsRaw) && event.flagsRaw != 0"
- profile_dependency: 1
- severity: 5
- support_policy: true
- tags:
- - "exec"
- - "malicious"
- - "applicationprofile"
+ - name: "ld_preload hooks technique detected"
+ enabled: false
+ id: "R1011"
+ description: "Detecting ld_preload hook techniques."
+ expressions:
+ message: "eventType == 'exec' ? 'Process (' + event.comm + ') is using a dynamic linker hook: ' + process.get_ld_hook_var(event.pid) : 'The dynamic linker configuration file (' + event.path + ') was modified by process (' + event.comm + ')'"
+ uniqueId: "eventType == 'exec' ? 'exec_' + event.comm : 'open_' + event.path"
+ ruleExpression:
+ - eventType: "exec"
+ expression: "event.comm != 'java' && event.containerName != 'matlab' && process.get_ld_hook_var(event.pid) != ''"
+ - eventType: "open"
+ expression: "event.path == '/etc/ld.so.preload' && has(event.flagsRaw) && event.flagsRaw != 0"
+ profileDependency: 1
+ severity: 5
+ supportPolicy: true
+ tags:
+ - "exec"
+ - "malicious"
+ - "applicationprofile"
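Review bot: Unlike the other hunks, this one also renames a CEL variable, not just YAML keys: the new `message` and `uniqueId` expressions read `eventType == 'exec' ? …` where the old ones read `event_type`, so they only evaluate if the engine now declares `eventType` in the CEL environment; if it still binds `event_type`, both expressions fail to compile and this rule cannot produce an alert even when its exec or open expression matches. The same `event_type == 'exec' ?` ternary appears in R0007 on the old side of the rules-crd.yaml hunk further down (its new side is outside this chunk), so the engine binding and that rule need the same treatment, ideally with a test that compiles every shipped `message`/`uniqueId` expression against the environment. Separately, the exec exemption `event.comm != 'java' && event.containerName != 'matlab'` is a name-based allowlist on a value the process chooses itself, so a loader that names its binary `java` (or uses `prctl(PR_SET_NAME)`) evades the `LD_PRELOAD` check entirely; keying the exemption on `event.exepath` or on the application profile (for example `ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm))`, as R1001 and R1004 do) would be harder to spoof. Note the rule ships with `enabled: false`, so none of this fires by default.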
diff --git a/pkg/rules/r1012-hardlink-created-over-sensitive-file/hardlink-created-over-sensitive-file.yaml b/pkg/rules/r1012-hardlink-created-over-sensitive-file/hardlink-created-over-sensitive-file.yaml
index 4219d07..c2f005e 100644
--- a/pkg/rules/r1012-hardlink-created-over-sensitive-file/hardlink-created-over-sensitive-file.yaml
+++ b/pkg/rules/r1012-hardlink-created-over-sensitive-file/hardlink-created-over-sensitive-file.yaml
@@ -7,20 +7,20 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Hard link created over sensitive file"
- enabled: true
- id: "R1012"
- description: "Detecting hardlink creation over sensitive files."
- expressions:
- message: "'Hardlink created over sensitive file: ' + event.oldPath + ' - ' + event.newPath"
- unique_id: "event.comm + '_' + event.oldPath"
- rule_expression:
- - event_type: "hardlink"
- expression: "(event.oldPath.startsWith('/etc/shadow') || event.oldPath.startsWith('/etc/sudoers')) && !ap.was_path_opened(event.containerId, event.oldPath)"
- profile_dependency: 1
- severity: 5
- support_policy: true
- tags:
- - "files"
- - "malicious"
- - "applicationprofile"
+ - name: "Hard link created over sensitive file"
+ enabled: true
+ id: "R1012"
+ description: "Detecting hardlink creation over sensitive files."
+ expressions:
+ message: "'Hardlink created over sensitive file: ' + event.oldPath + ' - ' + event.newPath"
+ uniqueId: "event.comm + '_' + event.oldPath"
+ ruleExpression:
+ - eventType: "hardlink"
+ expression: "(event.oldPath.startsWith('/etc/shadow') || event.oldPath.startsWith('/etc/sudoers')) && !ap.was_path_opened(event.containerId, event.oldPath)"
+ profileDependency: 1
+ severity: 5
+ supportPolicy: true
+ tags:
+ - "files"
+ - "malicious"
+ - "applicationprofile"
diff --git a/pkg/rules/r1015-malicious-ptrace-usage/malicious-ptrace-usage.yaml b/pkg/rules/r1015-malicious-ptrace-usage/malicious-ptrace-usage.yaml
index 1060fea..c950174 100644
--- a/pkg/rules/r1015-malicious-ptrace-usage/malicious-ptrace-usage.yaml
+++ b/pkg/rules/r1015-malicious-ptrace-usage/malicious-ptrace-usage.yaml
@@ -7,19 +7,19 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Malicious Ptrace Usage"
- enabled: true
- id: "R1015"
- description: "Detecting potentially malicious ptrace usage."
- expressions:
- message: "'Malicious ptrace usage detected from: ' + event.comm"
- unique_id: "event.exepath + '_' + event.comm"
- rule_expression:
- - event_type: "ptrace"
- expression: "true"
- profile_dependency: 2
- severity: 5
- support_policy: false
- tags:
- - "process"
- - "malicious"
+ - name: "Malicious Ptrace Usage"
+ enabled: true
+ id: "R1015"
+ description: "Detecting potentially malicious ptrace usage."
+ expressions:
+ message: "'Malicious ptrace usage detected from: ' + event.comm"
+ uniqueId: "event.exepath + '_' + event.comm"
+ ruleExpression:
+ - eventType: "ptrace"
+ expression: "true"
+ profileDependency: 2
+ severity: 5
+ supportPolicy: false
+ tags:
+ - "process"
+ - "malicious"
diff --git a/pkg/rules/r1030-unexpected-io_uring-operation/unexpected-io_uring-operation.yaml b/pkg/rules/r1030-unexpected-io_uring-operation/unexpected-io_uring-operation.yaml
index 07f889d..337c129 100644
--- a/pkg/rules/r1030-unexpected-io_uring-operation/unexpected-io_uring-operation.yaml
+++ b/pkg/rules/r1030-unexpected-io_uring-operation/unexpected-io_uring-operation.yaml
@@ -7,20 +7,20 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Unexpected io_uring Operation Detected"
- enabled: true
- id: "R1030"
- description: "Detects io_uring operations that were not recorded during the initial observation period, indicating potential unauthorized activity."
- expressions:
- message: "'Unexpected io_uring operation detected: (opcode=' + string(event.opcode) + ') flags=0x' + (has(event.flagsRaw) ? string(event.flagsRaw) : '0') + ' in ' + event.comm + '.'"
- unique_id: "string(event.opcode) + '_' + event.comm"
- rule_expression:
- - event_type: "iouring"
- expression: "true"
- profile_dependency: 0
- severity: 5
- support_policy: true
- tags:
- - "syscalls"
- - "io_uring"
- - "applicationprofile"
+ - name: "Unexpected io_uring Operation Detected"
+ enabled: true
+ id: "R1030"
+ description: "Detects io_uring operations that were not recorded during the initial observation period, indicating potential unauthorized activity."
+ expressions:
+ message: "'Unexpected io_uring operation detected: (opcode=' + string(event.opcode) + ') flags=0x' + (has(event.flagsRaw) ? string(event.flagsRaw) : '0') + ' in ' + event.comm + '.'"
+ uniqueId: "string(event.opcode) + '_' + event.comm"
+ ruleExpression:
+ - eventType: "iouring"
+ expression: "true"
+ profileDependency: 0
+ severity: 5
+ supportPolicy: true
+ tags:
+ - "syscalls"
+ - "io_uring"
+ - "applicationprofile"
diff --git a/rules-crd.yaml b/rules-crd.yaml
index bee71d2..4242bd6 100644
--- a/rules-crd.yaml
+++ b/rules-crd.yaml
@@ -9,501 +9,501 @@ metadata:
 app: kubescape
 spec:
 rules:
- - name: "Unexpected process launched"
- enabled: true
- id: "R0001"
- description: "Detects unexpected process launches that are not in the baseline"
- expressions:
- message: "'Unexpected process launched: ' + event.comm + ' with PID ' + string(event.pid)"
- unique_id: "event.comm + '_' + event.exepath"
- rule_expression:
- - event_type: "exec"
- expression: "!ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm))"
- profile_dependency: 0
- severity: 1
- support_policy: false
- tags:
- - "anomaly"
- - "process"
- - "exec"
- - "applicationprofile"
- - name: "Files Access Anomalies in container"
- enabled: false
- id: "R0002"
- description: "Detects unexpected file access that is not in the baseline"
- expressions:
- message: "'Unexpected file access detected: ' + event.comm + ' with PID ' + string(event.pid) + ' to ' + event.path"
- unique_id: "event.comm + '_' + event.path"
- rule_expression:
- - event_type: "open"
- expression: >
- (event.path.startsWith('/etc/') ||
- event.path.startsWith('/var/log/') ||
- event.path.startsWith('/var/run/') ||
- event.path.startsWith('/run/') ||
- event.path.startsWith('/var/spool/cron/') ||
- event.path.startsWith('/var/www/') ||
- event.path.startsWith('/var/lib/') ||
- event.path.startsWith('/opt/') ||
- event.path.startsWith('/usr/local/') ||
- event.path.startsWith('/app/') ||
- event.path == '/.dockerenv' ||
- event.path == '/proc/self/environ')
- &&
- !(event.path.startsWith('/run/secrets/kubernetes.io/serviceaccount') ||
- event.path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') ||
- event.path.startsWith('/tmp'))
- &&
- !ap.was_path_opened(event.containerId, event.path)
- profile_dependency: 0
- severity: 1
- support_policy: false
- tags:
- - "anomaly"
- - "file"
- - "open"
- - "applicationprofile"
- - name: "Syscalls Anomalies in container"
- enabled: true
- id: "R0003"
- description: "Detects unexpected system calls that are not whitelisted by application profile"
- expressions:
- message: "'Unexpected system call detected: todo with PID ' + string(event.pid)"
- unique_id: "'todo'"
- rule_expression:
- - event_type: "syscall"
- expression: "!ap.were_syscalls_used(event.containerId, event.syscalls)"
- profile_dependency: 0
- severity: 1
- support_policy: false
- tags:
- - "anomaly"
- - "syscall"
- - "applicationprofile"
- - name: "Linux Capabilities Anomalies in container"
- enabled: true
- id: "R0004"
- description: "Detects unexpected capabilities that are not whitelisted by application profile"
- expressions:
- message: "'Unexpected capability used: ' + event.capName + ' in syscall ' + event.syscallName + ' with PID ' + string(event.pid)"
- unique_id: "event.comm + '_' + event.capName"
- rule_expression:
- - event_type: "capabilities"
- expression: "!ap.was_capability_used(event.containerId, event.capName)"
- profile_dependency: 0
- severity: 1
- support_policy: false
- tags:
- - "anomaly"
- - "capabilities"
- - "applicationprofile"
- - name: "DNS Anomalies in container"
- enabled: true
- id: "R0005"
- description: "Detecting unexpected domain requests that are not whitelisted by application profile."
- expressions:
- message: "'Unexpected domain communication: ' + event.name + ' from: ' + event.containerName"
- unique_id: "event.comm + '_' + event.name"
- rule_expression:
- - event_type: "dns"
- expression: "!event.name.endsWith('.svc.cluster.local.') && !nn.is_domain_in_egress(event.containerId, event.name)"
- profile_dependency: 0
- severity: 1
- support_policy: false
- tags:
- - "dns"
- - "anomaly"
- - "networkprofile"
- - name: "Unexpected service account token access"
- enabled: true
- id: "R0006"
- description: "Detecting unexpected access to service account token."
- expressions:
- message: "'Unexpected access to service account token: ' + event.path + ' with flags: ' + event.flags.join(',')"
- unique_id: "event.comm"
- rule_expression:
- - event_type: "open"
- expression: >
- ((event.path.startsWith('/run/secrets/kubernetes.io/serviceaccount') && event.path.endsWith('/token')) ||
- (event.path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') && event.path.endsWith('/token')) ||
- (event.path.startsWith('/run/secrets/eks.amazonaws.com/serviceaccount') && event.path.endsWith('/token')) ||
- (event.path.startsWith('/var/run/secrets/eks.amazonaws.com/serviceaccount') && event.path.endsWith('/token'))) &&
- !ap.was_path_opened_with_prefix(event.containerId, '/run/secrets/kubernetes.io/serviceaccount') &&
- !ap.was_path_opened_with_prefix(event.containerId, '/var/run/secrets/kubernetes.io/serviceaccount') &&
- !ap.was_path_opened_with_prefix(event.containerId, '/run/secrets/eks.amazonaws.com/serviceaccount') &&
- !ap.was_path_opened_with_prefix(event.containerId, '/var/run/secrets/eks.amazonaws.com/serviceaccount')
- profile_dependency: 1
- severity: 5
- support_policy: false
- tags:
- - "anomaly"
- - "serviceaccount"
- - "applicationprofile"
- - name: "Workload uses Kubernetes API unexpectedly"
- enabled: true
- id: "R0007"
- description: "Detecting execution of kubernetes client"
- expressions:
- message: "event_type == 'exec' ? 'Kubernetes client (' + event.comm + ') was executed with PID ' + string(event.pid) : 'Network connection to Kubernetes API server from container ' + event.containerName"
- unique_id: "event_type == 'exec' ? 'exec_' + event.comm : 'network_' + event.dstAddr"
- rule_expression:
- - event_type: "exec"
- expression: "(event.comm == 'kubectl' || event.exepath.endsWith('/kubectl')) && !ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm))"
- - event_type: "network"
- expression: "event.pktType == 'OUTGOING' && k8s.is_api_server_address(event.dstAddr) && !nn.was_address_in_egress(event.containerId, event.dstAddr)"
- profile_dependency: 0
- severity: 5 # Medium
- support_policy: false
- tags:
- - "exec"
- - "network"
- - "anomaly"
- - "applicationprofile"
- - name: "Read Environment Variables from procfs"
- enabled: true
- id: "R0008"
- description: "Detecting reading environment variables from procfs."
- expressions:
- message: "'Reading environment variables from procfs: ' + event.path + ' by process ' + event.comm"
- unique_id: "event.comm + '_' + event.path"
- rule_expression:
- - event_type: "open"
- expression: >
- event.path.startsWith('/proc/') &&
- event.path.endsWith('/environ') &&
- !ap.was_path_opened_with_suffix(event.containerId, '/environ')
- profile_dependency: 0 # Required
- severity: 5 # Medium
- support_policy: false
- tags:
- - "anomaly"
- - "procfs"
- - "environment"
- - "applicationprofile"
- - name: "eBPF Program Load"
- enabled: true
- id: "R0009"
- description: "Detecting eBPF program load."
- expressions:
- message: "'bpf system call executed in ' + event.containerName"
- unique_id: "event.comm + '_bpf'"
- rule_expression:
- - event_type: "syscall"
- expression: "'bpf' in event.syscalls && !ap.was_syscall_used(event.containerId, 'bpf')"
- profile_dependency: 1
- severity: 5
- support_policy: false
- tags:
- - "syscall"
- - "ebpf"
- - "applicationprofile"
- - name: "Unexpected Sensitive File Access"
- enabled: true
- id: "R0010"
- description: "Detecting access to sensitive files."
- expressions:
- message: "'Unexpected sensitive file access: ' + event.path + ' by process ' + event.comm"
- unique_id: "event.comm + '_' + event.path"
- rule_expression:
- - event_type: "open"
- expression: "event.path.startsWith('/etc/shadow') && !ap.was_path_opened(event.containerId, event.path)"
- profile_dependency: 1
- severity: 5
- support_policy: false
- tags:
- - "files"
- - "anomaly"
- - "applicationprofile"
- - name: "Unexpected Egress Network Traffic"
- enabled: false
- id: "R0011"
- description: "Detecting unexpected egress network traffic that is not whitelisted by application profile."
- expressions:
- message: "'Unexpected egress network communication to: ' + event.dstAddr + ':' + string(event.dstPort) + ' using ' + event.proto + ' from: ' + event.containerName"
- unique_id: "event.dstAddr + '_' + string(event.dstPort) + '_' + event.proto"
- rule_expression:
- - event_type: "network"
- expression: "event.pktType == 'OUTGOING' && !net.is_private_ip(event.dstAddr) && !nn.was_address_in_egress(event.containerId, event.dstAddr)"
- profile_dependency: 0
- severity: 5 # Medium
- support_policy: false
- tags:
- - "whitelisted"
- - "network"
- - "anomaly"
- - "networkprofile"
- - name: "Process executed from malicious source"
- enabled: true
- id: "R1000"
- description: "Detecting exec calls that are from malicious source like: /dev/shm"
- expressions:
- message: "'Execution from malicious source: ' + event.exepath + ' in directory ' + event.cwd"
- unique_id: "event.comm + '_' + event.exepath + '_' + event.pcomm"
- rule_expression:
- - event_type: "exec"
- expression: >
- (event.exepath == '/dev/shm' || event.exepath.startsWith('/dev/shm/')) ||
- (event.cwd == '/dev/shm' || event.cwd.startsWith('/dev/shm/') ||
- (parse.get_exec_path(event.args, event.comm).startsWith('/dev/shm/')))
- profile_dependency: 2
- severity: 8
- support_policy: false
- tags:
- - "exec"
- - "signature"
- - "malicious"
- - name: "Drifted process executed"
- enabled: true
- id: "R1001"
- description: "Detecting exec calls of binaries that are not included in the base image"
- expressions:
- message: "'Process (' + event.comm + ') was executed and is not part of the image'"
- unique_id: "event.comm + '_' + event.exepath + '_' + event.pcomm"
- rule_expression:
- - event_type: "exec"
- expression: >
- (event.upperlayer == true ||
- event.pupperlayer == true) &&
- !ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm))
- profile_dependency: 1
- severity: 8
- support_policy: false
- tags:
- - "exec"
- - "malicious"
- - "binary"
- - "base image"
- - "applicationprofile"
- - name: "Process tries to load a kernel module"
- enabled: true
- id: "R1002"
- description: "Detecting Kernel Module Load."
- expressions:
- message: "'Kernel module load syscall (init_module) was called'"
- unique_id: "'init_module'"
- rule_expression:
- - event_type: "syscall"
- expression: >
- 'init_module' in event.syscalls ||
- 'finit_module' in event.syscalls
- profile_dependency: 2
- severity: 10
- support_policy: false
- tags:
- - "syscall"
- - "kernel"
- - "module"
- - "load"
- - name: "Disallowed ssh connection"
- enabled: false
- id: "R1003"
- description: "Detecting ssh connection to disallowed port"
- expressions:
- message: "'Malicious SSH connection attempt to ' + event.dstIp + ':' + string(dyn(event.dstPort))"
- unique_id: "event.comm + '_' + event.dstIp + '_' + string(dyn(event.dstPort))"
- rule_expression:
- - event_type: "ssh"
- expression: "dyn(event.srcPort) >= 32768 && dyn(event.srcPort) <= 60999 && !(dyn(event.dstPort) in [22, 2022]) && !nn.was_address_in_egress(event.containerId, event.dstIp)"
- profile_dependency: 1
- severity: 5
- support_policy: false
- tags:
- - "ssh"
- - "connection"
- - "port"
- - "malicious"
- - "networkprofile"
- - name: "Process executed from mount"
- enabled: true
- id: "R1004"
- description: "Detecting exec calls from mounted paths."
- expressions: - message: "'Process (' + event.comm + ') was executed from a mounted path'" - unique_id: "event.comm + '_' + event.exepath + '_'" - rule_expression: - - event_type: "exec" - expression: "!ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm)) && k8s.get_container_mount_paths(event.namespace, event.podName, event.containerName).exists(mount, event.exepath.startsWith(mount) || parse.get_exec_path(event.args, event.comm).startsWith(mount))" - profile_dependency: 1 - severity: 5 - support_policy: false - tags: - - "exec" - - "mount" - - "applicationprofile" - - name: "Fileless execution detected" - enabled: true - id: "R1005" - description: "Detecting Fileless Execution" - expressions: - message: "'Fileless execution detected: exec call \"' + event.comm + '\" is from a malicious source'" - unique_id: "event.comm + '_' + event.exepath + '_' + event.pcomm" - rule_expression: - - event_type: "exec" - expression: "event.exepath.contains('memfd') || event.exepath.startsWith('/proc/self/fd') || event.exepath.matches('/proc/[0-9]+/fd/[0-9]+')" - profile_dependency: 2 - severity: 8 - support_policy: false - tags: - - "fileless" - - "execution" - - "malicious" - - name: "Process tries to escape container" - enabled: true - id: "R1006" - description: "Detecting Unshare System Call usage, which can be used to escape container." - expressions: - message: "'Unshare system call detected: unshare with PID ' + string(event.pid)" - unique_id: "'unshare'" - rule_expression: - - event_type: "syscall" - expression: "'unshare' in event.syscalls && !ap.was_syscall_used(event.containerId, 'unshare')" - profile_dependency: 2 - severity: 5 - support_policy: false - tags: - - "syscall" - - "escape" - - "unshare" - - "anomaly" - - "applicationprofile" - - name: "Crypto miner launched" - enabled: true - id: "R1007" - description: "Detecting XMR Crypto Miners by randomx algorithm usage." 
- expressions: - message: "'XMR Crypto Miner process: (' + event.exepath + ') executed'" - unique_id: "event.exepath + '_' + event.comm" - rule_expression: - - event_type: "randomx" - expression: "true" - profile_dependency: 2 - severity: 10 - support_policy: false - tags: - - "crypto" - - "miners" - - "malicious" - - name: "Crypto Mining Domain Communication" - enabled: true - id: "R1008" - description: "Detecting Crypto miners communication by domain" - expressions: - message: "'Communication with a known crypto mining domain: ' + event.name" - unique_id: "event.name + '_' + event.comm" - rule_expression: - - event_type: "dns" - expression: "event.name in ['2cryptocalc.com.', '2miners.com.', 'antpool.com.', 'asia1.ethpool.org.', 'bohemianpool.com.', 'botbox.dev.', 'btm.antpool.com.', 'c3pool.com.', 'c4pool.org.', 'ca.minexmr.com.', 'cn.stratum.slushpool.com.', 'dash.antpool.com.', 'data.miningpoolstats.stream.', 'de.minexmr.com.', 'eth-ar.dwarfpool.com.', 'eth-asia.dwarfpool.com.', 'eth-asia1.nanopool.org.', 'eth-au.dwarfpool.com.', 'eth-au1.nanopool.org.', 'eth-br.dwarfpool.com.', 'eth-cn.dwarfpool.com.', 'eth-cn2.dwarfpool.com.', 'eth-eu.dwarfpool.com.', 'eth-eu1.nanopool.org.', 'eth-eu2.nanopool.org.', 'eth-hk.dwarfpool.com.', 'eth-jp1.nanopool.org.', 'eth-ru.dwarfpool.com.', 'eth-ru2.dwarfpool.com.', 'eth-sg.dwarfpool.com.', 'eth-us-east1.nanopool.org.', 'eth-us-west1.nanopool.org.', 'eth-us.dwarfpool.com.', 'eth-us2.dwarfpool.com.', 'eth.antpool.com.', 'eu.stratum.slushpool.com.', 'eu1.ethermine.org.', 'eu1.ethpool.org.', 'fastpool.xyz.', 'fr.minexmr.com.', 'kriptokyng.com.', 'mine.moneropool.com.', 'mine.xmrpool.net.', 'miningmadness.com.', 'monero.cedric-crispin.com.', 'monero.crypto-pool.fr.', 'monero.fairhash.org.', 'monero.hashvault.pro.', 'monero.herominers.com.', 'monerod.org.', 'monerohash.com.', 'moneroocean.stream.', 'monerop.com.', 'multi-pools.com.', 'p2pool.io.', 'pool.kryptex.com.', 'pool.minexmr.com.', 'pool.monero.hashvault.pro.', 
'pool.rplant.xyz.', 'pool.supportxmr.com.', 'pool.xmr.pt.', 'prohashing.com.', 'rx.unmineable.com.', 'sg.minexmr.com.', 'sg.stratum.slushpool.com.', 'skypool.org.', 'solo-xmr.2miners.com.', 'ss.antpool.com.', 'stratum-btm.antpool.com.', 'stratum-dash.antpool.com.', 'stratum-eth.antpool.com.', 'stratum-ltc.antpool.com.', 'stratum-xmc.antpool.com.', 'stratum-zec.antpool.com.', 'stratum.antpool.com.', 'supportxmr.com.', 'trustpool.cc.', 'us-east.stratum.slushpool.com.', 'us1.ethermine.org.', 'us1.ethpool.org.', 'us2.ethermine.org.', 'us2.ethpool.org.', 'web.xmrpool.eu.', 'www.domajorpool.com.', 'www.dxpool.com.', 'www.mining-dutch.nl.', 'xmc.antpool.com.', 'xmr-asia1.nanopool.org.', 'xmr-au1.nanopool.org.', 'xmr-eu1.nanopool.org.', 'xmr-eu2.nanopool.org.', 'xmr-jp1.nanopool.org.', 'xmr-us-east1.nanopool.org.', 'xmr-us-west1.nanopool.org.', 'xmr.2miners.com.', 'xmr.crypto-pool.fr.', 'xmr.gntl.uk.', 'xmr.nanopool.org.', 'xmr.pool-pay.com.', 'xmr.pool.minergate.com.', 'xmr.solopool.org.', 'xmr.volt-mine.com.', 'xmr.zeropool.io.', 'zec.antpool.com.', 'zergpool.com.', 'auto.c3pool.org.', 'us.monero.herominers.com.']" - profile_dependency: 2 - severity: 10 - support_policy: false - tags: - - "network" - - "crypto" - - "miners" - - "malicious" - - "dns" - - name: "Crypto Mining Related Port Communication" - enabled: true - id: "R1009" - description: "Detecting Crypto Miners by suspicious port usage." 
- expressions: - message: "'Detected crypto mining related port communication on port ' + string(event.dstPort) + ' to ' + event.dstAddr + ' with protocol ' + event.proto" - unique_id: "event.comm + '_' + string(event.dstPort)" - rule_expression: - - event_type: "network" - expression: "event.proto == 'TCP' && event.pktType == 'OUTGOING' && event.dstPort in [3333, 45700] && !nn.was_address_in_egress(event.containerId, event.dstAddr)" - profile_dependency: 1 - severity: 3 - support_policy: false - tags: - - "network" - - "crypto" - - "miners" - - "malicious" - - "networkprofile" - - name: "Soft link created over sensitive file" - enabled: true - id: "R1010" - description: "Detects symlink creation over sensitive files" - expressions: - message: "'Symlink created over sensitive file: ' + event.oldPath + ' -> ' + event.newPath" - unique_id: "event.comm + '_' + event.oldPath" - rule_expression: - - event_type: "symlink" - expression: "(event.oldPath.startsWith('/etc/shadow') || event.oldPath.startsWith('/etc/sudoers')) && !ap.was_path_opened(event.containerId, event.oldPath)" - profile_dependency: 1 - severity: 5 - support_policy: true - tags: - - "anomaly" - - "symlink" - - "applicationprofile" - - name: "ld_preload hooks technique detected" - enabled: false - id: "R1011" - description: "Detecting ld_preload hook techniques." - expressions: - message: "event_type == 'exec' ? 'Process (' + event.comm + ') is using a dynamic linker hook: ' + process.get_ld_hook_var(event.pid) : 'The dynamic linker configuration file (' + event.path + ') was modified by process (' + event.comm + ')'" - unique_id: "event_type == 'exec' ? 
'exec_' + event.comm : 'open_' + event.path" - rule_expression: - - event_type: "exec" - expression: "event.comm != 'java' && event.containerName != 'matlab' && process.get_ld_hook_var(event.pid) != ''" - - event_type: "open" - expression: "event.path == '/etc/ld.so.preload' && has(event.flagsRaw) && event.flagsRaw != 0" - profile_dependency: 1 - severity: 5 - support_policy: true - tags: - - "exec" - - "malicious" - - "applicationprofile" - - name: "Hard link created over sensitive file" - enabled: true - id: "R1012" - description: "Detecting hardlink creation over sensitive files." - expressions: - message: "'Hardlink created over sensitive file: ' + event.oldPath + ' - ' + event.newPath" - unique_id: "event.comm + '_' + event.oldPath" - rule_expression: - - event_type: "hardlink" - expression: "(event.oldPath.startsWith('/etc/shadow') || event.oldPath.startsWith('/etc/sudoers')) && !ap.was_path_opened(event.containerId, event.oldPath)" - profile_dependency: 1 - severity: 5 - support_policy: true - tags: - - "files" - - "malicious" - - "applicationprofile" - - name: "Malicious Ptrace Usage" - enabled: true - id: "R1015" - description: "Detecting potentially malicious ptrace usage." - expressions: - message: "'Malicious ptrace usage detected from: ' + event.comm" - unique_id: "event.exepath + '_' + event.comm" - rule_expression: - - event_type: "ptrace" - expression: "true" - profile_dependency: 2 - severity: 5 - support_policy: false - tags: - - "process" - - "malicious" - - name: "Unexpected io_uring Operation Detected" - enabled: true - id: "R1030" - description: "Detects io_uring operations that were not recorded during the initial observation period, indicating potential unauthorized activity." - expressions: - message: "'Unexpected io_uring operation detected: (opcode=' + string(event.opcode) + ') flags=0x' + (has(event.flagsRaw) ? 
string(event.flagsRaw) : '0') + ' in ' + event.comm + '.'" - unique_id: "string(event.opcode) + '_' + event.comm" - rule_expression: - - event_type: "iouring" - expression: "true" - profile_dependency: 0 - severity: 5 - support_policy: true - tags: - - "syscalls" - - "io_uring" - - "applicationprofile" + - name: "Unexpected process launched" + enabled: true + id: "R0001" + description: "Detects unexpected process launches that are not in the baseline" + expressions: + message: "'Unexpected process launched: ' + event.comm + ' with PID ' + string(event.pid)" + uniqueId: "event.comm + '_' + event.exepath" + ruleExpression: + - eventType: "exec" + expression: "!ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm))" + profileDependency: 0 + severity: 1 + supportPolicy: false + tags: + - "anomaly" + - "process" + - "exec" + - "applicationprofile" + - name: "Files Access Anomalies in container" + enabled: false + id: "R0002" + description: "Detects unexpected file access that is not in the baseline" + expressions: + message: "'Unexpected file access detected: ' + event.comm + ' with PID ' + string(event.pid) + ' to ' + event.path" + uniqueId: "event.comm + '_' + event.path" + ruleExpression: + - eventType: "open" + expression: > + (event.path.startsWith('/etc/') || + event.path.startsWith('/var/log/') || + event.path.startsWith('/var/run/') || + event.path.startsWith('/run/') || + event.path.startsWith('/var/spool/cron/') || + event.path.startsWith('/var/www/') || + event.path.startsWith('/var/lib/') || + event.path.startsWith('/opt/') || + event.path.startsWith('/usr/local/') || + event.path.startsWith('/app/') || + event.path == '/.dockerenv' || + event.path == '/proc/self/environ') + && + !(event.path.startsWith('/run/secrets/kubernetes.io/serviceaccount') || + event.path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') || + event.path.startsWith('/tmp')) + && + !ap.was_path_opened(event.containerId, event.path) + 
profileDependency: 0 + severity: 1 + supportPolicy: false + tags: + - "anomaly" + - "file" + - "open" + - "applicationprofile" + - name: "Syscalls Anomalies in container" + enabled: true + id: "R0003" + description: "Detects unexpected system calls that are not whitelisted by application profile" + expressions: + message: "'Unexpected system call detected: todo with PID ' + string(event.pid)" + uniqueId: "'todo'" + ruleExpression: + - eventType: "syscall" + expression: "!ap.were_syscalls_used(event.containerId, event.syscalls)" + profileDependency: 0 + severity: 1 + supportPolicy: false + tags: + - "anomaly" + - "syscall" + - "applicationprofile" + - name: "Linux Capabilities Anomalies in container" + enabled: true + id: "R0004" + description: "Detects unexpected capabilities that are not whitelisted by application profile" + expressions: + message: "'Unexpected capability used: ' + event.capName + ' in syscall ' + event.syscallName + ' with PID ' + string(event.pid)" + uniqueId: "event.comm + '_' + event.capName" + ruleExpression: + - eventType: "capabilities" + expression: "!ap.was_capability_used(event.containerId, event.capName)" + profileDependency: 0 + severity: 1 + supportPolicy: false + tags: + - "anomaly" + - "capabilities" + - "applicationprofile" + - name: "DNS Anomalies in container" + enabled: true + id: "R0005" + description: "Detecting unexpected domain requests that are not whitelisted by application profile." 
+ expressions: + message: "'Unexpected domain communication: ' + event.name + ' from: ' + event.containerName" + uniqueId: "event.comm + '_' + event.name" + ruleExpression: + - eventType: "dns" + expression: "!event.name.endsWith('.svc.cluster.local.') && !nn.is_domain_in_egress(event.containerId, event.name)" + profileDependency: 0 + severity: 1 + supportPolicy: false + tags: + - "dns" + - "anomaly" + - "networkprofile" + - name: "Unexpected service account token access" + enabled: true + id: "R0006" + description: "Detecting unexpected access to service account token." + expressions: + message: "'Unexpected access to service account token: ' + event.path + ' with flags: ' + event.flags.join(',')" + uniqueId: "event.comm" + ruleExpression: + - eventType: "open" + expression: > + ((event.path.startsWith('/run/secrets/kubernetes.io/serviceaccount') && event.path.endsWith('/token')) || + (event.path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') && event.path.endsWith('/token')) || + (event.path.startsWith('/run/secrets/eks.amazonaws.com/serviceaccount') && event.path.endsWith('/token')) || + (event.path.startsWith('/var/run/secrets/eks.amazonaws.com/serviceaccount') && event.path.endsWith('/token'))) && + !ap.was_path_opened_with_prefix(event.containerId, '/run/secrets/kubernetes.io/serviceaccount') && + !ap.was_path_opened_with_prefix(event.containerId, '/var/run/secrets/kubernetes.io/serviceaccount') && + !ap.was_path_opened_with_prefix(event.containerId, '/run/secrets/eks.amazonaws.com/serviceaccount') && + !ap.was_path_opened_with_prefix(event.containerId, '/var/run/secrets/eks.amazonaws.com/serviceaccount') + profileDependency: 1 + severity: 5 + supportPolicy: false + tags: + - "anomaly" + - "serviceaccount" + - "applicationprofile" + - name: "Workload uses Kubernetes API unexpectedly" + enabled: true + id: "R0007" + description: "Detecting execution of kubernetes client" + expressions: + message: "eventType == 'exec' ? 
'Kubernetes client (' + event.comm + ') was executed with PID ' + string(event.pid) : 'Network connection to Kubernetes API server from container ' + event.containerName" + uniqueId: "eventType == 'exec' ? 'exec_' + event.comm : 'network_' + event.dstAddr" + ruleExpression: + - eventType: "exec" + expression: "(event.comm == 'kubectl' || event.exepath.endsWith('/kubectl')) && !ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm))" + - eventType: "network" + expression: "event.pktType == 'OUTGOING' && k8s.is_api_server_address(event.dstAddr) && !nn.was_address_in_egress(event.containerId, event.dstAddr)" + profileDependency: 0 + severity: 5 # Medium + supportPolicy: false + tags: + - "exec" + - "network" + - "anomaly" + - "applicationprofile" + - name: "Read Environment Variables from procfs" + enabled: true + id: "R0008" + description: "Detecting reading environment variables from procfs." + expressions: + message: "'Reading environment variables from procfs: ' + event.path + ' by process ' + event.comm" + uniqueId: "event.comm + '_' + event.path" + ruleExpression: + - eventType: "open" + expression: > + event.path.startsWith('/proc/') && + event.path.endsWith('/environ') && + !ap.was_path_opened_with_suffix(event.containerId, '/environ') + profileDependency: 0 # Required + severity: 5 # Medium + supportPolicy: false + tags: + - "anomaly" + - "procfs" + - "environment" + - "applicationprofile" + - name: "eBPF Program Load" + enabled: true + id: "R0009" + description: "Detecting eBPF program load." 
+ expressions: + message: "'bpf system call executed in ' + event.containerName" + uniqueId: "event.comm + '_bpf'" + ruleExpression: + - eventType: "syscall" + expression: "'bpf' in event.syscalls && !ap.was_syscall_used(event.containerId, 'bpf')" + profileDependency: 1 + severity: 5 + supportPolicy: false + tags: + - "syscall" + - "ebpf" + - "applicationprofile" + - name: "Unexpected Sensitive File Access" + enabled: true + id: "R0010" + description: "Detecting access to sensitive files." + expressions: + message: "'Unexpected sensitive file access: ' + event.path + ' by process ' + event.comm" + uniqueId: "event.comm + '_' + event.path" + ruleExpression: + - eventType: "open" + expression: "event.path.startsWith('/etc/shadow') && !ap.was_path_opened(event.containerId, event.path)" + profileDependency: 1 + severity: 5 + supportPolicy: false + tags: + - "files" + - "anomaly" + - "applicationprofile" + - name: "Unexpected Egress Network Traffic" + enabled: false + id: "R0011" + description: "Detecting unexpected egress network traffic that is not whitelisted by application profile." 
+ expressions: + message: "'Unexpected egress network communication to: ' + event.dstAddr + ':' + string(event.dstPort) + ' using ' + event.proto + ' from: ' + event.containerName" + uniqueId: "event.dstAddr + '_' + string(event.dstPort) + '_' + event.proto" + ruleExpression: + - eventType: "network" + expression: "event.pktType == 'OUTGOING' && !net.is_private_ip(event.dstAddr) && !nn.was_address_in_egress(event.containerId, event.dstAddr)" + profileDependency: 0 + severity: 5 # Medium + supportPolicy: false + tags: + - "whitelisted" + - "network" + - "anomaly" + - "networkprofile" + - name: "Process executed from malicious source" + enabled: true + id: "R1000" + description: "Detecting exec calls that are from malicious source like: /dev/shm" + expressions: + message: "'Execution from malicious source: ' + event.exepath + ' in directory ' + event.cwd" + uniqueId: "event.comm + '_' + event.exepath + '_' + event.pcomm" + ruleExpression: + - eventType: "exec" + expression: > + (event.exepath == '/dev/shm' || event.exepath.startsWith('/dev/shm/')) || + (event.cwd == '/dev/shm' || event.cwd.startsWith('/dev/shm/') || + (parse.get_exec_path(event.args, event.comm).startsWith('/dev/shm/'))) + profileDependency: 2 + severity: 8 + supportPolicy: false + tags: + - "exec" + - "signature" + - "malicious" + - name: "Drifted process executed" + enabled: true + id: "R1001" + description: "Detecting exec calls of binaries that are not included in the base image" + expressions: + message: "'Process (' + event.comm + ') was executed and is not part of the image'" + uniqueId: "event.comm + '_' + event.exepath + '_' + event.pcomm" + ruleExpression: + - eventType: "exec" + expression: > + (event.upperlayer == true || + event.pupperlayer == true) && + !ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm)) + profileDependency: 1 + severity: 8 + supportPolicy: false + tags: + - "exec" + - "malicious" + - "binary" + - "base image" + - "applicationprofile" + - 
name: "Process tries to load a kernel module" + enabled: true + id: "R1002" + description: "Detecting Kernel Module Load." + expressions: + message: "'Kernel module load syscall (init_module) was called'" + uniqueId: "'init_module'" + ruleExpression: + - eventType: "syscall" + expression: > + 'init_module' in event.syscalls || + 'finit_module' in event.syscalls + profileDependency: 2 + severity: 10 + supportPolicy: false + tags: + - "syscall" + - "kernel" + - "module" + - "load" + - name: "Disallowed ssh connection" + enabled: false + id: "R1003" + description: "Detecting ssh connection to disallowed port" + expressions: + message: "'Malicious SSH connection attempt to ' + event.dstIp + ':' + string(dyn(event.dstPort))" + uniqueId: "event.comm + '_' + event.dstIp + '_' + string(dyn(event.dstPort))" + ruleExpression: + - eventType: "ssh" + expression: "dyn(event.srcPort) >= 32768 && dyn(event.srcPort) <= 60999 && !(dyn(event.dstPort) in [22, 2022]) && !nn.was_address_in_egress(event.containerId, event.dstIp)" + profileDependency: 1 + severity: 5 + supportPolicy: false + tags: + - "ssh" + - "connection" + - "port" + - "malicious" + - "networkprofile" + - name: "Process executed from mount" + enabled: true + id: "R1004" + description: "Detecting exec calls from mounted paths." 
+ expressions: + message: "'Process (' + event.comm + ') was executed from a mounted path'" + uniqueId: "event.comm + '_' + event.exepath + '_'" + ruleExpression: + - eventType: "exec" + expression: "!ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm)) && k8s.get_container_mount_paths(event.namespace, event.podName, event.containerName).exists(mount, event.exepath.startsWith(mount) || parse.get_exec_path(event.args, event.comm).startsWith(mount))" + profileDependency: 1 + severity: 5 + supportPolicy: false + tags: + - "exec" + - "mount" + - "applicationprofile" + - name: "Fileless execution detected" + enabled: true + id: "R1005" + description: "Detecting Fileless Execution" + expressions: + message: '''Fileless execution detected: exec call "'' + event.comm + ''" is from a malicious source''' + uniqueId: "event.comm + '_' + event.exepath + '_' + event.pcomm" + ruleExpression: + - eventType: "exec" + expression: "event.exepath.contains('memfd') || event.exepath.startsWith('/proc/self/fd') || event.exepath.matches('/proc/[0-9]+/fd/[0-9]+')" + profileDependency: 2 + severity: 8 + supportPolicy: false + tags: + - "fileless" + - "execution" + - "malicious" + - name: "Process tries to escape container" + enabled: true + id: "R1006" + description: "Detecting Unshare System Call usage, which can be used to escape container." + expressions: + message: "'Unshare system call detected: unshare with PID ' + string(event.pid)" + uniqueId: "'unshare'" + ruleExpression: + - eventType: "syscall" + expression: "'unshare' in event.syscalls && !ap.was_syscall_used(event.containerId, 'unshare')" + profileDependency: 2 + severity: 5 + supportPolicy: false + tags: + - "syscall" + - "escape" + - "unshare" + - "anomaly" + - "applicationprofile" + - name: "Crypto miner launched" + enabled: true + id: "R1007" + description: "Detecting XMR Crypto Miners by randomx algorithm usage." 
+ expressions: + message: "'XMR Crypto Miner process: (' + event.exepath + ') executed'" + uniqueId: "event.exepath + '_' + event.comm" + ruleExpression: + - eventType: "randomx" + expression: "true" + profileDependency: 2 + severity: 10 + supportPolicy: false + tags: + - "crypto" + - "miners" + - "malicious" + - name: "Crypto Mining Domain Communication" + enabled: true + id: "R1008" + description: "Detecting Crypto miners communication by domain" + expressions: + message: "'Communication with a known crypto mining domain: ' + event.name" + uniqueId: "event.name + '_' + event.comm" + ruleExpression: + - eventType: "dns" + expression: "event.name in ['2cryptocalc.com.', '2miners.com.', 'antpool.com.', 'asia1.ethpool.org.', 'bohemianpool.com.', 'botbox.dev.', 'btm.antpool.com.', 'c3pool.com.', 'c4pool.org.', 'ca.minexmr.com.', 'cn.stratum.slushpool.com.', 'dash.antpool.com.', 'data.miningpoolstats.stream.', 'de.minexmr.com.', 'eth-ar.dwarfpool.com.', 'eth-asia.dwarfpool.com.', 'eth-asia1.nanopool.org.', 'eth-au.dwarfpool.com.', 'eth-au1.nanopool.org.', 'eth-br.dwarfpool.com.', 'eth-cn.dwarfpool.com.', 'eth-cn2.dwarfpool.com.', 'eth-eu.dwarfpool.com.', 'eth-eu1.nanopool.org.', 'eth-eu2.nanopool.org.', 'eth-hk.dwarfpool.com.', 'eth-jp1.nanopool.org.', 'eth-ru.dwarfpool.com.', 'eth-ru2.dwarfpool.com.', 'eth-sg.dwarfpool.com.', 'eth-us-east1.nanopool.org.', 'eth-us-west1.nanopool.org.', 'eth-us.dwarfpool.com.', 'eth-us2.dwarfpool.com.', 'eth.antpool.com.', 'eu.stratum.slushpool.com.', 'eu1.ethermine.org.', 'eu1.ethpool.org.', 'fastpool.xyz.', 'fr.minexmr.com.', 'kriptokyng.com.', 'mine.moneropool.com.', 'mine.xmrpool.net.', 'miningmadness.com.', 'monero.cedric-crispin.com.', 'monero.crypto-pool.fr.', 'monero.fairhash.org.', 'monero.hashvault.pro.', 'monero.herominers.com.', 'monerod.org.', 'monerohash.com.', 'moneroocean.stream.', 'monerop.com.', 'multi-pools.com.', 'p2pool.io.', 'pool.kryptex.com.', 'pool.minexmr.com.', 'pool.monero.hashvault.pro.', 'pool.rplant.xyz.', 
'pool.supportxmr.com.', 'pool.xmr.pt.', 'prohashing.com.', 'rx.unmineable.com.', 'sg.minexmr.com.', 'sg.stratum.slushpool.com.', 'skypool.org.', 'solo-xmr.2miners.com.', 'ss.antpool.com.', 'stratum-btm.antpool.com.', 'stratum-dash.antpool.com.', 'stratum-eth.antpool.com.', 'stratum-ltc.antpool.com.', 'stratum-xmc.antpool.com.', 'stratum-zec.antpool.com.', 'stratum.antpool.com.', 'supportxmr.com.', 'trustpool.cc.', 'us-east.stratum.slushpool.com.', 'us1.ethermine.org.', 'us1.ethpool.org.', 'us2.ethermine.org.', 'us2.ethpool.org.', 'web.xmrpool.eu.', 'www.domajorpool.com.', 'www.dxpool.com.', 'www.mining-dutch.nl.', 'xmc.antpool.com.', 'xmr-asia1.nanopool.org.', 'xmr-au1.nanopool.org.', 'xmr-eu1.nanopool.org.', 'xmr-eu2.nanopool.org.', 'xmr-jp1.nanopool.org.', 'xmr-us-east1.nanopool.org.', 'xmr-us-west1.nanopool.org.', 'xmr.2miners.com.', 'xmr.crypto-pool.fr.', 'xmr.gntl.uk.', 'xmr.nanopool.org.', 'xmr.pool-pay.com.', 'xmr.pool.minergate.com.', 'xmr.solopool.org.', 'xmr.volt-mine.com.', 'xmr.zeropool.io.', 'zec.antpool.com.', 'zergpool.com.', 'auto.c3pool.org.', 'us.monero.herominers.com.']" + profileDependency: 2 + severity: 10 + supportPolicy: false + tags: + - "network" + - "crypto" + - "miners" + - "malicious" + - "dns" + - name: "Crypto Mining Related Port Communication" + enabled: true + id: "R1009" + description: "Detecting Crypto Miners by suspicious port usage." 
+ expressions: + message: "'Detected crypto mining related port communication on port ' + string(event.dstPort) + ' to ' + event.dstAddr + ' with protocol ' + event.proto" + uniqueId: "event.comm + '_' + string(event.dstPort)" + ruleExpression: + - eventType: "network" + expression: "event.proto == 'TCP' && event.pktType == 'OUTGOING' && event.dstPort in [3333, 45700] && !nn.was_address_in_egress(event.containerId, event.dstAddr)" + profileDependency: 1 + severity: 3 + supportPolicy: false + tags: + - "network" + - "crypto" + - "miners" + - "malicious" + - "networkprofile" + - name: "Soft link created over sensitive file" + enabled: true + id: "R1010" + description: "Detects symlink creation over sensitive files" + expressions: + message: "'Symlink created over sensitive file: ' + event.oldPath + ' -> ' + event.newPath" + uniqueId: "event.comm + '_' + event.oldPath" + ruleExpression: + - eventType: "symlink" + expression: "(event.oldPath.startsWith('/etc/shadow') || event.oldPath.startsWith('/etc/sudoers')) && !ap.was_path_opened(event.containerId, event.oldPath)" + profileDependency: 1 + severity: 5 + supportPolicy: true + tags: + - "anomaly" + - "symlink" + - "applicationprofile" + - name: "ld_preload hooks technique detected" + enabled: false + id: "R1011" + description: "Detecting ld_preload hook techniques." + expressions: + message: "eventType == 'exec' ? 'Process (' + event.comm + ') is using a dynamic linker hook: ' + process.get_ld_hook_var(event.pid) : 'The dynamic linker configuration file (' + event.path + ') was modified by process (' + event.comm + ')'" + uniqueId: "eventType == 'exec' ? 
'exec_' + event.comm : 'open_' + event.path" + ruleExpression: + - eventType: "exec" + expression: "event.comm != 'java' && event.containerName != 'matlab' && process.get_ld_hook_var(event.pid) != ''" + - eventType: "open" + expression: "event.path == '/etc/ld.so.preload' && has(event.flagsRaw) && event.flagsRaw != 0" + profileDependency: 1 + severity: 5 + supportPolicy: true + tags: + - "exec" + - "malicious" + - "applicationprofile" + - name: "Hard link created over sensitive file" + enabled: true + id: "R1012" + description: "Detecting hardlink creation over sensitive files." + expressions: + message: "'Hardlink created over sensitive file: ' + event.oldPath + ' - ' + event.newPath" + uniqueId: "event.comm + '_' + event.oldPath" + ruleExpression: + - eventType: "hardlink" + expression: "(event.oldPath.startsWith('/etc/shadow') || event.oldPath.startsWith('/etc/sudoers')) && !ap.was_path_opened(event.containerId, event.oldPath)" + profileDependency: 1 + severity: 5 + supportPolicy: true + tags: + - "files" + - "malicious" + - "applicationprofile" + - name: "Malicious Ptrace Usage" + enabled: true + id: "R1015" + description: "Detecting potentially malicious ptrace usage." + expressions: + message: "'Malicious ptrace usage detected from: ' + event.comm" + uniqueId: "event.exepath + '_' + event.comm" + ruleExpression: + - eventType: "ptrace" + expression: "true" + profileDependency: 2 + severity: 5 + supportPolicy: false + tags: + - "process" + - "malicious" + - name: "Unexpected io_uring Operation Detected" + enabled: true + id: "R1030" + description: "Detects io_uring operations that were not recorded during the initial observation period, indicating potential unauthorized activity." + expressions: + message: "'Unexpected io_uring operation detected: (opcode=' + string(event.opcode) + ') flags=0x' + (has(event.flagsRaw) ? 
 string(event.flagsRaw) : '0') + ' in ' + event.comm + '.'"
+ uniqueId: "string(event.opcode) + '_' + event.comm"
+ ruleExpression:
+ - eventType: "iouring"
+ expression: "true"
+ profileDependency: 0
+ severity: 5
+ supportPolicy: true
+ tags:
+ - "syscalls"
+ - "io_uring"
+ - "applicationprofile"
From 943b98d53a2a6292424732111827f216b2391229 Mon Sep 17 00:00:00 2001
From: Matthias Bertschy
Date: Mon, 20 Oct 2025 12:19:29 +0200
Subject: [PATCH 07/11] adjust rules for one syscall per eval

Signed-off-by: Matthias Bertschy
---
 go.mod | 2 +-
 go.sum | 4 ++--
 .../r0003-unexpected-system-call/rule_test.go | 4 ++--
 .../unexpected-system-call.yaml | 6 ++---
 .../ebpf-program-load.yaml | 4 ++--
 .../kernel-module-load.yaml | 8 +++----
 .../r1002-kernel-module-load/rule_test.go | 4 ++--
 .../unshare-syscall.yaml | 6 ++---
 rules-crd.yaml | 24 +++++++++----------
 9 files changed, 31 insertions(+), 31 deletions(-)

diff --git a/go.mod b/go.mod
index 9a01b99..7d99c64 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.25.0
 require (
 github.com/goradd/maps v1.0.0
 github.com/inspektor-gadget/inspektor-gadget v0.45.0
- github.com/kubescape/node-agent v0.2.387-0.20251020091723-a7e2e0fc9c92
+ github.com/kubescape/node-agent v0.2.387-0.20251020101804-c375f2d7a553
 github.com/kubescape/storage v0.0.221
 github.com/stretchr/testify v1.11.1
 gopkg.in/yaml.v3 v3.0.1
diff --git a/go.sum b/go.sum
index 665a5e0..dcbb84d 100644
--- a/go.sum
+++ b/go.sum
@@ -531,8 +531,8 @@ github.com/kubescape/go-logger v0.0.24 h1:JRNlblY16Ty7hD6MSYNPvWYDxNzVAufsDDX/sZ github.com/kubescape/go-logger v0.0.24/go.mod h1:sMPVCr3VpW/e+SeMaXig5kClGvmZbDXN8YktUeNU4nY= github.com/kubescape/k8s-interface v0.0.199 h1:D+YBL69q1Dc2idus6jwd/vQcNhRoNZ6tE0m5Miz7TSg= github.com/kubescape/k8s-interface v0.0.199/go.mod h1:j9snZbH+RxOaa1yG/bWgTClj90q7To0rGgQepxy4b+k= -github.com/kubescape/node-agent v0.2.387-0.20251020091723-a7e2e0fc9c92 h1:z4JAmm89MBKKNfw6OtMtsGNqndI5B77WHXATDINtZIg= -github.com/kubescape/node-agent v0.2.387-0.20251020091723-a7e2e0fc9c92/go.mod h1:HN5jZ99TL+DF3rt3JTn1X4NfcOtSMqGFntA1a7i60HI= +github.com/kubescape/node-agent v0.2.387-0.20251020101804-c375f2d7a553 h1:6TZiyLiFB8VI/9jfWLbEMtQDEi3yqTwdUOpY+WDgexQ= +github.com/kubescape/node-agent v0.2.387-0.20251020101804-c375f2d7a553/go.mod h1:HN5jZ99TL+DF3rt3JTn1X4NfcOtSMqGFntA1a7i60HI= github.com/kubescape/storage v0.0.221 h1:HLWnNokkKgKo9ka/p797fFQdsbzKxSXT5/RpUWrKWzI= github.com/kubescape/storage v0.0.221/go.mod h1:L/fF3teor8cUj80TVujqy9E1rKsf+Dox2hZtkS1vjOU= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= diff --git a/pkg/rules/r0003-unexpected-system-call/rule_test.go b/pkg/rules/r0003-unexpected-system-call/rule_test.go index b4d70a4..a48ec81 100644 --- a/pkg/rules/r0003-unexpected-system-call/rule_test.go +++ b/pkg/rules/r0003-unexpected-system-call/rule_test.go @@ -75,7 +75,7 @@ func TestR0003UnexpectedSystemCall(t *testing.T) { if err != nil { t.Fatalf("Failed to evaluate message: %v", err) } - if message != "Unexpected system call detected: todo with PID 1234" { + if message != "Unexpected system call detected: test_syscall with PID 1234" { t.Fatalf("Message evaluation failed: %s", message) } 
@@ -84,7 +84,7 @@ func TestR0003UnexpectedSystemCall(t *testing.T) { if err != nil { t.Fatalf("Failed to evaluate unique id: %v", err) } - if uniqueId != "todo" { + if uniqueId != "test_syscall" { t.Fatalf("Unique id evaluation failed: %s", uniqueId) } diff --git a/pkg/rules/r0003-unexpected-system-call/unexpected-system-call.yaml b/pkg/rules/r0003-unexpected-system-call/unexpected-system-call.yaml index 26481e8..5ffa14c 100644 --- a/pkg/rules/r0003-unexpected-system-call/unexpected-system-call.yaml +++ b/pkg/rules/r0003-unexpected-system-call/unexpected-system-call.yaml @@ -12,11 +12,11 @@ spec: id: "R0003" description: "Detects unexpected system calls that are not whitelisted by application profile" expressions: - message: "'Unexpected system call detected: todo with PID ' + string(event.pid)" - uniqueId: "'todo'" + message: "'Unexpected system call detected: ' + event.syscallName + ' with PID ' + string(event.pid)" + uniqueId: "event.syscallName" ruleExpression: - eventType: "syscall" - expression: "!ap.were_syscalls_used(event.containerId, event.syscalls)" + expression: "!ap.was_syscall_used(event.containerId, event.syscallName)" profileDependency: 0 severity: 1 supportPolicy: false diff --git a/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml b/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml index a9456da..ae9aab3 100644 --- a/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml +++ b/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml 
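Review bot: The new `uniqueId: "event.syscallName"` in the R0003 hunk keys alerts on the syscall name alone, so the first unexpected syscall of a given name from any process in the container suppresses later ones from different processes, while the R0009 hunk in this same patch keys on `event.comm + '_' + event.syscallName`. Consider `uniqueId: "event.comm + '_' + event.syscallName"` here and in the matching rules-crd.yaml hunk (`@@ -68,11`) so the two copies stay aligned and per-process deduplication is kept. The expression also assumes `event.syscallName` is populated for every syscall event; if the gadget can emit an empty name, `was_syscall_used(event.containerId, '')` presumably returns false and the rule fires with a message naming no syscall, so a guard such as `event.syscallName != '' && ...` would be worth adding if that case exists.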
@@ -13,10 +13,10 @@ spec: description: "Detecting eBPF program load." expressions: message: "'bpf system call executed in ' + event.containerName" - uniqueId: "event.comm + '_bpf'" + uniqueId: "event.comm + '_' + event.syscallName" ruleExpression: - eventType: "syscall" - expression: "'bpf' in event.syscalls && !ap.was_syscall_used(event.containerId, 'bpf')" + expression: "event.syscallName == 'bpf' && !ap.was_syscall_used(event.containerId, event.syscallName)" profileDependency: 1 severity: 5 supportPolicy: false diff --git a/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml b/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml index 4231330..596e758 100644 --- a/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml +++ b/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml @@ -12,13 +12,13 @@ spec: id: "R1002" description: "Detecting Kernel Module Load." expressions: - message: "'Kernel module load syscall (init_module) was called'" - uniqueId: "'init_module'" + message: "'Kernel module load syscall (' + event.syscallName + ') was called'" + uniqueId: "event.syscallName" ruleExpression: - eventType: "syscall" expression: > - 'init_module' in event.syscalls || - 'finit_module' in event.syscalls + event.syscallName == 'init_module' || + event.syscallName == 'finit_module' profileDependency: 2 severity: 10 supportPolicy: false diff --git a/pkg/rules/r1002-kernel-module-load/rule_test.go b/pkg/rules/r1002-kernel-module-load/rule_test.go index ed06d28..2fd7cbb 100644 --- a/pkg/rules/r1002-kernel-module-load/rule_test.go +++ b/pkg/rules/r1002-kernel-module-load/rule_test.go 
@@ -117,7 +117,7 @@ func TestR1002KernelModuleLoad(t *testing.T) { if err != nil { t.Fatalf("Failed to evaluate message: %v", err) } - expectedMessage := "Kernel module load syscall (init_module) was called" + expectedMessage := "Kernel module load syscall (" + tt.event.Syscall + ") was called" if message != expectedMessage { t.Errorf("Message evaluation failed. Expected: %s, Got: %s", expectedMessage, message) } @@ -127,7 +127,7 @@ func TestR1002KernelModuleLoad(t *testing.T) { if err != nil { t.Fatalf("Failed to evaluate unique ID: %v", err) } - expectedUniqueID := "init_module" + expectedUniqueID := tt.event.Syscall if uniqueID != expectedUniqueID { t.Errorf("Unique ID evaluation failed. Expected: %s, Got: %s", expectedUniqueID, uniqueID) } diff --git a/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml b/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml index 1eda9b3..0a1512d 100644 --- a/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml +++ b/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml @@ -12,11 +12,11 @@ spec: id: "R1006" description: "Detecting Unshare System Call usage, which can be used to escape container." expressions: - message: "'Unshare system call detected: unshare with PID ' + string(event.pid)" - uniqueId: "'unshare'" + message: "'Unshare system call detected: ' + event.syscallName + ' with PID ' + string(event.pid)" + uniqueId: "event.syscallName" ruleExpression: - eventType: "syscall" - expression: "'unshare' in event.syscalls && !ap.was_syscall_used(event.containerId, 'unshare')" + expression: "event.syscallName == 'unshare' && !ap.was_syscall_used(event.containerId, event.syscallName)" profileDependency: 2 severity: 5 supportPolicy: false diff --git a/rules-crd.yaml b/rules-crd.yaml index 4242bd6..f8315cc 100644 --- a/rules-crd.yaml +++ b/rules-crd.yaml 
@@ -68,11 +68,11 @@ spec: id: "R0003" description: "Detects unexpected system calls that are not whitelisted by application profile" expressions: - message: "'Unexpected system call detected: todo with PID ' + string(event.pid)" - uniqueId: "'todo'" + message: "'Unexpected system call detected: ' + event.syscallName + ' with PID ' + string(event.pid)" + uniqueId: "event.syscallName" ruleExpression: - eventType: "syscall" - expression: "!ap.were_syscalls_used(event.containerId, event.syscalls)" + expression: "!ap.was_syscall_used(event.containerId, event.syscallName)" profileDependency: 0 severity: 1 supportPolicy: false @@ -186,10 +186,10 @@ spec: description: "Detecting eBPF program load." expressions: message: "'bpf system call executed in ' + event.containerName" - uniqueId: "event.comm + '_bpf'" + uniqueId: "event.comm + '_' + event.syscallName" ruleExpression: - eventType: "syscall" - expression: "'bpf' in event.syscalls && !ap.was_syscall_used(event.containerId, 'bpf')" + expression: "event.syscallName == 'bpf' && !ap.was_syscall_used(event.containerId, event.syscallName)" profileDependency: 1 severity: 5 supportPolicy: false @@ -279,13 +279,13 @@ spec: id: "R1002" description: "Detecting Kernel Module Load." expressions: - message: "'Kernel module load syscall (init_module) was called'" - uniqueId: "'init_module'" + message: "'Kernel module load syscall (' + event.syscallName + ') was called'" + uniqueId: "event.syscallName" ruleExpression: - eventType: "syscall" expression: > - 'init_module' in event.syscalls || - 'finit_module' in event.syscalls + event.syscallName == 'init_module' || + event.syscallName == 'finit_module' profileDependency: 2 severity: 10 supportPolicy: false 
@@ -352,11 +352,11 @@ spec: id: "R1006" description: "Detecting Unshare System Call usage, which can be used to escape container." expressions: - message: "'Unshare system call detected: unshare with PID ' + string(event.pid)" - uniqueId: "'unshare'" + message: "'Unshare system call detected: ' + event.syscallName + ' with PID ' + string(event.pid)" + uniqueId: "event.syscallName" ruleExpression: - eventType: "syscall" - expression: "'unshare' in event.syscalls && !ap.was_syscall_used(event.containerId, 'unshare')" + expression: "event.syscallName == 'unshare' && !ap.was_syscall_used(event.containerId, event.syscallName)" profileDependency: 2 severity: 5 supportPolicy: false From 09aa93d90700dd98f37d9340e384362660ca782d Mon Sep 17 00:00:00 2001 From: Amit Schendel Date: Thu, 23 Oct 2025 08:40:38 +0000 Subject: [PATCH 08/11] Adding new rules Signed-off-by: Amit Schendel --- go.mod | 28 ++++---- go.sum | 64 +++++++++---------- .../ebpf-program-load.yaml | 10 +-- .../r0009-ebpf-program-load/rule_test.go | 7 +- .../kernel-module-load.yaml | 12 ++-- .../r1002-kernel-module-load/rule_test.go | 17 ++--- pkg/rules/r1006-unshare-syscall/rule_test.go | 7 +- .../unshare-syscall.yaml | 10 +-- rules-crd.yaml | 32 +++++----- 9 files changed, 93 insertions(+), 94 deletions(-) diff --git a/go.mod b/go.mod index 7d99c64..6939cf3 100644 --- a/go.mod +++ b/go.mod @@ -4,8 +4,8 @@ go 1.25.0 require ( github.com/goradd/maps v1.0.0 - github.com/inspektor-gadget/inspektor-gadget v0.45.0 - github.com/kubescape/node-agent v0.2.387-0.20251020101804-c375f2d7a553 + github.com/inspektor-gadget/inspektor-gadget v0.45.1-0.20251020222545-c91c23581ebf + github.com/kubescape/node-agent v0.2.387-0.20251023081123-8575bdb5c9c4 github.com/kubescape/storage v0.0.221 github.com/stretchr/testify v1.11.1 gopkg.in/yaml.v3 v3.0.1 
@@ -62,8 +62,8 @@ require ( github.com/deckarep/golang-set/v2 v2.7.0 // indirect github.com/dghubble/trie v0.1.0 // indirect github.com/distribution/reference v0.6.0 // indirect - github.com/docker/cli v28.5.0+incompatible // indirect - github.com/docker/docker v28.5.0+incompatible // indirect + github.com/docker/cli v28.5.1+incompatible // indirect + github.com/docker/docker v28.5.1+incompatible // indirect github.com/docker/docker-credential-helpers v0.9.3 // indirect github.com/docker/go-connections v0.6.0 // indirect github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect @@ -79,7 +79,7 @@ require ( github.com/gabriel-vasile/mimetype v1.4.9 // indirect github.com/github/go-spdx/v2 v2.3.3 // indirect github.com/go-errors/errors v1.5.1 // indirect - github.com/go-jose/go-jose/v4 v4.1.1 // indirect + github.com/go-jose/go-jose/v4 v4.1.2 // indirect github.com/go-logr/logr v1.4.3 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-openapi/analysis v0.23.0 // indirect @@ -94,7 +94,7 @@ require ( github.com/go-openapi/validate v0.24.0 // indirect github.com/go-viper/mapstructure/v2 v2.4.0 // indirect github.com/godbus/dbus/v5 v5.1.0 // indirect - github.com/gofrs/flock v0.12.1 // indirect + github.com/gofrs/flock v0.13.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/gohugoio/hashstructure v0.5.0 // indirect github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect @@ -128,7 +128,7 @@ require ( github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect github.com/moby/locker v1.0.1 // indirect - github.com/moby/moby v28.5.0+incompatible // indirect + github.com/moby/moby v28.5.1+incompatible // indirect github.com/moby/sys/mountinfo v0.7.2 // indirect github.com/moby/sys/sequential v0.6.0 // indirect github.com/moby/sys/signal v0.7.0 // indirect 
@@ -213,19 +213,19 @@ require ( go.yaml.in/yaml/v2 v2.4.2 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect - golang.org/x/crypto v0.42.0 // indirect + golang.org/x/crypto v0.43.0 // indirect golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect - golang.org/x/net v0.44.0 // indirect + golang.org/x/net v0.46.0 // indirect golang.org/x/oauth2 v0.30.0 // indirect golang.org/x/sync v0.17.0 // indirect - golang.org/x/sys v0.36.0 // indirect - golang.org/x/term v0.35.0 // indirect - golang.org/x/text v0.29.0 // indirect - golang.org/x/time v0.13.0 // indirect + golang.org/x/sys v0.37.0 // indirect + golang.org/x/term v0.36.0 // indirect + golang.org/x/text v0.30.0 // indirect + golang.org/x/time v0.14.0 // indirect google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 // indirect - google.golang.org/grpc v1.75.1 // indirect + google.golang.org/grpc v1.76.0 // indirect google.golang.org/protobuf v1.36.10 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/go.sum b/go.sum index dcbb84d..0de1229 100644 --- a/go.sum +++ b/go.sum 
@@ -214,10 +214,10 @@ github.com/dghubble/trie v0.1.0/go.mod h1:sOmnzfBNH7H92ow2292dDFWNsVQuh/izuD7otC github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1/go.mod h1:+hnT3ywWDTAFrW5aE+u2Sa/wT555ZqwoCS+pk3p6ry4= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v28.5.0+incompatible h1:crVqLrtKsrhC9c00ythRx435H8LiQnUKRtJLRR+Auxk= -github.com/docker/cli v28.5.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= -github.com/docker/docker v28.5.0+incompatible h1:ZdSQoRUE9XxhFI/B8YLvhnEFMmYN9Pp8Egd2qcaFk1E= -github.com/docker/docker v28.5.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/cli v28.5.1+incompatible h1:ESutzBALAD6qyCLqbQSEf1a/U8Ybms5agw59yGVc+yY= +github.com/docker/cli v28.5.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/docker v28.5.1+incompatible h1:Bm8DchhSD2J6PsFzxC35TZo4TLGR2PdW/E69rU45NhM= +github.com/docker/docker v28.5.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.9.3 h1:gAm/VtF9wgqJMoxzT3Gj5p4AqIjCBS4wrsOh9yRqcz8= github.com/docker/docker-credential-helpers v0.9.3/go.mod h1:x+4Gbw9aGmChi3qTLZj8Dfn0TD20M/fuWy0E5+WDeCo= github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94= 
@@ -279,8 +279,8 @@ github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3Bop github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-jose/go-jose/v4 v4.1.1 h1:JYhSgy4mXXzAdF3nUx3ygx347LRXJRrpgyU3adRmkAI= -github.com/go-jose/go-jose/v4 v4.1.1/go.mod h1:BdsZGqgdO3b6tTc6LSE56wcDbMMLuPsw5d4ZD5f94kA= +github.com/go-jose/go-jose/v4 v4.1.2 h1:TK/7NqRQZfgAh+Td8AlsrvtPoUyiHh0LqVvokh+1vHI= +github.com/go-jose/go-jose/v4 v4.1.2/go.mod h1:22cg9HWM1pOlnRiY+9cQYJ9XHmya1bYW8OeDM6Ku6Oo= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= 
@@ -326,8 +326,8 @@ github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5x github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/gofrs/flock v0.7.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= -github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E= -github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0= +github.com/gofrs/flock v0.13.0 h1:95JolYOvGMqeH31+FC7D2+uULf6mG61mEZ/A8dRYMzw= +github.com/gofrs/flock v0.13.0/go.mod h1:jxeyy9R1auM5S6JYDBhDt+E2TCo7DkratH4Pgi8P+Z0= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= 
@@ -488,8 +488,8 @@ github.com/iceber/iouring-go v0.0.0-20230403020409-002cfd2e2a90/go.mod h1:LEzdaZ github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/inspektor-gadget/inspektor-gadget v0.45.0 h1:HMxAW9ZCD9HzAzCmM2azDY4sru5HTYhsKPmDQ4q1lPA= -github.com/inspektor-gadget/inspektor-gadget v0.45.0/go.mod h1:BTfh1IZkqHo8THtoXkoLe8hyEwnt+G/xoVkTwx8IcJU= +github.com/inspektor-gadget/inspektor-gadget v0.45.1-0.20251020222545-c91c23581ebf h1:VsLpHCG6A3BpRMwFA0/7GzFiw62ccJPrGBvrq+bLEug= +github.com/inspektor-gadget/inspektor-gadget v0.45.1-0.20251020222545-c91c23581ebf/go.mod h1:uIHgsbs5cwGdobCBjKNDWYQ63z7KNp6tWqLF3aiRerI= github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1/go.mod h1:E0B/fFc00Y+Rasa88328GlI/XbtyysCtTHZS8h7IrBU= github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8= github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg= 
@@ -531,8 +531,8 @@ github.com/kubescape/go-logger v0.0.24 h1:JRNlblY16Ty7hD6MSYNPvWYDxNzVAufsDDX/sZ github.com/kubescape/go-logger v0.0.24/go.mod h1:sMPVCr3VpW/e+SeMaXig5kClGvmZbDXN8YktUeNU4nY= github.com/kubescape/k8s-interface v0.0.199 h1:D+YBL69q1Dc2idus6jwd/vQcNhRoNZ6tE0m5Miz7TSg= github.com/kubescape/k8s-interface v0.0.199/go.mod h1:j9snZbH+RxOaa1yG/bWgTClj90q7To0rGgQepxy4b+k= -github.com/kubescape/node-agent v0.2.387-0.20251020101804-c375f2d7a553 h1:6TZiyLiFB8VI/9jfWLbEMtQDEi3yqTwdUOpY+WDgexQ= -github.com/kubescape/node-agent v0.2.387-0.20251020101804-c375f2d7a553/go.mod h1:HN5jZ99TL+DF3rt3JTn1X4NfcOtSMqGFntA1a7i60HI= +github.com/kubescape/node-agent v0.2.387-0.20251023081123-8575bdb5c9c4 h1:D2PyCbsi6fb5M4hnT5wX2mFNzA0f0E4m16zWveYxLEA= +github.com/kubescape/node-agent v0.2.387-0.20251023081123-8575bdb5c9c4/go.mod h1:I/3Hz4zq+O/lRulh1HkKPX78V7CzXXH7cw2Jy2t1/xM= github.com/kubescape/storage v0.0.221 h1:HLWnNokkKgKo9ka/p797fFQdsbzKxSXT5/RpUWrKWzI= github.com/kubescape/storage v0.0.221/go.mod h1:L/fF3teor8cUj80TVujqy9E1rKsf+Dox2hZtkS1vjOU= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= 
@@ -586,8 +586,8 @@ github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3N github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= -github.com/moby/moby v28.5.0+incompatible h1:eN6ksRE7BojoGW18USJGfyqhx/FWJPLs0jqaTNlfSsM= -github.com/moby/moby v28.5.0+incompatible/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc= +github.com/moby/moby v28.5.1+incompatible h1:JD8lBdCDBF2oiHWLqIRofPqI8qvkppRjMJ6EnwrhvX0= +github.com/moby/moby v28.5.1+incompatible/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc= github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw= github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs= github.com/moby/sys/capability v0.4.0 h1:4D4mI6KlNtWMCM1Z/K0i7RV1FkX+DBDHKVJpCndZoHk= 
@@ -920,8 +920,8 @@ golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI= -golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8= +golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04= +golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -961,8 +961,8 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= -golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ= -golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc= +golang.org/x/mod v0.28.0 h1:gQBtGhjxykdjY9YhZpSlZIsbnaE2+PgjfLWUQTnoZ1U= +golang.org/x/mod v0.28.0/go.mod h1:yfB/L0NOf/kmEbXjzCPOx1iK1fRutOydrCMsqRhEBxI= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -1009,8 +1009,8 @@ golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.44.0 h1:evd8IRDyfNBMBTTY5XRF1vaZlD+EmWx6x8PkhR04H/I= -golang.org/x/net v0.44.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY= +golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4= +golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 
@@ -1120,11 +1120,11 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k= -golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ= +golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ= -golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA= +golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q= +golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -1134,14 +1134,14 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk= -golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4= +golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k= +golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.13.0 h1:eUlYslOIt32DgYD6utsuUeHs4d7AsEYLuIAdg7FlYgI= -golang.org/x/time v0.13.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4= +golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI= +golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4= golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181030000716-a0a13e073c7b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -1198,8 +1198,8 @@ golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg= -golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s= +golang.org/x/tools v0.37.0 h1:DVSRzp7FwePZW356yEAChSdNcQo6Nsp+fex1SUW09lE= +golang.org/x/tools v0.37.0/go.mod h1:MBN5QPQtLMHVdvsbtarmTNukZDdgwdwlO5qGacAzF0w= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -1353,8 +1353,8 @@ google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnD google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= -google.golang.org/grpc v1.75.1 h1:/ODCNEuf9VghjgO3rqLcfg8fiOP0nSluljWFlDxELLI= -google.golang.org/grpc v1.75.1/go.mod h1:JtPAzKiq4v1xcAB2hydNlWI2RnF85XXcV0mhKXr2ecQ= +google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A= +google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= diff --git a/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml b/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml index ae9aab3..027c753 100644 --- a/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml +++ b/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml 
@@ -12,15 +12,15 @@ spec: id: "R0009" description: "Detecting eBPF program load." expressions: - message: "'bpf system call executed in ' + event.containerName" - uniqueId: "event.comm + '_' + event.syscallName" + message: "'bpf program load system call (bpf) was called by process (' + event.comm + ') with command (BPF_PROG_LOAD)'" + uniqueId: "event.comm + '_' + 'bpf' + '_' + string(event.cmd)" ruleExpression: - - eventType: "syscall" - expression: "event.syscallName == 'bpf' && !ap.was_syscall_used(event.containerId, event.syscallName)" + - eventType: "bpf" + expression: "event.cmd == uint(5) && !ap.was_syscall_used(event.containerId, 'bpf')" profileDependency: 1 severity: 5 supportPolicy: false tags: - - "syscall" + - "bpf" - "ebpf" - "applicationprofile" diff --git a/pkg/rules/r0009-ebpf-program-load/rule_test.go b/pkg/rules/r0009-ebpf-program-load/rule_test.go index 1be26dd..a47435b 100644 --- a/pkg/rules/r0009-ebpf-program-load/rule_test.go +++ b/pkg/rules/r0009-ebpf-program-load/rule_test.go @@ -27,9 +27,10 @@ func TestR0009EbpfProgramLoad(t *testing.T) { Comm: "test-process", Container: "test", ContainerID: "test", - EventType: utils.SyscallEventType, + EventType: utils.BpfEventType, Pid: 1234, Syscall: "bpf", + Cmd: 5, } objCache := &objectcachev1.RuleObjectCacheMock{ @@ -76,7 +77,7 @@ func TestR0009EbpfProgramLoad(t *testing.T) { if err != nil { t.Fatalf("Failed to evaluate message: %v", err) } - if message != "bpf system call executed in test" { + if message != "bpf program load system call (bpf) was called by process (test-process) with command (BPF_PROG_LOAD)" { t.Fatalf("Message evaluation failed, got: %s", message) } @@ -85,7 +86,7 @@ func TestR0009EbpfProgramLoad(t *testing.T) { if err != nil { t.Fatalf("Failed to evaluate unique id: %v", err) } - if uniqueId != "test-process_bpf" { + if uniqueId != "test-process_bpf_5" { t.Fatalf("Unique id evaluation failed, got: %s", uniqueId) } 
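Review bot: `event.cmd == uint(5)` in the new `bpf` expression is a bare magic number, and the message hard-codes `(BPF_PROG_LOAD)` independently of it, so the two can drift if the command set is ever widened; a comment on the expression such as `# 5 is BPF_PROG_LOAD in the bpf(2) command enum` would make the intent explicit. Since the rule only fires when cmd is 5, `string(event.cmd)` in the uniqueId is currently a constant suffix; either drop it or keep it deliberately as future-proofing and say so. The rules-crd.yaml copy of R0009 is not visible in this chunk, so confirm it received the same eventType and expression change.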
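Review bot: The fixture in the first rule_test.go hunk now sets `Cmd: 5`, which covers the positive path of the new `event.cmd == uint(5)` guard, but nothing visible exercises a bpf event with a different `Cmd` value to show the rule stays silent. TestR0009EbpfProgramLoad starts before this hunk, so such a case may already exist; if not, a second event with `Cmd: 0` asserting no trigger would pin the guard.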
diff --git a/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml b/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml index 596e758..d28b672 100644 --- a/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml +++ b/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml @@ -12,18 +12,16 @@ spec: id: "R1002" description: "Detecting Kernel Module Load." expressions: - message: "'Kernel module load syscall (' + event.syscallName + ') was called'" - uniqueId: "event.syscallName" + message: "'Kernel module (' + event.module + ') loading attempt with syscall (' + event.syscallName + ') was called by process (' + event.comm + ')'" + uniqueId: "event.comm + '_' + event.syscallName + '_' + event.module" ruleExpression: - - eventType: "syscall" - expression: > - event.syscallName == 'init_module' || - event.syscallName == 'finit_module' + - eventType: "kmod" + expression: "event.syscallName == 'init_module' || event.syscallName == 'finit_module'" profileDependency: 2 severity: 10 supportPolicy: false tags: - - "syscall" + - "kmod" - "kernel" - "module" - "load" diff --git a/pkg/rules/r1002-kernel-module-load/rule_test.go b/pkg/rules/r1002-kernel-module-load/rule_test.go index 2fd7cbb..964d128 100644 --- a/pkg/rules/r1002-kernel-module-load/rule_test.go +++ b/pkg/rules/r1002-kernel-module-load/rule_test.go @@ -16,14 +16,15 @@ import ( ) // createTestSyscallEvent creates a test SyscallEvent -func createTestSyscallEvent(containerName, containerID, comm, syscallName string, pid uint32) *utils.StructEvent { +func createTestKmodEvent(containerName, containerID, comm, syscallName, module string, pid uint32) *utils.StructEvent { return &utils.StructEvent{ Comm: comm, Container: containerName, ContainerID: containerID, - EventType: utils.SyscallEventType, + EventType: utils.KmodEventType, Pid: pid, Syscall: syscallName, + Module: module, } } 
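Review bot: The doc comment above the renamed helper still reads `// createTestSyscallEvent creates a test SyscallEvent`, which no longer matches `createTestKmodEvent` or the `utils.KmodEventType` it now sets. Replace it with `// createTestKmodEvent builds a kmod StructEvent with the given container, process, syscall name and module.`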
@@ -42,25 +43,25 @@ func TestR1002KernelModuleLoad(t *testing.T) {
}{
{
name: "init_module syscall",
- event: createTestSyscallEvent("test", "container123", "test-process", "init_module", uint32(1234)),
+ event: createTestKmodEvent("test", "container123", "test-process", "init_module", "module1", uint32(1234)),
expectTrigger: true,
description: "Should trigger for init_module syscall",
},
{
name: "finit_module syscall",
- event: createTestSyscallEvent("test", "container123", "test-process", "finit_module", uint32(1234)),
+ event: createTestKmodEvent("test", "container123", "test-process", "finit_module", "module2", uint32(1234)),
expectTrigger: true,
description: "Should trigger for finit_module syscall",
},
{
name: "other syscall",
- event: createTestSyscallEvent("test", "container123", "test-process", "open", uint32(1234)),
+ event: createTestKmodEvent("test", "container123", "test-process", "open", "module3", uint32(1234)),
expectTrigger: false,
description: "Should not trigger for non-kernel-module syscall",
},
{
name: "other syscall name",
- event: createTestSyscallEvent("test", "container123", "test-process", "read", uint32(1234)),
+ event: createTestKmodEvent("test", "container123", "test-process", "read", "module4", uint32(1234)),
expectTrigger: false,
description: "Should not trigger for non-kernel-module syscall",
},
@@ -117,7 +118,7 @@ func TestR1002KernelModuleLoad(t *testing.T) {
if err != nil {
t.Fatalf("Failed to evaluate message: %v", err)
}
- expectedMessage := "Kernel module load syscall (" + tt.event.Syscall + ") was called"
+ expectedMessage := "Kernel module (" + tt.event.Module + ") loading attempt with syscall (" + tt.event.Syscall + ") was called by process (" + tt.event.Comm + ")"
if message != expectedMessage {
t.Errorf("Message evaluation failed. Expected: %s, Got: %s", expectedMessage, message)
}
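Review bot: No case exercises an empty module name even though `event.module` is now part of both the message and the uniqueId: the two negative cases build kmod-typed events with `open`/`read` syscall names (which a kmod event presumably never carries in production) and every case passes a non-empty `moduleN`. Adding a case such as `createTestKmodEvent("test", "container123", "test-process", "finit_module", "", uint32(1234))` would pin what the message (`Kernel module () loading attempt ...`) and uniqueId (`test-process_finit_module_`) look like when the gadget has no name, which the `@@ -117,7 +118,7 @@` and `@@ -127,7 +128,7 @@` hunks otherwise leave unspecified. The test table starts before this hunk.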
@@ -127,7 +128,7 @@ func TestR1002KernelModuleLoad(t *testing.T) {
if err != nil {
t.Fatalf("Failed to evaluate unique ID: %v", err)
}
- expectedUniqueID := tt.event.Syscall
+ expectedUniqueID := tt.event.Comm + "_" + tt.event.Syscall + "_" + tt.event.Module
if uniqueID != expectedUniqueID {
t.Errorf("Unique ID evaluation failed. Expected: %s, Got: %s", expectedUniqueID, uniqueID)
}
diff --git a/pkg/rules/r1006-unshare-syscall/rule_test.go b/pkg/rules/r1006-unshare-syscall/rule_test.go
index 4157384..e820efb 100644
--- a/pkg/rules/r1006-unshare-syscall/rule_test.go
+++ b/pkg/rules/r1006-unshare-syscall/rule_test.go
@@ -24,9 +24,10 @@ func TestR1006UnshareSyscall(t *testing.T) {
// Create a syscall event for unshare
e := &utils.StructEvent{
+ Comm: "test-process",
Container: "test",
ContainerID: "test",
- EventType: utils.SyscallEventType,
+ EventType: utils.UnshareEventType,
Pid: 1234,
Syscall: "unshare",
}
@@ -75,7 +76,7 @@ func TestR1006UnshareSyscall(t *testing.T) {
if err != nil {
t.Fatalf("Failed to evaluate message: %v", err)
}
- if message != "Unshare system call detected: unshare with PID 1234" {
+ if message != "Unshare system call (unshare) was called by process (test-process)" {
t.Fatalf("Message evaluation failed: %s", message)
}
@@ -84,7 +85,7 @@ func TestR1006UnshareSyscall(t *testing.T) {
if err != nil {
t.Fatalf("Failed to evaluate unique id: %v", err)
}
- if uniqueId != "unshare" {
+ if uniqueId != "test-process_unshare" {
t.Fatalf("Unique id evaluation failed: %s", uniqueId)
}
diff --git a/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml b/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml
index 0a1512d..38dcd4b 100644
--- a/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml
+++ b/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml
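Review bot: In the r1006 test hunk `@@ -24,9 +24,10 @@` the comment `// Create a syscall event for unshare` is left in place while the event's type is switched to `utils.UnshareEventType`; `// Create an unshare event (utils.UnshareEventType) for the rule under test` describes what the literal now builds. The `Syscall: "unshare"` field is kept on the event although the rule expression in the following YAML hunk no longer reads it, so a short comment saying whether the field is still consumed (by the profile helper, presumably) or is only informational would stop a later cleanup from guessing.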
@@ -12,16 +12,16 @@ spec:
id: "R1006"
description: "Detecting Unshare System Call usage, which can be used to escape container."
expressions:
- message: "'Unshare system call detected: ' + event.syscallName + ' with PID ' + string(event.pid)"
- uniqueId: "event.syscallName"
+ message: "'Unshare system call (unshare) was called by process (' + event.comm + ')'"
+ uniqueId: "event.comm + '_' + 'unshare'"
ruleExpression:
- - eventType: "syscall"
- expression: "event.syscallName == 'unshare' && !ap.was_syscall_used(event.containerId, event.syscallName)"
+ - eventType: "unshare"
+ expression: "!ap.was_syscall_used(event.containerId, 'unshare')"
profileDependency: 2
severity: 5
supportPolicy: false
tags:
- - "syscall"
+ - "unshare"
- "escape"
- "unshare"
- "anomaly"
diff --git a/rules-crd.yaml b/rules-crd.yaml
index f8315cc..18c934c 100644
--- a/rules-crd.yaml
+++ b/rules-crd.yaml
@@ -185,16 +185,16 @@ spec:
id: "R0009"
description: "Detecting eBPF program load."
expressions:
- message: "'bpf system call executed in ' + event.containerName"
- uniqueId: "event.comm + '_' + event.syscallName"
+ message: "'bpf program load system call (bpf) was called by process (' + event.comm + ') with command (BPF_PROG_LOAD)'"
+ uniqueId: "event.comm + '_' + 'bpf' + '_' + string(event.cmd)"
ruleExpression:
- - eventType: "syscall"
- expression: "event.syscallName == 'bpf' && !ap.was_syscall_used(event.containerId, event.syscallName)"
+ - eventType: "bpf"
+ expression: "event.cmd == uint(5) && !ap.was_syscall_used(event.containerId, 'bpf')"
profileDependency: 1
severity: 5
supportPolicy: false
tags:
- - "syscall"
+ - "bpf"
- "ebpf"
- "applicationprofile"
- name: "Unexpected Sensitive File Access"
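Review bot: After this hunk the R1006 `tags` list carries `"unshare"` twice: the added `- "unshare"` that replaces `- "syscall"` sits two entries above the pre-existing `- "unshare"` (the list becomes unshare, escape, unshare, anomaly). Drop the added entry, or replace it with a tag that actually distinguishes the rule, so consumers that key on tags do not see a duplicate; the same duplicate is introduced into rules-crd.yaml by the `@@ -352,16 +350,16 @@` hunk. The expression also drops the `event.syscallName == 'unshare'` guard and relies on `eventType: "unshare"` alone, which is fine if that event type only ever carries unshare(2), but a comment such as `# eventType already limits this rule to unshare(2); only the profile check remains` would make the intent explicit for the next editor.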
@@ -279,18 +279,16 @@ spec:
id: "R1002"
description: "Detecting Kernel Module Load."
expressions:
- message: "'Kernel module load syscall (' + event.syscallName + ') was called'"
- uniqueId: "event.syscallName"
+ message: "'Kernel module (' + event.module + ') loading attempt with syscall (' + event.syscallName + ') was called by process (' + event.comm + ')'"
+ uniqueId: "event.comm + '_' + event.syscallName + '_' + event.module"
ruleExpression:
- - eventType: "syscall"
- expression: >
- event.syscallName == 'init_module' ||
- event.syscallName == 'finit_module'
+ - eventType: "kmod"
+ expression: "event.syscallName == 'init_module' || event.syscallName == 'finit_module'"
profileDependency: 2
severity: 10
supportPolicy: false
tags:
- - "syscall"
+ - "kmod"
- "kernel"
- "module"
- "load"
@@ -352,16 +350,16 @@ spec:
id: "R1006"
description: "Detecting Unshare System Call usage, which can be used to escape container."
expressions:
- message: "'Unshare system call detected: ' + event.syscallName + ' with PID ' + string(event.pid)"
- uniqueId: "event.syscallName"
+ message: "'Unshare system call (unshare) was called by process (' + event.comm + ')'"
+ uniqueId: "event.comm + '_' + 'unshare'"
ruleExpression:
- - eventType: "syscall"
- expression: "event.syscallName == 'unshare' && !ap.was_syscall_used(event.containerId, event.syscallName)"
+ - eventType: "unshare"
+ expression: "!ap.was_syscall_used(event.containerId, 'unshare')"
profileDependency: 2
severity: 5
supportPolicy: false
tags:
- - "syscall"
+ - "unshare"
- "escape"
- "unshare"
- "anomaly"
From 71f0eadce31d7a4e2ad9eccea84fea50c48ef910 Mon Sep 17 00:00:00 2001 From: Amit Schendel Date: Tue, 28 Oct 2025 14:47:58 +0000 Subject: [PATCH 09/11] Adding fields
Signed-off-by: Amit Schendel --- go.mod | 4 +- go.sum | 8 +- .../unexpected-process-launched.yaml | 3 + .../unexpected-file-access.yaml | 3 + .../unexpected-system-call.yaml | 3 + .../unexpected-capability-used.yaml | 3 + .../unexpected-domain-request.yaml | 3 + ...expected-service-account-token-access.yaml | 3 + .../kubernetes-client-executed.yaml | 3 + .../read-environment-variables-procfs.yaml | 3 + .../ebpf-program-load.yaml | 3 + .../unexpected-sensitive-file-access.yaml | 3 + .../unexpected-egress-network-traffic.yaml | 3 + .../exec-from-malicious-source.yaml | 3 + .../exec-binary-not-in-base-image.yaml | 3 + .../kernel-module-load.yaml | 3 + .../malicious-ssh-connection.yaml | 3 + .../exec-from-mount.yaml | 3 + .../fileless-execution.yaml | 3 + .../unshare-syscall.yaml | 3 + .../xmr-crypto-mining.yaml | 3 + .../crypto-mining-domain-communication.yaml | 3 + .../crypto-mining-related-port.yaml | 3 + .../symlink-created-over-sensitive-file.yaml | 3 + .../ld-preload-hook.yaml | 3 + .../hardlink-created-over-sensitive-file.yaml | 3 + .../malicious-ptrace-usage.yaml | 3 + .../unexpected-io_uring-operation.yaml | 3 + rules-crd.yaml | 78 +++++++++++++++++++ 29 files changed, 163 insertions(+), 5 deletions(-)
diff --git a/go.mod b/go.mod
index 6939cf3..11e0320 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.25.0
require (
github.com/goradd/maps v1.0.0
github.com/inspektor-gadget/inspektor-gadget v0.45.1-0.20251020222545-c91c23581ebf
- github.com/kubescape/node-agent v0.2.387-0.20251023081123-8575bdb5c9c4
+ github.com/kubescape/node-agent v0.2.387-0.20251028144632-fead4536b150
github.com/kubescape/storage v0.0.221
github.com/stretchr/testify v1.11.1
gopkg.in/yaml.v3 v3.0.1
@@ -255,3 +255,5 @@ require (
sigs.k8s.io/yaml v1.6.0 // indirect
zombiezen.com/go/sqlite v1.4.0 // indirect
)
+
+replace github.com/inspektor-gadget/inspektor-gadget => github.com/matthyx/inspektor-gadget v0.0.0-20251028120806-bb895db89083
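Review bot: The new `replace github.com/inspektor-gadget/inspektor-gadget => github.com/matthyx/inspektor-gadget v0.0.0-20251028120806-bb895db89083` redirects the module to a personal fork pinned by pseudo-version, so every build of this repository now trusts that individual account for the gadget framework rather than the upstream organisation, and the go.sum hunks that follow drop the upstream checksum lines in favour of the fork's. Nothing in the hunk says why the fork is needed or when it can go away; put that beside the directive, e.g. `// TODO(<placeholder: upstream PR link>): temporary fork carrying the image-based gadget fields, drop once merged upstream`, so the redirect does not silently outlive its purpose. Note that the `require` block above still names the upstream path and version, so a reader scanning only that block will not notice the substitution.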
diff --git a/go.sum b/go.sum index 0de1229..060687f 100644 --- a/go.sum +++ b/go.sum @@ -488,8 +488,6 @@ github.com/iceber/iouring-go v0.0.0-20230403020409-002cfd2e2a90/go.mod h1:LEzdaZ github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/inspektor-gadget/inspektor-gadget v0.45.1-0.20251020222545-c91c23581ebf h1:VsLpHCG6A3BpRMwFA0/7GzFiw62ccJPrGBvrq+bLEug= -github.com/inspektor-gadget/inspektor-gadget v0.45.1-0.20251020222545-c91c23581ebf/go.mod h1:uIHgsbs5cwGdobCBjKNDWYQ63z7KNp6tWqLF3aiRerI= github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1/go.mod h1:E0B/fFc00Y+Rasa88328GlI/XbtyysCtTHZS8h7IrBU= github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8= github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg= 
@@ -531,8 +529,8 @@ github.com/kubescape/go-logger v0.0.24 h1:JRNlblY16Ty7hD6MSYNPvWYDxNzVAufsDDX/sZ github.com/kubescape/go-logger v0.0.24/go.mod h1:sMPVCr3VpW/e+SeMaXig5kClGvmZbDXN8YktUeNU4nY= github.com/kubescape/k8s-interface v0.0.199 h1:D+YBL69q1Dc2idus6jwd/vQcNhRoNZ6tE0m5Miz7TSg= github.com/kubescape/k8s-interface v0.0.199/go.mod h1:j9snZbH+RxOaa1yG/bWgTClj90q7To0rGgQepxy4b+k= -github.com/kubescape/node-agent v0.2.387-0.20251023081123-8575bdb5c9c4 h1:D2PyCbsi6fb5M4hnT5wX2mFNzA0f0E4m16zWveYxLEA= -github.com/kubescape/node-agent v0.2.387-0.20251023081123-8575bdb5c9c4/go.mod h1:I/3Hz4zq+O/lRulh1HkKPX78V7CzXXH7cw2Jy2t1/xM= +github.com/kubescape/node-agent v0.2.387-0.20251028144632-fead4536b150 h1:XCb73kikqyISyBejN+FowkJ8L70zxDY9HsjpqWIhbuI= +github.com/kubescape/node-agent v0.2.387-0.20251028144632-fead4536b150/go.mod h1:203YhUZCSXmktqT/AdMcKJW9+KsncvE4Ybp7/GVt4ok= github.com/kubescape/storage v0.0.221 h1:HLWnNokkKgKo9ka/p797fFQdsbzKxSXT5/RpUWrKWzI= github.com/kubescape/storage v0.0.221/go.mod h1:L/fF3teor8cUj80TVujqy9E1rKsf+Dox2hZtkS1vjOU= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= 
@@ -547,6 +545,8 @@ github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPK github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4= github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU= +github.com/matthyx/inspektor-gadget v0.0.0-20251028120806-bb895db89083 h1:WNhY6toOm/NckDM5/kFw9akvQ6Tc+CZxHA0RkfGlHcQ= +github.com/matthyx/inspektor-gadget v0.0.0-20251028120806-bb895db89083/go.mod h1:uIHgsbs5cwGdobCBjKNDWYQ63z7KNp6tWqLF3aiRerI= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= diff --git a/pkg/rules/r0001-unexpected-process-launched/unexpected-process-launched.yaml b/pkg/rules/r0001-unexpected-process-launched/unexpected-process-launched.yaml index 831fdb8..192b6e3 100644 --- a/pkg/rules/r0001-unexpected-process-launched/unexpected-process-launched.yaml +++ b/pkg/rules/r0001-unexpected-process-launched/unexpected-process-launched.yaml @@ -20,6 +20,9 @@ spec: profileDependency: 0 severity: 1 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0002" + mitreTechnique: "T1059" tags: - "anomaly" - "process" diff --git a/pkg/rules/r0002-unexpected-file-access/unexpected-file-access.yaml b/pkg/rules/r0002-unexpected-file-access/unexpected-file-access.yaml index ea8c45c..6817ea5 100644 --- a/pkg/rules/r0002-unexpected-file-access/unexpected-file-access.yaml +++ b/pkg/rules/r0002-unexpected-file-access/unexpected-file-access.yaml @@ -38,6 +38,9 @@ spec: profileDependency: 0 severity: 1 supportPolicy: false + isTriggerAlert: false + mitreTactic: "TA0009" + mitreTechnique: "T1005" tags: - "anomaly" - "file" 
diff --git a/pkg/rules/r0003-unexpected-system-call/unexpected-system-call.yaml b/pkg/rules/r0003-unexpected-system-call/unexpected-system-call.yaml index 5ffa14c..1c10d71 100644 --- a/pkg/rules/r0003-unexpected-system-call/unexpected-system-call.yaml +++ b/pkg/rules/r0003-unexpected-system-call/unexpected-system-call.yaml @@ -20,6 +20,9 @@ spec: profileDependency: 0 severity: 1 supportPolicy: false + isTriggerAlert: false + mitreTactic: "TA0002" + mitreTechnique: "T1059" tags: - "anomaly" - "syscall" diff --git a/pkg/rules/r0004-unexpected-capability-used/unexpected-capability-used.yaml b/pkg/rules/r0004-unexpected-capability-used/unexpected-capability-used.yaml index a5a0c25..c7854c7 100644 --- a/pkg/rules/r0004-unexpected-capability-used/unexpected-capability-used.yaml +++ b/pkg/rules/r0004-unexpected-capability-used/unexpected-capability-used.yaml @@ -20,6 +20,9 @@ spec: profileDependency: 0 severity: 1 supportPolicy: false + isTriggerAlert: false + mitreTactic: "TA0002" + mitreTechnique: "T1059" tags: - "anomaly" - "capabilities" diff --git a/pkg/rules/r0005-unexpected-domain-request/unexpected-domain-request.yaml b/pkg/rules/r0005-unexpected-domain-request/unexpected-domain-request.yaml index d3d229b..7302e0f 100644 --- a/pkg/rules/r0005-unexpected-domain-request/unexpected-domain-request.yaml +++ b/pkg/rules/r0005-unexpected-domain-request/unexpected-domain-request.yaml @@ -20,6 +20,9 @@ spec: profileDependency: 0 severity: 1 supportPolicy: false + isTriggerAlert: false + mitreTactic: "TA0011" + mitreTechnique: "T1071.004" tags: - "dns" - "anomaly" diff --git a/pkg/rules/r0006-unexpected-service-account-token-access/unexpected-service-account-token-access.yaml b/pkg/rules/r0006-unexpected-service-account-token-access/unexpected-service-account-token-access.yaml index 3c543ab..6b4ae66 100644 --- a/pkg/rules/r0006-unexpected-service-account-token-access/unexpected-service-account-token-access.yaml 
+++ b/pkg/rules/r0006-unexpected-service-account-token-access/unexpected-service-account-token-access.yaml @@ -28,6 +28,9 @@ spec: profileDependency: 1 severity: 5 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0006" + mitreTechnique: "T1528" tags: - "anomaly" - "serviceaccount" diff --git a/pkg/rules/r0007-kubernetes-client-executed/kubernetes-client-executed.yaml b/pkg/rules/r0007-kubernetes-client-executed/kubernetes-client-executed.yaml index 188a006..698b7ef 100644 --- a/pkg/rules/r0007-kubernetes-client-executed/kubernetes-client-executed.yaml +++ b/pkg/rules/r0007-kubernetes-client-executed/kubernetes-client-executed.yaml @@ -22,6 +22,9 @@ spec: profileDependency: 0 severity: 5 # Medium supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0008" + mitreTechnique: "T1210" tags: - "exec" - "network" diff --git a/pkg/rules/r0008-read-environment-variables-procfs/read-environment-variables-procfs.yaml b/pkg/rules/r0008-read-environment-variables-procfs/read-environment-variables-procfs.yaml index 80d041f..74de3ce 100644 --- a/pkg/rules/r0008-read-environment-variables-procfs/read-environment-variables-procfs.yaml +++ b/pkg/rules/r0008-read-environment-variables-procfs/read-environment-variables-procfs.yaml @@ -23,6 +23,9 @@ spec: profileDependency: 0 # Required severity: 5 # Medium supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0006" + mitreTechnique: "T1552.001" tags: - "anomaly" - "procfs" diff --git a/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml b/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml index 027c753..4b24def 100644 --- a/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml +++ b/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml @@ -20,6 +20,9 @@ spec: profileDependency: 1 severity: 5 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0005" + mitreTechnique: "T1218" tags: - "bpf" - "ebpf" 
diff --git a/pkg/rules/r0010-unexpected-sensitive-file-access/unexpected-sensitive-file-access.yaml b/pkg/rules/r0010-unexpected-sensitive-file-access/unexpected-sensitive-file-access.yaml index 8343e9a..6945e50 100644 --- a/pkg/rules/r0010-unexpected-sensitive-file-access/unexpected-sensitive-file-access.yaml +++ b/pkg/rules/r0010-unexpected-sensitive-file-access/unexpected-sensitive-file-access.yaml @@ -20,6 +20,9 @@ spec: profileDependency: 1 severity: 5 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0006" + mitreTechnique: "T1005" tags: - "files" - "anomaly" diff --git a/pkg/rules/r0011-unexpected-egress-network-traffic/unexpected-egress-network-traffic.yaml b/pkg/rules/r0011-unexpected-egress-network-traffic/unexpected-egress-network-traffic.yaml index 462312b..c808959 100644 --- a/pkg/rules/r0011-unexpected-egress-network-traffic/unexpected-egress-network-traffic.yaml +++ b/pkg/rules/r0011-unexpected-egress-network-traffic/unexpected-egress-network-traffic.yaml @@ -20,6 +20,9 @@ spec: profileDependency: 0 severity: 5 # Medium supportPolicy: false + isTriggerAlert: false + mitreTactic: "TA0010" + mitreTechnique: "T1041" tags: - "whitelisted" - "network" diff --git a/pkg/rules/r1000-exec-from-malicious-source/exec-from-malicious-source.yaml b/pkg/rules/r1000-exec-from-malicious-source/exec-from-malicious-source.yaml index 2509f11..e7be6e4 100644 --- a/pkg/rules/r1000-exec-from-malicious-source/exec-from-malicious-source.yaml +++ b/pkg/rules/r1000-exec-from-malicious-source/exec-from-malicious-source.yaml @@ -23,6 +23,9 @@ spec: profileDependency: 2 severity: 8 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0002" + mitreTechnique: "T1059" tags: - "exec" - "signature" diff --git a/pkg/rules/r1001-exec-binary-not-in-base-image/exec-binary-not-in-base-image.yaml b/pkg/rules/r1001-exec-binary-not-in-base-image/exec-binary-not-in-base-image.yaml index c5498b4..0671460 100644 
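Review bot: Several of the added tactic/technique pairs do not belong together, starting with R0010 here: `mitreTactic: "TA0006"` (Credential Access) is combined with `mitreTechnique: "T1005"`, but T1005 (Data from Local System) is a Collection technique — for Credential Access the fitting family is T1552 Unsecured Credentials, which this patch already uses for R0008. The same TA0006/T1005 pairing recurs for R1010 and R1012, R1002 pairs TA0005 with T1547.006 (a Persistence / Privilege Escalation sub-technique), and R1030 pairs TA0002 with T1218 (a Defense Evasion technique); each is repeated in the rules-crd.yaml copies. Since the per-rule files and rules-crd.yaml are maintained by hand in parallel, a small test (or a generator for rules-crd.yaml) that checks every technique is listed under its tactic and that both copies agree would prevent the two from drifting.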
--- a/pkg/rules/r1001-exec-binary-not-in-base-image/exec-binary-not-in-base-image.yaml +++ b/pkg/rules/r1001-exec-binary-not-in-base-image/exec-binary-not-in-base-image.yaml @@ -23,6 +23,9 @@ spec: profileDependency: 1 severity: 8 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0005" + mitreTechnique: "T1036" tags: - "exec" - "malicious" diff --git a/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml b/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml index d28b672..09c18e2 100644 --- a/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml +++ b/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml @@ -20,6 +20,9 @@ spec: profileDependency: 2 severity: 10 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0005" + mitreTechnique: "T1547.006" tags: - "kmod" - "kernel" diff --git a/pkg/rules/r1003-malicious-ssh-connection/malicious-ssh-connection.yaml b/pkg/rules/r1003-malicious-ssh-connection/malicious-ssh-connection.yaml index 1149d9f..178a005 100644 --- a/pkg/rules/r1003-malicious-ssh-connection/malicious-ssh-connection.yaml +++ b/pkg/rules/r1003-malicious-ssh-connection/malicious-ssh-connection.yaml @@ -20,6 +20,9 @@ spec: profileDependency: 1 severity: 5 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0008" + mitreTechnique: "T1021.001" tags: - "ssh" - "connection" diff --git a/pkg/rules/r1004-exec-from-mount/exec-from-mount.yaml b/pkg/rules/r1004-exec-from-mount/exec-from-mount.yaml index 2c87461..e1bb67c 100644 --- a/pkg/rules/r1004-exec-from-mount/exec-from-mount.yaml +++ b/pkg/rules/r1004-exec-from-mount/exec-from-mount.yaml @@ -20,6 +20,9 @@ spec: profileDependency: 1 severity: 5 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0002" + mitreTechnique: "T1059" tags: - "exec" - "mount" diff --git a/pkg/rules/r1005-fileless-execution/fileless-execution.yaml b/pkg/rules/r1005-fileless-execution/fileless-execution.yaml index 759d0f4..6c45d49 100644 
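Review bot: R1003 (malicious SSH connection) is tagged `mitreTechnique: "T1021.001"`, which is Remote Services: Remote Desktop Protocol; the SSH sub-technique is T1021.004, so the line should read `mitreTechnique: "T1021.004"`. The tactic `TA0008` (Lateral Movement) is consistent with T1021 and can stay. The rules-crd.yaml copy in hunk `@@ -305,6 +347,9 @@` needs the same correction.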
--- a/pkg/rules/r1005-fileless-execution/fileless-execution.yaml +++ b/pkg/rules/r1005-fileless-execution/fileless-execution.yaml @@ -20,6 +20,9 @@ spec: profileDependency: 2 severity: 8 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0005" + mitreTechnique: "T1055" tags: - "fileless" - "execution" diff --git a/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml b/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml index 38dcd4b..8fa0912 100644 --- a/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml +++ b/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml @@ -20,6 +20,9 @@ spec: profileDependency: 2 severity: 5 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0004" + mitreTechnique: "T1611" tags: - "unshare" - "escape" diff --git a/pkg/rules/r1007-xmr-crypto-mining/xmr-crypto-mining.yaml b/pkg/rules/r1007-xmr-crypto-mining/xmr-crypto-mining.yaml index b9f685b..0e5af29 100644 --- a/pkg/rules/r1007-xmr-crypto-mining/xmr-crypto-mining.yaml +++ b/pkg/rules/r1007-xmr-crypto-mining/xmr-crypto-mining.yaml @@ -20,6 +20,9 @@ spec: profileDependency: 2 severity: 10 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0040" + mitreTechnique: "T1496" tags: - "crypto" - "miners" diff --git a/pkg/rules/r1008-crypto-mining-domain-communication/crypto-mining-domain-communication.yaml b/pkg/rules/r1008-crypto-mining-domain-communication/crypto-mining-domain-communication.yaml index 9ccea8b..bb59f36 100644 --- a/pkg/rules/r1008-crypto-mining-domain-communication/crypto-mining-domain-communication.yaml +++ b/pkg/rules/r1008-crypto-mining-domain-communication/crypto-mining-domain-communication.yaml @@ -20,6 +20,9 @@ spec: profileDependency: 2 severity: 10 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0011" + mitreTechnique: "T1071.004" tags: - "network" - "crypto" 
diff --git a/pkg/rules/r1009-crypto-mining-related-port/crypto-mining-related-port.yaml b/pkg/rules/r1009-crypto-mining-related-port/crypto-mining-related-port.yaml index 91da743..5a14e2c 100644 --- a/pkg/rules/r1009-crypto-mining-related-port/crypto-mining-related-port.yaml +++ b/pkg/rules/r1009-crypto-mining-related-port/crypto-mining-related-port.yaml @@ -20,6 +20,9 @@ spec: profileDependency: 1 severity: 3 supportPolicy: false + isTriggerAlert: false + mitreTactic: "TA0011" + mitreTechnique: "T1071" tags: - "network" - "crypto" diff --git a/pkg/rules/r1010-symlink-created-over-sensitive-file/symlink-created-over-sensitive-file.yaml b/pkg/rules/r1010-symlink-created-over-sensitive-file/symlink-created-over-sensitive-file.yaml index e57f431..910c8e9 100644 --- a/pkg/rules/r1010-symlink-created-over-sensitive-file/symlink-created-over-sensitive-file.yaml +++ b/pkg/rules/r1010-symlink-created-over-sensitive-file/symlink-created-over-sensitive-file.yaml @@ -20,6 +20,9 @@ spec: profileDependency: 1 severity: 5 supportPolicy: true + isTriggerAlert: true + mitreTactic: "TA0006" + mitreTechnique: "T1005" tags: - "anomaly" - "symlink" diff --git a/pkg/rules/r1011-ld-preload-hook/ld-preload-hook.yaml b/pkg/rules/r1011-ld-preload-hook/ld-preload-hook.yaml index 60b38d5..8d8cd58 100644 --- a/pkg/rules/r1011-ld-preload-hook/ld-preload-hook.yaml +++ b/pkg/rules/r1011-ld-preload-hook/ld-preload-hook.yaml @@ -22,6 +22,9 @@ spec: profileDependency: 1 severity: 5 supportPolicy: true + isTriggerAlert: true + mitreTactic: "TA0005" + mitreTechnique: "T1574.006" tags: - "exec" - "malicious" diff --git a/pkg/rules/r1012-hardlink-created-over-sensitive-file/hardlink-created-over-sensitive-file.yaml b/pkg/rules/r1012-hardlink-created-over-sensitive-file/hardlink-created-over-sensitive-file.yaml index c2f005e..e83b0ad 100644 --- a/pkg/rules/r1012-hardlink-created-over-sensitive-file/hardlink-created-over-sensitive-file.yaml 
+++ b/pkg/rules/r1012-hardlink-created-over-sensitive-file/hardlink-created-over-sensitive-file.yaml @@ -20,6 +20,9 @@ spec: profileDependency: 1 severity: 5 supportPolicy: true + isTriggerAlert: true + mitreTactic: "TA0006" + mitreTechnique: "T1005" tags: - "files" - "malicious" diff --git a/pkg/rules/r1015-malicious-ptrace-usage/malicious-ptrace-usage.yaml b/pkg/rules/r1015-malicious-ptrace-usage/malicious-ptrace-usage.yaml index c950174..bdf200e 100644 --- a/pkg/rules/r1015-malicious-ptrace-usage/malicious-ptrace-usage.yaml +++ b/pkg/rules/r1015-malicious-ptrace-usage/malicious-ptrace-usage.yaml @@ -20,6 +20,9 @@ spec: profileDependency: 2 severity: 5 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0005" + mitreTechnique: "T1622" tags: - "process" - "malicious" diff --git a/pkg/rules/r1030-unexpected-io_uring-operation/unexpected-io_uring-operation.yaml b/pkg/rules/r1030-unexpected-io_uring-operation/unexpected-io_uring-operation.yaml index 337c129..b5e4638 100644 --- a/pkg/rules/r1030-unexpected-io_uring-operation/unexpected-io_uring-operation.yaml +++ b/pkg/rules/r1030-unexpected-io_uring-operation/unexpected-io_uring-operation.yaml @@ -20,6 +20,9 @@ spec: profileDependency: 0 severity: 5 supportPolicy: true + isTriggerAlert: true + mitreTactic: "TA0002" + mitreTechnique: "T1218" tags: - "syscalls" - "io_uring" diff --git a/rules-crd.yaml b/rules-crd.yaml index 18c934c..c27713e 100644 --- a/rules-crd.yaml +++ b/rules-crd.yaml @@ -22,6 +22,9 @@ spec: profileDependency: 0 severity: 1 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0002" + mitreTechnique: "T1059" tags: - "anomaly" - "process" @@ -58,6 +61,9 @@ spec: profileDependency: 0 severity: 1 supportPolicy: false + isTriggerAlert: false + mitreTactic: "TA0009" + mitreTechnique: "T1005" tags: - "anomaly" - "file" 
@@ -76,6 +82,9 @@ spec: profileDependency: 0 severity: 1 supportPolicy: false + isTriggerAlert: false + mitreTactic: "TA0002" + mitreTechnique: "T1059" tags: - "anomaly" - "syscall" @@ -93,6 +102,9 @@ spec: profileDependency: 0 severity: 1 supportPolicy: false + isTriggerAlert: false + mitreTactic: "TA0002" + mitreTechnique: "T1059" tags: - "anomaly" - "capabilities" @@ -110,6 +122,9 @@ spec: profileDependency: 0 severity: 1 supportPolicy: false + isTriggerAlert: false + mitreTactic: "TA0011" + mitreTechnique: "T1071.004" tags: - "dns" - "anomaly" @@ -135,6 +150,9 @@ spec: profileDependency: 1 severity: 5 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0006" + mitreTechnique: "T1528" tags: - "anomaly" - "serviceaccount" @@ -154,6 +172,9 @@ spec: profileDependency: 0 severity: 5 # Medium supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0008" + mitreTechnique: "T1210" tags: - "exec" - "network" @@ -175,6 +196,9 @@ spec: profileDependency: 0 # Required severity: 5 # Medium supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0006" + mitreTechnique: "T1552.001" tags: - "anomaly" - "procfs" @@ -193,6 +217,9 @@ spec: profileDependency: 1 severity: 5 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0005" + mitreTechnique: "T1218" tags: - "bpf" - "ebpf" @@ -210,6 +237,9 @@ spec: profileDependency: 1 severity: 5 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0006" + mitreTechnique: "T1005" tags: - "files" - "anomaly" @@ -227,6 +257,9 @@ spec: profileDependency: 0 severity: 5 # Medium supportPolicy: false + isTriggerAlert: false + mitreTactic: "TA0010" + mitreTechnique: "T1041" tags: - "whitelisted" - "network" @@ -248,6 +281,9 @@ spec: profileDependency: 2 severity: 8 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0002" + mitreTechnique: "T1059" tags: - "exec" - "signature" 
@@ -268,6 +304,9 @@ spec: profileDependency: 1 severity: 8 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0005" + mitreTechnique: "T1036" tags: - "exec" - "malicious" @@ -287,6 +326,9 @@ spec: profileDependency: 2 severity: 10 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0005" + mitreTechnique: "T1547.006" tags: - "kmod" - "kernel" @@ -305,6 +347,9 @@ spec: profileDependency: 1 severity: 5 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0008" + mitreTechnique: "T1021.001" tags: - "ssh" - "connection" @@ -324,6 +369,9 @@ spec: profileDependency: 1 severity: 5 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0002" + mitreTechnique: "T1059" tags: - "exec" - "mount" @@ -341,6 +389,9 @@ spec: profileDependency: 2 severity: 8 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0005" + mitreTechnique: "T1055" tags: - "fileless" - "execution" @@ -358,6 +409,9 @@ spec: profileDependency: 2 severity: 5 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0004" + mitreTechnique: "T1611" tags: - "unshare" - "escape" @@ -377,6 +431,9 @@ spec: profileDependency: 2 severity: 10 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0040" + mitreTechnique: "T1496" tags: - "crypto" - "miners" @@ -394,6 +451,9 @@ spec: profileDependency: 2 severity: 10 supportPolicy: false + isTriggerAlert: true + mitreTactic: "TA0011" + mitreTechnique: "T1071.004" tags: - "network" - "crypto" @@ -413,6 +473,9 @@ spec: profileDependency: 1 severity: 3 supportPolicy: false + isTriggerAlert: false + mitreTactic: "TA0011" + mitreTechnique: "T1071" tags: - "network" - "crypto" @@ -432,6 +495,9 @@ spec: profileDependency: 1 severity: 5 supportPolicy: true + isTriggerAlert: true + mitreTactic: "TA0006" + mitreTechnique: "T1005" tags: - "anomaly" - "symlink" 
@@ -451,6 +517,9 @@ spec:
profileDependency: 1
severity: 5
supportPolicy: true
+ isTriggerAlert: true
+ mitreTactic: "TA0005"
+ mitreTechnique: "T1574.006"
tags:
- "exec"
- "malicious"
@@ -468,6 +537,9 @@ spec:
profileDependency: 1
severity: 5
supportPolicy: true
+ isTriggerAlert: true
+ mitreTactic: "TA0006"
+ mitreTechnique: "T1005"
tags:
- "files"
- "malicious"
@@ -485,6 +557,9 @@ spec:
profileDependency: 2
severity: 5
supportPolicy: false
+ isTriggerAlert: true
+ mitreTactic: "TA0005"
+ mitreTechnique: "T1622"
tags:
- "process"
- "malicious"
@@ -501,6 +576,9 @@ spec:
profileDependency: 0
severity: 5
supportPolicy: true
+ isTriggerAlert: true
+ mitreTactic: "TA0002"
+ mitreTechnique: "T1218"
tags:
- "syscalls"
- "io_uring"
From effcc995594f3abb988f0ebac28c1869f1675ef2 Mon Sep 17 00:00:00 2001 From: Amit Schendel Date: Mon, 10 Nov 2025 10:12:53 +0000 Subject: [PATCH 10/11] Reducing false positives Signed-off-by: Amit Schendel --- .../rule_test.go | 23 ++++++++++--------- ...expected-service-account-token-access.yaml | 7 ++---- .../exec-from-mount.yaml | 2 +- pkg/rules/r1004-exec-from-mount/rule_test.go | 2 +- rules-crd.yaml | 9 +++----- 5 files changed, 19 insertions(+), 24 deletions(-)
diff --git a/pkg/rules/r0006-unexpected-service-account-token-access/rule_test.go b/pkg/rules/r0006-unexpected-service-account-token-access/rule_test.go
index 43d81b1..22524a1 100644
--- a/pkg/rules/r0006-unexpected-service-account-token-access/rule_test.go
+++ b/pkg/rules/r0006-unexpected-service-account-token-access/rule_test.go
@@ -1,6 +1,7 @@ package r0006_unexpected_service_account_token_access
import (
+ "strings"
"testing"
"time"
@@ -93,19 +94,19 @@ func TestR0006UnexpectedServiceAccountTokenAccess(t *testing.T) {
name: "kubernetes service account token access with matching profile",
event: createTestEvent("test", "container123", "/run/secrets/kubernetes.io/serviceaccount/token", []string{"O_RDONLY"}),
profile: createTestProfile("test", []v1beta1.OpenCalls{
- {Path: "/run/secrets/kubernetes.io/serviceaccount/namespace", Flags: []string{"O_RDONLY"}},
+ {Path: "/run/secrets/kubernetes.io/serviceaccount/token", Flags: []string{"O_RDONLY"}},
}),
expectTrigger: false,
- description: "Should not trigger when kubernetes service account path is in application profile",
+ description: "Should not trigger when kubernetes service account token path is in application profile",
},
{
name: "eks service account token access with matching profile",
event: createTestEvent("test", "container123", "/run/secrets/eks.amazonaws.com/serviceaccount/token", []string{"O_RDONLY"}),
profile: createTestProfile("test", []v1beta1.OpenCalls{
- {Path: "/run/secrets/eks.amazonaws.com/serviceaccount/ca.crt", Flags: []string{"O_RDONLY"}},
+ {Path: "/run/secrets/eks.amazonaws.com/serviceaccount/token", Flags: []string{"O_RDONLY"}},
}),
expectTrigger: false,
- description: "Should not trigger when EKS service account path is in application profile",
+ description: "Should not trigger when EKS service account token path is in application profile",
},
{
name: "service account token access with different profile path",
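Review bot: Every matching-profile case uses `[]string{"O_RDONLY"}` on both the event and the profile entry, so the table does not pin whether flags take part in the match now that the profile must contain the token path itself (a sibling `namespace`/`ca.crt` entry no longer suffices). A case with the token path profiled under `[]string{"O_RDONLY"}` and the event opening it with `[]string{"O_WRONLY"}` would document whether a write-mode open of a profiled token still alerts, which is the behaviour a false-positive reduction is most likely to get wrong in the other direction. The rule YAML implementing the change is outside this hunk, so which outcome is intended cannot be confirmed from here; the test table starts before the hunk.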
@@ -117,13 +118,13 @@ func TestR0006UnexpectedServiceAccountTokenAccess(t *testing.T) {
 description: "Should trigger when service account token path is not in application profile",
 },
 {
- name: "service account namespace access with matching profile",
+ name: "service account namespace access (not a token)",
 event: createTestEvent("test", "container123", "/run/secrets/kubernetes.io/serviceaccount/namespace", []string{"O_RDONLY"}),
 profile: createTestProfile("test", []v1beta1.OpenCalls{
 {Path: "/run/secrets/kubernetes.io/serviceaccount/token", Flags: []string{"O_RDONLY"}},
 }),
 expectTrigger: false,
- description: "Should not trigger when service account directory is whitelisted",
+ description: "Should not trigger for non-token service account paths",
 },
 {
 name: "similar path but not service account token",
@@ -191,7 +192,7 @@ func TestR0006UnexpectedServiceAccountTokenAccess(t *testing.T) {
 if err != nil {
 t.Fatalf("Failed to evaluate message: %v", err)
 }
- expectedMessage := "Unexpected access to service account token: " + tt.event.Path + " with flags: " + tt.event.Flags[0]
+ expectedMessage := "Unexpected access to service account token: " + tt.event.Path + " with flags: " + strings.Join(tt.event.Flags, ",")
 if message != expectedMessage {
 t.Errorf("Message evaluation failed. Expected: %s, Got: %s", expectedMessage, message)
 }
@@ -227,16 +228,16 @@ func TestR0006WithTimestampPaths(t *testing.T) {
 {
 name: "kubernetes token access with timestamp",
 accessPath: "/run/secrets/kubernetes.io/serviceaccount/..2024_11_24_09_06_53.3676909075/token",
- profilePath: "/run/secrets/kubernetes.io/serviceaccount/..2024_11_21_04_30_58.850095521/namespace",
+ profilePath: "/run/secrets/kubernetes.io/serviceaccount/..2024_11_21_04_30_58.850095521/token",
 expectTrigger: false,
- description: "Should not trigger when service account directory is whitelisted despite different timestamps",
+ description: "Should not trigger when service account token path is in application profile despite different timestamps",
 },
 {
 name: "eks token access with timestamp",
 accessPath: "/run/secrets/eks.amazonaws.com/serviceaccount/..2024_11_1111_24_34_58.850095521/token",
- profilePath: "/run/secrets/eks.amazonaws.com/serviceaccount/..2024_11_21_04_30_58.850095521/ca.crt",
+ profilePath: "/run/secrets/eks.amazonaws.com/serviceaccount/..2024_11_21_04_30_58.850095521/token",
 expectTrigger: false,
- description: "Should not trigger when EKS service account directory is whitelisted despite different timestamps",
+ description: "Should not trigger when EKS service account token path is in application profile despite different timestamps",
 },
 }
diff --git a/pkg/rules/r0006-unexpected-service-account-token-access/unexpected-service-account-token-access.yaml b/pkg/rules/r0006-unexpected-service-account-token-access/unexpected-service-account-token-access.yaml
index 6b4ae66..29ebf0f 100644
--- a/pkg/rules/r0006-unexpected-service-account-token-access/unexpected-service-account-token-access.yaml
+++ b/pkg/rules/r0006-unexpected-service-account-token-access/unexpected-service-account-token-access.yaml
@@ -21,11 +21,8 @@ spec:
 (event.path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') && event.path.endsWith('/token')) ||
 (event.path.startsWith('/run/secrets/eks.amazonaws.com/serviceaccount') && event.path.endsWith('/token')) ||
 (event.path.startsWith('/var/run/secrets/eks.amazonaws.com/serviceaccount') && event.path.endsWith('/token'))) &&
- !ap.was_path_opened_with_prefix(event.containerId, '/run/secrets/kubernetes.io/serviceaccount') &&
- !ap.was_path_opened_with_prefix(event.containerId, '/var/run/secrets/kubernetes.io/serviceaccount') &&
- !ap.was_path_opened_with_prefix(event.containerId, '/run/secrets/eks.amazonaws.com/serviceaccount') &&
- !ap.was_path_opened_with_prefix(event.containerId, '/var/run/secrets/eks.amazonaws.com/serviceaccount')
- profileDependency: 1
+ !ap.was_path_opened_with_suffix(event.containerId, '/token')
+ profileDependency: 0
 severity: 5
 supportPolicy: false
 isTriggerAlert: true
diff --git a/pkg/rules/r1004-exec-from-mount/exec-from-mount.yaml b/pkg/rules/r1004-exec-from-mount/exec-from-mount.yaml
index e1bb67c..2bb9477 100644
--- a/pkg/rules/r1004-exec-from-mount/exec-from-mount.yaml
+++ b/pkg/rules/r1004-exec-from-mount/exec-from-mount.yaml
@@ -13,7 +13,7 @@ spec:
 description: "Detecting exec calls from mounted paths."
 expressions:
 message: "'Process (' + event.comm + ') was executed from a mounted path'"
- uniqueId: "event.comm + '_' + event.exepath + '_'"
+ uniqueId: "event.comm"
 ruleExpression:
 - eventType: "exec"
 expression: "!ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm)) && k8s.get_container_mount_paths(event.namespace, event.podName, event.containerName).exists(mount, event.exepath.startsWith(mount) || parse.get_exec_path(event.args, event.comm).startsWith(mount))"
diff --git a/pkg/rules/r1004-exec-from-mount/rule_test.go b/pkg/rules/r1004-exec-from-mount/rule_test.go
index a16a5d6..49b077d 100644
--- a/pkg/rules/r1004-exec-from-mount/rule_test.go
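Review bot: The new suppression `!ap.was_path_opened_with_suffix(event.containerId, '/token')` is not scoped to the service-account directories, so any learned open of a file whose path ends in `/token` anywhere in the container (an application config file, a cache entry) now silences reads of the real service-account token; the removed prefix checks were too coarse in the other direction, but this trades a false-positive problem for a false-negative one on a credential-theft rule. I assume the bare `/token` suffix was chosen because of the timestamped projected-volume directory visible in the test paths, which defeats an exact-path match; until a helper exists that matches prefix and suffix on the same learned path, requiring both a service-account prefix hit and the `/token` suffix hit before suppressing keeps the allowlist at least confined to that directory (approximate, since the two hits may come from different paths). The same change is made in `rules-crd.yaml` in the `@@ -143` hunk on the next line and should track whatever is decided here. Separately, `profileDependency` moves from 1 to 0 — if 0 means the rule is evaluated without a profile, then `was_path_opened_with_suffix` returning false for an unprofiled container would alert on every token read, which seems at odds with the commit's "reducing false positives" intent; worth confirming the semantics.
```yaml
# … unchanged: event.path prefix/suffix match on the service-account directories …
!(ap.was_path_opened_with_suffix(event.containerId, '/token') &&
  (ap.was_path_opened_with_prefix(event.containerId, '/run/secrets/kubernetes.io/serviceaccount') ||
   ap.was_path_opened_with_prefix(event.containerId, '/var/run/secrets/kubernetes.io/serviceaccount') ||
   ap.was_path_opened_with_prefix(event.containerId, '/run/secrets/eks.amazonaws.com/serviceaccount') ||
   ap.was_path_opened_with_prefix(event.containerId, '/var/run/secrets/eks.amazonaws.com/serviceaccount')))
```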
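Review bot: Collapsing `uniqueId` to `"event.comm"` drops the executable path from the key in the `exec-from-mount.yaml` hunk, so — if `uniqueId` keys alert deduplication, as its name suggests — the first alert for a given process name suppresses later execs of different binaries from other mounts that happen to share that name, which is precisely the distinction this rule exists to surface. If the problem with the old value was the dangling trailing `'_'` (the test on the next line was asserting `"/var/test1/test_/var/test1/test_"`), keeping the path but dropping the separator, `uniqueId: "event.comm + '_' + event.exepath"`, preserves per-binary granularity. The identical change appears in `rules-crd.yaml` in the `@@ -362` hunk on the next line.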
+++ b/pkg/rules/r1004-exec-from-mount/rule_test.go
@@ -131,7 +131,7 @@ func TestR1004ExecFromMount(t *testing.T) {
 if err != nil {
 t.Fatalf("Failed to evaluate unique id: %v", err)
 }
- if uniqueId != "/var/test1/test_/var/test1/test_" {
+ if uniqueId != "/var/test1/test" {
 t.Fatalf("Unique id evaluation failed, got: %s", uniqueId)
 }
diff --git a/rules-crd.yaml b/rules-crd.yaml
index c27713e..c4bf933 100644
--- a/rules-crd.yaml
+++ b/rules-crd.yaml
@@ -143,11 +143,8 @@ spec:
 (event.path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') && event.path.endsWith('/token')) ||
 (event.path.startsWith('/run/secrets/eks.amazonaws.com/serviceaccount') && event.path.endsWith('/token')) ||
 (event.path.startsWith('/var/run/secrets/eks.amazonaws.com/serviceaccount') && event.path.endsWith('/token'))) &&
- !ap.was_path_opened_with_prefix(event.containerId, '/run/secrets/kubernetes.io/serviceaccount') &&
- !ap.was_path_opened_with_prefix(event.containerId, '/var/run/secrets/kubernetes.io/serviceaccount') &&
- !ap.was_path_opened_with_prefix(event.containerId, '/run/secrets/eks.amazonaws.com/serviceaccount') &&
- !ap.was_path_opened_with_prefix(event.containerId, '/var/run/secrets/eks.amazonaws.com/serviceaccount')
- profileDependency: 1
+ !ap.was_path_opened_with_suffix(event.containerId, '/token')
+ profileDependency: 0
 severity: 5
 supportPolicy: false
 isTriggerAlert: true
@@ -362,7 +359,7 @@ spec:
 description: "Detecting exec calls from mounted paths."
 expressions:
 message: "'Process (' + event.comm + ') was executed from a mounted path'"
- uniqueId: "event.comm + '_' + event.exepath + '_'"
+ uniqueId: "event.comm"
 ruleExpression:
 - eventType: "exec"
 expression: "!ap.was_executed(event.containerId, parse.get_exec_path(event.args, event.comm)) && k8s.get_container_mount_paths(event.namespace, event.podName, event.containerName).exists(mount, event.exepath.startsWith(mount) || parse.get_exec_path(event.args, event.comm).startsWith(mount))"
From 6adb2589ea8f028ea43ffa1706ad9eef63c5067f Mon Sep 17 00:00:00 2001
From: Amit Schendel
Date: Thu, 13 Nov 2025 16:24:30 +0000
Subject: [PATCH 11/11] Adding fixes
Signed-off-by: Amit Schendel
---
 pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml | 2 +-
 rules-crd.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml b/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml
index 8fa0912..ef35b93 100644
--- a/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml
+++ b/pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml
@@ -16,7 +16,7 @@ spec:
 uniqueId: "event.comm + '_' + 'unshare'"
 ruleExpression:
 - eventType: "unshare"
- expression: "!ap.was_syscall_used(event.containerId, 'unshare')"
+ expression: "event.pcomm != 'runc' && !ap.was_syscall_used(event.containerId, 'unshare')"
 profileDependency: 2
 severity: 5
 supportPolicy: false
diff --git a/rules-crd.yaml b/rules-crd.yaml
index c4bf933..57c2a21 100644
--- a/rules-crd.yaml
+++ b/rules-crd.yaml
@@ -402,7 +402,7 @@ spec:
 uniqueId: "event.comm + '_' + 'unshare'"
 ruleExpression:
 - eventType: "unshare"
- expression: "!ap.was_syscall_used(event.containerId, 'unshare')"
+ expression: "event.pcomm != 'runc' && !ap.was_syscall_used(event.containerId, 'unshare')"
 profileDependency: 2
 severity: 5
 supportPolicy: false
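Review bot: The added `event.pcomm != 'runc'` guard keys the exemption on a process name, and a comm value is chosen by the process itself rather than assigned by the runtime, so it is not a trustworthy identity: every `unshare` whose parent is merely named `runc` now skips the profile check, regardless of where that parent came from. The false positive being addressed is presumably the container runtime's own namespace setup at start-up (inferred from the name), which is better exempted by something the runtime controls — the parent's executable path if the unshare event carries one, or by limiting the exemption to the container-init window — rather than by name alone; failing that, a comment above the expression recording why `runc` is excluded and that the check is name-based would help the next maintainer weigh it. The same expression is duplicated in `rules-crd.yaml` in the `@@ -402` hunk on this line and should change together with it.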