Merge pull request #348 from kubescape/feature/dns-skip

Stop dns monitoring over dns servers containers
kubescape · Aug 27, 2024 · 2a29640 · 2a29640
2 parents d2b4e22 + 530889b
commit 2a29640
Show file tree

Hide file tree

Showing 29 changed files with 126 additions and 164 deletions.
diff --git a/go.mod b/go.mod
@@ -3,7 +3,7 @@ module github.com/kubescape/node-agent
 go 1.22.5
 
 require (
-	github.com/armosec/armoapi-go v0.0.425
+	github.com/armosec/armoapi-go v0.0.439
 	github.com/armosec/utils-k8s-go v0.0.26
 	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/cilium/ebpf v0.15.0

diff --git a/go.sum b/go.sum
@@ -106,8 +106,8 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj
 github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/armosec/armoapi-go v0.0.425 h1:+VZJ9TBgu14gY2R93nXssTH97FY3o7OSoZZkfBDCSls=
-github.com/armosec/armoapi-go v0.0.425/go.mod h1:mpok+lZaolcN5XRz/JxpwhfF8nln1OEKnGuvwAN+7Lo=
+github.com/armosec/armoapi-go v0.0.439 h1:IqpxEbVaopgh35JNm61zGHvuzy6YavfAs8PfSD+x9OQ=
+github.com/armosec/armoapi-go v0.0.439/go.mod h1:mpok+lZaolcN5XRz/JxpwhfF8nln1OEKnGuvwAN+7Lo=
 github.com/armosec/gojay v1.2.17 h1:VSkLBQzD1c2V+FMtlGFKqWXNsdNvIKygTKJI9ysY8eM=
 github.com/armosec/gojay v1.2.17/go.mod h1:vuvX3DlY0nbVrJ0qCklSS733AWMoQboq3cFyuQW9ybc=
 github.com/armosec/utils-go v0.0.57 h1:0RaqexK+t7HeKWfldBv2C1JiLLGuUx9FP0DGWDNRJpg=
@@ -594,8 +594,6 @@ github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3N
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
-github.com/moby/moby v27.0.2+incompatible h1:iYtGEjFi9lkX2m/Bop2H/peXzx3VtzmPlE9r0JHyH0s=
-github.com/moby/moby v27.0.2+incompatible/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc=
 github.com/moby/moby v27.1.2+incompatible h1:vqOs4c7YktTdEBnPQNm0Q+M+IOuxxTCkrYJLBAVsEHQ=
 github.com/moby/moby v27.1.2+incompatible/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc=
 github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8=

diff --git a/pkg/containerwatcher/v1/container_watcher.go b/pkg/containerwatcher/v1/container_watcher.go
@@ -126,14 +126,11 @@ type IGContainerWatcher struct {
 	sshWorkerChan          chan *tracersshtype.Event
 
 	preRunningContainersIDs mapset.Set[string]
-
-	timeBasedContainers mapset.Set[string] // list of containers to track based on ticker
-	ruleManagedPods     mapset.Set[string] // list of pods to track based on rules
-	metrics             metricsmanager.MetricsManager
-
+	timeBasedContainers     mapset.Set[string] // list of containers to track based on ticker
+	ruleManagedPods         mapset.Set[string] // list of pods to track based on rules
+	metrics                 metricsmanager.MetricsManager
 	// cache
 	ruleBindingPodNotify *chan rulebinding.RuleBindingNotify
-
 	// container runtime
 	runtime *containerutilsTypes.RuntimeConfig
 }
@@ -243,6 +240,10 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli
 	dnsWorkerPool, err := ants.NewPoolWithFunc(dnsWorkerPoolSize, func(i interface{}) {
 		event := i.(tracerdnstype.Event)
 
+		if event.K8s.ContainerName == "" {
+			return
+		}
+
 		// ignore DNS events that are not responses
 		if event.Qr != tracerdnstype.DNSPktTypeResponse {
 			return
@@ -354,11 +355,9 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli
 
 		// cache
 		ruleBindingPodNotify: ruleBindingPodNotify,
-
-		timeBasedContainers: mapset.NewSet[string](),
-		ruleManagedPods:     mapset.NewSet[string](),
-
-		runtime: runtime,
+		timeBasedContainers:  mapset.NewSet[string](),
+		ruleManagedPods:      mapset.NewSet[string](),
+		runtime:              runtime,
 	}, nil
 }
 

diff --git a/pkg/malwaremanager/v1/clamav/clamav.go b/pkg/malwaremanager/v1/clamav/clamav.go
@@ -19,6 +19,7 @@ var _ malwaremanager.MalwareScanner = (*ClamAVClient)(nil)
 
 const (
 	FixSuggestions = "Please remove the file from the system. If the file is required, please contact your security team for further investigation."
+	maxFileSize    = 50 * 1024 * 1024 // 50MB
 )
 
 func CreateClamAVClient(clamavSocket string) (*ClamAVClient, error) {

diff --git a/pkg/malwaremanager/v1/clamav/exec.go b/pkg/malwaremanager/v1/clamav/exec.go
@@ -38,22 +38,20 @@ func (c *ClamAVClient) handleExecEvent(event *types.Event, containerPid uint32)
 	for result := range response {
 		if result.Status == clamd.RES_FOUND {
 			// A malware was found, send an alert.
-			sha256hash, err := utils.CalculateSHA256FileHash(result.Path)
-			if err != nil {
-				logger.L().Error("Error calculating hash of %s", helpers.String("path", result.Path), helpers.Error(err))
-			}
-			sha1hash, err := utils.CalculateSHA1FileHash(result.Path)
-			if err != nil {
-				logger.L().Error("Error calculating hash of %s", helpers.String("path", result.Path), helpers.Error(err))
-			}
-			md5hash, err := utils.CalculateMD5FileHash(result.Path)
-			if err != nil {
-				logger.L().Error("Error calculating hash of %s", helpers.String("path", result.Path), helpers.Error(err))
-			}
 			size, err := utils.GetFileSize(result.Path)
 			if err != nil {
 				logger.L().Error("Error getting file size of %s", helpers.String("path", result.Path), helpers.Error(err))
 			}
+
+			sha1hash := ""
+			md5hash := ""
+			if size != 0 && size < maxFileSize {
+				sha1hash, md5hash, err = utils.CalculateFileHashes(result.Path)
+				if err != nil {
+					logger.L().Error("Error getting file hashes", helpers.Error(err))
+				}
+			}
+
 			path := strings.TrimPrefix(result.Path, os.Getenv("HOST_ROOT"))
 
 			return &malwaremanager2.GenericMalwareResult{
@@ -62,7 +60,6 @@ func (c *ClamAVClient) handleExecEvent(event *types.Event, containerPid uint32)
 					InfectedPID:    event.Pid,
 					FixSuggestions: FixSuggestions,
 					SHA1Hash:       sha1hash,
-					SHA256Hash:     sha256hash,
 					MD5Hash:        md5hash,
 					Severity:       10, // TODO: Get severity from api.
 					Size:           humanize.IBytes(uint64(size)),

diff --git a/pkg/malwaremanager/v1/clamav/open.go b/pkg/malwaremanager/v1/clamav/open.go
@@ -43,22 +43,19 @@ func (c *ClamAVClient) handleOpenEvent(event *types.Event, containerPid uint32)
 	for result := range response {
 		if result.Status == clamd.RES_FOUND {
 			// A malware was found, send an alert.
-			sha256hash, err := utils.CalculateSHA256FileHash(result.Path)
-			if err != nil {
-				logger.L().Error("Error calculating hash of %s", helpers.String("path", result.Path), helpers.Error(err))
-			}
-			sha1hash, err := utils.CalculateSHA1FileHash(result.Path)
-			if err != nil {
-				logger.L().Error("Error calculating hash of %s", helpers.String("path", result.Path), helpers.Error(err))
-			}
-			md5hash, err := utils.CalculateMD5FileHash(result.Path)
-			if err != nil {
-				logger.L().Error("Error calculating hash of %s", helpers.String("path", result.Path), helpers.Error(err))
-			}
 			size, err := utils.GetFileSize(result.Path)
 			if err != nil {
 				logger.L().Error("Error getting file size of %s", helpers.String("path", result.Path), helpers.Error(err))
 			}
+
+			sha1hash := ""
+			md5hash := ""
+			if size != 0 && size < maxFileSize {
+				sha1hash, md5hash, err = utils.CalculateFileHashes(result.Path)
+				if err != nil {
+					logger.L().Error("Error getting file hashes", helpers.Error(err))
+				}
+			}
 			path := strings.TrimPrefix(result.Path, os.Getenv("HOST_ROOT"))
 
 			return &malwaremanager2.GenericMalwareResult{
@@ -67,7 +64,6 @@ func (c *ClamAVClient) handleOpenEvent(event *types.Event, containerPid uint32)
 					InfectedPID:    event.Pid,
 					FixSuggestions: FixSuggestions,
 					SHA1Hash:       sha1hash,
-					SHA256Hash:     sha256hash,
 					MD5Hash:        md5hash,
 					Severity:       10, // TODO: Get severity from api.
 					Size:           humanize.IBytes(uint64(size)),

diff --git a/pkg/malwaremanager/v1/malware_manager.go b/pkg/malwaremanager/v1/malware_manager.go
@@ -26,7 +26,10 @@ import (
 	"github.com/kubescape/k8s-interface/workloadinterface"
 )
 
-const ScannedFilesMaxBufferLength = 10000
+const (
+	ScannedFilesMaxBufferLength = 10000
+	maxFileSize                 = 50 * 1024 * 1024 // 50MB
+)
 
 type MalwareManager struct {
 	scannedFiles         maps.SafeMap[string, mapset.Set[string]]
@@ -209,38 +212,25 @@ func (mm *MalwareManager) enrichMalwareResult(malwareResult malwaremanager.Malwa
 
 	baseRuntimeAlert.Timestamp = time.Unix(0, int64(malwareResult.GetTriggerEvent().Timestamp))
 
-	if baseRuntimeAlert.MD5Hash == "" && hostPath != "" {
-		md5hash, err := utils.CalculateMD5FileHash(hostPath)
+	var size int64 = 0
+	if hostPath != "" {
+		size, err = utils.GetFileSize(hostPath)
 		if err != nil {
-			md5hash = ""
+			size = 0
 		}
-		baseRuntimeAlert.MD5Hash = md5hash
 	}
 
-	if baseRuntimeAlert.SHA1Hash == "" && hostPath != "" {
-		sha1hash, err := utils.CalculateSHA1FileHash(hostPath)
-		if err != nil {
-			sha1hash = ""
-		}
-
-		baseRuntimeAlert.SHA1Hash = sha1hash
+	if baseRuntimeAlert.Size == "" && hostPath != "" && size != 0 {
+		baseRuntimeAlert.Size = humanize.Bytes(uint64(size))
 	}
 
-	if baseRuntimeAlert.SHA256Hash == "" && hostPath != "" {
-		sha256hash, err := utils.CalculateSHA256FileHash(hostPath)
-		if err != nil {
-			sha256hash = ""
-		}
-
-		baseRuntimeAlert.SHA256Hash = sha256hash
-	}
-
-	if baseRuntimeAlert.Size == "" && hostPath != "" {
-		size, err := utils.GetFileSize(hostPath)
-		if err != nil {
-			baseRuntimeAlert.Size = ""
-		} else {
-			baseRuntimeAlert.Size = humanize.Bytes(uint64(size))
+	if size != 0 && size < maxFileSize && hostPath != "" {
+		if baseRuntimeAlert.MD5Hash == "" || baseRuntimeAlert.SHA1Hash == "" {
+			sha1hash, md5hash, err := utils.CalculateFileHashes(hostPath)
+			if err == nil {
+				baseRuntimeAlert.MD5Hash = md5hash
+				baseRuntimeAlert.SHA1Hash = sha1hash
+			}
 		}
 	}
 

diff --git a/pkg/ruleengine/v1/r0001_unexpected_process_launched.go b/pkg/ruleengine/v1/r0001_unexpected_process_launched.go
@@ -141,7 +141,8 @@ func (rule *R0001UnexpectedProcessLaunched) ProcessEvent(eventType utils.EventTy
 			RuleDescription: fmt.Sprintf("Unexpected process launched: %s in: %s", execPath, execEvent.GetContainer()),
 		},
 		RuntimeAlertK8sDetails: apitypes.RuntimeAlertK8sDetails{
-			PodName: execEvent.GetPod(),
+			PodName:   execEvent.GetPod(),
+			PodLabels: execEvent.K8s.PodLabels,
 		},
 		RuleID: rule.ID(),
 	}

diff --git a/pkg/ruleengine/v1/r0005_unexpected_domain_request.go b/pkg/ruleengine/v1/r0005_unexpected_domain_request.go
@@ -117,7 +117,8 @@ func (rule *R0005UnexpectedDomainRequest) ProcessEvent(eventType utils.EventType
 			RuleDescription: fmt.Sprintf("Unexpected domain communication: %s from: %s", domainEvent.DNSName, domainEvent.GetContainer()),
 		},
 		RuntimeAlertK8sDetails: apitypes.RuntimeAlertK8sDetails{
-			PodName: domainEvent.GetPod(),
+			PodName:   domainEvent.GetPod(),
+			PodLabels: domainEvent.K8s.PodLabels,
 		},
 		RuleID: rule.ID(),
 	}

diff --git a/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go b/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go
@@ -138,7 +138,8 @@ func (rule *R0006UnexpectedServiceAccountTokenAccess) ProcessEvent(eventType uti
 			RuleDescription: fmt.Sprintf("Unexpected access to service account token: %s with flags: %s in: %s", openEvent.FullPath, strings.Join(openEvent.Flags, ","), openEvent.GetContainer()),
 		},
 		RuntimeAlertK8sDetails: apitypes.RuntimeAlertK8sDetails{
-			PodName: openEvent.GetPod(),
+			PodName:   openEvent.GetPod(),
+			PodLabels: openEvent.K8s.PodLabels,
 		},
 		RuleID: rule.ID(),
 	}

diff --git a/pkg/ruleengine/v1/r0007_kubernetes_client_executed.go b/pkg/ruleengine/v1/r0007_kubernetes_client_executed.go
@@ -116,7 +116,8 @@ func (rule *R0007KubernetesClientExecuted) handleNetworkEvent(event *tracernetwo
 			RuleDescription: fmt.Sprintf("Kubernetes client executed: %s", event.Comm),
 		},
 		RuntimeAlertK8sDetails: apitypes.RuntimeAlertK8sDetails{
-			PodName: event.GetPod(),
+			PodName:   event.GetPod(),
+			PodLabels: event.K8s.PodLabels,
 		},
 		RuleID: rule.ID(),
 	}
@@ -173,7 +174,8 @@ func (rule *R0007KubernetesClientExecuted) handleExecEvent(event *tracerexectype
 				RuleDescription: fmt.Sprintf("Kubernetes client %s was executed in: %s", execPath, event.GetContainer()),
 			},
 			RuntimeAlertK8sDetails: apitypes.RuntimeAlertK8sDetails{
-				PodName: event.GetPod(),
+				PodName:   event.GetPod(),
+				PodLabels: event.K8s.PodLabels,
 			},
 			RuleID: rule.ID(),
 		}

diff --git a/pkg/ruleengine/v1/r0008_read_env_variables_procfs.go b/pkg/ruleengine/v1/r0008_read_env_variables_procfs.go
@@ -104,7 +104,8 @@ func (rule *R0008ReadEnvironmentVariablesProcFS) ProcessEvent(eventType utils.Ev
 			RuleDescription: fmt.Sprintf("Reading environment variables from procfs: %s", openEvent.GetContainer()),
 		},
 		RuntimeAlertK8sDetails: apitypes.RuntimeAlertK8sDetails{
-			PodName: openEvent.GetPod(),
+			PodName:   openEvent.GetPod(),
+			PodLabels: openEvent.K8s.PodLabels,
 		},
 		RuleID: rule.ID(),
 	}

diff --git a/pkg/ruleengine/v1/r0009_ebpf_program_load.go b/pkg/ruleengine/v1/r0009_ebpf_program_load.go
@@ -106,6 +106,7 @@ func (rule *R0009EbpfProgramLoad) ProcessEvent(eventType utils.EventType, event
 			},
 			RuntimeAlertK8sDetails: apitypes.RuntimeAlertK8sDetails{
 				PodName: syscallEvent.GetPod(),
+				PodLabels: syscallEvent.K8s.PodLabels,
 			},
 			RuleID: rule.ID(),
 		}

diff --git a/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go b/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go
@@ -135,7 +135,8 @@ func (rule *R0010UnexpectedSensitiveFileAccess) ProcessEvent(eventType utils.Eve
 			RuleDescription: fmt.Sprintf("Unexpected sensitive file access: %s in: %s", openEvent.FullPath, openEvent.GetContainer()),
 		},
 		RuntimeAlertK8sDetails: apitypes.RuntimeAlertK8sDetails{
-			PodName: openEvent.GetPod(),
+			PodName:   openEvent.GetPod(),
+			PodLabels: openEvent.K8s.PodLabels,
 		},
 		RuleID: rule.ID(),
 	}

diff --git a/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go b/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go
@@ -102,7 +102,8 @@ func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType utils.EventType
 					RuleDescription: fmt.Sprintf("Execution from malicious source: %s in: %s", execPathDir, execEvent.GetContainer()),
 				},
 				RuntimeAlertK8sDetails: apitypes.RuntimeAlertK8sDetails{
-					PodName: execEvent.GetPod(),
+					PodName:   execEvent.GetPod(),
+					PodLabels: execEvent.K8s.PodLabels,
 				},
 				RuleID: rule.ID(),
 			}

diff --git a/pkg/ruleengine/v1/r1001_exec_binary_not_in_base_image.go b/pkg/ruleengine/v1/r1001_exec_binary_not_in_base_image.go
@@ -97,7 +97,8 @@ func (rule *R1001ExecBinaryNotInBaseImage) ProcessEvent(eventType utils.EventTyp
 				RuleDescription: fmt.Sprintf("Process (%s) was executed in: %s and is not part of the image", execEvent.Comm, execEvent.GetContainer()),
 			},
 			RuntimeAlertK8sDetails: apitypes.RuntimeAlertK8sDetails{
-				PodName: execEvent.GetPod(),
+				PodName:   execEvent.GetPod(),
+				PodLabels: execEvent.K8s.PodLabels,
 			},
 			RuleID: rule.ID(),
 		}

diff --git a/pkg/ruleengine/v1/r1002_load_kernel_module.go b/pkg/ruleengine/v1/r1002_load_kernel_module.go
@@ -89,7 +89,8 @@ func (rule *R1002LoadKernelModule) ProcessEvent(eventType utils.EventType, event
 				RuleDescription: fmt.Sprintf("Kernel module load syscall (%s) was called in: %s", syscallEvent.SyscallName, syscallEvent.GetContainer()),
 			},
 			RuntimeAlertK8sDetails: apitypes.RuntimeAlertK8sDetails{
-				PodName: syscallEvent.GetPod(),
+				PodName:   syscallEvent.GetPod(),
+				PodLabels: syscallEvent.K8s.PodLabels,
 			},
 			RuleID: rule.ID(),
 		}

diff --git a/pkg/ruleengine/v1/r1003_malicious_ssh_connection.go b/pkg/ruleengine/v1/r1003_malicious_ssh_connection.go
@@ -116,7 +116,8 @@ func (rule *R1003MaliciousSSHConnection) ProcessEvent(eventType utils.EventType,
 				RuleDescription: fmt.Sprintf("SSH connection to disallowed port %s:%d", sshEvent.DstIP, sshEvent.DstPort),
 			},
 			RuntimeAlertK8sDetails: apitypes.RuntimeAlertK8sDetails{
-				PodName: sshEvent.GetPod(),
+				PodName:   sshEvent.GetPod(),
+				PodLabels: sshEvent.K8s.PodLabels,
 			},
 			RuleID: rule.ID(),
 		}

diff --git a/pkg/ruleengine/v1/r1004_exec_from_mount.go b/pkg/ruleengine/v1/r1004_exec_from_mount.go
@@ -106,7 +106,8 @@ func (rule *R1004ExecFromMount) ProcessEvent(eventType utils.EventType, event in
 					RuleDescription: fmt.Sprintf("Process (%s) was executed from a mounted path (%s) in: %s", fullPath, mount, execEvent.GetContainer()),
 				},
 				RuntimeAlertK8sDetails: apitypes.RuntimeAlertK8sDetails{
-					PodName: execEvent.GetPod(),
+					PodName:   execEvent.GetPod(),
+					PodLabels: execEvent.K8s.PodLabels,
 				},
 				RuleID: R1004ID,
 			}

diff --git a/pkg/ruleengine/v1/r1005_fileless_execution.go b/pkg/ruleengine/v1/r1005_fileless_execution.go
@@ -104,7 +104,8 @@ func (rule *R1005FilelessExecution) handleExecveEvent(execEvent *tracerexectype.
 				RuleDescription: fmt.Sprintf("Fileless execution detected: exec call \"%s\" is from a malicious source \"%s\"", execPathDir, "/proc/self/fd"),
 			},
 			RuntimeAlertK8sDetails: apitypes.RuntimeAlertK8sDetails{
-				PodName: execEvent.GetPod(),
+				PodName:   execEvent.GetPod(),
+				PodLabels: execEvent.K8s.PodLabels,
 			},
 			RuleID: rule.ID(),
 		}

diff --git a/pkg/ruleengine/v1/r1006_unshare_system_call.go b/pkg/ruleengine/v1/r1006_unshare_system_call.go
@@ -91,7 +91,8 @@ func (rule *R1006UnshareSyscall) ProcessEvent(eventType utils.EventType, event i
 				RuleDescription: fmt.Sprintf("unshare system call executed in %s", syscallEvent.GetContainer()),
 			},
 			RuntimeAlertK8sDetails: apitypes.RuntimeAlertK8sDetails{
-				PodName: syscallEvent.GetPod(),
+				PodName:   syscallEvent.GetPod(),
+				PodLabels: syscallEvent.K8s.PodLabels,
 			},
 			RuleID: rule.ID(),
 		}

diff --git a/pkg/ruleengine/v1/r1007_xmr_crypto_mining.go b/pkg/ruleengine/v1/r1007_xmr_crypto_mining.go
@@ -85,7 +85,8 @@ func (rule *R1007XMRCryptoMining) ProcessEvent(eventType utils.EventType, event
 				RuleDescription: fmt.Sprintf("XMR Crypto Miner process: (%s) executed in: %s", randomXEvent.ExePath, randomXEvent.GetContainer()),
 			},
 			RuntimeAlertK8sDetails: apitypes.RuntimeAlertK8sDetails{
-				PodName: randomXEvent.GetPod(),
+				PodName:   randomXEvent.GetPod(),
+				PodLabels: randomXEvent.K8s.PodLabels,
 			},
 			RuleID: rule.ID(),
 		}

diff --git a/pkg/ruleengine/v1/r1008_crypto_mining_domain.go b/pkg/ruleengine/v1/r1008_crypto_mining_domain.go
@@ -190,7 +190,8 @@ func (rule *R1008CryptoMiningDomainCommunication) ProcessEvent(eventType utils.E
 					RuleDescription: fmt.Sprintf("Communication with a known crypto mining domain: %s in: %s", dnsEvent.DNSName, dnsEvent.GetContainer()),
 				},
 				RuntimeAlertK8sDetails: apitypes.RuntimeAlertK8sDetails{
-					PodName: dnsEvent.GetPod(),
+					PodName:   dnsEvent.GetPod(),
+					PodLabels: dnsEvent.K8s.PodLabels,
 				},
 				RuleID: rule.ID(),
 			}
-Original file line number
+Diff line change
@@ Expand Up / @@ -19,6 +19,7 @@ var _ malwaremanager.MalwareScanner = (*ClamAVClient)(nil) @@
     const (
     	FixSuggestions = "Please remove the file from the system. If the file is required, please contact your security team for further investigation."
+    	maxFileSize    = 50 * 1024 * 1024 // 50MB
     )
     func CreateClamAVClient(clamavSocket string) (*ClamAVClient, error) {
@@ Expand Down @@