Merge pull request #293 from kubescape/bugfix/upper-layer-ptr

Bugfix/upper layer ptr

go.mod

@@ -1,11 +1,11 @@
 module node-agent
 
-go 1.22.0
+go 1.22.2
 
 toolchain go1.22.3
 
 require (
-	github.com/armosec/armoapi-go v0.0.385
+	github.com/armosec/armoapi-go v0.0.412
 	github.com/armosec/utils-k8s-go v0.0.26
 	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/cilium/ebpf v0.15.0

go.sum

@@ -108,8 +108,8 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj
 github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/armosec/armoapi-go v0.0.385 h1:zkVQ/ZHcdE8cYP6Ca/tWsgVsgxTQxHfUNQ907RQykE4=
-github.com/armosec/armoapi-go v0.0.385/go.mod h1:THr0weLNkxJvZPgwk2GSCtGWw4ERGDYo81g9MqHOUwk=
+github.com/armosec/armoapi-go v0.0.412 h1:OJ3vI67+WwjEmc/Nr4rIULESmI5WqaB1FF8A6def5mM=
+github.com/armosec/armoapi-go v0.0.412/go.mod h1:U73HFBiAv03owOtIDYWZrh9NA8+C/MIr/lF5H5fHVic=
 github.com/armosec/gojay v1.2.17 h1:VSkLBQzD1c2V+FMtlGFKqWXNsdNvIKygTKJI9ysY8eM=
 github.com/armosec/gojay v1.2.17/go.mod h1:vuvX3DlY0nbVrJ0qCklSS733AWMoQboq3cFyuQW9ybc=
 github.com/armosec/utils-go v0.0.57 h1:0RaqexK+t7HeKWfldBv2C1JiLLGuUx9FP0DGWDNRJpg=

pkg/malwaremanager/v1/clamav/exec.go

@@ -74,7 +74,7 @@ func (c *ClamAVClient) handleExecEvent(event *types.Event, containerPid uint32)
 						Gid:        &event.Gid,
 						PID:        event.Pid,
 						Uid:        &event.Uid,
-						UpperLayer: event.UpperLayer,
+						UpperLayer: &event.UpperLayer,
 						PPID:       event.Ppid,
 						Pcomm:      event.Pcomm,
 						Cwd:        event.Cwd,

pkg/ruleengine/v1/r0001_unexpected_process_launched.go

@@ -122,11 +122,12 @@ func (rule *R0001UnexpectedProcessLaunched) ProcessEvent(eventType utils.EventTy
 				Gid:        &execEvent.Gid,
 				PID:        execEvent.Pid,
 				Uid:        &execEvent.Uid,
-				UpperLayer: execEvent.UpperLayer,
+				UpperLayer: &execEvent.UpperLayer,
 				PPID:       execEvent.Ppid,
 				Pcomm:      execEvent.Pcomm,
 				Cwd:        execEvent.Cwd,
 				Hardlink:   execEvent.ExePath,
+				Path:       getExecFullPathFromEvent(execEvent),
 				Cmdline:    fmt.Sprintf("%s %s", execPath, strings.Join(utils.GetExecArgsFromEvent(execEvent), " ")),
 			},
 			ContainerID: execEvent.Runtime.ContainerID,

pkg/ruleengine/v1/r0007_kubernetes_client_executed.go

@@ -154,11 +154,12 @@ func (rule *R0007KubernetesClientExecuted) handleExecEvent(event *tracerexectype
 					Gid:        &event.Gid,
 					PID:        event.Pid,
 					Uid:        &event.Uid,
-					UpperLayer: event.UpperLayer,
+					UpperLayer: &event.UpperLayer,
 					PPID:       event.Ppid,
 					Pcomm:      event.Pcomm,
 					Cwd:        event.Cwd,
 					Hardlink:   event.ExePath,
+					Path:       execPath,
 					Cmdline:    fmt.Sprintf("%s %s", execPath, strings.Join(utils.GetExecArgsFromEvent(event), " ")),
 				},
 				ContainerID: event.Runtime.ContainerID,

pkg/ruleengine/v1/r1000_exec_from_malicious_source.go

@@ -65,7 +65,8 @@ func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType utils.EventType
 		"/proc/self",
 	}
 
-	execPathDir := filepath.Dir(getExecFullPathFromEvent(execEvent))
+	execPath := getExecFullPathFromEvent(execEvent)
+	execPathDir := filepath.Dir(execPath)
 	for _, maliciousExecPathPrefix := range maliciousExecPathPrefixes {
 		// if the exec path or the current dir is from a malicious source
 		if strings.HasPrefix(execPathDir, maliciousExecPathPrefix) || strings.HasPrefix(execEvent.Cwd, maliciousExecPathPrefix) || strings.HasPrefix(execEvent.ExePath, maliciousExecPathPrefix) {
@@ -85,11 +86,12 @@ func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType utils.EventType
 						Gid:        &execEvent.Gid,
 						PID:        execEvent.Pid,
 						Uid:        &execEvent.Uid,
-						UpperLayer: execEvent.UpperLayer,
+						UpperLayer: &execEvent.UpperLayer,
 						PPID:       execEvent.Ppid,
 						Pcomm:      execEvent.Pcomm,
 						Cwd:        execEvent.Cwd,
 						Hardlink:   execEvent.ExePath,
+						Path:       execPath,
 						Cmdline:    fmt.Sprintf("%s %s", getExecPathFromEvent(execEvent), strings.Join(utils.GetExecArgsFromEvent(execEvent), " ")),
 					},
 					ContainerID: execEvent.Runtime.ContainerID,

pkg/ruleengine/v1/r1001_exec_binary_not_in_base_image.go

@@ -62,7 +62,6 @@ func (rule *R1001ExecBinaryNotInBaseImage) ProcessEvent(eventType utils.EventTyp
 	}
 
 	if execEvent.UpperLayer {
-
 		// Check if the event is expected, if so return nil
 		// No application profile also returns nil
 		if whiteListed, err := isExecEventInProfile(execEvent, objectCache, false); whiteListed || errors.Is(err, ProfileNotFound) {
@@ -82,11 +81,12 @@ func (rule *R1001ExecBinaryNotInBaseImage) ProcessEvent(eventType utils.EventTyp
 					Gid:        &execEvent.Gid,
 					PID:        execEvent.Pid,
 					Uid:        &execEvent.Uid,
-					UpperLayer: execEvent.UpperLayer,
+					UpperLayer: &execEvent.UpperLayer,
 					PPID:       execEvent.Ppid,
 					Pcomm:      execEvent.Pcomm,
 					Cwd:        execEvent.Cwd,
 					Hardlink:   execEvent.ExePath,
+					Path:       getExecFullPathFromEvent(execEvent),
 					Cmdline:    fmt.Sprintf("%s %s", getExecPathFromEvent(execEvent), strings.Join(utils.GetExecArgsFromEvent(execEvent), " ")),
 				},
 				ContainerID: execEvent.Runtime.ContainerID,

pkg/ruleengine/v1/r1004_exec_from_mount.go

@@ -89,11 +89,12 @@ func (rule *R1004ExecFromMount) ProcessEvent(eventType utils.EventType, event in
 						Gid:        &execEvent.Gid,
 						PID:        execEvent.Pid,
 						Uid:        &execEvent.Uid,
-						UpperLayer: execEvent.UpperLayer,
+						UpperLayer: &execEvent.UpperLayer,
 						PPID:       execEvent.Ppid,
 						Pcomm:      execEvent.Pcomm,
 						Cwd:        execEvent.Cwd,
 						Hardlink:   execEvent.ExePath,
+						Path:       fullPath,
 						Cmdline:    fmt.Sprintf("%s %s", getExecPathFromEvent(execEvent), strings.Join(utils.GetExecArgsFromEvent(execEvent), " ")),
 					},
 					ContainerID: execEvent.Runtime.ContainerID,

pkg/ruleengine/v1/r1005_fileless_execution.go

@@ -107,8 +107,8 @@ func (rule *R1005FilelessExecution) handleSyscallEvent(syscallEvent *ruleenginet
 }
 
 func (rule *R1005FilelessExecution) handleExecveEvent(execEvent *tracerexectype.Event) ruleengine.RuleFailure {
-
-	execPathDir := filepath.Dir(getExecFullPathFromEvent(execEvent))
+	execFullPath := getExecFullPathFromEvent(execEvent)
+	execPathDir := filepath.Dir(execFullPath)
 
 	// /proc/self/fd/<n> is classic way to hide malicious execs
 	// (see ezuri packer for example)
@@ -132,11 +132,12 @@ func (rule *R1005FilelessExecution) handleExecveEvent(execEvent *tracerexectype.
 					Gid:        &execEvent.Gid,
 					PID:        execEvent.Pid,
 					Uid:        &execEvent.Uid,
-					UpperLayer: execEvent.UpperLayer,
+					UpperLayer: &execEvent.UpperLayer,
 					PPID:       execEvent.Ppid,
 					Pcomm:      execEvent.Pcomm,
 					Cwd:        execEvent.Cwd,
 					Hardlink:   execEvent.ExePath,
+					Path:       execFullPath,
 					Cmdline:    fmt.Sprintf("%s %s", getExecPathFromEvent(execEvent), strings.Join(utils.GetExecArgsFromEvent(execEvent), " ")),
 				},
 				ContainerID: execEvent.Runtime.ContainerID,

pkg/ruleengine/v1/r1007_xmr_crypto_mining.go

@@ -72,7 +72,7 @@ func (rule *R1007XMRCryptoMining) ProcessEvent(eventType utils.EventType, event
 					Gid:        &randomXEvent.Gid,
 					PID:        randomXEvent.Pid,
 					Uid:        &randomXEvent.Uid,
-					UpperLayer: randomXEvent.UpperLayer,
+					UpperLayer: &randomXEvent.UpperLayer,
 					PPID:       randomXEvent.PPid,
 				},
 				ContainerID: randomXEvent.Runtime.ContainerID,