Feature/ig bump #328

Merged
merged 4 commits into from
Jul 16, 2024

amitschendel
Collaborator

Overview

Signed-off-by: Amit Schendel <amitschendel@gmail.com>
Signed-off-by: Amit Schendel <amitschendel@gmail.com>
Signed-off-by: Amit Schendel <amitschendel@gmail.com>
@amitschendel amitschendel added the release Create release label Jul 15, 2024
@amitschendel amitschendel requested a review from matthyx July 15, 2024 14:57
Signed-off-by: Amit Schendel <amitschendel@gmail.com>
Contributor

@matthyx matthyx left a comment

maybe try to modify all rules to be as similar as possible?

// Check if the event is expected, if so return nil
// No application profile also returns nil
if whiteListed, err := isExecEventInProfile(execEvent, objectCache, false); whiteListed || errors.Is(err, ProfileNotFound) {
return nil
}

upperLayer := true
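
Review bot: `upperLayer := true` on the last line is a hard-coded constant with no comment explaining why the value is always true at this point. Either derive it from the event's fields or add a comment stating the invariant that makes the constant correct. Separately, the guard above returns nil only when `whiteListed` is true or the error is `ProfileNotFound`; any other error from `isExecEventInProfile` is dropped without a log line and execution falls through, so consider logging it.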

why do you set it to true here?

@@ -74,6 +74,7 @@ func (rule *R1004ExecFromMount) ProcessEvent(eventType utils.EventType, event in
for _, mount := range mounts {
fullPath := getExecFullPathFromEvent(execEvent)
if rule.isPathContained(fullPath, mount) || rule.isPathContained(execEvent.ExePath, mount) {
upperLayer := execEvent.UpperLayer || execEvent.PupperLayer
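
Review bot: On the `upperLayer` line, `execEvent.UpperLayer || execEvent.PupperLayer` folds two separate event fields into one boolean, so whatever consumes `upperLayer` can no longer tell which of the two was set. Consider carrying both fields through, or add a comment on this line stating that either one is sufficient for this rule. Also, `fullPath := getExecFullPathFromEvent(execEvent)` does not depend on `mount` and could be computed once before the `for` loop.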

and not here as well?

@@ -72,6 +72,7 @@ func (rule *R1005FilelessExecution) handleExecveEvent(execEvent *tracerexectype.
// is memory mapped file

if strings.HasPrefix(execPathDir, "/proc/self/fd") || strings.HasPrefix(execEvent.Cwd, "/proc/self/fd") || strings.HasPrefix(execEvent.ExePath, "/proc/self/fd") {
upperLayer := execEvent.UpperLayer || execEvent.PupperLayer
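
Review bot: The `upperLayer := execEvent.UpperLayer || execEvent.PupperLayer` line inside the `/proc/self/fd` branch repeats verbatim the expression used in `R1004ExecFromMount.ProcessEvent`. A small shared helper that takes the exec event would keep the rules in step if these fields change. In the condition above it, `strings.HasPrefix(..., "/proc/self/fd")` also matches sibling paths such as `/proc/self/fdinfo`; an exact match on the directory or a prefix check with a trailing slash would be tighter.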

ditto

Summary:

  • License scan: success
  • Credentials scan: failure
  • Vulnerabilities scan: failure
  • Unit test: success
  • Go linting: success

@amitschendel amitschendel merged commit dd748f4 into main Jul 16, 2024
16 checks passed
@amitschendel amitschendel deleted the feature/ig-bump branch July 16, 2024 09:19