Closed: NDStrahilevitz closed this issue 1 year ago
I think the thing here is that we don't copy the event in engineEvents() as we do in derivedEvents(): https://github.com/aquasecurity/tracee/blob/bc31a5d1aa081b35f11a8ffdc895a145f64835d0/pkg/ebpf/events_pipeline.go#L455
Then the base event matchedPolicies is zeroed and we don't see it in the output.
@yanivagman I think what @NDStrahilevitz reported is related to "although" dynamic_code_loading is not set, it is being submitted and emitted.
So, I listed all values that are being set in events_map via a default sudo ./dist/tracee:
diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go
index f8151b2f..49caf797 100644
--- a/pkg/ebpf/tracee.go
+++ b/pkg/ebpf/tracee.go
@@ -995,6 +995,7 @@ func (t *Tracee) populateBPFMaps() error {
}
binary.LittleEndian.PutUint64(eventConfigVal[8:16], paramTypes)
+ fmt.Printf("event: %s, id: %d, ecfg: %+v - sets %+v\n", events.Definitions.Get(id).Name, id, ecfg, events.Definitions.Get(id).Sets)
err := eventsMap.Update(unsafe.Pointer(&id), unsafe.Pointer(&eventConfigVal[0]))
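Review bot: the added fmt.Printf line in this hunk is fine as a one-off diagnostic, but if it were to land it should go through the project's logger instead (logger.Debugw, as the repro steps in this issue already do), so the per-event dump is gated behind --log debug rather than written unconditionally to stdout where it interleaves with event output. Minor: events.Definitions.Get(id) is evaluated twice on the same line; bind it once (def := events.Definitions.Get(id)) and print def.Name and def.Sets.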
event: process_vm_write_inject, id: 6020, ecfg: {submit:1 emit:1} - sets [signatures default]
event: security_inode_unlink, id: 731, ecfg: {submit:1 emit:1} - sets [default lsm_hooks fs fs_file_ops]
event: proc_mem_access, id: 6016, ecfg: {submit:1 emit:1} - sets [signatures default]
event: chown, id: 92, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: process_vm_readv, id: 310, ecfg: {submit:1 emit:1} - sets [default syscalls proc]
event: fchown, id: 93, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: hidden_file_created, id: 6017, ecfg: {submit:1 emit:1} - sets [signatures default]
event: security_socket_accept, id: 735, ecfg: {submit:1 emit:1} - sets [default lsm_hooks net net_sock]
event: security_inode_rename, id: 766, ecfg: {submit:1 emit:0} - sets []
event: sched_process_exec, id: 713, ecfg: {submit:1 emit:1} - sets [default proc]
event: cgroup_release_agent, id: 6012, ecfg: {submit:1 emit:1} - sets [signatures default]
event: security_bprm_check, id: 729, ecfg: {submit:1 emit:0} - sets [lsm_hooks proc proc_life]
event: container_remove, id: 2015, ecfg: {submit:1 emit:1} - sets [default containers]
event: process_vm_writev, id: 311, ecfg: {submit:1 emit:1} - sets [default syscalls proc]
event: security_socket_connect, id: 734, ecfg: {submit:1 emit:1} - sets [default lsm_hooks net net_sock]
event: mem_prot_alert, id: 722, ecfg: {submit:1 emit:0} - sets []
event: net_packet_dns_base, id: 706, ecfg: {submit:1 emit:0} - sets [network_events]
event: proc_kcore_read, id: 6015, ecfg: {submit:1 emit:1} - sets [signatures default]
event: net_packet_icmp, id: 2004, ecfg: {submit:1 emit:1} - sets [default network_events]
event: sched_process_fork, id: 712, ecfg: {submit:0 emit:0} - sets []
event: rcd_modification, id: 6013, ecfg: {submit:1 emit:1} - sets [signatures default]
event: dropped_executable, id: 6029, ecfg: {submit:1 emit:1} - sets [signatures default]
event: finit_module, id: 313, ecfg: {submit:1 emit:1} - sets [default syscalls system system_module]
event: disk_mount, id: 6021, ecfg: {submit:1 emit:1} - sets [signatures default]
event: setpgid, id: 109, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: net_packet_icmp_base, id: 704, ecfg: {submit:1 emit:0} - sets [network_events]
event: sudoers_modification, id: 6009, ecfg: {submit:1 emit:1} - sets [signatures default]
event: memfd_create, id: 319, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_ops]
event: net_packet_http_request, id: 2010, ecfg: {submit:1 emit:1} - sets [default network_events]
event: default_loader_mod, id: 6008, ecfg: {submit:1 emit:1} - sets [signatures default]
event: setreuid, id: 113, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: aslr_inspection, id: 6002, ecfg: {submit:1 emit:1} - sets [signatures default]
event: k8s_cert_theft, id: 6026, ecfg: {submit:1 emit:1} - sets [signatures default]
event: fchmod, id: 91, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: setns, id: 308, ecfg: {submit:1 emit:1} - sets [default syscalls proc]
event: print_syscall_table, id: 755, ecfg: {submit:1 emit:0} - sets []
event: net_packet_http_base, id: 707, ecfg: {submit:1 emit:0} - sets [network_events]
event: ptrace_code_injection, id: 6019, ecfg: {submit:1 emit:1} - sets [signatures default]
event: cgroup_notify_on_release, id: 6007, ecfg: {submit:1 emit:1} - sets [signatures default]
event: setfsgid, id: 123, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: dynamic_code_loading, id: 6022, ecfg: {submit:1 emit:1} - sets [signatures default]
event: fileless_execution, id: 6023, ecfg: {submit:1 emit:1} - sets [signatures default]
event: security_file_open, id: 730, ecfg: {submit:1 emit:0} - sets [lsm_hooks fs fs_file_ops]
event: setgid, id: 106, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: core_pattern_modification, id: 6014, ecfg: {submit:1 emit:1} - sets [signatures default]
event: proc_fops_hooking, id: 6027, ecfg: {submit:1 emit:1} - sets [signatures default]
event: setsid, id: 112, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: net_packet_http_response, id: 2011, ecfg: {submit:1 emit:1} - sets [default network_events]
event: magic_write, id: 725, ecfg: {submit:1 emit:0} - sets []
event: move_mount, id: 429, ecfg: {submit:1 emit:1} - sets [default syscalls fs]
event: net_packet_base, id: 700, ecfg: {submit:1 emit:0} - sets [network_events]
event: cgroup_rmdir, id: 728, ecfg: {submit:18446744073709551615 emit:0} - sets []
event: sched_debug_recon, id: 6010, ecfg: {submit:1 emit:1} - sets [signatures default]
event: ptrace, id: 101, ecfg: {submit:1 emit:1} - sets [default syscalls proc]
event: setuid, id: 105, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: net_packet_dns_response, id: 2008, ecfg: {submit:1 emit:1} - sets [default network_events]
event: ld_preload, id: 6006, ecfg: {submit:1 emit:1} - sets [signatures default]
event: scheduled_task_mod, id: 6005, ecfg: {submit:1 emit:1} - sets [signatures default]
event: illegitimate_shell, id: 6024, ecfg: {submit:1 emit:1} - sets [signatures default]
event: fchownat, id: 260, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: security_socket_bind, id: 736, ecfg: {submit:1 emit:1} - sets [default lsm_hooks net net_sock]
event: do_init_module, id: 760, ecfg: {submit:1 emit:0} - sets []
event: net_packet_icmpv6_base, id: 705, ecfg: {submit:1 emit:0} - sets [network_events]
event: security_sb_mount, id: 738, ecfg: {submit:1 emit:1} - sets [default lsm_hooks fs]
event: net_packet_dns_request, id: 2007, ecfg: {submit:1 emit:1} - sets [default network_events]
event: setresuid, id: 117, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: hooked_syscalls, id: 2017, ecfg: {submit:1 emit:0} - sets []
event: docker_abuse, id: 6004, ecfg: {submit:1 emit:1} - sets [signatures default]
event: syscall_hooking, id: 6028, ecfg: {submit:1 emit:1} - sets [signatures default]
event: anti_debugging, id: 6018, ecfg: {submit:1 emit:1} - sets [signatures default]
event: fchmodat, id: 268, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: proc_mem_code_injection, id: 6003, ecfg: {submit:1 emit:1} - sets [signatures default]
event: setregid, id: 114, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: kernel_module_loading, id: 6025, ecfg: {submit:1 emit:1} - sets [signatures default]
event: lchown, id: 94, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: creat, id: 85, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_ops]
event: setfsuid, id: 122, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: chmod, id: 90, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: setresgid, id: 119, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: system_request_key_mod, id: 6011, ecfg: {submit:1 emit:1} - sets [signatures default]
event: hooked_proc_fops, id: 763, ecfg: {submit:1 emit:0} - sets []
event: security_kernel_read_file, id: 741, ecfg: {submit:1 emit:0} - sets [lsm_hooks]
event: stdio_over_socket, id: 6000, ecfg: {submit:1 emit:1} - sets [signatures default]
event: socket_dup, id: 747, ecfg: {submit:1 emit:0} - sets []
event: sched_process_exit, id: 714, ecfg: {submit:0 emit:0} - sets [proc proc_life]
event: cgroup_mkdir, id: 727, ecfg: {submit:18446744073709551615 emit:0} - sets []
event: net_packet_icmpv6, id: 2005, ecfg: {submit:1 emit:1} - sets [default network_events]
event: container_create, id: 2014, ecfg: {submit:1 emit:1} - sets [default containers]
event: k8s_api_connection, id: 6001, ecfg: {submit:1 emit:1} - sets [signatures default]
event: init_module, id: 175, ecfg: {submit:1 emit:1} - sets [default syscalls system system_module]
Filtering submit == 1 && emit == 1:
event: proc_kcore_read, id: 6015, ecfg: {submit:1 emit:1} - sets [signatures default]
event: fchownat, id: 260, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: disk_mount, id: 6021, ecfg: {submit:1 emit:1} - sets [signatures default]
event: process_vm_writev, id: 311, ecfg: {submit:1 emit:1} - sets [default syscalls proc]
event: ld_preload, id: 6006, ecfg: {submit:1 emit:1} - sets [signatures default]
event: finit_module, id: 313, ecfg: {submit:1 emit:1} - sets [default syscalls system system_module]
event: sched_process_exec, id: 713, ecfg: {submit:1 emit:1} - sets [default proc]
event: security_sb_mount, id: 738, ecfg: {submit:1 emit:1} - sets [default lsm_hooks fs]
event: security_socket_connect, id: 734, ecfg: {submit:1 emit:1} - sets [default lsm_hooks net net_sock]
event: chmod, id: 90, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: creat, id: 85, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_ops]
event: hidden_file_created, id: 6017, ecfg: {submit:1 emit:1} - sets [signatures default]
event: syscall_hooking, id: 6028, ecfg: {submit:1 emit:1} - sets [signatures default]
event: chown, id: 92, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: process_vm_readv, id: 310, ecfg: {submit:1 emit:1} - sets [default syscalls proc]
event: dropped_executable, id: 6029, ecfg: {submit:1 emit:1} - sets [signatures default]
event: docker_abuse, id: 6004, ecfg: {submit:1 emit:1} - sets [signatures default]
event: container_remove, id: 2015, ecfg: {submit:1 emit:1} - sets [default containers]
event: setfsgid, id: 123, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: anti_debugging, id: 6018, ecfg: {submit:1 emit:1} - sets [signatures default]
event: cgroup_release_agent, id: 6012, ecfg: {submit:1 emit:1} - sets [signatures default]
event: net_packet_http_response, id: 2011, ecfg: {submit:1 emit:1} - sets [default network_events]
event: security_socket_accept, id: 735, ecfg: {submit:1 emit:1} - sets [default lsm_hooks net net_sock]
event: fchmod, id: 91, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: aslr_inspection, id: 6002, ecfg: {submit:1 emit:1} - sets [signatures default]
event: fileless_execution, id: 6023, ecfg: {submit:1 emit:1} - sets [signatures default]
event: net_packet_dns_request, id: 2007, ecfg: {submit:1 emit:1} - sets [default network_events]
event: fchmodat, id: 268, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: sudoers_modification, id: 6009, ecfg: {submit:1 emit:1} - sets [signatures default]
event: ptrace_code_injection, id: 6019, ecfg: {submit:1 emit:1} - sets [signatures default]
event: lchown, id: 94, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: k8s_api_connection, id: 6001, ecfg: {submit:1 emit:1} - sets [signatures default]
event: ptrace, id: 101, ecfg: {submit:1 emit:1} - sets [default syscalls proc]
event: proc_fops_hooking, id: 6027, ecfg: {submit:1 emit:1} - sets [signatures default]
event: move_mount, id: 429, ecfg: {submit:1 emit:1} - sets [default syscalls fs]
event: setresuid, id: 117, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: setresgid, id: 119, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: net_packet_http_request, id: 2010, ecfg: {submit:1 emit:1} - sets [default network_events]
event: cgroup_notify_on_release, id: 6007, ecfg: {submit:1 emit:1} - sets [signatures default]
event: setregid, id: 114, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: security_inode_unlink, id: 731, ecfg: {submit:1 emit:1} - sets [default lsm_hooks fs fs_file_ops]
event: memfd_create, id: 319, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_ops]
event: setpgid, id: 109, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: setfsuid, id: 122, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: sched_debug_recon, id: 6010, ecfg: {submit:1 emit:1} - sets [signatures default]
event: proc_mem_access, id: 6016, ecfg: {submit:1 emit:1} - sets [signatures default]
event: illegitimate_shell, id: 6024, ecfg: {submit:1 emit:1} - sets [signatures default]
event: k8s_cert_theft, id: 6026, ecfg: {submit:1 emit:1} - sets [signatures default]
event: setreuid, id: 113, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: net_packet_icmp, id: 2004, ecfg: {submit:1 emit:1} - sets [default network_events]
event: kernel_module_loading, id: 6025, ecfg: {submit:1 emit:1} - sets [signatures default]
event: net_packet_dns_response, id: 2008, ecfg: {submit:1 emit:1} - sets [default network_events]
event: system_request_key_mod, id: 6011, ecfg: {submit:1 emit:1} - sets [signatures default]
event: setuid, id: 105, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: proc_mem_code_injection, id: 6003, ecfg: {submit:1 emit:1} - sets [signatures default]
event: scheduled_task_mod, id: 6005, ecfg: {submit:1 emit:1} - sets [signatures default]
event: init_module, id: 175, ecfg: {submit:1 emit:1} - sets [default syscalls system system_module]
event: stdio_over_socket, id: 6000, ecfg: {submit:1 emit:1} - sets [signatures default]
event: setsid, id: 112, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: dynamic_code_loading, id: 6022, ecfg: {submit:1 emit:1} - sets [signatures default]
event: setgid, id: 106, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: fchown, id: 93, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: process_vm_write_inject, id: 6020, ecfg: {submit:1 emit:1} - sets [signatures default]
event: core_pattern_modification, id: 6014, ecfg: {submit:1 emit:1} - sets [signatures default]
event: rcd_modification, id: 6013, ecfg: {submit:1 emit:1} - sets [signatures default]
event: container_create, id: 2014, ecfg: {submit:1 emit:1} - sets [default containers]
event: default_loader_mod, id: 6008, ecfg: {submit:1 emit:1} - sets [signatures default]
event: security_socket_bind, id: 736, ecfg: {submit:1 emit:1} - sets [default lsm_hooks net net_sock]
event: setns, id: 308, ecfg: {submit:1 emit:1} - sets [default syscalls proc]
event: net_packet_icmpv6, id: 2005, ecfg: {submit:1 emit:1} - sets [default network_events]
We can notice that dynamic_code_loading is {submit:1 emit:1} and is part of the default set [signatures default]. So far, the behaviour is not a bug.
722 - mem_prot_alert (subjacent to 6022)
6022 - dynamic_code_loading
But if we put the debug mentioned by @NDStrahilevitz in line 71 (the !t.shouldProcessEvent(event) branch), not in 66, we get the log of dropped events indeed.
And copying the event as suggested by @yanivagman, the drops stop (no longer entering that branch).
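As an added illustration (not tracee's own code), here is a reduced Go model of the aliasing this thread describes: the engine stage being handed the same *Event the output path later checks, versus the per-event copy that derivedEvents() already makes. The Event type, engineConsume, runPipeline and the direct MatchedPolicies reset are assumptions standing in for the real engine path.

```go
package main

import "fmt"

// Event is a reduced stand-in for trace.Event with only the field at issue here.
type Event struct {
	EventName       string
	MatchedPolicies uint64 // bitmap of matched policies; 0 means "nothing matched"
}

// shouldProcessEvent mirrors the !t.shouldProcessEvent(event) branch: an event
// with no matched policies is dropped instead of being forwarded to the output.
func shouldProcessEvent(e *Event) bool { return e.MatchedPolicies != 0 }

// engineConsume stands in for the signature-engine path that ends up zeroing
// matchedPolicies on the event it received (assumption: modelled as a direct reset).
func engineConsume(e *Event) { e.MatchedPolicies = 0 }

// engineEventsNoCopy reproduces the reported behaviour: the engine gets the same
// pointer the output path checks afterwards, so its mutation is visible downstream.
func engineEventsNoCopy(e *Event) *Event {
	engineConsume(e)
	return e
}

// engineEventsCopy is the fix suggested in the thread: hand the engine its own
// copy, as derivedEvents() does, so the base event keeps its matched policies.
func engineEventsCopy(e *Event) *Event {
	eventCopy := *e
	engineConsume(&eventCopy)
	return &eventCopy
}

// runPipeline pushes one constructed dynamic_code_loading event through the given
// engine stage and reports whether the base event would still be emitted.
func runPipeline(engine func(*Event) *Event) bool {
	base := &Event{EventName: "dynamic_code_loading", MatchedPolicies: 1 << 0}
	engine(base)
	return shouldProcessEvent(base)
}

func main() {
	fmt.Println("no copy   -> emitted:", runPipeline(engineEventsNoCopy)) // false: dropped
	fmt.Println("with copy -> emitted:", runPipeline(engineEventsCopy))   // true
}
```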
Description
In signature_engine.go, under line 66, add the following:
logger.Debugw("shouldn't process from engine", "event", event.EventName, "sig_id", finding.SigMetadata.ID)
sudo ./dist/tracee --log file:./bruh.log --log debug
dynamic_code_loading
Output of tracee -v: Tracee version "v0.12.0-105-g5dd68dce"
Output of uname -a: Linux ip-172-31-75-171 5.15.0-1031-aws #35-Ubuntu SMP Fri Feb 10 02:07:18 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux