aquasecurity / tracee

Linux Runtime Security and Forensics using eBPF
https://aquasecurity.github.io/tracee/latest
Apache License 2.0

dynamic_code_loading filtered with no filter arguments #2970

Closed NDStrahilevitz closed 1 year ago

NDStrahilevitz commented 1 year ago

Description

  1. in signature_engine.go under line 66 add the following: logger.Debugw("shouldn't process from engine", "event", event.EventName, "sig_id", finding.SigMetadata.ID)
  2. run sudo ./dist/tracee --log file:./bruh.log --log debug
  3. let it run for a while
  4. notice that there are filtered events
  5. in the log file you should see that the filtered events are dynamic_code_loading

Output of tracee -v:

Tracee version "v0.12.0-105-g5dd68dce"

Output of uname -a:

Linux ip-172-31-75-171 5.15.0-1031-aws #35-Ubuntu SMP Fri Feb 10 02:07:18 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

yanivagman commented 1 year ago

I think the thing here is that we don't copy the event in engineEvents() as we do in derivedEvents(): https://github.com/aquasecurity/tracee/blob/bc31a5d1aa081b35f11a8ffdc895a145f64835d0/pkg/ebpf/events_pipeline.go#L455 Then the base event's matchedPolicies is zeroed and we don't see it in the output.

geyslan commented 1 year ago

I think the thing here is that we don't copy the event in engineEvents() as we do in derivedEvents()

https://github.com/aquasecurity/tracee/blob/bc31a5d1aa081b35f11a8ffdc895a145f64835d0/pkg/ebpf/events_pipeline.go#L455

Then the base event's matchedPolicies is zeroed and we don't see it in the output

@yanivagman I think what @NDStrahilevitz reported is related to the fact that, although dynamic_code_loading is not set, it is being submitted and emitted.

So, I listed all values that are being set in events_map via a default sudo ./dist/tracee:

diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go
index f8151b2f..49caf797 100644
--- a/pkg/ebpf/tracee.go
+++ b/pkg/ebpf/tracee.go
@@ -995,6 +995,7 @@ func (t *Tracee) populateBPFMaps() error {
                }
                binary.LittleEndian.PutUint64(eventConfigVal[8:16], paramTypes)

+               fmt.Printf("event: %s, id: %d, ecfg: %+v - sets %+v\n", events.Definitions.Get(id).Name, id, ecfg, events.Definitions.Get(id).Sets)
                err := eventsMap.Update(unsafe.Pointer(&id), unsafe.Pointer(&eventConfigVal[0]))
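Review bot: the fmt.Printf added at the end of this hunk is a debugging aid rather than a mergeable change: it writes to stdout instead of going through the logger the rest of the issue relies on (the repro in the description uses logger.Debugw), and it calls events.Definitions.Get(id) twice in the same statement. If it were to stay, bind the definition once (def := events.Definitions.Get(id)) and emit it with logger.Debugw, passing the name, id, ecfg and def.Sets as fields. The hunk also shows no change to the import block, so it only builds if fmt is already imported in pkg/ebpf/tracee.go.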
event: process_vm_write_inject, id: 6020, ecfg: {submit:1 emit:1} - sets [signatures default]
event: security_inode_unlink, id: 731, ecfg: {submit:1 emit:1} - sets [default lsm_hooks fs fs_file_ops]
event: proc_mem_access, id: 6016, ecfg: {submit:1 emit:1} - sets [signatures default]
event: chown, id: 92, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: process_vm_readv, id: 310, ecfg: {submit:1 emit:1} - sets [default syscalls proc]
event: fchown, id: 93, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: hidden_file_created, id: 6017, ecfg: {submit:1 emit:1} - sets [signatures default]
event: security_socket_accept, id: 735, ecfg: {submit:1 emit:1} - sets [default lsm_hooks net net_sock]
event: security_inode_rename, id: 766, ecfg: {submit:1 emit:0} - sets []
event: sched_process_exec, id: 713, ecfg: {submit:1 emit:1} - sets [default proc]
event: cgroup_release_agent, id: 6012, ecfg: {submit:1 emit:1} - sets [signatures default]
event: security_bprm_check, id: 729, ecfg: {submit:1 emit:0} - sets [lsm_hooks proc proc_life]
event: container_remove, id: 2015, ecfg: {submit:1 emit:1} - sets [default containers]
event: process_vm_writev, id: 311, ecfg: {submit:1 emit:1} - sets [default syscalls proc]
event: security_socket_connect, id: 734, ecfg: {submit:1 emit:1} - sets [default lsm_hooks net net_sock]
event: mem_prot_alert, id: 722, ecfg: {submit:1 emit:0} - sets []
event: net_packet_dns_base, id: 706, ecfg: {submit:1 emit:0} - sets [network_events]
event: proc_kcore_read, id: 6015, ecfg: {submit:1 emit:1} - sets [signatures default]
event: net_packet_icmp, id: 2004, ecfg: {submit:1 emit:1} - sets [default network_events]
event: sched_process_fork, id: 712, ecfg: {submit:0 emit:0} - sets []
event: rcd_modification, id: 6013, ecfg: {submit:1 emit:1} - sets [signatures default]
event: dropped_executable, id: 6029, ecfg: {submit:1 emit:1} - sets [signatures default]
event: finit_module, id: 313, ecfg: {submit:1 emit:1} - sets [default syscalls system system_module]
event: disk_mount, id: 6021, ecfg: {submit:1 emit:1} - sets [signatures default]
event: setpgid, id: 109, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: net_packet_icmp_base, id: 704, ecfg: {submit:1 emit:0} - sets [network_events]
event: sudoers_modification, id: 6009, ecfg: {submit:1 emit:1} - sets [signatures default]
event: memfd_create, id: 319, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_ops]
event: net_packet_http_request, id: 2010, ecfg: {submit:1 emit:1} - sets [default network_events]
event: default_loader_mod, id: 6008, ecfg: {submit:1 emit:1} - sets [signatures default]
event: setreuid, id: 113, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: aslr_inspection, id: 6002, ecfg: {submit:1 emit:1} - sets [signatures default]
event: k8s_cert_theft, id: 6026, ecfg: {submit:1 emit:1} - sets [signatures default]
event: fchmod, id: 91, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: setns, id: 308, ecfg: {submit:1 emit:1} - sets [default syscalls proc]
event: print_syscall_table, id: 755, ecfg: {submit:1 emit:0} - sets []
event: net_packet_http_base, id: 707, ecfg: {submit:1 emit:0} - sets [network_events]
event: ptrace_code_injection, id: 6019, ecfg: {submit:1 emit:1} - sets [signatures default]
event: cgroup_notify_on_release, id: 6007, ecfg: {submit:1 emit:1} - sets [signatures default]
event: setfsgid, id: 123, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: dynamic_code_loading, id: 6022, ecfg: {submit:1 emit:1} - sets [signatures default]
event: fileless_execution, id: 6023, ecfg: {submit:1 emit:1} - sets [signatures default]
event: security_file_open, id: 730, ecfg: {submit:1 emit:0} - sets [lsm_hooks fs fs_file_ops]
event: setgid, id: 106, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: core_pattern_modification, id: 6014, ecfg: {submit:1 emit:1} - sets [signatures default]
event: proc_fops_hooking, id: 6027, ecfg: {submit:1 emit:1} - sets [signatures default]
event: setsid, id: 112, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: net_packet_http_response, id: 2011, ecfg: {submit:1 emit:1} - sets [default network_events]
event: magic_write, id: 725, ecfg: {submit:1 emit:0} - sets []
event: move_mount, id: 429, ecfg: {submit:1 emit:1} - sets [default syscalls fs]
event: net_packet_base, id: 700, ecfg: {submit:1 emit:0} - sets [network_events]
event: cgroup_rmdir, id: 728, ecfg: {submit:18446744073709551615 emit:0} - sets []
event: sched_debug_recon, id: 6010, ecfg: {submit:1 emit:1} - sets [signatures default]
event: ptrace, id: 101, ecfg: {submit:1 emit:1} - sets [default syscalls proc]
event: setuid, id: 105, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: net_packet_dns_response, id: 2008, ecfg: {submit:1 emit:1} - sets [default network_events]
event: ld_preload, id: 6006, ecfg: {submit:1 emit:1} - sets [signatures default]
event: scheduled_task_mod, id: 6005, ecfg: {submit:1 emit:1} - sets [signatures default]
event: illegitimate_shell, id: 6024, ecfg: {submit:1 emit:1} - sets [signatures default]
event: fchownat, id: 260, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: security_socket_bind, id: 736, ecfg: {submit:1 emit:1} - sets [default lsm_hooks net net_sock]
event: do_init_module, id: 760, ecfg: {submit:1 emit:0} - sets []
event: net_packet_icmpv6_base, id: 705, ecfg: {submit:1 emit:0} - sets [network_events]
event: security_sb_mount, id: 738, ecfg: {submit:1 emit:1} - sets [default lsm_hooks fs]
event: net_packet_dns_request, id: 2007, ecfg: {submit:1 emit:1} - sets [default network_events]
event: setresuid, id: 117, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: hooked_syscalls, id: 2017, ecfg: {submit:1 emit:0} - sets []
event: docker_abuse, id: 6004, ecfg: {submit:1 emit:1} - sets [signatures default]
event: syscall_hooking, id: 6028, ecfg: {submit:1 emit:1} - sets [signatures default]
event: anti_debugging, id: 6018, ecfg: {submit:1 emit:1} - sets [signatures default]
event: fchmodat, id: 268, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: proc_mem_code_injection, id: 6003, ecfg: {submit:1 emit:1} - sets [signatures default]
event: setregid, id: 114, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: kernel_module_loading, id: 6025, ecfg: {submit:1 emit:1} - sets [signatures default]
event: lchown, id: 94, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: creat, id: 85, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_ops]
event: setfsuid, id: 122, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: chmod, id: 90, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: setresgid, id: 119, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: system_request_key_mod, id: 6011, ecfg: {submit:1 emit:1} - sets [signatures default]
event: hooked_proc_fops, id: 763, ecfg: {submit:1 emit:0} - sets []
event: security_kernel_read_file, id: 741, ecfg: {submit:1 emit:0} - sets [lsm_hooks]
event: stdio_over_socket, id: 6000, ecfg: {submit:1 emit:1} - sets [signatures default]
event: socket_dup, id: 747, ecfg: {submit:1 emit:0} - sets []
event: sched_process_exit, id: 714, ecfg: {submit:0 emit:0} - sets [proc proc_life]
event: cgroup_mkdir, id: 727, ecfg: {submit:18446744073709551615 emit:0} - sets []
event: net_packet_icmpv6, id: 2005, ecfg: {submit:1 emit:1} - sets [default network_events]
event: container_create, id: 2014, ecfg: {submit:1 emit:1} - sets [default containers]
event: k8s_api_connection, id: 6001, ecfg: {submit:1 emit:1} - sets [signatures default]
event: init_module, id: 175, ecfg: {submit:1 emit:1} - sets [default syscalls system system_module]

Filtering submit == 1 && emit == 1:

event: proc_kcore_read, id: 6015, ecfg: {submit:1 emit:1} - sets [signatures default]
event: fchownat, id: 260, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: disk_mount, id: 6021, ecfg: {submit:1 emit:1} - sets [signatures default]
event: process_vm_writev, id: 311, ecfg: {submit:1 emit:1} - sets [default syscalls proc]
event: ld_preload, id: 6006, ecfg: {submit:1 emit:1} - sets [signatures default]
event: finit_module, id: 313, ecfg: {submit:1 emit:1} - sets [default syscalls system system_module]
event: sched_process_exec, id: 713, ecfg: {submit:1 emit:1} - sets [default proc]
event: security_sb_mount, id: 738, ecfg: {submit:1 emit:1} - sets [default lsm_hooks fs]
event: security_socket_connect, id: 734, ecfg: {submit:1 emit:1} - sets [default lsm_hooks net net_sock]
event: chmod, id: 90, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: creat, id: 85, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_ops]
event: hidden_file_created, id: 6017, ecfg: {submit:1 emit:1} - sets [signatures default]
event: syscall_hooking, id: 6028, ecfg: {submit:1 emit:1} - sets [signatures default]
event: chown, id: 92, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: process_vm_readv, id: 310, ecfg: {submit:1 emit:1} - sets [default syscalls proc]
event: dropped_executable, id: 6029, ecfg: {submit:1 emit:1} - sets [signatures default]
event: docker_abuse, id: 6004, ecfg: {submit:1 emit:1} - sets [signatures default]
event: container_remove, id: 2015, ecfg: {submit:1 emit:1} - sets [default containers]
event: setfsgid, id: 123, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: anti_debugging, id: 6018, ecfg: {submit:1 emit:1} - sets [signatures default]
event: cgroup_release_agent, id: 6012, ecfg: {submit:1 emit:1} - sets [signatures default]
event: net_packet_http_response, id: 2011, ecfg: {submit:1 emit:1} - sets [default network_events]
event: security_socket_accept, id: 735, ecfg: {submit:1 emit:1} - sets [default lsm_hooks net net_sock]
event: fchmod, id: 91, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: aslr_inspection, id: 6002, ecfg: {submit:1 emit:1} - sets [signatures default]
event: fileless_execution, id: 6023, ecfg: {submit:1 emit:1} - sets [signatures default]
event: net_packet_dns_request, id: 2007, ecfg: {submit:1 emit:1} - sets [default network_events]
event: fchmodat, id: 268, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: sudoers_modification, id: 6009, ecfg: {submit:1 emit:1} - sets [signatures default]
event: ptrace_code_injection, id: 6019, ecfg: {submit:1 emit:1} - sets [signatures default]
event: lchown, id: 94, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: k8s_api_connection, id: 6001, ecfg: {submit:1 emit:1} - sets [signatures default]
event: ptrace, id: 101, ecfg: {submit:1 emit:1} - sets [default syscalls proc]
event: proc_fops_hooking, id: 6027, ecfg: {submit:1 emit:1} - sets [signatures default]
event: move_mount, id: 429, ecfg: {submit:1 emit:1} - sets [default syscalls fs]
event: setresuid, id: 117, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: setresgid, id: 119, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: net_packet_http_request, id: 2010, ecfg: {submit:1 emit:1} - sets [default network_events]
event: cgroup_notify_on_release, id: 6007, ecfg: {submit:1 emit:1} - sets [signatures default]
event: setregid, id: 114, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: security_inode_unlink, id: 731, ecfg: {submit:1 emit:1} - sets [default lsm_hooks fs fs_file_ops]
event: memfd_create, id: 319, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_ops]
event: setpgid, id: 109, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: setfsuid, id: 122, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: sched_debug_recon, id: 6010, ecfg: {submit:1 emit:1} - sets [signatures default]
event: proc_mem_access, id: 6016, ecfg: {submit:1 emit:1} - sets [signatures default]
event: illegitimate_shell, id: 6024, ecfg: {submit:1 emit:1} - sets [signatures default]
event: k8s_cert_theft, id: 6026, ecfg: {submit:1 emit:1} - sets [signatures default]
event: setreuid, id: 113, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: net_packet_icmp, id: 2004, ecfg: {submit:1 emit:1} - sets [default network_events]
event: kernel_module_loading, id: 6025, ecfg: {submit:1 emit:1} - sets [signatures default]
event: net_packet_dns_response, id: 2008, ecfg: {submit:1 emit:1} - sets [default network_events]
event: system_request_key_mod, id: 6011, ecfg: {submit:1 emit:1} - sets [signatures default]
event: setuid, id: 105, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: proc_mem_code_injection, id: 6003, ecfg: {submit:1 emit:1} - sets [signatures default]
event: scheduled_task_mod, id: 6005, ecfg: {submit:1 emit:1} - sets [signatures default]
event: init_module, id: 175, ecfg: {submit:1 emit:1} - sets [default syscalls system system_module]
event: stdio_over_socket, id: 6000, ecfg: {submit:1 emit:1} - sets [signatures default]
event: setsid, id: 112, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: dynamic_code_loading, id: 6022, ecfg: {submit:1 emit:1} - sets [signatures default]
event: setgid, id: 106, ecfg: {submit:1 emit:1} - sets [default syscalls proc proc_ids]
event: fchown, id: 93, ecfg: {submit:1 emit:1} - sets [default syscalls fs fs_file_attr]
event: process_vm_write_inject, id: 6020, ecfg: {submit:1 emit:1} - sets [signatures default]
event: core_pattern_modification, id: 6014, ecfg: {submit:1 emit:1} - sets [signatures default]
event: rcd_modification, id: 6013, ecfg: {submit:1 emit:1} - sets [signatures default]
event: container_create, id: 2014, ecfg: {submit:1 emit:1} - sets [default containers]
event: default_loader_mod, id: 6008, ecfg: {submit:1 emit:1} - sets [signatures default]
event: security_socket_bind, id: 736, ecfg: {submit:1 emit:1} - sets [default lsm_hooks net net_sock]
event: setns, id: 308, ecfg: {submit:1 emit:1} - sets [default syscalls proc]
event: net_packet_icmpv6, id: 2005, ecfg: {submit:1 emit:1} - sets [default network_events]

We can notice that dynamic_code_loading is {submit:1 emit:1} and is part of the default set [signatures default]. So far, the behaviour is not a bug.

geyslan commented 1 year ago

722 - mem_prot_alert (subjacent to 6022)

6022 - dynamic_code_loading


geyslan commented 1 year ago

But if we put the debug mentioned by @NDStrahilevitz in line 71 (the !t.shouldProcessEvent(event) branch), not in line 66, we do get the log of dropped events.


And copying the event as suggested by @yanivagman, the drops stop (no longer entering that branch).

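To make the mechanism in @yanivagman's comment (the event handed to the engine is not copied, so the base event's matchedPolicies ends up zeroed) and the confirmation in @geyslan's last comment concrete, here is an added toy model of that hand-off. It is not Tracee's code: the Event type, the engine's reset of the bitmap, and the function names are assumptions chosen to reproduce the aliasing, and the input events are constructed.

```go
package main

import "fmt"

// Minimal stand-in for a Tracee pipeline event (hypothetical, not Tracee's
// own type). MatchedPolicies is the bitmap of policies the event matched;
// the output stage drops any event whose bitmap is empty.
type Event struct {
	EventName       string
	MatchedPolicies uint64
}

// shouldProcessEvent models the check in the pipeline's output stage.
func shouldProcessEvent(ev *Event) bool { return ev.MatchedPolicies != 0 }

// engineIngest models the signature engine's side of the hand-off: it resets
// the bitmap of the event it was handed while preparing its own derived
// event (assumed behaviour, chosen to reproduce the aliasing bug).
func engineIngest(ev *Event) { ev.MatchedPolicies = 0 }

// runPipeline hands each event to the engine and then to the output stage.
// With copyBeforeEngine=false the engine mutates the very struct the output
// stage inspects afterwards, so the base event is filtered out; with
// copyBeforeEngine=true the engine gets its own copy and the base survives.
func runPipeline(events []Event, copyBeforeEngine bool) (emitted, dropped []string) {
	for i := range events {
		base := &events[i]
		handoff := base
		if copyBeforeEngine {
			cp := *base // value copy, the same pattern derivedEvents() uses
			handoff = &cp
		}
		engineIngest(handoff)
		if shouldProcessEvent(base) {
			emitted = append(emitted, base.EventName)
		} else {
			dropped = append(dropped, base.EventName)
		}
	}
	return emitted, dropped
}

// sampleEvents returns constructed input: two base events matched by policy bit 0.
func sampleEvents() []Event {
	return []Event{{"mem_prot_alert", 1}, {"sched_process_exec", 1}}
}

func main() {
	for _, cp := range []bool{false, true} {
		emitted, dropped := runPipeline(sampleEvents(), cp)
		fmt.Printf("copy=%v emitted=%v dropped=%v\n", cp, emitted, dropped)
	}
}
```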