falcosecurity / event-generator

Generate a variety of suspect actions that are detected by Falco rulesets
Apache License 2.0

Added an event for default stable rule 'Drop and execute new binary in container' #196

Closed GLVSKiriti closed 7 months ago

GLVSKiriti commented 8 months ago

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind documentation

/kind tests

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area commands

/area pkg

/area events

What this PR does / why we need it:

Added an event for default stable rule 'Drop and execute new binary in container' as mentioned here

Which issue(s) this PR fixes:

Fixes #195

Special notes for your reviewer:

GLVSKiriti commented 7 months ago

@FedeDP @leogr this rule is also triggering fine, but the question is: what's your feedback on generating an executable binary with the go build command?

In order to execute this event and trigger the rule, we need an executable binary which is not part of the base image. So IMO the best option is creating an executable, so I used go build. Wdyt? Is there any better alternative to generate this event?

leogr commented 7 months ago

> @FedeDP @leogr this rule is also triggering fine, but the question is: what's your feedback on generating an executable binary with the go build command?

I think we should definitely avoid depending on any compiler, including Go.

I hope we can exploit the event-generator binary itself for these purposes. I'm waiting @loresuso for this https://github.com/falcosecurity/event-generator/pull/198#pullrequestreview-1980059940, then we will see.

Thank you for your patience :innocent:

GLVSKiriti commented 7 months ago

@leogr @FedeDP I came up with a new solution, please provide feedback.

Instead of creating a new binary by relying on Go etc.,

I copied the binary file of the ls command, i.e. /bin/ls, and created a new binary in /bin, i.e. /bin/ls-created-by-event-generator.

Now I executed the command ls-created-by-event-generator, which is the new binary created by us in the container, i.e. it is not part of the Docker image used to create the container. So even if the command is unsuccessful, it triggers the rule.

I tested it by running the following commands in an alpine container:

```sh
# copy a binary that ships in the base image to a new path (upper layer), then run the copy
cp /bin/ls /bin/ls-created-by-event-generator
ls-created-by-event-generator
```

GLVSKiriti commented 7 months ago

And this method is working fine. It triggers the rule perfectly

(screenshot: dropandexecutenewbinary)

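The technique settled on above (copy a binary that already ships in the base image to a new path, then execute the copy) written out as a self-contained Go program. This is an added example, not the event-generator's own event code or the PR's diff: it does not use the event-generator `events` package, the destination directory and the `ls-created-by-event-generator` file name are assumptions chosen to mirror the thread, and `ls` is located via `PATH` rather than hard-coded as `/bin/ls`. The security-relevant detail is that the copy is a brand-new file written at container runtime, so it lives in the overlay upper layer rather than in the image; that is what the stable rule's `proc.is_exe_upper_layer` check detects, and it is why no compiler is needed.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"os/exec"
	"path/filepath"
)

// dropAndExecute copies the executable at src to dst, marks the copy
// executable and runs it with args, returning the child's exit code.
// A real copy (not a hard link or a symlink) matters: it creates a new
// file at runtime, which inside a container lands in the overlay upper
// layer and so satisfies proc.is_exe_upper_layer in the Falco rule.
func dropAndExecute(src, dst string, args ...string) (int, error) {
	in, err := os.Open(src)
	if err != nil {
		return -1, fmt.Errorf("open source: %w", err)
	}
	defer in.Close()

	out, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o755)
	if err != nil {
		return -1, fmt.Errorf("create destination: %w", err)
	}
	if _, err := io.Copy(out, in); err != nil {
		out.Close()
		return -1, fmt.Errorf("copy: %w", err)
	}
	if err := out.Close(); err != nil {
		return -1, fmt.Errorf("close destination: %w", err)
	}

	// Execute the dropped copy. Its output is irrelevant to the event,
	// so it is discarded; only the fact that it was spawned matters.
	cmd := exec.Command(dst, args...)
	cmd.Stdout = io.Discard
	cmd.Stderr = io.Discard
	err = cmd.Run()
	if err == nil {
		return 0, nil
	}
	var exitErr *exec.ExitError
	if errors.As(err, &exitErr) {
		// The rule fires on the spawn, so a non-zero exit is not an error here.
		return exitErr.ExitCode(), nil
	}
	return -1, fmt.Errorf("run dropped binary: %w", err)
}

// runDropAndExecuteEvent mirrors the PR's event: take a binary that ships in
// the base image (ls), drop a copy under a new name in dir, execute it, and
// remove the copy afterwards so the event can be repeated. dir is an
// assumption; the PR writes into /bin.
func runDropAndExecuteEvent(dir string) (int, error) {
	src, err := exec.LookPath("ls")
	if err != nil {
		return -1, fmt.Errorf("no ls in PATH: %w", err)
	}
	dst := filepath.Join(dir, "ls-created-by-event-generator") // assumed name, taken from the thread
	defer os.Remove(dst)
	return dropAndExecute(src, dst, "/")
}

func main() {
	code, err := runDropAndExecuteEvent(os.TempDir())
	if err != nil {
		fmt.Fprintln(os.Stderr, "event failed:", err)
		os.Exit(1)
	}
	fmt.Printf("executed dropped binary, exit code %d\n", code)
}
```

Two caveats when using this inside a container. The destination must be on the container's writable overlay layer: a path under a bind mount, volume or tmpfs is not in the upper layer, so the rule will not fire even though a new binary was executed. And if, as suggested earlier in the thread, the source is the event-generator's own executable (`os.Executable()`) instead of `ls`, the copy must be invoked with arguments that make it exit immediately rather than generate events again, or the event will recurse.
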
FedeDP commented 7 months ago

It LGTM, cc @leogr wdyt?

poiana commented 7 months ago

LGTM label has been added.

Git tree hash: 7e05ae089e2399fc64323527587f51e3abe901f9

poiana commented 7 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: GLVSKiriti, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/falcosecurity/event-generator/blob/main/OWNERS)~~ [leogr]

Approvers can indicate their approval by writing `/approve` in a comment.
Approvers can cancel approval by writing `/approve cancel` in a comment.