kubescape / node-agent

Kubescape eBPF agent 🥷🏻
https://kubescape.io/
Apache License 2.0

Fixing all rules descriptions #243

Closed amitschendel closed 7 months ago

amitschendel commented 7 months ago

User description

Overview

Type: enhancement

Description

Changes walkthrough

Relevant files

Enhancement (17 files)

r0001_unexpected_process_launched.go
Enhance Unexpected Process Launch Rule Description
pkg/ruleengine/v1/r0001_unexpected_process_launched.go
  • Updated rule description to include container information for unexpected process launch.
  • +1/-1

r0002_unexpected_file_access.go
Update Unexpected File Access Rule Description
pkg/ruleengine/v1/r0002_unexpected_file_access.go
  • Rule description now includes container information and flags for unexpected file access.
  • +1/-1

r0003_unexpected_system_call.go
Enhance Unexpected System Call Rule Description
pkg/ruleengine/v1/r0003_unexpected_system_call.go
  • Updated rule description to include container information for unexpected system call.
  • +1/-1

r0004_unexpected_capability_used.go
Update Unexpected Capability Usage Rule Description
pkg/ruleengine/v1/r0004_unexpected_capability_used.go
  • Rule description now includes container information for unexpected capability usage.
  • +1/-1

r0005_unexpected_domain_request.go
Enhance Unexpected Domain Communication Rule Description
pkg/ruleengine/v1/r0005_unexpected_domain_request.go
  • Updated rule description to include container information for unexpected domain communication.
  • +1/-1

r0006_unexpected_service_account_token_access.go
Update Unexpected Service Account Token Access Rule Description
pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go
  • Rule description now includes container information and flags for unexpected service account token access.
  • +1/-1

r0007_kubernetes_client_executed.go
Enhance Kubernetes Client Execution Rule Description
pkg/ruleengine/v1/r0007_kubernetes_client_executed.go
  • Updated rule description to include container information for Kubernetes client execution.
  • +1/-1

r1000_exec_from_malicious_source.go
Update Execution from Malicious Source Rule Description
pkg/ruleengine/v1/r1000_exec_from_malicious_source.go
  • Rule description now includes container information for execution from malicious source.
  • +1/-1

r1001_exec_binary_not_in_base_image.go
Enhance Binary Execution Not in Base Image Rule Description
pkg/ruleengine/v1/r1001_exec_binary_not_in_base_image.go
  • Updated rule description to include container information for binary execution not in base image.
  • +1/-1

r1002_load_kernel_module.go
Update Kernel Module Load Syscall Rule Description
pkg/ruleengine/v1/r1002_load_kernel_module.go
  • Rule description now includes container information for kernel module load syscall.
  • +2/-1

r1003_malicious_ssh_connection.go
Enhance Malicious SSH Connection Rule Description and Cleanup
pkg/ruleengine/v1/r1003_malicious_ssh_connection.go
  • Updated rule description for SSH connection to disallowed port.
  • Removed unnecessary logging for SSH related file detection.
  • +1/-3

r1004_exec_from_mount.go
Update Execution from Mounted Path Rule Description
pkg/ruleengine/v1/r1004_exec_from_mount.go
  • Rule description now includes container information for execution from a mounted path.
  • +2/-1

r1005_fileless_execution.go
Enhance Fileless Execution Detection Rule Description
pkg/ruleengine/v1/r1005_fileless_execution.go
  • Updated rule description to include container information for fileless execution detection.
  • +1/-1

r1006_unshare_system_call.go
Update Unshare System Call Execution Rule Description
pkg/ruleengine/v1/r1006_unshare_system_call.go
  • Rule description now includes container information for unshare system call execution.
  • +2/-1

r1007_xmr_crypto_mining.go
Enhance XMR Crypto Mining Process Execution Rule Description
pkg/ruleengine/v1/r1007_xmr_crypto_mining.go
  • Updated rule description to include container information for XMR crypto mining process execution.
  • +2/-1

r1008_crypto_mining_domain.go
Update Communication with Crypto Mining Domain Rule Description
pkg/ruleengine/v1/r1008_crypto_mining_domain.go
  • Rule description now includes container information for communication with a known crypto mining domain.
  • +2/-1

r1009_crypto_mining_port.go
Enhance Communication on Crypto Mining Port Rule Description
pkg/ruleengine/v1/r1009_crypto_mining_port.go
  • Updated rule description to include container information for communication on a commonly used crypto mining port.
  • +1/-1


codiumai-pr-agent-free[bot] commented 7 months ago

PR Description updated to latest commit (https://github.com/kubescape/node-agent/commit/afd405ae4abec9149c9c63983da741dd1eb09db6)

codiumai-pr-agent-free[bot] commented 7 months ago

PR Review

⏱️ Estimated effort to review [1-5]: 2, because the changes are straightforward and involve updating rule descriptions to include more context about the container involved in the event. The modifications are consistent across different rule files, which makes the review process easier.

🧪 Relevant tests: No

🔍 Possible issues:
- Clarity on Container Context: While the addition of container context in rule descriptions is beneficial, it's important to ensure that the `GetContainer()` method reliably returns meaningful and accurate container identifiers across different environments and scenarios.
- Consistency in Description Format: The format and structure of the updated rule descriptions vary slightly. Ensuring consistency in how descriptions are formulated (e.g., order of information presented) could improve readability and standardization.

🔒 Security concerns: No

codiumai-pr-agent-free[bot] commented 7 months ago

PR Code Suggestions

Category: Enhancement
**Improve readability by adding a space after each comma in the list of flags.**

Consider using `strings.Join(openEvent.Flags, ", ")` to improve readability by adding a space after each comma in the list of flags.

[pkg/ruleengine/v1/r0002_unexpected_file_access.go [184]](https://github.com/kubescape/node-agent/pull/243/files#diff-90d1aefc909570233d7720d28979df55666d6e53899a1804cb20fea684236645R184-R184)

```diff
-fmt.Sprintf("Unexpected file access: %s with flags %s in: %s", openEvent.Path, strings.Join(openEvent.Flags, ","), openEvent.GetContainer())
+fmt.Sprintf("Unexpected file access: %s with flags %s in: %s", openEvent.Path, strings.Join(openEvent.Flags, ", "), openEvent.GetContainer())
```
**Add a space after each comma in the list of flags for better readability.**

For consistency and readability, consider using `strings.Join(openEvent.Flags, ", ")` to add a space after each comma in the list of flags.

[pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go [132]](https://github.com/kubescape/node-agent/pull/243/files#diff-397dd96e7b0070e47905927ec1d599ef0cae06f2dcaaa1af58743ebd710f9fa5R132-R132)

```diff
-fmt.Sprintf("Unexpected access to service account token: %s with flags: %s in: %s", openEvent.Path, strings.Join(openEvent.Flags, ","), openEvent.GetContainer())
+fmt.Sprintf("Unexpected access to service account token: %s with flags: %s in: %s", openEvent.Path, strings.Join(openEvent.Flags, ", "), openEvent.GetContainer())
```
**Clarify the rule description by specifying the disallowed port range or criteria.**

To enhance the clarity of the rule description, consider specifying the disallowed port range or criteria, if applicable.

[pkg/ruleengine/v1/r1003_malicious_ssh_connection.go [166]](https://github.com/kubescape/node-agent/pull/243/files#diff-4caaeaf9d44ed40d0917224bc264b00ef40c6516b5672eed2020e68de8c5c7feR166-R166)

```diff
-fmt.Sprintf("SSH connection to disallowed port %d", networkEvent.Port)
+fmt.Sprintf("SSH connection to disallowed port %d (ports X-Y are not allowed)", networkEvent.Port)
```
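Review bot: the `+` line embeds the literal placeholder `(ports X-Y are not allowed)` in the user-facing message; applied as written, every SSH alert would carry that placeholder text. Either format the actual allowed-port value the rule checks against into the message via the same `Sprintf`, or keep the original line unchanged.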
**Include the type of mount in the rule description for better accuracy.**

To improve the accuracy of the description, consider including the type of mount (e.g., volume, bind mount) if this information is available.

[pkg/ruleengine/v1/r1004_exec_from_mount.go [92]](https://github.com/kubescape/node-agent/pull/243/files#diff-8f5b768a5ef0c288aced9e6b01d68113ed010afcf9df9343db29b6d5376b80efR92-R92)

```diff
-fmt.Sprintf("Process (%s) was executed from a mounted path (%s) in: %s", p, mount, execEvent.GetContainer())
+fmt.Sprintf("Process (%s) was executed from a mounted path (%s, type: volume/bind) in: %s", p, mount, execEvent.GetContainer())
```
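Review bot: the `+` line hardcodes `type: volume/bind` as static text, so every alert would list both alternatives regardless of which mount type is actually involved, which is less accurate than the original message. Only add a mount type to the description if it is obtained from the event data; otherwise keep the original line.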
**Clarify why memfd_create execution is considered fileless.**

For enhanced clarity and specificity, consider adding the reason why memfd_create execution is considered fileless execution.

[pkg/ruleengine/v1/r1005_fileless_execution.go [92]](https://github.com/kubescape/node-agent/pull/243/files#diff-ef0155bc510f47092b9799316b90b72f6eda3347ee96da897e27fe9961f06792R92-R92)

```diff
-fmt.Sprintf("Fileless execution detected: syscall memfd_create executed in: %s", syscallEvent.GetContainer())
+fmt.Sprintf("Fileless execution detected: syscall memfd_create (allows execution without a file on disk) executed in: %s", syscallEvent.GetContainer())
```
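Review bot: the parenthetical added on the `+` line is fixed explanatory text that would be repeated verbatim in every alert; it belongs in the rule's static description or documentation, with the per-event message kept to the syscall and the container it ran in.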

github-actions[bot] commented 7 months ago

Summary: