signature: add disk_mount.go sig

Author: roikol

signatures/golang/disk_mount.go

@@ -0,0 +1,91 @@
+package main
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/aquasecurity/tracee/signatures/helpers"
+	"github.com/aquasecurity/tracee/types/detect"
+	"github.com/aquasecurity/tracee/types/protocol"
+	"github.com/aquasecurity/tracee/types/trace"
+)
+
+type DiskMount struct {
+	cb     detect.SignatureHandler
+	devDir string
+}
+
+func (sig *DiskMount) Init(cb detect.SignatureHandler) error {
+	sig.cb = cb
+	sig.devDir = "/dev/"
+	return nil
+}
+
+func (sig *DiskMount) GetMetadata() (detect.SignatureMetadata, error) {
+	return detect.SignatureMetadata{
+		ID:          "TRC-27",
+		Version:     "1",
+		Name:        "Container device mount detected",
+		Description: "Container device filesystem mount detected. A mount of a host device filesystem can be exploited by adversaries to perform container escape.",
+		Properties: map[string]interface{}{
+			"Severity":             3,
+			"Category":             "privilege-escalation",
+			"Technique":            "Escape to Host",
+			"Kubernetes_Technique": "",
+			"id":                   "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665",
+			"external_id":          "T1611",
+		},
+	}, nil
+}
+
+func (sig *DiskMount) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
+	return []detect.SignatureEventSelector{
+		{Source: "tracee", Name: "security_sb_mount", Origin: "container"},
+	}, nil
+}
+
+func (sig *DiskMount) OnEvent(event protocol.Event) error {
+
+	eventObj, ok := event.Payload.(trace.Event)
+	if !ok {
+		return fmt.Errorf("invalid event")
+	}
+
+	switch eventObj.EventName {
+
+	case "security_sb_mount":
+
+		deviceName, err := helpers.GetTraceeStringArgumentByName(eventObj, "dev_name")
+		if err != nil {
+			return nil
+		}
+
+		if !isRunc(eventObj) && strings.HasPrefix(deviceName, sig.devDir) {
+			metadata, err := sig.GetMetadata()
+			if err != nil {
+				return err
+			}
+			sig.cb(detect.Finding{
+				SigMetadata: metadata,
+				Event:       event,
+				Data:        nil,
+			})
+		}
+
+	}
+
+	return nil
+}
+
+func (sig *DiskMount) OnSignal(s detect.Signal) error {
+	return nil
+}
+func (sig *DiskMount) Close() {}
+
+func isRunc(event trace.Event) bool {
+	if event.ThreadID == 1 && strings.HasPrefix(event.ProcessName, "runc:") {
+		return true
+	}
+
+	return false
+}

signatures/golang/disk_mount_test.go

@@ -0,0 +1,122 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/aquasecurity/tracee/signatures/signaturestest"
+	"github.com/aquasecurity/tracee/types/detect"
+	"github.com/aquasecurity/tracee/types/trace"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestDiskMount(t *testing.T) {
+	testCases := []struct {
+		Name     string
+		Events   []trace.Event
+		Findings map[string]detect.Finding
+	}{
+		{
+			Name: "should trigger detection",
+			Events: []trace.Event{
+				{
+					ProcessName: "mal",
+					ThreadID:    8,
+					EventName:   "security_sb_mount",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "dev_name",
+							},
+							Value: interface{}("/dev/sda1"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{
+				"TRC-27": {
+					Data: nil,
+					Event: trace.Event{
+						ProcessName: "mal",
+						ThreadID:    8,
+						EventName:   "security_sb_mount",
+						Args: []trace.Argument{
+							{
+								ArgMeta: trace.ArgMeta{
+									Name: "dev_name",
+								},
+								Value: interface{}("/dev/sda1"),
+							},
+						},
+					}.ToProtocol(),
+					SigMetadata: detect.SignatureMetadata{
+						ID:          "TRC-27",
+						Version:     "1",
+						Name:        "Container device mount detected",
+						Description: "Container device filesystem mount detected. A mount of a host device filesystem can be exploited by adversaries to perform container escape.",
+						Properties: map[string]interface{}{
+							"Severity":             3,
+							"Category":             "privilege-escalation",
+							"Technique":            "Escape to Host",
+							"Kubernetes_Technique": "",
+							"id":                   "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665",
+							"external_id":          "T1611",
+						},
+					},
+				},
+			},
+		},
+		{
+			Name: "should not trigger detection - runc",
+			Events: []trace.Event{
+				{
+					ProcessName: "runc:[init]",
+					ThreadID:    1,
+					EventName:   "security_sb_mount",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "dev_name",
+							},
+							Value: interface{}("/dev/sda1"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{},
+		},
+		{
+			Name: "should not trigger detection - wrong path",
+			Events: []trace.Event{
+				{
+					ProcessName: "runc:[init]",
+					ThreadID:    8,
+					EventName:   "security_sb_mount",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "dev_name",
+							},
+							Value: interface{}("/tmp/something"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.Name, func(t *testing.T) {
+			holder := signaturestest.FindingsHolder{}
+			sig := DiskMount{}
+			sig.Init(holder.OnFinding)
+
+			for _, e := range tc.Events {
+				err := sig.OnEvent(e.ToProtocol())
+				require.NoError(t, err)
+			}
+			assert.Equal(t, tc.Findings, holder.GroupBySigID())
+		})
+	}
+}

signatures/golang/export.go

@@ -27,4 +27,5 @@ var ExportedSignatures = []detect.Signature{
 	&AntiDebuggingPtraceme{},
 	&PtraceCodeInjection{},
 	&ProcessVmWriteCodeInjection{},
+	&DiskMount{},
 }