signature: add cgroup_notify_on_release_modification.go sig

roikol · rafaeldtinoco · commit ab1f7b1bf485 · 2022-10-20T22:55:13.000-03:00
diff --git a/signatures/golang/cgroup_notify_on_release_modification.go b/signatures/golang/cgroup_notify_on_release_modification.go
@@ -0,0 +1,87 @@
+package main
+
+import (
+	"fmt"
+	"path"
+
+	"github.com/aquasecurity/tracee/signatures/helpers"
+	"github.com/aquasecurity/tracee/types/detect"
+	"github.com/aquasecurity/tracee/types/protocol"
+	"github.com/aquasecurity/tracee/types/trace"
+)
+
+type CgroupNotifyOnReleaseModification struct {
+	cb             detect.SignatureHandler
+	notifyFileName string
+}
+
+func (sig *CgroupNotifyOnReleaseModification) Init(cb detect.SignatureHandler) error {
+	sig.cb = cb
+	sig.notifyFileName = "notify_on_release"
+	return nil
+}
+
+func (sig *CgroupNotifyOnReleaseModification) GetMetadata() (detect.SignatureMetadata, error) {
+	return detect.SignatureMetadata{
+		ID:          "TRC-30",
+		Version:     "1",
+		Name:        "Cgroups notify_on_release file modification",
+		Description: "An attempt to modify Cgroup notify_on_release file was detected. Cgroups are a Linux kernel feature which limits the resource usage of a set of processes. Adversaries may use this feature for container escaping.",
+		Properties: map[string]interface{}{
+			"Severity":             3,
+			"Category":             "privilege-escalation",
+			"Technique":            "Escape to Host",
+			"Kubernetes_Technique": "",
+			"id":                   "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665",
+			"external_id":          "T1611",
+		},
+	}, nil
+}
+
+func (sig *CgroupNotifyOnReleaseModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
+	return []detect.SignatureEventSelector{
+		{Source: "tracee", Name: "security_file_open", Origin: "container"},
+	}, nil
+}
+
+func (sig *CgroupNotifyOnReleaseModification) OnEvent(event protocol.Event) error {
+
+	eventObj, ok := event.Payload.(trace.Event)
+	if !ok {
+		return fmt.Errorf("invalid event")
+	}
+
+	switch eventObj.EventName {
+
+	case "security_file_open":
+
+		pathname, err := helpers.GetTraceeStringArgumentByName(eventObj, "pathname")
+		if err != nil {
+			return err
+		}
+		basename := path.Base(pathname)
+
+		flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags")
+		if err != nil {
+			return err
+		}
+
+		if basename == sig.notifyFileName && helpers.IsFileWrite(flags) {
+			metadata, err := sig.GetMetadata()
+			if err != nil {
+				return err
+			}
+			sig.cb(detect.Finding{
+				SigMetadata: metadata,
+				Event:       event,
+				Data:        nil,
+			})
+		}
+	}
+	return nil
+}
+
+func (sig *CgroupNotifyOnReleaseModification) OnSignal(s detect.Signal) error {
+	return nil
+}
+func (sig *CgroupNotifyOnReleaseModification) Close() {}
diff --git a/signatures/golang/cgroup_notify_on_release_modification_test.go b/signatures/golang/cgroup_notify_on_release_modification_test.go
@@ -0,0 +1,138 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/aquasecurity/tracee/signatures/signaturestest"
+	"github.com/aquasecurity/tracee/types/detect"
+	"github.com/aquasecurity/tracee/types/trace"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestCgroupNotifyOnReleaseModification(t *testing.T) {
+	testCases := []struct {
+		Name     string
+		Events   []trace.Event
+		Findings map[string]detect.Finding
+	}{
+		{
+			Name: "should trigger detection",
+			Events: []trace.Event{
+				{
+					EventName: "security_file_open",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "pathname",
+							},
+							Value: interface{}("/tmp/cgrp/x/notify_on_release"),
+						},
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "flags",
+							},
+							Value: interface{}("O_WRONLY"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{
+				"TRC-30": {
+					Data: nil,
+					Event: trace.Event{
+						EventName: "security_file_open",
+						Args: []trace.Argument{
+							{
+								ArgMeta: trace.ArgMeta{
+									Name: "pathname",
+								},
+								Value: interface{}("/tmp/cgrp/x/notify_on_release"),
+							},
+							{
+								ArgMeta: trace.ArgMeta{
+									Name: "flags",
+								},
+								Value: interface{}("O_WRONLY"),
+							},
+						},
+					}.ToProtocol(),
+					SigMetadata: detect.SignatureMetadata{
+						ID:          "TRC-30",
+						Version:     "1",
+						Name:        "Cgroups notify_on_release file modification",
+						Description: "An attempt to modify Cgroup notify_on_release file was detected. Cgroups are a Linux kernel feature which limits the resource usage of a set of processes. Adversaries may use this feature for container escaping.",
+						Properties: map[string]interface{}{
+							"Severity":             3,
+							"Category":             "privilege-escalation",
+							"Technique":            "Escape to Host",
+							"Kubernetes_Technique": "",
+							"id":                   "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665",
+							"external_id":          "T1611",
+						},
+					},
+				},
+			},
+		},
+		{
+			Name: "should not trigger detection - wrong open flags",
+			Events: []trace.Event{
+				{
+					EventName: "security_file_open",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "pathname",
+							},
+							Value: interface{}("/tmp/cgrp/x/notify_on_release"),
+						},
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "flags",
+							},
+							Value: interface{}("O_RDONLY"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{},
+		},
+		{
+			Name: "should not trigger detection - wrong path",
+			Events: []trace.Event{
+				{
+					EventName: "security_file_open",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "pathname",
+							},
+							Value: interface{}("/tmp/something"),
+						},
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "flags",
+							},
+							Value: interface{}("O_WRONLY"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.Name, func(t *testing.T) {
+			holder := signaturestest.FindingsHolder{}
+			sig := CgroupNotifyOnReleaseModification{}
+			sig.Init(holder.OnFinding)
+
+			for _, e := range tc.Events {
+				err := sig.OnEvent(e.ToProtocol())
+				require.NoError(t, err)
+			}
+			assert.Equal(t, tc.Findings, holder.GroupBySigID())
+		})
+	}
+}
diff --git a/signatures/golang/export.go b/signatures/golang/export.go
@@ -13,4 +13,5 @@ var ExportedSignatures = []detect.Signature{
 	&DockerAbuse{},
 	&ScheduledTaskModification{},
 	&LdPreload{},
+	&CgroupNotifyOnReleaseModification{},
 }

Original file line number	Diff line number	Diff line change
`@@ -13,4 +13,5 @@ var ExportedSignatures = []detect.Signature{`
`13`	`13`	`&DockerAbuse{},`
`14`	`14`	`&ScheduledTaskModification{},`
`15`	`15`	`&LdPreload{},`
	`16`	`+ &CgroupNotifyOnReleaseModification{},`
`16`	`17`	`}`