signature: add proc_kcore_read.go sig

Author: roikol

signatures/golang/export.go

@@ -21,4 +21,5 @@ var ExportedSignatures = []detect.Signature{
 	&CgroupReleaseAgentModification{},
 	&RcdModification{},
 	&CorePatternModification{},
+	&ProcKcoreRead{},
 }

signatures/golang/proc_kcore_read.go

@@ -0,0 +1,87 @@
+package main
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/aquasecurity/tracee/signatures/helpers"
+	"github.com/aquasecurity/tracee/types/detect"
+	"github.com/aquasecurity/tracee/types/protocol"
+	"github.com/aquasecurity/tracee/types/trace"
+)
+
+type ProcKcoreRead struct {
+	cb        detect.SignatureHandler
+	kcorePath string
+}
+
+func (sig *ProcKcoreRead) Init(cb detect.SignatureHandler) error {
+	sig.cb = cb
+	sig.kcorePath = "/proc/kcore"
+	return nil
+}
+
+func (sig *ProcKcoreRead) GetMetadata() (detect.SignatureMetadata, error) {
+	return detect.SignatureMetadata{
+		ID:          "TRC-96",
+		Version:     "1",
+		Name:        "Kcore memory file read",
+		Description: "An attempt to read /proc/kcore file was detected. KCore provides a full dump of the physical memory of the system in the core file format. Adversaries may read this file to get all of the host memory and use this information for container escape.",
+		Properties: map[string]interface{}{
+			"Severity":             2,
+			"Category":             "privilege-escalation",
+			"Technique":            "Escape to Host",
+			"Kubernetes_Technique": "",
+			"id":                   "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665",
+			"external_id":          "T1611",
+		},
+	}, nil
+}
+
+func (sig *ProcKcoreRead) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
+	return []detect.SignatureEventSelector{
+		{Source: "tracee", Name: "security_file_open", Origin: "container"},
+	}, nil
+}
+
+func (sig *ProcKcoreRead) OnEvent(event protocol.Event) error {
+
+	eventObj, ok := event.Payload.(trace.Event)
+	if !ok {
+		return fmt.Errorf("invalid event")
+	}
+
+	switch eventObj.EventName {
+
+	case "security_file_open":
+		pathname, err := helpers.GetTraceeStringArgumentByName(eventObj, "pathname")
+		if err != nil {
+			return err
+		}
+
+		flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags")
+		if err != nil {
+			return err
+		}
+
+		if strings.HasSuffix(pathname, sig.kcorePath) && helpers.IsFileRead(flags) {
+			metadata, err := sig.GetMetadata()
+			if err != nil {
+				return err
+			}
+			sig.cb(detect.Finding{
+				SigMetadata: metadata,
+				Event:       event,
+				Data:        nil,
+			})
+		}
+
+	}
+
+	return nil
+}
+
+func (sig *ProcKcoreRead) OnSignal(s detect.Signal) error {
+	return nil
+}
+func (sig *ProcKcoreRead) Close() {}

signatures/golang/proc_kcore_read_test.go

@@ -0,0 +1,138 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/aquasecurity/tracee/signatures/signaturestest"
+	"github.com/aquasecurity/tracee/types/detect"
+	"github.com/aquasecurity/tracee/types/trace"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestProcKcoreRead(t *testing.T) {
+	testCases := []struct {
+		Name     string
+		Events   []trace.Event
+		Findings map[string]detect.Finding
+	}{
+		{
+			Name: "should trigger detection",
+			Events: []trace.Event{
+				{
+					EventName: "security_file_open",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "flags",
+							},
+							Value: interface{}("O_RDONLY"),
+						},
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "pathname",
+							},
+							Value: interface{}("/proc/kcore"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{
+				"TRC-96": {
+					Data: nil,
+					Event: trace.Event{
+						EventName: "security_file_open",
+						Args: []trace.Argument{
+							{
+								ArgMeta: trace.ArgMeta{
+									Name: "flags",
+								},
+								Value: interface{}("O_RDONLY"),
+							},
+							{
+								ArgMeta: trace.ArgMeta{
+									Name: "pathname",
+								},
+								Value: interface{}("/proc/kcore"),
+							},
+						},
+					}.ToProtocol(),
+					SigMetadata: detect.SignatureMetadata{
+						ID:          "TRC-96",
+						Version:     "1",
+						Name:        "Kcore memory file read",
+						Description: "An attempt to read /proc/kcore file was detected. KCore provides a full dump of the physical memory of the system in the core file format. Adversaries may read this file to get all of the host memory and use this information for container escape.",
+						Properties: map[string]interface{}{
+							"Severity":             2,
+							"Category":             "privilege-escalation",
+							"Technique":            "Escape to Host",
+							"Kubernetes_Technique": "",
+							"id":                   "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665",
+							"external_id":          "T1611",
+						},
+					},
+				},
+			},
+		},
+		{
+			Name: "should not trigger detection - wrong open flags",
+			Events: []trace.Event{
+				{
+					EventName: "security_file_open",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "pathname",
+							},
+							Value: interface{}("/proc/kcore"),
+						},
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "flags",
+							},
+							Value: interface{}("O_WRONLY"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{},
+		},
+		{
+			Name: "should not trigger detection - wrong path",
+			Events: []trace.Event{
+				{
+					EventName: "security_file_open",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "pathname",
+							},
+							Value: interface{}("/proc/something"),
+						},
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "flags",
+							},
+							Value: interface{}("O_RDONLY"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.Name, func(t *testing.T) {
+			holder := signaturestest.FindingsHolder{}
+			sig := ProcKcoreRead{}
+			sig.Init(holder.OnFinding)
+
+			for _, e := range tc.Events {
+				err := sig.OnEvent(e.ToProtocol())
+				require.NoError(t, err)
+			}
+			assert.Equal(t, tc.Findings, holder.GroupBySigID())
+		})
+	}
+}