send custom event when detecting an event with missing args/envs
YoannGh committed Jun 6, 2024
1 parent 58a77b3 commit bd17fc1
Showing 3 changed files with 14 additions and 0 deletions.
6 changes: 6 additions & 0 deletions pkg/security/events/custom.go
Expand Up @@ -58,6 +58,11 @@ const (
// BrokenProcessLineageErrorRuleDesc is the rule description for events with a broken process lineage
BrokenProcessLineageErrorRuleDesc = "Broken process lineage detected"

// NoProcessArgsEnvsErrorRuleID is the rule ID for events with no process args/envs
NoProcessArgsEnvsErrorRuleID = "no_process_args_envs"
// NoProcessArgsEnvsErrorRuleDesc is the rule description for events with no process args/envs
NoProcessArgsEnvsErrorRuleDesc = "Missing process arguments or environment variables detected"

// RefreshUserCacheRuleID is the rule ID used to refresh users and groups cache
RefreshUserCacheRuleID = "refresh_user_cache"

Expand Down Expand Up @@ -102,6 +107,7 @@ func AllCustomRuleIDs() []string {
NoProcessContextErrorRuleID,
BrokenProcessLineageErrorRuleID,
InternalCoreDumpRuleID,
NoProcessArgsEnvsErrorRuleID,
}
}

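Review bot: In `AllCustomRuleIDs()` the new `NoProcessArgsEnvsErrorRuleID` is appended after `InternalCoreDumpRuleID`, whereas the const block above groups it with `NoProcessContextErrorRuleID` and `BrokenProcessLineageErrorRuleID` as a process-resolution error; keeping the same order in both places makes it easier to spot a rule ID that was added to the const block but not to the list (or to the limiter map). I would move the new entry to directly after `BrokenProcessLineageErrorRuleID,`. The function signature and the opening of the slice literal are outside the hunk.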
1 change: 1 addition & 0 deletions pkg/security/events/rate_limiter.go
Expand Up @@ -40,6 +40,7 @@ var (
BrokenProcessLineageErrorRuleID: NewStdLimiter(rate.Every(30*time.Second), 1),
EBPFLessHelloMessageRuleID: NewStdLimiter(rate.Inf, 1), // No limit on hello message
InternalCoreDumpRuleID: NewStdLimiter(rate.Every(30*time.Second), 1),
NoProcessArgsEnvsErrorRuleID: NewStdLimiter(rate.Every(30*time.Second), 1),
}
)

7 changes: 7 additions & 0 deletions pkg/security/probe/probe_monitor.go
Expand Up @@ -181,4 +181,11 @@ func (m *EBPFMonitors) ProcessEvent(event *model.Event) {
NewAbnormalEvent(events.BrokenProcessLineageErrorRuleID, events.BrokenProcessLineageErrorRuleDesc, event, event.Error),
)
}

var argsEnvsErr *model.ErrProcessArgsEnvsResolution
if errors.As(event.Error, &argsEnvsErr) {
m.ebpfProbe.probe.DispatchCustomEvent(
NewAbnormalEvent(events.NoProcessArgsEnvsErrorRuleID, events.NoProcessArgsEnvsErrorRuleDesc, event, event.Error),
)
}

}
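Review bot: The new `errors.As` block declares `argsEnvsErr` only as a type probe and then dispatches `event.Error` itself, so the typed pointer is never read; that is fine, but the intent and the rate-limiting interaction deserve a comment above the `var`, e.g. `// Surface args/envs resolution failures as a custom event; the rule is rate-limited (see rate_limiter.go), so consumers see at most one event per window, not one per affected process.` The coverage annotation on this commit reports the added lines as not covered by tests; a unit test that feeds `ProcessEvent` an event whose `Error` wraps `*model.ErrProcessArgsEnvsResolution` and asserts that a custom event with `events.NoProcessArgsEnvsErrorRuleID` is dispatched would close that gap. The body of `ProcessEvent` starts outside the hunk.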
