chore: add events triggers (scripts)

aquasecurity · Jan 8, 2025 · 5bd63e3 · 5bd63e3
1 parent 687cdb1
commit 5bd63e3
Show file tree

Hide file tree

Showing 36 changed files with 189 additions and 0 deletions.
diff --git a/cmd/evt/cmd/trigger/triggers/arch_prctl.sh b/cmd/evt/cmd/trigger/triggers/arch_prctl.sh
@@ -0,0 +1 @@
+common/true.sh
diff --git a/cmd/evt/cmd/trigger/triggers/bpf_attach.sh b/cmd/evt/cmd/trigger/triggers/bpf_attach.sh
@@ -0,0 +1 @@
+common/bpftrace.sh
diff --git a/cmd/evt/cmd/trigger/triggers/commit_creds.sh b/cmd/evt/cmd/trigger/triggers/commit_creds.sh
@@ -0,0 +1 @@
+common/sudo.sh
diff --git a/cmd/evt/cmd/trigger/triggers/common/bpftrace.sh b/cmd/evt/cmd/trigger/triggers/common/bpftrace.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# common
+
+# security_file_open   60
+# shared_object_loaded 44
+# sched_process_exec    2
+# arch_prctl            2
+# security_bpf_prog     4
+# kallsyms_lookup_name  2
+# kprobe_attach         1
+# bpf_attach            1
+# sched_process_exit    2
+
+bpftrace -e 'kprobe:__do_sys_vfork { }' &
+bpftrace_pid=$!
+sleep 3
+kill -KILL $bpftrace_pid
diff --git a/cmd/evt/cmd/trigger/triggers/common/docker.sh b/cmd/evt/cmd/trigger/triggers/common/docker.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+# common
+
+sh -c 'docker run --rm -it ubuntu /bin/bash'
diff --git a/cmd/evt/cmd/trigger/triggers/common/mktemp-ln-rm.sh b/cmd/evt/cmd/trigger/triggers/common/mktemp-ln-rm.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# common
+
+# sched_process_exec      5
+# security_file_open     17
+# shared_object_loaded    5
+# arch_prctl              5
+# security_inode_unlink   3
+# security_inode_symlink  1
+# sched_process_exit      5
+
+file=$(mktemp /tmp/fileXXXXXX)
+link1=$(mktemp /tmp/link1XXXXXX)
+
+rm -f "$link1"
+
+ln -s "$file" "$link1"
+rm "$file" "$link1"
diff --git a/cmd/evt/cmd/trigger/triggers/common/ping.sh b/cmd/evt/cmd/trigger/triggers/common/ping.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+# common
+
+# sched_process_exec      1
+# security_file_open      8
+# shared_object_loaded    4
+# arch_prctl              1
+# security_socket_create  3
+# security_socket_connect 1
+# sched_process_exit      1
+
+ping 0.0.0.0 -c 1
diff --git a/cmd/evt/cmd/trigger/triggers/common/self-comm.sh b/cmd/evt/cmd/trigger/triggers/common/self-comm.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# common
+
+# magic_write        2
+# security_file_open 1
+# do_truncate        1
+# sched_process_exit 1
+
+echo "fake-comm" > /proc/self/comm # trigger magic-write by fake-comm
+echo "fake-comm" > /proc/self/comm # trigger do_truncate by fake-comm
diff --git a/cmd/evt/cmd/trigger/triggers/common/sudo.sh b/cmd/evt/cmd/trigger/triggers/common/sudo.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# common
+
+# sched_process_exec       3
+# security_file_open     113
+# shared_object_loaded    40
+# arch_prctl               3
+# security_socket_create  19
+# commit_creds             4
+# sched_process_fork       3
+# sched_process_exit       3
+# socket_dup               2
+
+sudo echo sudo >/dev/null
diff --git a/cmd/evt/cmd/trigger/triggers/common/timeout-nc.sh b/cmd/evt/cmd/trigger/triggers/common/timeout-nc.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# sched_process_exec      2
+# security_file_open     11
+# shared_object_loaded    2
+# arch_prctl              2
+# security_file_open     12
+# sched_process_fork      1
+# process_execute_failed  5 (the amount of wrong PATH entries)
+# security_socket_create  1
+# security_socket_bind    1
+# sched_process_exit      2
+
+basename=$(basename "$0")
+socket_path=$(mktemp -u /tmp/"$basename"_XXXXXX)
+timeout 0.1 nc -l -U "$socket_path"
+rm -f "$socket_path"
diff --git a/cmd/evt/cmd/trigger/triggers/common/true.sh b/cmd/evt/cmd/trigger/triggers/common/true.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# common
+
+# sched_process_exec   1
+# security_file_open   2
+# shared_object_loaded 1
+# arch_prctl           1
+# sched_process_exit   1
+
+/bin/true # full path to avoid shell built-in
diff --git a/cmd/evt/cmd/trigger/triggers/common/unshare-mkdir.sh b/cmd/evt/cmd/trigger/triggers/common/unshare-mkdir.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# common
+
+# sched_process_exec      2
+# security_file_open     13
+# shared_object_loaded    2
+# arch_prctl              2
+# debugfs_create_dir      1
+# debugfs_create_file     2
+# security_socket_create 15
+# device_add              1
+# switch_task_ns          1
+# sched_process_fork      1
+# magic_write             3
+# security_sb_mount       1
+# process_execute_failed  4
+# sched_process_exit      2
+
+unshare --mount --pid --net --ipc --uts --user --fork --map-root-user sh &
+sleep 1 # wait for the unshare to complete and exit
+exit 0
diff --git a/cmd/evt/cmd/trigger/triggers/debugfs_create_dir.sh b/cmd/evt/cmd/trigger/triggers/debugfs_create_dir.sh
@@ -0,0 +1 @@
+common/unshare-mkdir.sh
diff --git a/cmd/evt/cmd/trigger/triggers/debugfs_create_file.sh b/cmd/evt/cmd/trigger/triggers/debugfs_create_file.sh
@@ -0,0 +1 @@
+common/unshare-mkdir.sh
diff --git a/cmd/evt/cmd/trigger/triggers/device_add.sh b/cmd/evt/cmd/trigger/triggers/device_add.sh
@@ -0,0 +1 @@
+common/unshare-mkdir.sh
diff --git a/cmd/evt/cmd/trigger/triggers/do_truncate.sh b/cmd/evt/cmd/trigger/triggers/do_truncate.sh
@@ -0,0 +1 @@
+common/self-comm.sh
diff --git a/cmd/evt/cmd/trigger/triggers/kallsyms_lookup_name.sh b/cmd/evt/cmd/trigger/triggers/kallsyms_lookup_name.sh
@@ -0,0 +1 @@
+common/bpftrace.sh
diff --git a/cmd/evt/cmd/trigger/triggers/kprobe_attach.sh b/cmd/evt/cmd/trigger/triggers/kprobe_attach.sh
@@ -0,0 +1 @@
+common/bpftrace.sh
diff --git a/cmd/evt/cmd/trigger/triggers/magic_write.sh b/cmd/evt/cmd/trigger/triggers/magic_write.sh
@@ -0,0 +1 @@
+common/self-comm.sh
diff --git a/cmd/evt/cmd/trigger/triggers/process_execute_failed.sh b/cmd/evt/cmd/trigger/triggers/process_execute_failed.sh
@@ -0,0 +1 @@
+common/timeout-nc.sh
diff --git a/cmd/evt/cmd/trigger/triggers/ptrace.sh b/cmd/evt/cmd/trigger/triggers/ptrace.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+# ptrace
+
+# sched_process_exec    2
+# security_file_open   14
+# shared_object_loaded  6
+# arch_prctl            2
+# sched_process_fork    2
+# ptrace              287
+# sched_process_exit    4
+
+strace /bin/true # full path to avoid shell built-in
diff --git a/cmd/evt/cmd/trigger/triggers/sched_process_exec.sh b/cmd/evt/cmd/trigger/triggers/sched_process_exec.sh
@@ -0,0 +1 @@
+common/true.sh
diff --git a/cmd/evt/cmd/trigger/triggers/sched_process_exit.sh b/cmd/evt/cmd/trigger/triggers/sched_process_exit.sh
@@ -0,0 +1 @@
+common/true.sh
diff --git a/cmd/evt/cmd/trigger/triggers/sched_process_fork.sh b/cmd/evt/cmd/trigger/triggers/sched_process_fork.sh
@@ -0,0 +1 @@
+common/timeout-nc.sh
diff --git a/cmd/evt/cmd/trigger/triggers/security_bpf_prog.sh b/cmd/evt/cmd/trigger/triggers/security_bpf_prog.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# security_bpf_prog
+
+# sched_process_exec   1
+# arch_prctl           2
+# security_bpf_prog  487
+# security_file_open   3
+# sched_process_exit   1
+
+bpftool prog dump xlated name trace_execute_finished
diff --git a/cmd/evt/cmd/trigger/triggers/security_file_open.sh b/cmd/evt/cmd/trigger/triggers/security_file_open.sh
@@ -0,0 +1 @@
+common/true.sh
diff --git a/cmd/evt/cmd/trigger/triggers/security_inode_symlink.sh b/cmd/evt/cmd/trigger/triggers/security_inode_symlink.sh
@@ -0,0 +1 @@
+common/mktemp-ln-rm.sh
diff --git a/cmd/evt/cmd/trigger/triggers/security_inode_unlink.sh b/cmd/evt/cmd/trigger/triggers/security_inode_unlink.sh
@@ -0,0 +1 @@
+common/mktemp-ln-rm.sh
diff --git a/cmd/evt/cmd/trigger/triggers/security_path_notify.sh b/cmd/evt/cmd/trigger/triggers/security_path_notify.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# sched_process_exec    1
+# security_file_open    6
+# shared_object_loaded  5
+# arch_prctl            1
+# security_path_notify  1
+# sched_process_exit    1
+
+inotifywait -m /tmp -t 1
diff --git a/cmd/evt/cmd/trigger/triggers/security_sb_mount.sh b/cmd/evt/cmd/trigger/triggers/security_sb_mount.sh
@@ -0,0 +1 @@
+common/unshare-mkdir.sh
diff --git a/cmd/evt/cmd/trigger/triggers/security_socket_bind.sh b/cmd/evt/cmd/trigger/triggers/security_socket_bind.sh
@@ -0,0 +1 @@
+common/timeout-nc.sh
diff --git a/cmd/evt/cmd/trigger/triggers/security_socket_connect.sh b/cmd/evt/cmd/trigger/triggers/security_socket_connect.sh
@@ -0,0 +1 @@
+common/ping.sh
diff --git a/cmd/evt/cmd/trigger/triggers/security_socket_create.sh b/cmd/evt/cmd/trigger/triggers/security_socket_create.sh
@@ -0,0 +1 @@
+common/ping.sh
diff --git a/cmd/evt/cmd/trigger/triggers/shared_object_loaded.sh b/cmd/evt/cmd/trigger/triggers/shared_object_loaded.sh
@@ -0,0 +1 @@
+common/true.sh
diff --git a/cmd/evt/cmd/trigger/triggers/socked_dup.sh b/cmd/evt/cmd/trigger/triggers/socked_dup.sh
@@ -0,0 +1 @@
+common/sudo.sh
diff --git a/cmd/evt/cmd/trigger/triggers/switch_task_ns.sh b/cmd/evt/cmd/trigger/triggers/switch_task_ns.sh
@@ -0,0 +1 @@
+common/unshare-mkdir.sh