From 5bd63e383de9d5216bb788044eacfa964d245e8e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Geyslan=20Greg=C3=B3rio?=
Date: Tue, 7 Jan 2025 18:32:31 -0300
Subject: [PATCH] chore: add events triggers (scripts)
---
 cmd/evt/cmd/trigger/triggers/arch_prctl.sh | 1 +
 cmd/evt/cmd/trigger/triggers/bpf_attach.sh | 1 +
 cmd/evt/cmd/trigger/triggers/commit_creds.sh | 1 +
 .../cmd/trigger/triggers/common/bpftrace.sh | 18 +++++++++++++++
 cmd/evt/cmd/trigger/triggers/common/docker.sh | 5 +++++
 .../trigger/triggers/common/mktemp-ln-rm.sh | 19 ++++++++++++++++
 cmd/evt/cmd/trigger/triggers/common/ping.sh | 13 +++++++++++
 .../cmd/trigger/triggers/common/self-comm.sh | 11 ++++++++++
 cmd/evt/cmd/trigger/triggers/common/sudo.sh | 15 +++++++++++++
 .../cmd/trigger/triggers/common/timeout-nc.sh | 17 ++++++++++++++
 cmd/evt/cmd/trigger/triggers/common/true.sh | 11 ++++++++++
 .../trigger/triggers/common/unshare-mkdir.sh | 22 +++++++++++++++++++
 .../trigger/triggers/debugfs_create_dir.sh | 1 +
 .../trigger/triggers/debugfs_create_file.sh | 1 +
 cmd/evt/cmd/trigger/triggers/device_add.sh | 1 +
 cmd/evt/cmd/trigger/triggers/do_truncate.sh | 1 +
 .../trigger/triggers/kallsyms_lookup_name.sh | 1 +
 cmd/evt/cmd/trigger/triggers/kprobe_attach.sh | 1 +
 cmd/evt/cmd/trigger/triggers/magic_write.sh | 1 +
 .../triggers/process_execute_failed.sh | 1 +
 cmd/evt/cmd/trigger/triggers/ptrace.sh | 13 +++++++++++
 .../trigger/triggers/sched_process_exec.sh | 1 +
 .../trigger/triggers/sched_process_exit.sh | 1 +
 .../trigger/triggers/sched_process_fork.sh | 1 +
 .../cmd/trigger/triggers/security_bpf_prog.sh | 11 ++++++++++
 .../trigger/triggers/security_file_open.sh | 1 +
 .../triggers/security_inode_symlink.sh | 1 +
 .../trigger/triggers/security_inode_unlink.sh | 1 +
 .../trigger/triggers/security_path_notify.sh | 10 +++++++++
 .../cmd/trigger/triggers/security_sb_mount.sh | 1 +
 .../trigger/triggers/security_socket_bind.sh | 1 +
 .../triggers/security_socket_connect.sh | 1 +
 .../triggers/security_socket_create.sh | 1 +
 .../trigger/triggers/shared_object_loaded.sh | 1 +
 cmd/evt/cmd/trigger/triggers/socked_dup.sh | 1 +
 .../cmd/trigger/triggers/switch_task_ns.sh | 1 +
 36 files changed, 189 insertions(+)
 create mode 120000 cmd/evt/cmd/trigger/triggers/arch_prctl.sh
 create mode 120000 cmd/evt/cmd/trigger/triggers/bpf_attach.sh
 create mode 120000 cmd/evt/cmd/trigger/triggers/commit_creds.sh
 create mode 100755 cmd/evt/cmd/trigger/triggers/common/bpftrace.sh
 create mode 100755 cmd/evt/cmd/trigger/triggers/common/docker.sh
 create mode 100755 cmd/evt/cmd/trigger/triggers/common/mktemp-ln-rm.sh
 create mode 100755 cmd/evt/cmd/trigger/triggers/common/ping.sh
 create mode 100755 cmd/evt/cmd/trigger/triggers/common/self-comm.sh
 create mode 100755 cmd/evt/cmd/trigger/triggers/common/sudo.sh
 create mode 100755 cmd/evt/cmd/trigger/triggers/common/timeout-nc.sh
 create mode 100755 cmd/evt/cmd/trigger/triggers/common/true.sh
 create mode 100755 cmd/evt/cmd/trigger/triggers/common/unshare-mkdir.sh
 create mode 120000 cmd/evt/cmd/trigger/triggers/debugfs_create_dir.sh
 create mode 120000 cmd/evt/cmd/trigger/triggers/debugfs_create_file.sh
 create mode 120000 cmd/evt/cmd/trigger/triggers/device_add.sh
 create mode 120000 cmd/evt/cmd/trigger/triggers/do_truncate.sh
 create mode 120000 cmd/evt/cmd/trigger/triggers/kallsyms_lookup_name.sh
 create mode 120000 cmd/evt/cmd/trigger/triggers/kprobe_attach.sh
 create mode 120000 cmd/evt/cmd/trigger/triggers/magic_write.sh
 create mode 120000 cmd/evt/cmd/trigger/triggers/process_execute_failed.sh
 create mode 100755 cmd/evt/cmd/trigger/triggers/ptrace.sh
 create mode 120000 cmd/evt/cmd/trigger/triggers/sched_process_exec.sh
 create mode 120000 cmd/evt/cmd/trigger/triggers/sched_process_exit.sh
 create mode 120000 cmd/evt/cmd/trigger/triggers/sched_process_fork.sh
 create mode 100755 cmd/evt/cmd/trigger/triggers/security_bpf_prog.sh
 create mode 120000 cmd/evt/cmd/trigger/triggers/security_file_open.sh
 create mode 120000 cmd/evt/cmd/trigger/triggers/security_inode_symlink.sh
 create mode 120000 cmd/evt/cmd/trigger/triggers/security_inode_unlink.sh
 create mode 100755 cmd/evt/cmd/trigger/triggers/security_path_notify.sh
 create mode 120000 cmd/evt/cmd/trigger/triggers/security_sb_mount.sh
 create mode 120000 cmd/evt/cmd/trigger/triggers/security_socket_bind.sh
 create mode 120000 cmd/evt/cmd/trigger/triggers/security_socket_connect.sh
 create mode 120000 cmd/evt/cmd/trigger/triggers/security_socket_create.sh
 create mode 120000 cmd/evt/cmd/trigger/triggers/shared_object_loaded.sh
 create mode 120000 cmd/evt/cmd/trigger/triggers/socked_dup.sh
 create mode 120000 cmd/evt/cmd/trigger/triggers/switch_task_ns.sh
diff --git a/cmd/evt/cmd/trigger/triggers/arch_prctl.sh b/cmd/evt/cmd/trigger/triggers/arch_prctl.sh
new file mode 120000
index 000000000000..f00670e47d78
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/arch_prctl.sh
@@ -0,0 +1 @@
+common/true.sh
\ No newline at end of file
diff --git a/cmd/evt/cmd/trigger/triggers/bpf_attach.sh b/cmd/evt/cmd/trigger/triggers/bpf_attach.sh
new file mode 120000
index 000000000000..8bb8ef0f5c5b
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/bpf_attach.sh
@@ -0,0 +1 @@
+common/bpftrace.sh
\ No newline at end of file
diff --git a/cmd/evt/cmd/trigger/triggers/commit_creds.sh b/cmd/evt/cmd/trigger/triggers/commit_creds.sh
new file mode 120000
index 000000000000..a93f46bb9bb4
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/commit_creds.sh
@@ -0,0 +1 @@
+common/sudo.sh
\ No newline at end of file
diff --git a/cmd/evt/cmd/trigger/triggers/common/bpftrace.sh b/cmd/evt/cmd/trigger/triggers/common/bpftrace.sh
new file mode 100755
index 000000000000..74f08e27dc5a
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/common/bpftrace.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# common
+
+# security_file_open 60
+# shared_object_loaded 44
+# sched_process_exec 2
+# arch_prctl 2
+# security_bpf_prog 4
+# kallsyms_lookup_name 2
+# kprobe_attach 1
+# bpf_attach 1
+# sched_process_exit 2
+
+bpftrace -e 'kprobe:__do_sys_vfork { }' &
+bpftrace_pid=$!
+sleep 3
+kill -KILL $bpftrace_pid
diff --git a/cmd/evt/cmd/trigger/triggers/common/docker.sh b/cmd/evt/cmd/trigger/triggers/common/docker.sh
new file mode 100755
index 000000000000..e7e153c31a32
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/common/docker.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+# common
+
+sh -c 'docker run --rm -it ubuntu /bin/bash'
diff --git a/cmd/evt/cmd/trigger/triggers/common/mktemp-ln-rm.sh b/cmd/evt/cmd/trigger/triggers/common/mktemp-ln-rm.sh
new file mode 100755
index 000000000000..a45e66116c74
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/common/mktemp-ln-rm.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# common
+
+# sched_process_exec 5
+# security_file_open 17
+# shared_object_loaded 5
+# arch_prctl 5
+# security_inode_unlink 3
+# security_inode_symlink 1
+# sched_process_exit 5
+
+file=$(mktemp /tmp/fileXXXXXX)
+link1=$(mktemp /tmp/link1XXXXXX)
+
+rm -f "$link1"
+
+ln -s "$file" "$link1"
+rm "$file" "$link1"
diff --git a/cmd/evt/cmd/trigger/triggers/common/ping.sh b/cmd/evt/cmd/trigger/triggers/common/ping.sh
new file mode 100755
index 000000000000..b33f2f2b83e5
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/common/ping.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+# common
+
+# sched_process_exec 1
+# security_file_open 8
+# shared_object_loaded 4
+# arch_prctl 1
+# security_socket_create 3
+# security_socket_connect 1
+# sched_process_exit 1
+
+ping 0.0.0.0 -c 1
diff --git a/cmd/evt/cmd/trigger/triggers/common/self-comm.sh b/cmd/evt/cmd/trigger/triggers/common/self-comm.sh
new file mode 100755
index 000000000000..8a7f245ca1f6
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/common/self-comm.sh
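Review bot: `kill -KILL $bpftrace_pid` on the last line fires after a fixed 3 s sleep without ever checking that bpftrace started, so a missing binary or a failed probe attach (the `__do_sys_vfork` kprobe symbol is not present on every kernel build) yields no events and no error beyond bpftrace's own stderr. A `command -v bpftrace >/dev/null || exit 1` before the background call fails fast, and `kill -TERM "$bpftrace_pid"` followed by `wait "$bpftrace_pid"` lets bpftrace detach its probe itself and reaps the child before the script exits. The header lists event names with numbers but never says what the numbers are; a one-line comment such as `# expected event counts when this trigger runs` would make the list self-explanatory, assuming that is their meaning.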
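Review bot: `docker run --rm -it ubuntu /bin/bash` on the last line requests a TTY and an interactive shell, so it errors out with "the input device is not a TTY" when the trigger runs without a terminal and otherwise blocks waiting for input; a trigger should run a finite command such as `docker run --rm ubuntu /bin/true`. The `sh -c '...'` wrapper only adds a process, since the file already runs under `#!/bin/sh`. No event symlink in this commit points at `common/docker.sh` and it carries no event-count header like its siblings, so it looks unused; if it is kept on purpose, a comment saying why would help. It also pulls the `ubuntu` image on first use, so the trigger depends on registry access and network, which the file should state.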
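Review bot: Neither `mktemp` call is checked, so when `/tmp` is not writable `file` and `link1` are empty and the script continues into `rm -f ""`, `ln -s "" ""` and `rm "" ""`, reporting errors from the wrong commands; `set -e` after the shebang, or `|| exit 1` on each assignment, stops at the real failure. The `rm -f "$link1"` followed by `ln -s` gives up the name `mktemp` just reserved and then reuses it, which is what `mktemp -u` does in one step; the sibling `timeout-nc.sh` already uses `mktemp -u` for a name it creates itself, so `link1=$(mktemp -u /tmp/link1XXXXXX)` here would drop the extra create-and-unlink and keep the two scripts consistent. The `security_inode_unlink 3` count in the header appears to include that extra `rm -f`, so it would need re-measuring after the change.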
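Review bot: `ping 0.0.0.0 -c 1` puts the option after the destination; iputils accepts that, but smaller implementations may treat `-c` as an extra argument (hedged, not verified for every variant), and `ping -c 1 0.0.0.0` works with all of them. ping needs CAP_NET_RAW or a `net.ipv4.ping_group_range` that includes the caller to open its socket, so an unprivileged run fails without producing the `security_socket_connect` event; a comment above the command noting that prerequisite, e.g. `# needs CAP_NET_RAW or an ICMP-capable net.ipv4.ping_group_range`, would save debugging time when the count is missing.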
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# common
+
+# magic_write 2
+# security_file_open 1
+# do_truncate 1
+# sched_process_exit 1
+
+echo "fake-comm" > /proc/self/comm # trigger magic-write by fake-comm
+echo "fake-comm" > /proc/self/comm # trigger do_truncate by fake-comm
diff --git a/cmd/evt/cmd/trigger/triggers/common/sudo.sh b/cmd/evt/cmd/trigger/triggers/common/sudo.sh
new file mode 100755
index 000000000000..8f45c5b51e76
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/common/sudo.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# common
+
+# sched_process_exec 3
+# security_file_open 113
+# shared_object_loaded 40
+# arch_prctl 3
+# security_socket_create 19
+# commit_creds 4
+# sched_process_fork 3
+# sched_process_exit 3
+# socket_dup 2
+
+sudo echo sudo >/dev/null
diff --git a/cmd/evt/cmd/trigger/triggers/common/timeout-nc.sh b/cmd/evt/cmd/trigger/triggers/common/timeout-nc.sh
new file mode 100755
index 000000000000..fecd8ef8d0fc
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/common/timeout-nc.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# sched_process_exec 2
+# security_file_open 11
+# shared_object_loaded 2
+# arch_prctl 2
+# security_file_open 12
+# sched_process_fork 1
+# process_execute_failed 5 (the amount of wrong PATH entries)
+# security_socket_create 1
+# security_socket_bind 1
+# sched_process_exit 2
+
+basename=$(basename "$0")
+socket_path=$(mktemp -u /tmp/"$basename"_XXXXXX)
+timeout 0.1 nc -l -U "$socket_path"
+rm -f "$socket_path"
diff --git a/cmd/evt/cmd/trigger/triggers/common/true.sh b/cmd/evt/cmd/trigger/triggers/common/true.sh
new file mode 100755
index 000000000000..d14c3a84219a
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/common/true.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# common
+
+# sched_process_exec 1
+# security_file_open 2
+# shared_object_loaded 1
+# arch_prctl 1
+# sched_process_exit 1
+
+/bin/true # full path to avoid shell built-in
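Review bot: The two command lines in this hunk are identical but their comments attribute different events to each (`magic-write` vs `do_truncate`), which reads as if the second write does something the first does not; if the repetition is intentional (presumably the second `>` truncates a now non-empty file and that is what yields the single `do_truncate`), state that in a comment above the pair, otherwise it looks like a copy-paste. I would also note that the redirection is performed by the shell itself, so `/proc/self/comm` renames this script's `sh` process rather than a child, e.g. `# the shell performs the redirection, so /proc/self is this script's own process`. Hedged: I cannot confirm from the hunk why two O_TRUNC opens are counted as one `do_truncate`.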
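Review bot: `sudo echo sudo >/dev/null` blocks on a password prompt whenever the runner lacks passwordless sudo (sudo reads the password from the controlling terminal), hanging the trigger instead of failing; `sudo -n echo sudo >/dev/null` makes sudo refuse non-interactively so the trigger exits promptly with an error. Since the privilege transition is the whole point of this trigger, a comment stating the precondition, `# requires passwordless sudo for the invoking user`, belongs above the command.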
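Review bot: The header lists `security_file_open` twice (11 and 12), so a reader cannot tell which count is expected; drop or merge one of the two lines. `basename=$(basename "$0")` shadows the utility name with a variable, and because this file is reached through three different symlinks `$0` makes the socket name vary per event; `script_name=$(basename "$0")` reads better and a short comment on the naming would help. `timeout 0.1` gives nc only 100 ms to start and bind on a loaded host, which can drop the `security_socket_bind` event; a value such as `timeout 1` is safer. `-U` is a netcat-openbsd option that netcat-traditional does not have, so behaviour depends on which `nc` is installed; worth stating in the header, which is also the only `common/` script without the `# common` line.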
diff --git a/cmd/evt/cmd/trigger/triggers/common/unshare-mkdir.sh b/cmd/evt/cmd/trigger/triggers/common/unshare-mkdir.sh
new file mode 100755
index 000000000000..66f11745db9d
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/common/unshare-mkdir.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# common
+
+# sched_process_exec 2
+# security_file_open 13
+# shared_object_loaded 2
+# arch_prctl 2
+# debugfs_create_dir 1
+# debugfs_create_file 2
+# security_socket_create 15
+# device_add 1
+# switch_task_ns 1
+# sched_process_fork 1
+# magic_write 3
+# security_sb_mount 1
+# process_execute_failed 4
+# sched_process_exit 2
+
+unshare --mount --pid --net --ipc --uts --user --fork --map-root-user sh &
+sleep 1 # wait for the unshare to complete and exit
+exit 0
diff --git a/cmd/evt/cmd/trigger/triggers/debugfs_create_dir.sh b/cmd/evt/cmd/trigger/triggers/debugfs_create_dir.sh
new file mode 120000
index 000000000000..5126d17dc5a3
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/debugfs_create_dir.sh
@@ -0,0 +1 @@
+common/unshare-mkdir.sh
\ No newline at end of file
diff --git a/cmd/evt/cmd/trigger/triggers/debugfs_create_file.sh b/cmd/evt/cmd/trigger/triggers/debugfs_create_file.sh
new file mode 120000
index 000000000000..5126d17dc5a3
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/debugfs_create_file.sh
@@ -0,0 +1 @@
+common/unshare-mkdir.sh
\ No newline at end of file
diff --git a/cmd/evt/cmd/trigger/triggers/device_add.sh b/cmd/evt/cmd/trigger/triggers/device_add.sh
new file mode 120000
index 000000000000..5126d17dc5a3
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/device_add.sh
@@ -0,0 +1 @@
+common/unshare-mkdir.sh
\ No newline at end of file
diff --git a/cmd/evt/cmd/trigger/triggers/do_truncate.sh b/cmd/evt/cmd/trigger/triggers/do_truncate.sh
new file mode 120000
index 000000000000..b7d3fd2c787b
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/do_truncate.sh
@@ -0,0 +1 @@
+common/self-comm.sh
\ No newline at end of file
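Review bot: `unshare ... sh &` starts an interactive shell in the background and never waits for it or checks its status: in a non-interactive script the stdin of an asynchronous command is `/dev/null`, so that `sh` reads EOF and exits at once, which makes the `sleep 1` a guess and the unconditional `exit 0` hides a failing `unshare` (for example where unprivileged user namespaces are disabled). Running a finite command in the foreground removes all three and lets the real exit status through: `unshare --mount --pid --net --ipc --uts --user --fork --map-root-user /bin/true`. The file is named `unshare-mkdir.sh` but nothing creates a directory; if a mkdir step was dropped, the name and the four symlinks pointing at it should follow, or a comment should explain the name. Hedged: the header counts were presumably measured with the `sh` variant and would need re-checking.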
diff --git a/cmd/evt/cmd/trigger/triggers/kallsyms_lookup_name.sh b/cmd/evt/cmd/trigger/triggers/kallsyms_lookup_name.sh
new file mode 120000
index 000000000000..8bb8ef0f5c5b
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/kallsyms_lookup_name.sh
@@ -0,0 +1 @@
+common/bpftrace.sh
\ No newline at end of file
diff --git a/cmd/evt/cmd/trigger/triggers/kprobe_attach.sh b/cmd/evt/cmd/trigger/triggers/kprobe_attach.sh
new file mode 120000
index 000000000000..8bb8ef0f5c5b
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/kprobe_attach.sh
@@ -0,0 +1 @@
+common/bpftrace.sh
\ No newline at end of file
diff --git a/cmd/evt/cmd/trigger/triggers/magic_write.sh b/cmd/evt/cmd/trigger/triggers/magic_write.sh
new file mode 120000
index 000000000000..b7d3fd2c787b
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/magic_write.sh
@@ -0,0 +1 @@
+common/self-comm.sh
\ No newline at end of file
diff --git a/cmd/evt/cmd/trigger/triggers/process_execute_failed.sh b/cmd/evt/cmd/trigger/triggers/process_execute_failed.sh
new file mode 120000
index 000000000000..0f387e997ad6
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/process_execute_failed.sh
@@ -0,0 +1 @@
+common/timeout-nc.sh
\ No newline at end of file
diff --git a/cmd/evt/cmd/trigger/triggers/ptrace.sh b/cmd/evt/cmd/trigger/triggers/ptrace.sh
new file mode 100755
index 000000000000..f432a71d05b2
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/ptrace.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+# ptrace
+
+# sched_process_exec 2
+# security_file_open 14
+# shared_object_loaded 6
+# arch_prctl 2
+# sched_process_fork 2
+# ptrace 287
+# sched_process_exit 4
+
+strace /bin/true # full path to avoid shell built-in
diff --git a/cmd/evt/cmd/trigger/triggers/sched_process_exec.sh b/cmd/evt/cmd/trigger/triggers/sched_process_exec.sh
new file mode 120000
index 000000000000..f00670e47d78
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/sched_process_exec.sh
@@ -0,0 +1 @@
+common/true.sh
\ No newline at end of file
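Review bot: `strace /bin/true` writes the full syscall trace to the trigger's stderr, so every run dumps dozens of lines into whatever the runner captures; `strace -o /dev/null /bin/true` keeps the ptrace activity and drops the noise (the `security_file_open` count in the header may shift by one for the extra open). strace must be installed and ptrace must be permitted (a `kernel.yama.ptrace_scope` of 3 disables it entirely), otherwise the trigger fails with no `ptrace` event; a comment above the command stating that prerequisite would help whoever sees the count missing.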
diff --git a/cmd/evt/cmd/trigger/triggers/sched_process_exit.sh b/cmd/evt/cmd/trigger/triggers/sched_process_exit.sh
new file mode 120000
index 000000000000..f00670e47d78
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/sched_process_exit.sh
@@ -0,0 +1 @@
+common/true.sh
\ No newline at end of file
diff --git a/cmd/evt/cmd/trigger/triggers/sched_process_fork.sh b/cmd/evt/cmd/trigger/triggers/sched_process_fork.sh
new file mode 120000
index 000000000000..0f387e997ad6
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/sched_process_fork.sh
@@ -0,0 +1 @@
+common/timeout-nc.sh
\ No newline at end of file
diff --git a/cmd/evt/cmd/trigger/triggers/security_bpf_prog.sh b/cmd/evt/cmd/trigger/triggers/security_bpf_prog.sh
new file mode 100755
index 000000000000..b1d850b47849
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/security_bpf_prog.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# security_bpf_prog
+
+# sched_process_exec 1
+# arch_prctl 2
+# security_bpf_prog 487
+# security_file_open 3
+# sched_process_exit 1
+
+bpftool prog dump xlated name trace_execute_finished
diff --git a/cmd/evt/cmd/trigger/triggers/security_file_open.sh b/cmd/evt/cmd/trigger/triggers/security_file_open.sh
new file mode 120000
index 000000000000..f00670e47d78
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/security_file_open.sh
@@ -0,0 +1 @@
+common/true.sh
\ No newline at end of file
diff --git a/cmd/evt/cmd/trigger/triggers/security_inode_symlink.sh b/cmd/evt/cmd/trigger/triggers/security_inode_symlink.sh
new file mode 120000
index 000000000000..ac2bb20b000e
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/security_inode_symlink.sh
@@ -0,0 +1 @@
+common/mktemp-ln-rm.sh
\ No newline at end of file
diff --git a/cmd/evt/cmd/trigger/triggers/security_inode_unlink.sh b/cmd/evt/cmd/trigger/triggers/security_inode_unlink.sh
new file mode 120000
index 000000000000..ac2bb20b000e
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/security_inode_unlink.sh
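Review bot: `bpftool prog dump xlated name trace_execute_finished` depends on a BPF program with exactly that name being loaded already, and on enough privilege for bpftool to query it; without both, bpftool prints an error and the `security_bpf_prog 487` count in the header is not reproduced. The precondition is stated nowhere in the file, so add it above the command, e.g. `# requires the BPF program 'trace_execute_finished' to be loaded and CAP_BPF/root to query it`. I am assuming that program belongs to the tracer this trigger exercises; if so, naming the tool in the comment would make the dependency explicit.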
@@ -0,0 +1 @@
+common/mktemp-ln-rm.sh
\ No newline at end of file
diff --git a/cmd/evt/cmd/trigger/triggers/security_path_notify.sh b/cmd/evt/cmd/trigger/triggers/security_path_notify.sh
new file mode 100755
index 000000000000..f29d07d52ce1
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/security_path_notify.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# sched_process_exec 1
+# security_file_open 6
+# shared_object_loaded 5
+# arch_prctl 1
+# security_path_notify 1
+# sched_process_exit 1
+
+inotifywait -m /tmp -t 1
diff --git a/cmd/evt/cmd/trigger/triggers/security_sb_mount.sh b/cmd/evt/cmd/trigger/triggers/security_sb_mount.sh
new file mode 120000
index 000000000000..5126d17dc5a3
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/security_sb_mount.sh
@@ -0,0 +1 @@
+common/unshare-mkdir.sh
\ No newline at end of file
diff --git a/cmd/evt/cmd/trigger/triggers/security_socket_bind.sh b/cmd/evt/cmd/trigger/triggers/security_socket_bind.sh
new file mode 120000
index 000000000000..0f387e997ad6
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/security_socket_bind.sh
@@ -0,0 +1 @@
+common/timeout-nc.sh
\ No newline at end of file
diff --git a/cmd/evt/cmd/trigger/triggers/security_socket_connect.sh b/cmd/evt/cmd/trigger/triggers/security_socket_connect.sh
new file mode 120000
index 000000000000..603cfb870512
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/security_socket_connect.sh
@@ -0,0 +1 @@
+common/ping.sh
\ No newline at end of file
diff --git a/cmd/evt/cmd/trigger/triggers/security_socket_create.sh b/cmd/evt/cmd/trigger/triggers/security_socket_create.sh
new file mode 120000
index 000000000000..603cfb870512
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/security_socket_create.sh
@@ -0,0 +1 @@
+common/ping.sh
\ No newline at end of file
diff --git a/cmd/evt/cmd/trigger/triggers/shared_object_loaded.sh b/cmd/evt/cmd/trigger/triggers/shared_object_loaded.sh
new file mode 120000
index 000000000000..f00670e47d78
--- /dev/null
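Review bot: `inotifywait -m /tmp -t 1` combines monitor mode with a timeout; one `security_path_notify` event is all this trigger needs, and in single-event mode the exit behaviour is unambiguous, so `inotifywait -t 1 /tmp` is the safer form (hedged: whether `-t` is honoured under `-m` depends on the inotify-tools version and I have not verified the one in use). The file lacks the header line (`# security_path_notify`) that the other non-common scripts carry, and it should state that `inotify-tools` must be installed. Watching `/tmp` also means any other process touching it during that second is counted, which is fine for a trigger but worth a word in the header.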
+++ b/cmd/evt/cmd/trigger/triggers/shared_object_loaded.sh
@@ -0,0 +1 @@
+common/true.sh
\ No newline at end of file
diff --git a/cmd/evt/cmd/trigger/triggers/socked_dup.sh b/cmd/evt/cmd/trigger/triggers/socked_dup.sh
new file mode 120000
index 000000000000..a93f46bb9bb4
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/socked_dup.sh
@@ -0,0 +1 @@
+common/sudo.sh
\ No newline at end of file
diff --git a/cmd/evt/cmd/trigger/triggers/switch_task_ns.sh b/cmd/evt/cmd/trigger/triggers/switch_task_ns.sh
new file mode 120000
index 000000000000..5126d17dc5a3
--- /dev/null
+++ b/cmd/evt/cmd/trigger/triggers/switch_task_ns.sh
@@ -0,0 +1 @@
+common/unshare-mkdir.sh
\ No newline at end of file
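Review bot: The new symlink is named `socked_dup.sh`, while the event it stands for is spelled `socket_dup` in the header of `common/sudo.sh` (`# socket_dup 2`) and every other link in this commit follows the `<event>.sh` scheme; if the trigger runner resolves scripts by event name (not visible in this diff), this link will never be found. Renaming it to `socket_dup.sh` keeps it in line with the rest of the set.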