fixed exec event filename and command from tarian-detector

kube-tarian · Mar 28, 2024 · f4e0249 · f4e0249
1 parent 1950ff7
commit f4e0249
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 8 deletions.
diff --git a/go.mod b/go.mod
@@ -119,4 +119,4 @@ require (
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 )
 
-replace github.com/intelops/tarian-detector => github.com/andylibrian/tarian-detector v0.0.0-20240324031146-e283e019e3aa
+replace github.com/intelops/tarian-detector => github.com/andylibrian/tarian-detector v0.0.0-20240328042403-0ad0b29f56cf
diff --git a/go.sum b/go.sum
@@ -41,8 +41,8 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRF
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
 github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE=
-github.com/andylibrian/tarian-detector v0.0.0-20240324031146-e283e019e3aa h1:ina+HPyp+MCrI1apve00ceN0Eg5urTT39lJGbPttcxw=
-github.com/andylibrian/tarian-detector v0.0.0-20240324031146-e283e019e3aa/go.mod h1:dXcRWq8AHABseHsjcnM8iJqwXCGX+dGGOR8kiXw1acY=
+github.com/andylibrian/tarian-detector v0.0.0-20240328042403-0ad0b29f56cf h1:sCIBD/c64HW9pW41ws1hDzFSwiQ53etRTl35zzYQzuw=
+github.com/andylibrian/tarian-detector v0.0.0-20240328042403-0ad0b29f56cf/go.mod h1:dXcRWq8AHABseHsjcnM8iJqwXCGX+dGGOR8kiXw1acY=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=

diff --git a/pkg/nodeagent/nodeagent.go b/pkg/nodeagent/nodeagent.go
@@ -4,13 +4,15 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"path/filepath"
 	"regexp"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 
 	"github.com/intelops/tarian-detector/pkg/detector"
+	"github.com/intelops/tarian-detector/pkg/eventparser"
 	"github.com/intelops/tarian-detector/tarian"
 	"github.com/kube-tarian/tarian/pkg/tarianpb"
 	"github.com/scylladb/go-set/strset"
@@ -240,7 +242,7 @@ func (n *NodeAgent) loopTarianDetectorReadEvents(ctx context.Context) error {
 			// But for kubectl exec, the detected entry comm is still the wrapper: runc:init
 			// With sys_execve_exit, the comm is the target process
 			detectionDataType := event["eventId"].(string)
-			if detectionDataType == "sys_execve_exit" {
+			if detectionDataType == "sys_execve_entry" {
 				execEvent, err2 := n.execEventFromTarianDetector(event, containerID, pod)
 				if err2 != nil {
 					n.logger.WithField("err", err2).Error("tarian-detector: error while converting tarian-detector to execEvent")
@@ -252,6 +254,8 @@ func (n *NodeAgent) loopTarianDetectorReadEvents(ctx context.Context) error {
 						n.logger.WithField("err", err3).Error("node-agent: error while handling exec event")
 					}
 				}
+
+				n.logger.WithField("execEvent", execEvent).WithField("event", event).Info("DEBUG")
 			}
 
 			byteData, err := json.Marshal(event)
@@ -261,8 +265,6 @@ func (n *NodeAgent) loopTarianDetectorReadEvents(ctx context.Context) error {
 			}
 
 			n.SendDetectionEventToClusterAgent(detectionDataType, string(byteData))
-			n.logger.WithField("binary_file_path", event["directory"]).WithField("hostProcessId", event["hostProcessId"]).
-				WithField("processId", event["processId"]).WithField("comm", event["processName"]).Info("tarian-detector: ", detectionDataType)
 		}
 	}
 }
@@ -324,11 +326,25 @@ func (n *NodeAgent) execEventFromTarianDetector(bpfEvt map[string]any, container
 	podLabels = pod.GetLabels()
 	podAnnotations = pod.GetAnnotations()
 
+	execFileName := bpfEvt["directory"].(string) + "/" + bpfEvt["processName"].(string)
+	if eventContext, ok := bpfEvt["context"].([]eventparser.Arg); ok {
+		for _, c := range eventContext {
+			if c.Name == "filename" {
+				execFileName = c.Value
+				break
+			}
+		}
+	}
+
+	// Running on kubernetes, bpfEvt["processName"] contains `runc:[2:INIT]`
+	// So, we take the command from the executable filename instead.
+	command := filepath.Base(execFileName)
+
 	// Create an ExecEvent and send it to the events channel.
 	execEvent := &ExecEvent{
 		Pid:               pid,
-		Filename:          bpfEvt["directory"].(string) + "/" + bpfEvt["processName"].(string),
-		Command:           bpfEvt["processName"].(string),
+		Filename:          execFileName,
+		Command:           command,
 		ContainerID:       containerID,
 		K8sPodName:        podName,
 		K8sPodUID:         podUID,