Question: How to load custom rego rules into Kubernetes Daemonset?

[abhaybhargav]

I have a basic question. I have checked across the documentation and the source code, but I am not able to figure this out.

I have a few custom tracee rules (rego) that I'd like to load into my running kubernetes cluster. I have deployed tracee as a DaemonSet in my cluster. How do I load these custom rules into the tracee instance running on my Kubernetes cluster?

Any help would be greatly appreciated

[josedonizetti]

@abhaybhargav Hey, sorry for the delay. Unfortunately, the experience to do it now isn't the best one, I'll create a task to make sure we improve it. So, what I did quickly here to make it work:

1 - created a configmap with my rule content

apiVersion: v1
kind: ConfigMap
metadata:
  name: tracee-config
data:
  example_rule1.rego: |
    package tracee.ExampleRule1

    __rego_metadoc__ := {
      "id": "ExampleRule1",
      "version": "0.1.0",
      "name": "Example Rule 1",
      "description": "Process uses anti-debugging technique to block debugger",
      "tags": ["linux", "container"],
      "properties": {
        "Severity": 3,
        "MITRE ATT&CK": "Defense Evasion: Execution Guardrails",
      },
    }

    tracee_selected_events[eventSelector] {
      eventSelector := {
        "source": "tracee",
        "name": "ptrace",
      }
    }

    tracee_match {
      input.eventName == "ptrace"
      arg := input.args[_]
      arg.name == "request"
      arg.value == "PTRACE_TRACEME"
    }

2 - changed tracee daemonset to mount the configmap as a volume

volumeMounts:
        - mountPath: /rules
          name: tracee-rules

....
volumes:
      - configMap:
          name: tracee-config
        name: tracee-rules

3 - changed tracee daemonset to pass the path where the rules were mounted as an argument

containers:
      - args:
        - --rules-dir
        - /rules

There are probably different ways of doing it, but this should be fixed on the tracee side for a simpler experience. Like the trivy-operator does for defsec policies.

[abhaybhargav]

@josedonizetti in my case, my rego rule has an import tracee.data.helpers statement. Do i need to import the helpers rego or the go helpers code? And how would I do that? Another configmap?

[josedonizetti]

The simpler way of doing it would be consolidate all regos in the same configmap. So for the case where you have the tracee helper, plus other rules, it would look like:

apiVersion: v1
kind: ConfigMap
metadata:
  name: tracee-config
data:
  helpers.rego: |
   .... content for tracee-helpers
  your_rule1: |
  .....
  your_rule2: |
  ...

So, when this configmaps mount, the directory will have one file per key.

[abhaybhargav]

@josedonizetti I tried this, but it doesnt seem to work. I am not sure if the rule is at fault here. I removed the helper functions so I dont have to load the configmap with that

apiVersion: v1
kind: ConfigMap
metadata:
  name: tracee-config
data:
  write_app.rego: |
    package tracee.TRC_301

    # import tracee.data.helpers

    __rego_metadoc__ := {
        "id": "TRC-301",
        "version": "0.1.0",
      "name": "Write to Python App Directory",
      "description": "Write to Python App Directory",
      "tags": ["linux", "container", "app", "python"],
      "properties": {
        "Severity": 2,
        "MITRE ATT&CK": "Loading files into protected File System",
      },
    }

    eventSelectors = [
        {
            "source": "tracee",
            "name": "vfs_write"
        },
        {
            "source": "tracee",
            "name": "vfs_writev"
        },
        {
            "source": "tracee",
            "name": "write"
        }
    ]

    trace_selected_events[eventSelector] {
        eventSelector := eventSelectors[_]
    }

    tracee_match {
        input.eventName == "write"

        arg := input.args[_]
        arg.name == "pathname"
        startswith(pathname, "/app/")
    }

    tracee_match {
        input.eventName == "vfs_write"

        arg := input.args[_]
        arg.name == "pathname"
        startswith(pathname, "/app/")
    }

    tracee_match {
        input.eventName == "vfs_writev"

        arg := input.args[_]
        arg.name == "pathname"
        startswith(pathname, "/app/")
    }

[josedonizetti]

I tried your rule, and when I restart the tracee pod I see:

{"level":"error","ts":1669910818.6172214,"msg":"creating rego signature with: package tracee.TRC_301: 3 errors occurred:\ntracee.TRC_301:41: rego_unsafe_var_error: var pathname is unsafe\ntracee.TRC_301:49: rego_unsafe_var_error: var pathname is unsafe\ntracee.TRC_301:57: rego_unsafe_var_error: var pathname is unsafe"} 
{"level":"error","ts":1669910818.6193776,"msg":"creating rego signature with: package tracee.TRC_301: 3 errors occurred:\ntracee.TRC_301:41: rego_unsafe_var_error: var pathname is unsafe\ntracee.TRC_301:49: rego_unsafe_var_error: var pathname is unsafe\ntracee.TRC_301:57: rego_unsafe_var_error: var pathname is unsafe"}

Tried to fix it, with a new version:

apiVersion: v1
kind: ConfigMap
metadata:
  name: tracee-config
data:
  write_app.rego: |
    package tracee.TRC_301

    # import tracee.data.helpers

    __rego_metadoc__ := {
        "id": "TRC-301",
        "version": "0.1.0",
      "name": "Write to Python App Directory",
      "description": "Write to Python App Directory",
      "tags": ["linux", "container", "app", "python"],
      "properties": {
        "Severity": 2,
        "MITRE ATT&CK": "Loading files into protected File System",
      },
    }

    eventSelectors = [
        {
            "source": "tracee",
            "name": "vfs_write"
        },
        {
            "source": "tracee",
            "name": "vfs_writev"
        },
        {
            "source": "tracee",
            "name": "write"
        }
    ]

    trace_selected_events[eventSelector] {
        eventSelector := eventSelectors[_]
    }

    tracee_match {
        input.eventName == "write"
        pathname := get_tracee_argument("pathname")
        startswith(pathname, "/app/")
    }

    tracee_match {
        input.eventName == "vfs_write"
        pathname := get_tracee_argument("pathname")
        startswith(pathname, "/app/")
    }

    tracee_match {
        input.eventName == "vfs_writev"
        pathname := get_tracee_argument("pathname")
        startswith(pathname, "/app/")
    }

    get_tracee_argument(arg_name) = res {
      arg := input.args[_]
      arg.name == arg_name
      res := arg.value
    }

Now, if I restart tracee, I see:

INFO: probing tracee-ebpf capabilities...
INFO: starting tracee-ebpf...
INFO: starting tracee-rules...
KConfig: warning: could not check enabled kconfig features
(could not read /boot/config-5.15.0-53-generic: stat /boot/config-5.15.0-53-generic: no such file or directory)
KConfig: warning: assuming kconfig values, might have unexpected behavior
Loaded 2 signature(s): [TRC-301 TRC-301]

[abhaybhargav]

Yes, I fixed that and its loaded, but the event is not showing up in the logs. There must be something wrong with the rule itself. Ill have to check.

I am trying to detect when something is written to any file in the path /app/. I am guessing my rule is not working for some reason.

[abhaybhargav]

@josedonizetti I dont think this is anything to do with the rule. I used a rule from your own docs (https://aquasecurity.github.io/tracee/dev/docs/detecting/rego/) and tried loading it in Kubernetes as a configmap. The rule was loaded but the logs for the event dont appear in the logs

This was the configmap by the way. As I mentioned, the rule loaded successfully. I suspect there's some issue with the parsing of the rules, etc.

apiVersion: v1
kind: ConfigMap
metadata:
  name: tracee-config
data:
    my-new-rule.rego: |
        package tracee.TRC_808

        __rego_metadoc__ := {
            "id": "TRC-808",
            "version": "0.1.0",
            "name": "Read etcpasswd",
            "description": "Read etcpasswd",
            "tags": ["linux"],
            "properties": {
                "Severity": 2,
                "MITRE ATT&CK": "Reading sensitive files",
            },
        }

        eventSelectors := [
            {
                "source": "tracee",
                "name": "openat",
            },
            {
                "source": "tracee",
                "name": "execve",
            },
        ]

        tracee_selected_events[eventSelector] {
            eventSelector := eventSelectors[_]
        }

        tracee_match {
            input.eventName == "openat"
            arg_value = get_tracee_argument("pathname")
            startswith(arg_value, "/etc/passwd")
        }

        tracee_match {
            input.eventName == "execve"
            arg_value = get_tracee_argument("pathname")
            startswith(arg_value, "/etc/passwd")
        }

        get_tracee_argument(arg_name) = res {
            arg := input.args[_]
            arg.name == arg_name
            res := arg.value
        }

[abhaybhargav]

Hi @josedonizetti any luck with those tests? I tried some other things, but to no avail

[josedonizetti]

@abhaybhargav Sorry for the delay was trying to finish a few PRs due to the release. The problem now is that we are not loading the proper events on tracee-ebpf based on the custom rules, so, even though the rule is loaded properly, the events it depends are not passed to tracee-ebpf, so the collector doesn't know you want openata and execve` -> https://github.com/aquasecurity/tracee/blob/main/builder/entrypoint.sh#L65.

I'll create a few issues from our chat here, first to do a quick fix for the problem above, so you can use the custom rules on the next release, which will happen in the next couple of days, and another one to improve the overall experience.

Thank you!

[abhaybhargav]

thanks very much. appreciate all the work you do :)

[geyslan]

@abhaybhargav Here's a quick solution #2493. I don't know if there's enough time to it be reviewed for this release. Anything, let us know.

[geyslan]

Awesome. It has just got in

[findpaths]

Hi, the solution mentioned appears to be docker specific - I'm unable to get custom rego signatures working in kubernetes (minikube) using helm as documented. What needs to change in the charts to apply a custome rego file - I'm just trying to use the example given here https://aquasecurity.github.io/tracee/latest/docs/events/custom/rego/ to monitor a file